Input Validation vulnerabilities in Android System Services Sukwon Choi scho668.

Slides:

Advertisements

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Advertisements

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Moving Target Defense in Cyber Security

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

OWASP Mobile Top 10 Why They Matter and What We Can Do

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.

Prevent Cross-Site Scripting (XSS) attack

Approaches to Application Security – DSM

Introduction Telerik Software Academy Software Quality Assurance.

Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

CloudAppSec : Cloud Based Application Security for Android Applications Animesh Nandanwar Kshitij Desai Mayuresh Randive

Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India.

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

An Ad Hoc Writable Rule Language for White-Box Security Scanners Author:Sebastian Schinzel Referent:Prof. Dr. Alexander del Pino Korreferent:Prof. Dr.

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

Building Secure Web Applications With ASP.Net MVC.

Copyright Security-Assessment.com 2004 Security-Assessment.com Advances in Web Application Hacking by Nick von Dadelszen.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

Android Permissions Demystified

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.

Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.

What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

Introduction of XSS:-- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted.

Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)

Copyright Office Material Copyright Request System.

“What the is That? Deception and Countermeasures in the Android User Interface” Presented by Luke Moors.

SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.

WHAT THE APP IS THAT? DECEPTION AND COUNTERMEASURES IN THE ANDROID USER INTERFACE.

Joshua Garcia Institute for Software Research

Content Coverity Static Analysis Use cases of Coverity Examples

Web Application Security

Module: Software Engineering of Web Applications

SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.

Free for All! Assessing User Data Exposure to Advertising Libraries on Android Campbell Foskin.

Module: Software Engineering of Web Applications

Module: Software Engineering of Web Applications

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Key Points Unfolding the Situations to Drill a Framework in PHP

Module 30 (Unix/Linux Security Issues II)

AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM

Daniel Kouril, Ivo Nutar Masaryk University

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.

Yii - For the Future - Gen Web Development Platform

Systematic Detection of capability leaks in stock android smartphones

HTML Level II (CyberAdvantage)

Security of web applications.

Web Application Security

Chapter -8 Digital Signatures

Software Security Slide Set #10 Textbook Chapter 11 Clicker Questions

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems

Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019

Lecture 33: Testing I April 20, 2018

OWASP Application Security Verification Standard

OWASP Application Security Verification Standard

Presentation transcript:

Input Validation vulnerabilities in Android System Services Sukwon Choi scho668

Introduction  Input Validation?  Examples of conventional input validation:  Prevention of SQL injection through sanitization of user-supplied input.  Prevention of XSS (Cross-Site Scripting) .. And a few more  However, these do not cover input validation of Android System Services.

android system services  A group of services that are provided by the Android Framework  Bluetooth, Telephone, etc  Primary factor that differentiate Android and conventional PC  Use API calls to use these “System Services”  These System Service Methods should adopt input validation techniques to increase security.

Problem 1: To which extent system services misses input validation  A lot of attack vectors for Android System Services  96 Services, and 1972 Methods between those services  System services are vulnerable to input attacks  Methods doing input validation should satisfy one of these:  Method verifies atleast one argument  Method requires the app satisfies a certain condition such as permissions.  Many methods actually do validate input BUT are not adequate

Problem 2: How to develop a cost-effective vulnerability scanner to find the vulnerability caused by invalid input  Buzzer (Binder Fuzzer)  Buzzer acts as an ordinary third party app  It can request all the permissions which an ordinary third party app could be authorized to have  The target test system for this application is Android without any modifications.

Buzzer: Design & Implementation  Four Sections  Service Module  Service Chooser  Request Sender/Logger  Log Analyzer

Buzzer: Findings  Vulnerabilities caused by system generated code.  Vulnerabilities in the ServiceManager

Buzzer: Findings  Vulnerabilities in WiFi System Service  Vulnerabilities in Search System Service  Vulnerabilities caused by NULL reference

Criticism  A lot of manual work required  Use static analysis program to analyze source code  Script to completely automate analysis of log file  Android 6.0 introduces new ways to manage permissions  Might be difficult to constantly ask for permission  Need a way to automate the process