How can I intercept native function calls?


Manuel Friedli

Jun 21, 2017, 10:00:34 AM
to android-ndk
Hi,

I'm a student in computer science. As part of my master's project, I'm trying to intercept calls to functions in native libraries on the Android platform. The goal is to decide whether to allow the call or deny it in order to improve security.

Following the approach of a research paper [1], I want to modify the Procedure Linkage Table (PLT) and the Global Offset Table (GOT) of the ELF file. The idea is that I want to make all the function calls point to my own intercepting function, which decides whether to block the call or pass it through to the original target function.

The ELF specification [2] says (in Book III, Chapter 2 Program Loading and Dynamic Linking, page 2-13, Sections "Global Offset Table" and "Procedure Linkage Table") that the actual contents and form of the PLT and the GOT depend upon the processor. However, in the documentation "ELF for the ARM Architecture" [3], I was unable to see the exact specification of either of those tables.

I have 3 questions:

- How can I map a symbol to a GOT or PLT entry?
- Where do I find the precise specification of the GOT and PLT for ARM processors?
- As the PLT contains machine code, will I have to parse that code in order to modify the target address, or do all PLT entries look identical, so that I could just modify the memory at a constant offset for each PLT entry?

Thanks,
Manuel

[1]: https://link.springer.com/chapter/10.1007/978-3-319-45744-4_23 (Stay in Your Cage! A Sound Sandbox for Third-Party Libraries on Android)
[2]: http://refspecs.linuxbase.org/elf/elf.pdf (Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification Version 1.2)
[3]: http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044f/IHI0044F_aaelf.pdf (ELF for the ARM® Architecture)
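The mapping asked about in the first question, as an added example that is not part of Manuel's post or of the paper's code: a symbol is not located by reading PLT instructions but through the relocation entry the dynamic linker uses to fill the PLT's GOT slot. Every entry in the DT_JMPREL table names a symbol (r_info) and the GOT slot it fills (r_offset), so the lookup is a walk over that table and the hook is one write into the slot. The program below does this for its own getenv() and puts an allow/deny policy in front of it; got_hook, hook_cb, install_getenv_hook and the GOT_HOOK_* variable names are the example's own.

```c
/* Added example for this thread, not code from the paper or from any poster: map a
 * dynamic symbol to the GOT slot behind its PLT entry in a loaded ELF object and
 * point that slot at an interceptor. The slot address comes from the DT_JMPREL
 * relocation table, which glibc, musl and bionic all expose through
 * dl_iterate_phdr(); no PLT machine code is parsed. Linux only. */
#define _GNU_SOURCE                 /* must precede the includes (dl_iterate_phdr) */
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if UINTPTR_MAX > 0xffffffffUL       /* r_info packing differs between ELF classes */
#  define REL_SYM(info) ELF64_R_SYM(info)
#else
#  define REL_SYM(info) ELF32_R_SYM(info)
#endif

struct got_hook {
    const char *symbol;             /* dynamic symbol whose GOT slot to redirect */
    void *replacement, *original;   /* interceptor; previous slot content (real target) */
    int patched, seen;              /* slots rewritten; objects visited so far */
};

/* glibc rewrites DT_SYMTAB/DT_STRTAB/DT_JMPREL to absolute addresses at load time,
 * bionic and musl keep them base-relative; a value below the base needs the bias. */
static ElfW(Addr) dyn_ptr(ElfW(Addr) base, ElfW(Addr) p) { return p < base ? base + p : p; }

static int hook_cb(struct dl_phdr_info *info, size_t sz, void *data)
{
    struct got_hook *h = data;
    (void)sz;
    if (h->seen++ != 0) return 0;   /* first object = main program; a library would be picked by dlpi_name */
    ElfW(Addr) base = info->dlpi_addr, dt[DT_JMPREL + 1] = {0};
    const ElfW(Dyn) *dyn = NULL;
    for (int i = 0; i < info->dlpi_phnum; i++)
        if (info->dlpi_phdr[i].p_type == PT_DYNAMIC)
            dyn = (const ElfW(Dyn) *)(base + info->dlpi_phdr[i].p_vaddr);
    if (!dyn) return 0;                        /* statically linked: no PLT/GOT */
    for (; dyn->d_tag != DT_NULL; dyn++)       /* collect the d_un values by tag */
        if (dyn->d_tag >= 0 && dyn->d_tag <= DT_JMPREL) dt[dyn->d_tag] = dyn->d_un.d_val;
    if (!dt[DT_SYMTAB] || !dt[DT_STRTAB] || !dt[DT_JMPREL]) return 0;
    const ElfW(Sym) *symtab = (const ElfW(Sym) *)dyn_ptr(base, dt[DT_SYMTAB]);
    const char *strtab = (const char *)dyn_ptr(base, dt[DT_STRTAB]);
    ElfW(Addr) tab = dyn_ptr(base, dt[DT_JMPREL]);
    /* DT_JMPREL holds one JUMP_SLOT relocation per PLT entry. 32-bit ARM uses
     * Elf32_Rel, AArch64 and x86-64 use Elf64_Rela; both begin with r_offset, r_info. */
    size_t entsz = dt[DT_PLTREL] == DT_RELA ? sizeof(ElfW(Rela)) : sizeof(ElfW(Rel));
    for (size_t off = 0; off + entsz <= dt[DT_PLTRELSZ]; off += entsz) {
        const ElfW(Rel) *r = (const ElfW(Rel) *)(tab + off);
        size_t sym = (size_t)REL_SYM(r->r_info);           /* index into DT_SYMTAB */
        if (sym == 0 || strcmp(strtab + symtab[sym].st_name, h->symbol) != 0)
            continue;
        ElfW(Addr) *slot = (ElfW(Addr) *)(base + r->r_offset);   /* the GOT entry */
        /* Under RELRO the GOT page is read-only by now; that is only an mprotect and
         * can be lifted. It stays writable since lazy binding writes neighbouring slots. */
        uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
        if (mprotect((void *)((uintptr_t)slot & ~(pg - 1)), pg, PROT_READ | PROT_WRITE))
            continue;
        if (!h->original) h->original = (void *)*slot;
        *slot = (ElfW(Addr))h->replacement;
        h->patched++;
    }
    return 0;
}

/* Demo policy standing in for the paper's allow/deny decision: this program's
 * getenv() calls reach libc only for one allow-listed variable. */
static struct got_hook getenv_hook; static int denied;

static char *guarded_getenv(const char *name)
{
    if (strcmp(name, "GOT_HOOK_ALLOWED") != 0) { denied++; return NULL; }
    return ((char *(*)(const char *))getenv_hook.original)(name);
}

int install_getenv_hook(void)              /* returns the number of GOT slots patched */
{
    /* With lazy binding an unused slot still holds the PLT resolver stub, and the
     * resolver would later write the real address over the hook; one call binds it. */
    (void)getenv("PATH");
    getenv_hook = (struct got_hook){ .symbol = "getenv", .replacement = (void *)guarded_getenv };
    dl_iterate_phdr(hook_cb, &getenv_hook);
    return getenv_hook.patched;
}
int denied_getenv_calls(void) { return denied; }

int main(void)
{
    setenv("GOT_HOOK_ALLOWED", "yes", 1); setenv("GOT_HOOK_SECRET", "s3cret", 1);
    printf("patched %d slot(s)\n", install_getenv_hook());
    printf("allowed=%s secret=%s\n", getenv("GOT_HOOK_ALLOWED"),
           getenv("GOT_HOOK_SECRET") ? "leaked" : "denied");
    return 0;
}
```

Compiled as an ordinary dynamically linked program, this patches exactly one slot and the second getenv() call is refused. It also answers the third question in passing: the PLT stubs are never touched, because every stub already jumps through its GOT slot, so rewriting the slot is enough whatever the stub's instruction sequence looks like. Two things the short version leaves out: code built with -fno-plt (or a function whose address is taken) reaches the symbol through a GLOB_DAT slot listed in DT_REL/DT_RELA instead, so a full implementation scans those tables too, filtering on the architecture's GLOB_DAT type (R_ARM_GLOB_DAT, R_AARCH64_GLOB_DAT, R_X86_64_GLOB_DAT); and the hook only sees calls that leave the patched object through its GOT, so calls inside the library, pointers obtained with dlsym() and inline system calls are not intercepted, which is the limit Glenn's reply is about.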

Glenn Kasten

Jun 21, 2017, 10:57:50 AM
to android-ndk
Since you are interested in security, you might want to take a look at
seccomp. Seccomp does what you want, but at the usermode-kernel boundary
rather than at the native function boundary. Seccomp has the advantage
that it is not as easy for a malicious or buggy app to bypass it, whereas if you
intercept at the native function boundary, it is quite easy for an app to bypass.