An Android System Vulnerability Risk Evaluation Method for Heap Overflow

Abstract

Android smart device has become a preferred target for attackers as it carries plenty of private and sensitive information. However, heap overflow vulnerability in Android system gives the opportunity to execute arbitrary malicious code and even steal personal privacy. The existence of such vulnerability makes Android system too weak to defense attacks and protect privacy. It's necessary to evaluate the security risk brought to the system. However, current vulnerability risk evaluation methods mainly focus on predicting the likelihood of exploiting, which is not enough and convictive for system security researcher. In this paper, we propose an Android system vulnerability risk evaluation method for heap overflow. We detect whether the heap overflow vulnerability is existent in current Android system, and then validate the exploitability by crafted input data. The evaluation result is classified into three kinds: inexistent, existent but not exploitable, existent and exploitable. Experiment results prove the effectiveness and indicate a good performance of the method.