Sifter generates syscall tracers and filters for kernel modules automatically. It utilizes Syzkaller’s syscall description and generates an eBPF/tracepoints tracer that logs syscalls along with their arguments. After analyzing the trace, seccomp/eBPF filters are generated to limit untrusted programs’ syscall usage, which includes their argument values and the sequences. Currently, the prototype is implemented and tested on Google Pixel 3.
To try Sifter on Google Pixel 8, you will need to compile and install the customized Android and kernel.
Download AOSP source
mkdir main && cd main && REPO_ALLOW_SHALLOW=0 repo init -c -u https://android.googlesource.com/platform/manifest -b main --use-superproject --partial-clone --partial-clone-exclude=platform/frameworks/base --clone-filter=blob:limit=100k && repo sync -c -j32
Patch AOSP to support tracers and filters generated by Sifter. The patch files can be found in sifter/patches-new/
cd bionic && git apply <sifter>/patches-new/sifter-bionic.patch && cd ../
cd external/libbpf && git apply <sifter>/patches-new/sifter-libbpf.patch && cd ../../
cd frameworks/base && git apply <sifter>/patches-new/sifter-frameworks.patch && cd ../
cd system/selinux && git apply <sifter>/patches-new/sifter-selinux.patch && cd ../
Compile AOSP
source build/envsetup.sh
lunch shiba-trunk_staging-userdebug
m
Enter recovery mode by pressing and holding power + volume down bottons and then flash the device
fastboot --disable-verity --disable-verification flashall
After the flash prociess finishes, reboot the phone and check if it succeeds
fastboot reboot
Now we download the AOSP kernel for Pixel 8, patch it and flash it.
mkdir shiba-kernel && cd shiba-kernel
repo init -u https://android.googlesource.com/kernel/manifest -b android-gs-shusky-6.1-android16
repo sync
Apply the patches
git apply <sifter>/patches-new/sifter-aosp-complete.patch <shiba-kernel>/aosp
Build the kernel
./build_shusky.sh --no//build/kernel/kleaf:use_prebuilt_gki
Flash the image
cd out/shusky/dist
adb reboot bootloader
fastboot oem disable-verity
fastboot oem disable-verification
fastboot flash dtbo dtbo.img
fastboot flash vendor_kernel_boot vendor_kernel_boot.img
fastboot flash boot boot.img
fastboot reboot fastboot
fastboot flash vendor_dlkm vendor_dlkm.img
fastboot flash system_dlkm system_dlkm.img
fastboot reboot bootloader
fastboot reboot
Now the device is able to run tracers and filters generated by filter.
Since Sifter leverages Syzkaller’s syscall description to automatically generate tracers and filters, you will need to install Syzkaller before running Sifter’s tracer/filter generator.
Follow the guide to compile and install Syzkaller
git clone https://github.com/trusslab/sifter.git
cd sifter
In Sifter’s directory, generate the eBPF/tracepoints tracer by running the following command
go run sifter_v2.go -mode tracer -config ../syzkalls/src/github.com/google/syzkaller/configs/adb_binder.cfg -fd fd_kgsl -out kgsl
In the default output directory, gen/, you will find the generated source code for the eBPF tracer (e.g., linux_arm64_kgsl.c) and a configuration file you will need later for the agent to load the corresonding tracer (e.g., linux_arm64_kgsl_agent.cfg)
In Android main, create sifter-kern for compiling eBPF tracers and filters
mkdir externel/sifter-kern && cd externel/sifter-kern
Copy the generated eBPF tracer, linux_arm64_xxx.c, to the current directory and create the makefile, Android.bp
bpf {
name: "linux_arm64_xxx.o",
srcs: ["linux_arm64_xxx.c"],
cflags: [
"-Wall",
"-Werror",
],
}
Compile the tracer
mm
In blueline-aosp, copy and compile the user-space agent
cp -r <sifter>/agent external/ && cd external/agent
Compile the agent
mm
Push the tracer and agent to the device
adb push blueline-aosp/out/target/product/blueline/system/etc/bpf/linux_arm64_xxx.o /etc/bpf/
adb shell mkdir /data/sifter
adb push blueline-aosp/out/target/product/blueline/system/bin/agent /data/sifter/
adb push <sifter>/gen/linux_arm64_xxx_agent.cfg /data/sifter/
Reboot the device and the tracer will be loaded automatically during boot. You can check if the tracer is being loaded successfully by
adb logcat -s bpfloader
To start tracing syscalls of user programs, execute the agent, which will attach the eBPF tracer to the tracepoint hook and log the syscalls of the target program specified by its 16-character-long command (
adb shell /data/sifter/agent -c <agent configuration file> -p <comm> -o <output file>
After the desired trace is collected, you can analyze and generate eBPF/seccomp filters by feed the trace to sifter again by
go run sifter.go -mode filter -config ../syzkalls/src/github.com/google/syzkaller/configs/adb_binder.cfg -fd fd_kgsl -out kgsl
The work was supported in part by NSF Awards #1763172 and #1846230 as well as Google’s 2020 Android Security and PrIvacy REsearch (ASPIRE) Award.