Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)

Background
- Input validation: “Correct testing of any input supplied by something else”
  - Input by the user
  - Input by an application in the environment
- Applied in web applications
  - Prevention of SQL injection
  - Bounds checking to prevent buffer overflows
- Existing work on input validation does not apply to Android system services.

What is an Android System Service?
- Services provided by the Android system which encapsulate system functionality
  - Bluetooth
  - Telephone
  - GPS
  - WiFi
- Main differentiator between a PC and an Android system

Sending requests to a system service
- Apps use API calls to send requests to system services
- Best way (API) to send a request: transact(...), which takes 4 arguments
- Malformed inputs -> system service crash
  - System service methods need to be protected from bad inputs

Problems to address
1. To what extent system service code misses input validation
2. How to develop a cost-effective solution

Solving problem 1
- Manual inspection of system service code
  - 1972 methods across 96 system services
  - 70% perform input validation (I.V.), 23% take no arguments, 7% perform no I.V.
- Conditions for a method to count as performing I.V.
  - Verifies at least one argument
  - Requires that the app satisfies a certain condition

Solving problem 2
- Created Buzzer (Binder Fuzzer)
  - Sends malformed requests to Android system services
  - Crashes the target system service and exposes vulnerabilities
- Assumptions
  - Acts as an ordinary third-party app
  - Can request all permissions that other ordinary third-party apps can
  - Target system version 5.0.1

Buzzer breakdown
- Service Module
  - Arguments generator
  - Request data wrapper
- Service Chooser
- Request Sender/Logger
- Log Analyzer (semi-automatic)

Buzzer design challenges
- Argument generation
  - java.util.Random used for primitive and String types
  - Generate random field values for simple classes
  - Replace the Android SDK's library to access hidden classes
  - NULL for complex classes
- Too many interface methods (1972 methods!)
  - Methods that require permissions which are not acquirable (703)
  - Methods which return null or have empty function bodies omitted (8)

#1: Vulnerabilities caused by the generated code
- AIDL (Android Interface Definition Language)
  - Allows a programming interface to be agreed upon between application and system service.
  - Necessary for interfaces to be passed as arguments of a system service method.
- The generated code always returns the target interface as long as the passed object is not null

#1: Vulnerability caused by the generated code (2)
- A malicious app can forge an interface using a fake object that is not null.
- The target system will invoke the forged interface, which is actually a different interface on the inside.
- A SecurityException will be thrown.
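The following is an added illustration of the point on these two slides; it is not code from the presentation or from the Buzzer project. The types Binder, IClientCallback and ForgedBinder are hypothetical, simplified plain-Java stand-ins for android.os.IBinder and an AIDL interface, so the example compiles on a plain JDK. CallbackStub.asInterface mirrors the shape of AIDL-generated Stub.asInterface(): null in, null out, otherwise a proxy around whatever binder was passed, without checking what the remote object implements. The descriptor check in registerClientChecked is one possible mitigation (the slides do not say which fix was applied); the interface-descriptor names are constructed.

```java
// Stand-in for android.os.IBinder (hypothetical, simplified). The real
// interface also has getInterfaceDescriptor() and transact(); here transact()
// carries the interface token as a plain String instead of inside a Parcel.
interface Binder {
    String getInterfaceDescriptor();
    void transact(String interfaceToken, String payload);
}

// Stand-in for an AIDL callback interface an app hands to a system service.
interface IClientCallback {
    String DESCRIPTOR = "com.example.IClientCallback"; // constructed name
    void onEvent(String event);
}

// Mirrors AIDL-generated Stub.asInterface(): any non-null binder becomes a
// proxy that will later transact() to the remote object. No check here that
// the remote object really implements IClientCallback.
final class CallbackStub {
    static IClientCallback asInterface(Binder obj) {
        if (obj == null) return null;
        return event -> obj.transact(IClientCallback.DESCRIPTOR, event);
    }
}

// A non-null object that implements a different interface, as described on
// the slide. Like generated Stub.onTransact(), it enforces its own interface
// token and throws SecurityException on a mismatch.
final class ForgedBinder implements Binder {
    public String getInterfaceDescriptor() { return "com.example.IUnrelated"; } // constructed
    public void transact(String interfaceToken, String payload) {
        if (!getInterfaceDescriptor().equals(interfaceToken))
            throw new SecurityException("Binder invocation to an incorrect interface");
    }
}

final class ExampleService {
    private IClientCallback client;

    // Unvalidated: accepts any non-null binder; the failure surfaces only
    // later, inside the service, when the proxy is actually used.
    void registerClientUnchecked(Binder b) {
        client = CallbackStub.asInterface(b);
    }

    // Hardened: confirm the remote object's descriptor at the entry point and
    // reject with IllegalArgumentException, which the Binder layer marshals
    // back to the caller rather than propagating inside the service process.
    void registerClientChecked(Binder b) {
        if (b == null) throw new IllegalArgumentException("callback must not be null");
        String actual = b.getInterfaceDescriptor();
        if (!IClientCallback.DESCRIPTOR.equals(actual))
            throw new IllegalArgumentException(
                "expected " + IClientCallback.DESCRIPTOR + ", got " + actual);
        client = CallbackStub.asInterface(b);
    }

    void notifyClient(String event) {
        if (client != null) client.onEvent(event);
    }
}

public class AsInterfaceDemo {
    public static void main(String[] args) {
        Binder forged = new ForgedBinder();
        ExampleService s = new ExampleService();

        s.registerClientUnchecked(forged);   // accepted: object is not null
        try {
            s.notifyClient("ready");         // SecurityException from the remote side
        } catch (SecurityException e) {
            System.out.println("unchecked path: " + e.getMessage());
        }

        try {
            s.registerClientChecked(forged); // rejected before the proxy is ever used
        } catch (IllegalArgumentException e) {
            System.out.println("checked path: " + e.getMessage());
        }
    }
}
```

Real android.os.IBinder.getInterfaceDescriptor() declares RemoteException, which the stand-in omits; the point is the same: the descriptor of the object the app actually passed is available to the service, and checking it at the Binder entry point turns a later failure deep inside the service into an argument error reported to the caller.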

#2: Vulnerability in Servicemanager
- What is a Servicemanager?
  - All system services must be registered with Servicemanager.
  - Apps must communicate with Servicemanager before sending requests.
- Flag value
  - 0 = return reply to app
  - 1 = exit and restart
- Servicemanager restart => related processes restart => apps exit/restart. E.g. Zygote, keystore (slightly different scenario)

#3: Vulnerability in the WiFi System Service
- Int argument that sets which frequency band to use.
  - 0 = Automatic
  - 1 = 5 GHz
  - 2 = 2.4 GHz
- If index > 2, a StringIndexOutOfBoundsException is thrown.
- WiFi disconnects from the access point
  - Attempts to reconnect through Settings will cause the Settings app to crash

#4: Vulnerability in the Search System Service
- Search system service
  - Responsible for the search UI
  - Maintains a registry of ‘searchable activities’
- launchAssistAction()
  - Method of the search system service
  - Starts activities that accept ACTION_ASSIST
- Spamming launchAssistAction() => UI freeze

#5: Vulnerabilities caused by NULL references
- There are methods which do not check for NULL arguments
  - E.g. registerClient in the system service media.audio_policy
- System service crash => related process crash => related system services unavailable
  - E.g. cannot watch video, listen to music, or use the camera.
  - Affected: media.audio_policy, mediaserver, media.audio_flinger, media.player, media.camera
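As an added example covering both slide #3 (an unchecked int index) and slide #5 (an unchecked NULL argument), the plain-Java stand-ins below show each entry point as the slides describe it and beside it a hardened form. WifiLikeService, AudioPolicyLikeService, AudioClient and the band-name table are hypothetical and not the Android framework's code; the slide reports StringIndexOutOfBoundsException in the real WiFi service, whereas this stand-in indexes an array and so throws ArrayIndexOutOfBoundsException, the same class of unchecked-index bug. The reason the hardened versions throw IllegalArgumentException and NullPointerException specifically is that these are among the exception types Parcel.writeException() can marshal back to the calling app; an exception type it does not know, such as StringIndexOutOfBoundsException, is rethrown inside the service process, which is how a bad argument becomes a service crash.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Hypothetical stand-in for the WiFi entry point on slide #3.
final class WifiLikeService {
    // Band names indexed by the int argument: 0 = auto, 1 = 5 GHz, 2 = 2.4 GHz.
    private static final String[] BANDS = {"auto", "5GHz", "2.4GHz"};
    private int band = 0;

    // Unvalidated: any index outside 0..2 escapes as an unchecked exception
    // that the Binder layer cannot marshal, so it surfaces in the service.
    String setFrequencyBandUnchecked(int index) {
        band = index;
        return BANDS[index];
    }

    // Hardened: reject out-of-range input before touching any state.
    String setFrequencyBandChecked(int index) {
        if (index < 0 || index >= BANDS.length)
            throw new IllegalArgumentException("band index out of range: " + index);
        band = index;
        return BANDS[index];
    }

    int currentBand() { return band; }
}

// Hypothetical stand-in for the client callback registered on slide #5.
interface AudioClient {
    void onVolumeChanged(int level);
}

final class AudioPolicyLikeService {
    private final List<AudioClient> clients = new ArrayList<>();

    // Unvalidated: a null client is stored now and dereferenced later, far
    // from the call that introduced it.
    void registerClientUnchecked(AudioClient c) {
        clients.add(c);
    }

    // Hardened: fail fast at the entry point with NullPointerException, which
    // Binder reports to the caller instead of crashing the service later.
    void registerClientChecked(AudioClient c) {
        clients.add(Objects.requireNonNull(c, "client must not be null"));
    }

    // The deferred failure point for the unchecked path.
    void broadcast(int level) {
        for (AudioClient c : clients) c.onVolumeChanged(level);
    }
}

public class InputValidationDemo {
    public static void main(String[] args) {
        WifiLikeService wifi = new WifiLikeService();
        try {
            wifi.setFrequencyBandUnchecked(7);     // index > 2, as on slide #3
        } catch (ArrayIndexOutOfBoundsException e) {
            // Note the state was already corrupted before the throw.
            System.out.println("unchecked band: " + e + ", band now " + wifi.currentBand());
        }
        try {
            wifi.setFrequencyBandChecked(7);
        } catch (IllegalArgumentException e) {
            System.out.println("checked band: " + e.getMessage() + ", band still " + wifi.currentBand());
        }

        AudioPolicyLikeService audio = new AudioPolicyLikeService();
        audio.registerClientUnchecked(null);       // accepted silently
        try {
            audio.broadcast(3);                    // NullPointerException here, not at registration
        } catch (NullPointerException e) {
            System.out.println("unchecked client: deferred " + e);
        }
        try {
            audio.registerClientChecked(null);     // rejected immediately
        } catch (NullPointerException e) {
            System.out.println("checked client: " + e.getMessage());
        }
    }
}
```

The two hardened methods share one rule that generalises beyond these slides: every argument read from a Binder transaction is attacker-controlled, so it is validated before any state changes, and rejection uses an exception type the Binder layer can deliver to the caller.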

Impact of this research
- After evaluating 1972 methods across 96 system services, 16 vulnerabilities were identified.
- Findings sent to Google
  - Issues have been accepted and are being tracked and investigated.

Criticism
- Manual inspection of code to determine which methods perform input validation
- Buzzer's logging is semi-automatic
  - Requests which are constantly sent are logged
  - Messages between Buzzer and the target service are checked manually
- Buzzer is NOT cross-version
  - Relies heavily on native libraries
  - No “Write once, run everywhere”
  - NDK must be set up differently for different ABIs

Thank you