ASan on android without rooting device


Francis Ricci

May 18, 2017, 11:29:13 AM
to address-sanitizer
Hi all!

Historically, I've always used ASan on a rooted/flashed device, as the asan_device_setup script requires root access. Is it possible (even in theory, or with some extra work in the codebase) to run ASan on a non-rooted device? I know you can for a simple C++ binary, since you can just run that via the command-line with LD_PRELOAD. But I know things are quite a bit more complex for apps, since you can't over-write app_process without a r/w system partition. What I've found online so far mostly points to shadow memory and libc issues.

It would be quite valuable for me to be able to run ASan on apps on non-rooted phones (even if I could only get a subset of checks to work), so I'd be willing to put in a fair amount of work to make it happen, if it's the sort of thing that could be possible.

Thanks!
Francis

Evgenii Stepanov

May 18, 2017, 3:48:39 PM
to address-sanitizer
Hi,

There is a system property that lets you prepend anything to the
zygote command line for a specific application, "wrap.<app-name>". It
requires a rooted device, but does not require remounting system r/w.

In theory, this requirement could be relaxed by allowing wrapping apps
even on a locked device based on the app manifest - some property like
"debuggable". That requires changing android platform source.

https://source.android.com/devices/tech/debug/asan#using_the_wrap_property

Evgenii Stepanov

May 18, 2017, 3:49:49 PM
to address-sanitizer
Oh, and the downside is slow startup. With the wrap property, any
process startup takes several extra seconds to reload all the base
classes.

Francis Ricci

May 18, 2017, 5:04:31 PM
to address-...@googlegroups.com
On Thu, May 18, 2017 at 3:49 PM, 'Evgenii Stepanov' via
address-sanitizer <address-...@googlegroups.com> wrote:
> Oh, and the downside is slow startup. With the wrap property, any
> process startup takes several extra seconds to reload all the base
> classes.
>
> On Thu, May 18, 2017 at 12:48 PM, Evgenii Stepanov <eug...@google.com> wrote:
>> Hi,
>>
>> There is a system property that lets you prepend anything to the
>> zygote command line for a specific application, "wrap.<app-name>". It
>> requires a rooted device, but does not require remounting system r/w.

Thanks, that should be helpful.

>>
>> In theory, this requirement could be relaxed by allowing wrapping apps
>> even on a locked device based on the app manifest - some property like
>> "debuggable". That requires changing android platform source.

That seems like it would be even better, although I question whether
android would be receptive to that sort of change, given potential
security implications, etc.

Francis Ricci

May 24, 2017, 11:57:26 AM
to address-sanitizer
Do you have experience using the wrap property? When I attempt to use it, even for very simple wrappers on system apps, it crashes the entire phone due to a failure to restat the file descriptor table, which appears to result from a failure to run CreateFromFd on a pipe (S_ISFIFO) in the zygote. This occurs even on system apps (tried wrap.com.google.android.youtube, in addition to my own apps), and even when the wrapper is as simple as I could come up with (for example, 'setprop wrap.com.google.android.youtube "exec $@" '). It reproduces for me on a 5X and a 6P running android 7.1.2. Both are rooted, with selinux set to permissive.

I could try flashing my phone with an older version of android, if this is likely to be a bug in android itself.

Francis Ricci

May 24, 2017, 2:41:31 PM
to address-...@googlegroups.com
Appears to work fine on android 6, so my guess is that 7 introduces a
bug of some sort.

Evgenii Stepanov

May 25, 2017, 5:24:32 PM
to address-sanitizer

Francis Ricci

May 26, 2017, 10:10:09 AM
to address-...@googlegroups.com
Thanks!