DOI: 10.1145/3460120.3484801
Research article, Open access

Ghost in the Binder: Binder Transaction Redirection Attacks in Android System Services

Published: 13 November 2021

Abstract

Binder, the main mechanism through which Android applications access system services, adopts a client-server role model in its design, treating the system service as the server and the application as the client. However, a growing number of scenarios require the system service to act as a Binder client and send queries to a Binder server that may be instantiated by the application. Building on this possibility of role reversal, this paper proposes the Binder Transaction Redirection (BiTRe) attacks, in which the attacker induces the system service to transact with a customized Binder server and then attacks from that Binder server, a direction that is often left unprotected. We demonstrate the scale of the attack surface by enumerating the Binder interfaces utilizable in BiTRe, and find that the attack surface grows with each Android release. In Android 11, more than 70% of the Binder interfaces are affected by or can be utilized in BiTRe. We prove the attacks' feasibility by (1) constructing a prototype system that automatically generates executable programs reaching a substantial part of the attack surface, and (2) identifying a series of vulnerabilities, which Google acknowledged and assigned ten CVEs.


Cited By

  • (2023) Smartphone Security and Privacy: A Survey on APTs, Sensor-Based Attacks, Side-Channel Attacks, Google Play Attacks, and Defenses. Technologies 11(3):76. DOI: 10.3390/technologies11030076. Online publication date: 12 June 2023.
  • (2023) IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App Analysis. IEEE Transactions on Information Forensics and Security 18:2883-2898. DOI: 10.1109/TIFS.2023.3267666. Online publication date: 1 January 2023.

    Published In

    CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 2021
    3558 pages
    ISBN: 9781450384544
    DOI: 10.1145/3460120

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. android security
    2. mobile security
    3. vulnerability analysis

    Qualifiers

    • Research-article

    Funding Sources

    • Strategic Priority Research Program of Chinese Academy of Sciences
    • Shandong Key Research and Development Program

    Conference

    CCS '21
    CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 15 - 19, 2021
    Virtual Event, Republic of Korea

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 688
    • Downloads (last 6 weeks): 117
    Reflects downloads up to 13 Nov 2024
