{"title":"Towards Analyzing the Input Validation Vulnerabilities associated with Android System Services","authors":"Chen Cao, Neng Gao, Peng Liu, Ji Xiang","doi":"10.1145/2818000.2818033","DOIUrl":null,"url":null,"abstract":"Although the input validation vulnerabilities play a critical role in web application security, such vulnerabilities are so far largely neglected in the Android security research community. We found that due to the unique Framework Code layer, Android devices do need specific input validation vulnerability analysis in system services. In this work, we take the first steps to analyze Android specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services. b) We developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending requests with malformed arguments to them. Through comprehensive evaluation of Android system with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. 
We have reported all the issues to Google and Google has confirmed them.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"109 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"43","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 31st Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2818000.2818033","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 43
Abstract
Although the input validation vulnerabilities play a critical role in web application security, such vulnerabilities are so far largely neglected in the Android security research community. We found that due to the unique Framework Code layer, Android devices do need specific input validation vulnerability analysis in system services. In this work, we take the first steps to analyze Android specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services. b) We developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending requests with malformed arguments to them. Through comprehensive evaluation of Android system with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google and Google has confirmed them.