Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)

Published byGervase Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)"— Presentation transcript:

1 Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)

2 Background  Input validation: “Correct testing of any input supplied by something else” Input by user Input by application on the environment  Applied in web applications Prevention of SQL injection Bounds checking for buffer overflow  Existing work on input validation don’t apply for Android system services.

3 What is an Android System Service?  Services provided by the Android system which encapsulate system functionalities Bluetooth Telephone GPS WiFi  Main differentiator between PC and Android system

4 Sending requests to a system service  Apps use API calls to send requests to system services  Best way (API) to send request – transact(…) 4 arguments  Malformed inputs -> systems service crash System service methods need to be protected from bad inputs

5 Problems to address 1.To which extent system service code misses input validation 2.How to develop a cost effective solution

6 Solving problem 1  Manual inspection of system service code 1972 methods across 96 system services 70% - Perform I.V, 23% - No arguments, 7%- No I.V  Conditions for methods that perform I.V Verify at least one argument Requires that the app satisfies a certain condition

7 Solving problem 2  Created Buzzer (Binder Fuzzer) Sends malformed requests to Android system services Crash target system service and expose vulnerabilities  Assumptions Acts as an ordinary third party app Can request all permissions that other ordinary third-party apps can Target system version 5.0.1

8 Buzzer breakdown  Service Module Arguments generator Request data wrapper  Service Chooser  Request Sender/Logger  Log Analyzer Semi-automatic

9 Buzzer design challenges  Arguments generating Java.util.Random used for primitive, String types Generate random field values for simple classes Replace Android SDK’s library to access hidden classes NULL for complex classes  Too many interface methods (1972 methods!) Methods that require permissions which are not acquirable (703) Methods which return null or have empty function bodies, omitted (8)

10 #1: Vulnerabilities caused by the generated code  AIDL (Android Interface Definition Language) Allows a programming interface to be agreed upon between application and system service. Necessary for interfaces to be passed onto arguments of the system service method.  Always returns the target interface as long as object is not null

11 #1: Vulnerability caused by the generate code (2)  Malicious app can forge an interface using a fake object that is not null.  Target system will invoke the forged interface which is actually a different interface on the inside.  SecurityException will be thrown.

12 #2: Vulnerability in Servicemanager  What is a Servicemanager? All system services must be registered with Servicemanager. Apps must communicate with Servicemanger before sending requests.  Flag value 0 = return reply to app 1 = exit and restart  Servicemanager restart => related processes restart => apps exit/restart. Eg. Zygote, keystore (slightly different scenario)

13 #3: Vulnerability in the WiFi System Service  Int argument that sets which frequency band to use. 0 = Automatic 1 = 5 GHz 2 = 2.4 GHz  If index > 2 then StringIndexOutOfBoundsException thrown.  WiFi disconnects from access point Attempts to reconnect through settings will cause the settings app to crash

14 #4: Vulnerability in Search System Service  Search system service Responsible for the search UI Maintains a registry of ‘searchable activities’  launchAssistAction() Method of search system service Starts activities that accept ACTION_ASSIST  Spam launchAssistAction() => UI freeze

15 #5: Vulnerabilities caused by NULL reference  There are methods which do not check for NULL arguments Eg. registerClient in the system service media.audio_policy  System service crash => related process crash => related system services unavailable Eg. Cannot: watch video, listen to music, use the camera. media.audio_policy mediaserver media.audio_flinger media.player media.camera

16 Impact of this research  After evaluating 1972 methods across 96 system services 16 vulnerabilities identified.  Findings sent to Google Issues have been accepted, being tracked and investigated.

17 Criticism  Manual inspection of code to determine methods doing input validation  Buzzers logging is semi-automatic Requests which are constantly sent are logged Messages between between buzzer and target service checked manually  Buzzer is NOT cross-version Relies heavily on native libraries No “Write once, run everywhere” Need NDK set differently for different ABI’s

18 Thank you

Download ppt "Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Services. Application component No user interface Two main uses Performing background processing Supporting remote method execution.

Services. Application component No user interface Two main uses Performing background processing Supporting remote method execution.
Syracuse University, New York, USA

Syracuse University, New York, USA
PScout: Analyzing the Android Permission Specification

PScout: Analyzing the Android Permission Specification
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Cosc 5/4730 Android Services. What is a service? From android developer web pages: Most confusion about the Service class actually revolves around what.

Cosc 5/4730 Android Services. What is a service? From android developer web pages: Most confusion about the Service class actually revolves around what.
DEVELOPER DAY BEFORE WE START, PLEASE VISIT WWW.PAYNOW.CO.ZW AND SIGN UPWWW.PAYNOW.CO.ZW.

DEVELOPER DAY BEFORE WE START, PLEASE VISIT AND SIGN UPWWW.PAYNOW.CO.ZW.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Crawler-Based Search Engine By: Bryan Chapman, Ryan Caplet, Morris Wright.

Crawler-Based Search Engine By: Bryan Chapman, Ryan Caplet, Morris Wright.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
JokerStars: Online Card Playing William Sanville Milestone 4.

JokerStars: Online Card Playing William Sanville Milestone 4.
C++ fundamentals.

C++ fundamentals.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google