- explore your operating system using SQL
- host visibility is motivated by intrusion detection
- wanted 1 binary; 6MB with no dependencies
- done in C++
- created and used by Facebook (installed on 60 000 OS X hosts)
Some osquery query examples:
select pid, name, uid from processes where [constraints]
- the SQL syntax is the SQLite syntax.
- no Windows version; Linux and OS X only.
- a lot of cool examples: the list of events that happened on the host (files changed, USB sticks inserted).
A second binary that is presented is called osqueryd. osqueryd is a daemon; it uses a JSON config file to set options and define a schedule. The goal of osqueryd is to execute queries periodically and then send the results to an ELK (ElasticSearch+LogStash+Kibana) system.
The queries used by Facebook are packaged in different files ("packs"); these packs can also be downloaded free of charge.
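As an added example (not from the talk, and not osquery's own sample config), here is a minimal osqueryd configuration that ties together the two things described above: the kind of ad-hoc queries shown for osqueryi (processes, listening ports, inserted USB devices, changed files) placed on a schedule, plus a query pack reference. Table and column names are osquery's real ones; the log path, pack path, intervals and the choice of /etc as the watched directory are assumptions for this example.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "false",
    "schedule_splay_percent": 10
  },
  "schedule": {
    "root_processes": {
      "query": "SELECT pid, name, path, uid, cmdline FROM processes WHERE uid = 0;",
      "interval": 300
    },
    "listening_ports": {
      "query": "SELECT p.pid, p.name, l.port, l.protocol FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
      "interval": 600
    },
    "usb_devices": {
      "query": "SELECT vendor, model, serial FROM usb_devices;",
      "interval": 60
    },
    "etc_file_changes": {
      "query": "SELECT target_path, action, time FROM file_events;",
      "interval": 60,
      "removed": false
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  },
  "packs": {
    "incident-response": "/usr/share/osquery/packs/incident-response.conf"
  }
}
```

Each scheduled query is run at its interval and osqueryd logs only the rows that were added or removed since the last run, so a new USB device or a new root process shows up as a single "added" record; `"removed": false` suppresses the removal records for file events, which are one-shot anyway. With the filesystem logger the records land in osqueryd.results.log under logger_path, which is the file a Logstash or Filebeat agent tails into Elasticsearch to feed Kibana. A query can be tried interactively first with osqueryi before it is added to the schedule.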
A kernel contains code from various sources: hardware manufacturers, software companies (Google, Samsung).
An Android kernel is almost a Linux kernel, so the attack surface is the syscall interface.
The way to corrupt the kernel: user space tries to write into kernel space through syscalls, or, better still, through ioctls (driver-specific requests that all go through the single ioctl syscall).
The overall idea is to fuzz the parameters passed to ioctls. The fuzzer used (dronity) is based on the trinity fuzzer; dronity is not yet available (it will be published on GitHub soon).
The demo contained the following items:
- dronity fuzzing an Android development board.
- dronity fuzzing a real Android tablet.
- dronity fuzzing an aarch64 kernel on qemu.
- dronity fuzzing an aarch64 kernel with gdb attached (on qemu) in order to intercept the exception thrown by the kernel.