Extract, process, and query Android security policies from Android firmware. BigMAC is a Python tool that helps analysts understand DAC, MAC (SELinux), and capabilities (CAP) on Android devices. It provides a framework for recovering security policies from firmware images, allowing for scalable policy extraction, and for interactive querying using Prolog. This was released at USENIX Security'20.
Clone the main repository:
git clone https://github.com/FICS/BigMAC
Make a Python 3 virtual environment:
cd BigMAC/
virtualenv -p python3 venv
Activate the virtual environment (do this for each terminal):
source venv/bin/activate
Your prompt will now look like:
(venv) $
Install sefcontext-parser (it's not on pip):
git clone https://github.com/jakev/sefcontext-parser
cd sefcontext-parser
python setup.py install
Install swi-prolog (8.0.X and above is needed):
sudo apt-add-repository ppa:swi-prolog/stable
sudo apt-get update
sudo apt-get install swi-prolog
Install libsepol (a different version than distros have is needed):
git clone --branch libsepol-2.7 https://github.com/SELinuxProject/selinux.git
Install the required build dependencies:
sudo apt install build-essential flex bison swig python-dev graphviz libgraphviz-dev pkg-config libaudit-dev
Apply the selinux.patch below to selinux to make sure that it will be buildable. Apply the patch like this:
$ cd selinux
$ patch -p1 < ../selinux.patch
Build a specific libsepol to be able to parse Android sepolicy files:
make -j # this may not completely build. as long as sepol is built, continue to install step
sudo make install # you MUST install before building setools
Get setools for use in Python:
git clone https://github.com/TresysTechnology/setools.git
cd setools
git checkout 856b56accba14 # required to match with libsepol version
Apply the setools.patch below to setools to make sure that it will be buildable. Apply the patch like this:
$ cd setools
$ patch -p1 < ../setools.patch
patching file setup.py
Build and install setools.
Make sure the SEPOL_SRC points to the correct path:
SEPOL_SRC=$(pwd)/../selinux/libsepol/ python3 setup.py build_ext build_py install
Go back to the main BigMAC directory and install all pip requirements:
BigMAC/ $ pip install -r requirements.txt
Try running the process.py main file:
$ ./process.py
BigMAC Android Policy Processor
by Grant Hernandez (https://hernan.de/z)
usage: process.py [-h] --vendor VENDOR [--debug] [--debug-init] [--skip-boot]
[--draw-graph] [--focus-set FOCUS_SET] [--save] [--load]
[--save-policy] [--list-objects] [--dont-expand-objects]
[--prolog]
policy_name
process.py: error: the following arguments are required: --vendor, policy_name
If you see the usage, all imports are correctly installed. Now move on to the next section to get started.
Extract out the eval/eval-policy.tar.gz file included in the repo for some example policies. For extracting your own from firmware we are working to stream line this process. See the tools/ for more information.
To start, process a single image from a vendor and print out the log, but don't save anything. Use this to sanity check your saved policies and policy processing code.
./process.py --vendor aosp policy/aosp/sailfish-ppr2.181005.003.a1-factory-dec6298c
./process.py --vendor aosp sailfish-ppr2.181005.003.a1-factory-dec6298c # equivalent to above
The saved policies directory is set in the config.py file.
If you want to process a policy an interact with the final results using IPython, add the --debug flag.
./process.py --debug --vendor aosp sailfish-ppr2.181005.003.a1-factory-dec6298c
...
In [0]: inst
Out[0]: <overlay.SEPolicyInst at 0x7ff0a8fd2d30>
Try viewing and playing with inst.processes, inst.subjects, and inst.objects!
Processing the entire policy into a graph takes time. The final results can be saved and loaded to speed things up.
./process.py --vendor aosp sailfish-ppr2.181005.003.a1-factory-dec6298c --save
./process.py --vendor aosp sailfish-ppr2.181005.003.a1-factory-dec6298c --load --debug # you can load from now on
The saved database will be under the firmware specific policy directory under the db/ sub directory.
To run prolog queries against the policy, add the --prolog command. The first time you do this, you will need to compile the prolog helpers.
./process.py --vendor aosp sailfish-ppr2.181005.003.a1-factory-dec6298c --load --prolog
query>
Prolog mode will fully instantiate the graph and emit Prolog facts and
binaries. The facts from the last run will be stored in the current directory
under facts.pl. This is compiled together with helper functions that will
enable you to query against a static binary of facts, greatly speeding up
queries. These binaries are stored in the db/ sub directory of the firmware
and can be run manually if you wish.