Sergey Nivens - Fotolia

How can the Dirty COW vulnerability be used to attack Android devices?

A copy-on-write vulnerability known as 'Dirty COW' was found in the Linux kernel of Android devices. Expert Michael Cobb explains the risks of this attack.

The recently discovered Dirty COW Linux kernel vulnerability, which can allow an attacker to gain root access, has also been found to affect Android devices running on ARM chips. How does this work, and what are the risks of this attack for mobile users?

The COW in the Dirty COW vulnerability is short for Copy-On-Write, a computer programming time and resource management technique that uses the abstraction of virtual memory to efficiently implement a duplicate or copy operation on modifiable resources.

If a resource, such as a file or a block of memory, is duplicated, but not modified, there's no need for the system to create a new version, as it can be shared between the copy and the original. This avoids the overhead of creating a full copy. However, if either process makes a change to the resource, a real copy operation takes place -- hence, the term COW, as the copy operation is deferred until the first write occurs.

The Dirty COW vulnerability is a privilege escalation vulnerability, and it is caused by a race condition found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private, read-only memory mappings. A race condition occurs when two threads are racing to access or change shared data, but the thread scheduling algorithm fails to ensure that the events occur in the order the programmer intended. In this instance, data can be written into the wrong memory location, giving an attacker write access to read-only memory mappings of system files that would usually require a root login to modify.

Race conditions are notoriously difficult to find, reproduce and debug. They are usually only found by accident when a system becomes overloaded in a manner unforeseen by the programmer.

Linux creator Linus Torvalds was, in fact, aware of this bug 11 years ago, but it was only considered a theoretical problem back then. A potential fix was removed because it caused problems on the IBM mainframe version of Linux.

The Dirty COW vulnerability only came to light again when Linux researchers demonstrated that advances in technology meant it was no longer theoretical. They created an abnormal load by instructing one thread to hammer away writing changes into the writeable private map, with another thread repeatedly telling the kernel it could temporarily free up any memory used for the mapped file, eventually causing an access collision -- the race condition. This resulted in the data being written into the private memory map of the read-only file, instead. If this were to happen to a system executable or configuration file, the attacker could compromise the system's configuration and integrity, and even gain root control.

The Dirty COW vulnerability can't be exploited remotely -- the attacker must first be able to run the attack code on the system. However, attackers who already have a presence on a network are likely to find this a useful method to increase their privileges, particularly as the vulnerability is almost impossible for antivirus and other security software to detect.

Since this vulnerability has existed since 2007, most Linux-based systems are affected, including Android phones, which are based on Linux. Android users are also slightly more at risk, as apps run with user-level privileges, and could use the exploit to install additional malware and to steal data.

Patches have been released and should be applied to enterprise systems. Google released an Android-wide patch in December 2016.

Next Steps

Find out how the SFG malware dropper bypasses antimalware software

Learn about the Linux kernel memory protection feature on the Android OS

Read how a Linux vulnerability on Android devices allows attacks on TCP communications

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing