{"title":"On Return Oriented Programming Threats in Android Runtime","authors":"Akshaya Venkateswara Raja, Jehyun Lee, Debin Gao","doi":"10.1109/PST.2017.00038","journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"72 4 1","pages":"0"},"publicationDate":"2017-08-01","publicationTypes":"Journal Article","isOpenAccess":false,"citationCount":"0","platform":"Semanticscholar","PeriodicalName":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","ListUrlMain":"https://doi.org/10.1109/PST.2017.00038"}
On Return Oriented Programming Threats in Android Runtime
Android has taken a large share of operating systems for smart devices including smartphones, and has been an attractive target for attackers. The arms race between attackers and defenders typically occurs on two front lines — the latest attacking technology and the latest updates to the operating system (including defense mechanisms deployed). In terms of attacking technology, Return-Oriented Programming (ROP) is one of the most sophisticated attack methods on Android devices. In terms of operating system updates, Android Runtime (ART) was the latest and biggest change to the Android family. In this paper, we investigate the extent to which Android Runtime (ART) makes Return-Oriented Programming (ROP) attacks easier or more difficult. In particular, we show that by updating system libraries and adopting Ahead-of-Time compiling instead of Just-in-Time compiling in the ART architecture, a larger number of, and more diverse, gadgets are disclosed to ROP attackers, which serve as direct ingredients to ROP attacks. We show that between three and six times more gadgets are found on the ART-adopted versions of Android due to the new ART runtime. Moreover, in constrained situations where an attacker requires specific instructions and target registers, Android running ART provides up to 30% more conditional coverage than pre-ART Android does. We additionally demonstrate a sample ROP attack on post-ART Android that would not have been possible on pre-ART Android.