DOI: 10.1145/3081333.3081361
Research article, Public Access

System Service Call-oriented Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation

Published: 16 June 2017

Abstract

Android Application Framework is an integral and foundational part of the Android system. Each of the 1.4 billion Android devices relies on the system services of Android Framework to manage applications and system resources. Given its critical role, a vulnerability in the framework can be exploited to launch large-scale cyber attacks and cause severe harm to user security and privacy. Recently, many vulnerabilities in Android Framework were exposed, showing that it is vulnerable and exploitable. However, most existing research has been limited to analyzing Android applications, and very few techniques and tools have been developed for analyzing Android Framework itself. In particular, to our knowledge, no previous work analyzes the framework through symbolic execution, an approach that has proven very powerful for vulnerability discovery and exploit generation. We design and build the first system, Centaur, that enables symbolic execution of Android Framework. Because of some unique characteristics of the framework, such as its middleware nature and extraordinary complexity, many new challenges arise, and Centaur tackles them. In addition, we demonstrate how the system can be applied to discovering new vulnerability instances, which can be exploited by several recently uncovered attacks against the framework, and to generating PoC exploits.


Cited By

  • (2023) Can a deep learning model for one architecture be used for others? Proceedings of the 32nd USENIX Conference on Security Symposium, 10.5555/3620237.3620648, pp. 7339-7356. Online publication date: 9-Aug-2023
  • (2023) PatchVerif. Proceedings of the 32nd USENIX Conference on Security Symposium, 10.5555/3620237.3620406, pp. 3011-3028. Online publication date: 9-Aug-2023
  • (2023) No More Companion Apps Hacking but One Dongle: Hub-Based Blackbox Fuzzing of IoT Firmware. Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services, 10.1145/3581791.3596857, pp. 205-218. Online publication date: 18-Jun-2023
  • (2022) BofAEG. Security and Communication Networks, 10.1155/2022/1251987. Online publication date: 1-Jan-2022
  • (2022) VenomAttack: automated and adaptive activity hijacking in Android. Frontiers of Computer Science, 10.1007/s11704-021-1126-x, 17:1. Online publication date: 8-Aug-2022
  • (2021) Westworld: Fuzzing-Assisted Remote Dynamic Symbolic Execution of Smart Apps on IoT Cloud Platforms. Proceedings of the 37th Annual Computer Security Applications Conference, 10.1145/3485832.3488022, pp. 982-995. Online publication date: 6-Dec-2021
  • (2021) Ghost in the Binder: Binder Transaction Redirection Attacks in Android System Services. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3460120.3484801, pp. 1581-1597. Online publication date: 12-Nov-2021
  • (2021) Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs. IEEE Transactions on Dependable and Secure Computing, 10.1109/TDSC.2019.2957787, 18:6, pp. 2582-2600. Online publication date: 1-Nov-2021
  • (2020) Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine. Proceedings of the 36th Annual Computer Security Applications Conference, 10.1145/3427228.3427568, pp. 386-400. Online publication date: 7-Dec-2020
  • (2020) Tainting-Assisted and Context-Migrated Symbolic Execution of Android Framework for Vulnerability Discovery and Exploit Generation. IEEE Transactions on Mobile Computing, 10.1109/TMC.2019.2936561, 19:12, pp. 2946-2964. Online publication date: 1-Dec-2020



Published In

MobiSys '17: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services
June 2017
520 pages
ISBN:9781450349284
DOI:10.1145/3081333
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android framework
  2. concolic execution
  3. exploit generation
  4. symbolic execution
  5. vulnerability discovery

Qualifiers

  • Research-article

Conference

MobiSys '17

Acceptance Rates

MobiSys '17 paper acceptance rate: 34 of 188 submissions, 18%
Overall acceptance rate: 274 of 1,679 submissions, 16%

Article Metrics

  • Downloads (Last 12 months)150
  • Downloads (Last 6 weeks)23
Reflects downloads up to 24 Sep 2024

