Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding and Defending Binder Attack Surface in Android

Published byMilton Fisher Modified over 6 years ago

Similar presentations

Presentation on theme: "Understanding and Defending Binder Attack Surface in Android"— Presentation transcript:

1 Understanding and Defending Binder Attack Surface in Android
By Wen-Kai Chen

2 Motivation Android as the most popular smartphone OS
Developers not trust worthy Inter-process communication (IPC) Different attack methods (DoS, Information Leakage, Crash System…etc.) Where are the security boundaries in Android? What are the vulnerabilities in Android? Solutions? Prevent attack? Diagnose Attack?

3 Background: Communication [Part 1]
Client side Server side IPC (Inter Process Communication) Binder Specific IPC Communication between 2 processes ioctl with Binder Library syscall with kernel level driver Transaction marshalled into parcel object Client/Server architecture

4 Background: Communication [Part 2]
AIDL (Android Interface Definition Language) Relieves tasks on developer Hide details on binder and RPC (Remote Procedural Call) Stubs and Proxy created Remote Procedural Call (RPC) Initiated by client Sends message to remote server Message contains parameter including data types – packed by stubs (aka marshalling) Within Binder Transaction [1]

5 Problems Analyzed 115 Android Source Codes
Sanity check client-side public API RPC parameters unchecked and deserialization process unprotected. Fuzzing - Binder transaction with non-primitive data types Uncaught exception & Erroneous Input (Crash + Reboot) Null parameters also causes crash Manipulate RPC parameters Inputs an important factor of security Injection on client-side

6 Ideas/Solutions for Security [Part 1]
Root cause analysis (Suggestion) Server double checks on input parameters Precautionary Testing (Suggestion) Before ROM release Static code analysis tool (aka “lint”). Inspection/Add metadata E.g @NonNull “lint” on RPC input Introduction of BinderCracker software (Implmented) Testing Binder-Based RPC Used before each product release Identify vulnerabilities report to AOSP (Android Open Source Project) Manage dependencies across transactions Recording component Fuzzing component

7 Ideas/Solutions for Security [Part 2]
BinderCracker Matching input/output of adjacent transaction, construction of dependency graph Record seed transactions and dependencies, then fuzz system service Monitor input/output Replay transaction before fuzzing Runtime Diagnostic Tool Maintains sender, schema, content, passing information for each transaction in case of failure. Provide detailed report of transaction. Warn user with visual prompt Diagnose instead of preventing problems

8 What’s Wrong? [Part 1] BinderCracker
Only identifies vulnerabilities in Binder based RPC Insufficient solutions Effectiveness of reporting to AOSP Actual solution? 18 Fixes out of 137 Vulnerabilities found

9 What’s Wrong? [Part 2] Data types within RPC
Hard to sanitize Root cause analysis, precautionary analysis and runtime diagnostic tool as suggestion Clear boundaries/rules not identified Not being able to identify who causes the crash and why it crashed DoS Attack is not fixed by BinderCracker

10 Improvements Implementation of ”lint” to RPC should be carried out and used with BinderCracker Collaborate diagnostic tool with BinderCracker Report + Vulnerabilities BinderCracker itself does not fix the problem identified, rather it only act as vulnerability identifier.

11 My Opinion Article is mainly about identifying vulnerabilities
Developer should be careful with IPC Sanity check is important in both client and server side Not only attack in Binder, other attacks on cryptography is important too.

12 Thanks for listening

Download ppt "Understanding and Defending Binder Attack Surface in Android"

Similar presentations

Slides on cross-domain call and Remote Procedure Call (RPC)

Slides on cross-domain call and Remote Procedure Call (RPC)
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Remote Procedure Call Design issues Implementation RPC programming

Remote Procedure Call Design issues Implementation RPC programming
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University

The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University
Implementing Remote Procedure Calls Andrew Birrell and Bruce Nelson Presented by Kai Cong.

Implementing Remote Procedure Calls Andrew Birrell and Bruce Nelson Presented by Kai Cong.
Tutorials 2 A programmer can use two approaches when designing a distributed application. Describe what are they? Communication-Oriented Design Begin with.

Tutorials 2 A programmer can use two approaches when designing a distributed application. Describe what are they? Communication-Oriented Design Begin with.
Middleware Technologies compiled by: Thomas M. Cosley.

Middleware Technologies compiled by: Thomas M. Cosley.
Apache Axis: A Set of Java Tools for SOAP Web Services.

Apache Axis: A Set of Java Tools for SOAP Web Services.
Outcomes What is RPC? The difference between conventional procedure call and RPC? Understand the function of client and server stubs How many steps could.

Outcomes What is RPC? The difference between conventional procedure call and RPC? Understand the function of client and server stubs How many steps could.
490dp Prelude: Design Report Remote Invocation Robert Grimm (borrowing some from Hank Levy)

490dp Prelude: Design Report Remote Invocation Robert Grimm (borrowing some from Hank Levy)
Remote Procedure Calls. 2 Client/Server Paradigm Common model for structuring distributed computations A server is a program (or collection of programs)

Remote Procedure Calls. 2 Client/Server Paradigm Common model for structuring distributed computations A server is a program (or collection of programs)
.NET Mobile Application Development Remote Procedure Call.

.NET Mobile Application Development Remote Procedure Call.
K. Jamroendararasame*, T. Matsuzaki, T. Suzuki, and T. Tokuda Department of Computer Science, Tokyo Institute of Technology, JAPAN Two Generators of Secure.

K. Jamroendararasame*, T. Matsuzaki, T. Suzuki, and T. Tokuda Department of Computer Science, Tokyo Institute of Technology, JAPAN Two Generators of Secure.
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, 2005 4.1 Operating System Concepts Operating Systems Lecture 12 Communicating over.

Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 12 Communicating over.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Other Topics RPC & Middleware.

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Other Topics RPC & Middleware.
1 Chapter 38 RPC and Middleware. 2 Middleware  Tools to help programmers  Makes client-server programming  Easier  Faster  Makes resulting software.

1 Chapter 38 RPC and Middleware. 2 Middleware  Tools to help programmers  Makes client-server programming  Easier  Faster  Makes resulting software.
Distributed Processing and Client/Server

Distributed Processing and Client/Server
11 September 2008CIS 340 # 1 Topics To examine the variety of approaches to handle the middle- interaction (continued) 1.RPC-based systems 2.TP monitors.

11 September 2008CIS 340 # 1 Topics To examine the variety of approaches to handle the middle- interaction (continued) 1.RPC-based systems 2.TP monitors.
Introduction to Distributed Systems Slides for CSCI 3171 Lectures E. W. Grundke.

Introduction to Distributed Systems Slides for CSCI 3171 Lectures E. W. Grundke.
Advanced Computer Networks Topic 2: Characterization of Distributed Systems.

Advanced Computer Networks Topic 2: Characterization of Distributed Systems.

Similar presentations

Ads by Google