Presentation is loading. Please wait.

Presentation is loading. Please wait.

Input Validation vulnerabilities in Android System Services Sukwon Choi scho668.

Published byLambert Hoover Modified over 8 years ago

Similar presentations

Presentation on theme: "Input Validation vulnerabilities in Android System Services Sukwon Choi scho668."— Presentation transcript:

1 Input Validation vulnerabilities in Android System Services Sukwon Choi scho668

2 Introduction  Input Validation?  Examples of conventional input validation:  Prevention of SQL injection through sanitization of user-supplied input.  Prevention of XSS (Cross-Site Scripting) .. And a few more  However, these do not cover input validation of Android System Services.

3 android system services  A group of services that are provided by the Android Framework  Bluetooth, Telephone, etc  Primary factor that differentiate Android and conventional PC  Use API calls to use these “System Services”  These System Service Methods should adopt input validation techniques to increase security.

4 Problem 1: To which extent system services misses input validation  A lot of attack vectors for Android System Services  96 Services, and 1972 Methods between those services  System services are vulnerable to input attacks  Methods doing input validation should satisfy one of these:  Method verifies atleast one argument  Method requires the app satisfies a certain condition such as permissions.  Many methods actually do validate input BUT are not adequate

5 Problem 2: How to develop a cost-effective vulnerability scanner to find the vulnerability caused by invalid input  Buzzer (Binder Fuzzer)  Buzzer acts as an ordinary third party app  It can request all the permissions which an ordinary third party app could be authorized to have  The target test system for this application is Android 5.0.1 without any modifications.

6 Buzzer: Design & Implementation  Four Sections  Service Module  Service Chooser  Request Sender/Logger  Log Analyzer

7 Buzzer: Findings  Vulnerabilities caused by system generated code.  Vulnerabilities in the ServiceManager

8 Buzzer: Findings  Vulnerabilities in WiFi System Service  Vulnerabilities in Search System Service  Vulnerabilities caused by NULL reference

9 Criticism  A lot of manual work required  Use static analysis program to analyze source code  Script to completely automate analysis of log file  Android 6.0 introduces new ways to manage permissions  Might be difficult to constantly ask for permission  Need a way to automate the process

Download ppt "Input Validation vulnerabilities in Android System Services Sukwon Choi scho668."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.

Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Introduction Telerik Software Academy Software Quality Assurance.

Introduction Telerik Software Academy Software Quality Assurance.
Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013.

Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013.

Similar presentations

Ads by Google