Samsung KNOX™ is an umbrella name used by Samsung for a collection of security features deployed on its Android devices. While some of its modules are user-facing (such as the My KNOX™ app), others perform their tasks in the background. One such module, called TIMA RKP (short for Real-time Kernel Protection), is responsible for defending the system in case of a successful kernel exploit.
In this paper, we explain how a standard root exploit subverts the kernel, and explore the protection mechanisms of the RKP module that prevent this kind of exploitation. We then bypass these protections and execute code in the system user context. Malicious access to the system account can be used, for instance, to replace legitimate applications with rogue versions that hold every available permission, without the user noticing.
Next, we delve deeper into the RKP module to identify the specific checks it performs to prevent privilege escalation. We leverage this knowledge to subvert the RKP module and achieve root privileges. Furthermore, we disable additional kernel protections and finally load a custom, unsigned kernel module in order to remount the /system partition as writable.