Publications

Binder Secctx Patch Analysis

11/10/2019 In the beginning of 2019, a new feature was added in the Binder kernel module. This patch allows to send the caller SElinux context in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to ACL bypass. This article studies details of this patch and its impact on security.

icmp-reachable

19/03/2019 A strange behavior was observed by Synacktiv experts during the security assessment of a stateful firewall implementation... After few coffees & RFCs it was understood that it could be a generic issue that might affect multiple IP stacks. So... What is a strange firewall behavior ? This article presents an implicit behavior of Linux nftables and OpenBSD PacketFilter? regarding the filtering of ICMP and ICMPv6 packets we considered as a security issue. It allows an attacker to bypass filtering rules in some cases an...

Binder transactions in the bowels of the Linux Kernel

14/12/2018 Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Message exchanged with Binder are called binder transactions, they can transport simple data such as integers but also process more complex structures like file descriptors, memory buffers or weak/strong references on objects.

Breaking namespace isolation with PF_RING before 7.0.0

21/05/2018 Linux hardening and proper isolation using containerization can be tricky especially when performance is critical. We recently helped a client to design a secure network appliance that involve sniffing network traffic. This device has high security and performance constraints. This post is a feedback on the unlikely integration of fast sniffers with linux containers.