Trust, But Verify: A Longitudinal Analysis Of Android OEM Compliance and Customization

Andrea Possemato, Simone Aonzo, D. Balzarotti, Y. Fratantonio
{"title":"Trust, But Verify: A Longitudinal Analysis Of Android OEM Compliance and Customization","authors":"Andrea Possemato, Simone Aonzo, D. Balzarotti, Y. Fratantonio","doi":"10.1109/SP40001.2021.00074","DOIUrl":null,"url":null,"abstract":"Nowadays, more than two billions of mobile devices run Android OS. At the core of this success are the open source nature of the Android Open Source Project and vendors’ ability to customize the code base and ship it on their own devices. While the possibility of customizations is beneficial to vendors, they can potentially lead to compatibility and security problems. To prevent these problems, Google developed a set of requirements that must be satisfied for a vendor to brand its devices as \"Android,\" and recently introduced Project Treble as an effort to partition vendor customizations. These requirements are encoded as part of a textual document (called Compatibility Definition Document, or CDD) and various automated tests. This paper performs the first longitudinal study on Android OEM customizations. We first built a dataset of 2,907 ROMs, spanning across 42 different vendors, and covering Android versions from 1.6 to 9.0 (years 2009–2020). We then developed an analysis framework and pipeline to extract each ROM’s customization layers and evaluate it across several metrics. For example, we analyze ROMs to determine whether they are compliant with respect to the various requirements and whether their customizations negatively affect the security posture of the overall device. In the process, we focus on various aspects, ranging from security hardening of binaries, SELinux policies, Android init scripts, and kernel security hardening techniques. Our results are worrisome. We found 579 over 2,907 (~20%) of the ROMs have at least one violation for the CDD related to their Android version — incredibly, 11 of them are branded by Google itself. Some of our findings suggest that vendors often go out of their way to bypass or \"comment out\" safety nets added by the Android security team. In other cases, we found ROMs that modify init scripts to launch at boot outdated versions (with known CVEs and public POCs) of programs as root and reachable from a remote attacker (e.g., tcpdump ). This paper shows that Google’s efforts are not enough, and we offer several recommendations on how to improve the compliance check pipelines.","PeriodicalId":6786,"journal":{"name":"2021 IEEE Symposium on Security and Privacy (SP)","volume":"18 1","pages":"87-102"},"PeriodicalIF":0.0000,"publicationDate":"2021-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40001.2021.00074","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 9

Abstract

Nowadays, more than two billions of mobile devices run Android OS. At the core of this success are the open source nature of the Android Open Source Project and vendors’ ability to customize the code base and ship it on their own devices. While the possibility of customizations is beneficial to vendors, they can potentially lead to compatibility and security problems. To prevent these problems, Google developed a set of requirements that must be satisfied for a vendor to brand its devices as "Android," and recently introduced Project Treble as an effort to partition vendor customizations. These requirements are encoded as part of a textual document (called Compatibility Definition Document, or CDD) and various automated tests. This paper performs the first longitudinal study on Android OEM customizations. We first built a dataset of 2,907 ROMs, spanning across 42 different vendors, and covering Android versions from 1.6 to 9.0 (years 2009–2020). We then developed an analysis framework and pipeline to extract each ROM’s customization layers and evaluate it across several metrics. For example, we analyze ROMs to determine whether they are compliant with respect to the various requirements and whether their customizations negatively affect the security posture of the overall device. In the process, we focus on various aspects, ranging from security hardening of binaries, SELinux policies, Android init scripts, and kernel security hardening techniques. Our results are worrisome. We found 579 over 2,907 (~20%) of the ROMs have at least one violation for the CDD related to their Android version — incredibly, 11 of them are branded by Google itself. Some of our findings suggest that vendors often go out of their way to bypass or "comment out" safety nets added by the Android security team. In other cases, we found ROMs that modify init scripts to launch at boot outdated versions (with known CVEs and public POCs) of programs as root and reachable from a remote attacker (e.g., tcpdump ). This paper shows that Google’s efforts are not enough, and we offer several recommendations on how to improve the compliance check pipelines.
信任,但要验证:Android OEM合规和定制的纵向分析
如今,超过20亿的移动设备运行Android操作系统。这一成功的核心是Android开源项目的开源特性,以及供应商定制代码库并将其发布到自己的设备上的能力。虽然自定义的可能性对供应商是有益的,但它们可能会导致兼容性和安全性问题。为了防止这些问题,谷歌制定了一套要求,供应商必须满足这些要求才能将其设备标记为“Android”,并且最近推出了Project Treble,作为对供应商定制进行分区的努力。这些需求被编码为文本文档(称为兼容性定义文档,或CDD)和各种自动化测试的一部分。本文首次对Android OEM定制进行了纵向研究。我们首先构建了一个包含2,907个rom的数据集,涵盖了42个不同的供应商,涵盖了从1.6到9.0(2009-2020年)的Android版本。然后,我们开发了一个分析框架和管道来提取每个ROM的定制层,并跨几个指标对其进行评估。例如,我们分析rom以确定它们是否符合各种需求,以及它们的定制是否对整个设备的安全状态产生负面影响。在这个过程中,我们将关注各个方面,包括二进制文件的安全加固、SELinux策略、Android init脚本和内核安全加固技术。我们的结果令人担忧。我们发现,在2907个(约20%)的rom中,有579个至少有一个与Android版本相关的CDD违规,令人难以置信的是,其中11个是谷歌自己的品牌。我们的一些发现表明,供应商经常绕过或“评论”Android安全团队添加的安全网。在其他情况下,我们发现修改初始化脚本的rom在引导时以root身份启动过时版本的程序(具有已知的cve和公共poc),并且可以从远程攻击者(例如tcpdump)访问。本文表明Google的努力是不够的,我们提供了一些关于如何改进遵从性检查管道的建议。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信