Attacking Hexagon: Security Analysis of Qualcomm's aDSP (RECON MONTREAL 2019)
Attending Recon 2019 was an amazing experience with many interesting talks. I would like to thank the organizers for the excellent event and I definitely hope to return next year.
Most importantly, I had the pleasure to present our research on Qualcomm's aDSP which is a separate co-processor in modern Qualcomm chipsets. As evident by the name, it is used in DSP applications like audio/video decoding and machine learning. It uses the Hexagon architecture just like the baseband in Qualcomm chipsets. The memory accesses by aDSP in the system memory pass through an MPU that enforces memory permissions.
Vendors provide a number of functions to be executed on-chip in shared libraries that can be called from the Android userspace through the FastRPC mechanism. The ecosystem includes a number of Android userspace libraries, a kernel driver and also a number of libraries in the aDSP side.
In order to explore the aDSP we used a development board which enabled us to run our own custom code on the aDSP. We also used Qualcomm's Hexagon SDK that provides a full toolchain such as a compiler, assembler and other utilities in order to compile our own code for the aDSP.
Evidently the large number of libraries in use on the aDSP that can be called from Android userspace exposes an interesting attack surface. We performed an analysis on FastCV, a library provided by Qualcomm, commonly used on Android devices for computer vision tasks. For this task we needed a disassembler. We used a number of disassemblers for the Hexagon architecture in order to reverse FastCV but quickly found out that all existing implementations do not work as intended in many cases. In this process we created our own proof of concept disassembler for Hexagon using Ghidra. This is still a work in progress project which we hope to release some time in the near future.
Our fuzzing efforts on FastCV did not yield promising results. However, fuzzing on a system function related handle exposed by the aDSP, yielded a crash. In this way we managed to crash our development board running Android 7. Further tests on later firmware showed that the bug may no longer be present (or be triggerable).
Future work on our aDSP research includes developing a proper disassembler for Hexagon and creating a software or hardware debugging setup that will make bug triaging and analysis easier. Finally, additional investigation is needed in order to examine post exploitation steps such as the compromise of the rest of the system and the circumvention of potentially restrictive memory access permissions.
In conclusion, the Qualcomm aDSP co-processor is a very interesting exploitation target and I look forward to seeing further research in this area.
The slides from our talk are now also available here.