ATTACKING PROPRIETARY
ANDROID VENDOR
CUSTOMIZATIONS
ITALIAN CONFERENCE ON
CYBERSECURITY (ITASEC18)
Roberto Natella (Critiware, Federico II Univ.)
• The Android OS now dominates the global smartphone market
• Dozens of vendors customize the Android Open-Source Project (AOSP) to compete on the market
• Vendor customizations widen the attack surface
Custom system services in three commercial devices (pie charts; the two slices per device are reported as on the slide, the legend was lost in extraction):
• Samsung Galaxy S6 Edge: 69% / 31%
• Huawei P8 Lite: 45% / 55%
• HTC One M9: 28% / 72%
[Figure: the Android stack. Bottom-up: Linux kernel; native daemons and HALs (RILD, GPSD, Camera HAL, Sensors HAL, ...); libraries (Bionic, SQLite); system services (Telephony registry, Location management, Camera, Sensor, Activity/Package management) reached over sockets and binder; the Android Framework API; user apps and stock apps (camera, phone, store, ...)]
[Figure: the same stack with vendor additions highlighted, e.g. an S Pen Gesture service over binder and an S Pen HAL on the Samsung device]
New services and related drivers:
• Mobile personal assistants
• Mobile payments
• User interfaces
• ...
Custom drivers for proprietary hw:
• Phone
• Camera
• ...
ATTACKING PROPRIETARY
ANDROID VENDOR
CUSTOMIZATIONS
1. Android OS fuzz testing
2. Android OS fault injection testing
[Figure: the Android stack with a Fuzzer attached to the vendor system services over binder]
Fuzzing is a security testing technique to identify vulnerable software interfaces, by injecting invalid and unexpected inputs.
Example of a method extracted from a vendor service, com.samsung.android.cocktailbar.ICocktailBarService:

    {
      "name": "updateCocktail",
      "parameters": [
        "java.lang.String",
        "com.samsung.android.cocktailbar.CocktailInfo",
        "int"
      ]
    }

Example values for the three parameters: "string", a CocktailInfo object, 2. Each parameter is fuzzed with strategies chosen by its type:

int:
• Random
• Zero
• One
• Add/sub random eps.
• Max/min value
• ...

Object (e.g., CocktailInfo):
• Null
• New obj with random values
• Fuzz obj fields
• ...

String:
• Random
• Substring
• Truncate
• Replace char
• Very long string
• ...
Black-box fuzzing:
• easy to apply
  • does not look at target's internals
  • uses purely random inputs
• low coverage
  • executes the same code, over and over
  • misses corner cases

White-box fuzzing:
• high coverage
  • generates inputs by looking at target's internals
• hard to apply
  • needs source code, or
  • needs to run on emulated environments

Vendor customizations do not provide source code, and cannot run on a device emulator!
• Chizpurfle is a fuzzing tool designed to run on the actual device and to attack its vendor customizations
  • no need for recompiling the target code
  • no execution on emulated environment
• The tool leverages dynamic binary instrumentation techniques (such as just-in-time code rewriting) to trace coverage
[Figure: the Fuzzer sends fuzz inputs to the actual Android device and receives coverage info back]
Chizpurfle components (all running on the Android device): Seed Manager, Fuzz Input Generator, Method Extractor, System Service Storage, Test Executor, Output Analyzer, Instrumentation Module.
1) Identifies customized services running on the device
2) Executes the target with just-in-time rewriting, to track code coverage
3) Generates new test inputs by mutating the best test inputs from the previous generation
For technical details, see the paper:
“Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations,”
28th IEEE International Symposium on Software Reliability Engineering (Best Paper Award)
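As an added example (not Chizpurfle's code, and not Samsung's), the following Python script puts together the two ideas above: the per-type mutation strategies listed for the updateCocktail parameters and the generation-based loop that re-seeds from the inputs reaching the most code. The target update_cocktail, its CocktailInfo stand-in, the seed input and the two planted defects are all constructed for the example; Python's line tracer stands in for the on-device just-in-time block rewriting.

```python
import random
import sys
from dataclasses import dataclass

# Hypothetical target standing in for a vendor method such as
# updateCocktail(String, CocktailInfo, int). Constructed for this example;
# it hides two defects that the typed mutations can reach.
@dataclass
class CocktailInfo:
    label: str = "default"
    size: int = 1


def update_cocktail(name: str, info: CocktailInfo, count: int) -> str:
    if info is None:                       # defect 1: null object reaches the service
        raise ValueError("null CocktailInfo")
    if count < 0:
        return "rejected"
    if name.startswith("sec") and len(name) > 8:
        if info.size == 0:                 # defect 2: needs a specific field value
            raise ZeroDivisionError("size must be positive")
        return "updated"
    return "ignored"


# --- mutation strategies, one set per parameter type (int, object, string) ---
INT_MAX = 2**31 - 1
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789'\"%;"


def mutate_int(v: int) -> int:
    return random.choice([
        random.randint(-INT_MAX, INT_MAX),     # random
        0, 1,                                  # zero, one
        v + random.randint(-3, 3),             # add/sub random eps.
        INT_MAX, -INT_MAX - 1,                 # max/min value
    ])


def mutate_str(v: str) -> str:
    choices = [
        "".join(random.choices(ALPHABET, k=random.randint(0, 12))),  # random
        v[random.randint(0, len(v)):],                                # substring
        v[: len(v) // 2],                                             # truncate
        "x" * 4096,                                                   # very long string
    ]
    if v:
        i = random.randrange(len(v))
        choices.append(v[:i] + random.choice(ALPHABET) + v[i + 1:])   # replace char
    return random.choice(choices)


def mutate_obj(v):
    r = random.random()
    if r < 0.2:
        return None                                                   # null
    if r < 0.5:
        return CocktailInfo(mutate_str("obj"), mutate_int(0))         # new obj with random values
    base = v if v is not None else CocktailInfo()
    return CocktailInfo(mutate_str(base.label), mutate_int(base.size))  # fuzz obj fields


MUTATORS = {
    "java.lang.String": mutate_str,
    "com.samsung.android.cocktailbar.CocktailInfo": mutate_obj,
    "int": mutate_int,
}
PARAM_TYPES = ["java.lang.String", "com.samsung.android.cocktailbar.CocktailInfo", "int"]
SEED = ("secondary-bar", CocktailInfo("clock", 2), 2)   # constructed seed input


def mutate(args, param_types):
    """Mutate one randomly chosen parameter, picking the mutator by its declared type."""
    args = list(args)
    i = random.randrange(len(args))
    args[i] = MUTATORS[param_types[i]](args[i])
    return tuple(args)


def run_with_coverage(fn, args):
    """Run the target once and record the source lines it executed (the stand-in
    for the basic-block trace produced by the on-device instrumentation)."""
    lines = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is fn.__code__:
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        fn(*args)
        outcome = "OK"
    except Exception as exc:
        outcome = "FAILURE:" + type(exc).__name__
    finally:
        sys.settrace(None)
    return lines, outcome


def fuzz(method, param_types, seed, generations=40, children=8, keep=4, rng_seed=1):
    """Gray-box loop: every generation mutates the previous generation's best inputs
    (those that reached the most new code) and records each distinct failure."""
    random.seed(rng_seed)
    parents = [seed]
    total_cov, failures = set(), {}
    for _ in range(generations):
        scored = []
        for parent in parents:
            for _ in range(children):
                child = mutate(parent, param_types)
                cov, outcome = run_with_coverage(method, child)
                if outcome != "OK":
                    failures.setdefault(outcome, child)
                scored.append((len(cov - total_cov), len(cov), child))
                total_cov |= cov
        scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
        parents = [c for _, _, c in scored[:keep]] + [seed]  # the original seed always survives
    return total_cov, failures


if __name__ == "__main__":
    cov, found = fuzz(update_cocktail, PARAM_TYPES, SEED)
    print(f"{len(cov)} lines covered; failures: {sorted(found)}")
```

The null-object failure is found by a single mutation, while the second defect needs an intact name plus a zeroed object field, which is where keeping the best-covering inputs as the next generation's parents pays off compared with purely random inputs.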
[Figure: Chizpurfle's Instrumentation Module injects a dynamic library into the target process; a Stalker server thread follows the process and, for each block, rewrites the block and reports its address]

Block (before rewriting):
    mov x29, sp
    mov x3, x30
    ldp x29,x30,[sp],16
    stp x29,x30,[sp-16]!
    add x30,x0,#4
    ret
    bl f_label

Block (after rewriting), where each control transfer is replaced by a stub that saves the block address and returns control to the stalker:
    mov x29, sp
    mov x3, x30
    ldp x29,x30,[sp],16
    stp x29,x30,[sp-16]!
    add x30,x0,#4
    save address
    stalk(bl f_label)
    save address
    stalk(ret)
Results on the Samsung Galaxy S6 Edge (Android 7.0 Nougat):
• Chizpurfle detected 2,272 service methods from Samsung customizations
• Chizpurfle performed 34,645 tests on these methods
• Found 9 failures caused by 2 distinct bugs
Bug 1: VoIP service, callInVoIP(String SIPAddress)
• Input strings that include SQL control expressions (such as single quotes) trigger an SQL exception
• The input crashes the phone process, and interrupts any ongoing call
The query built from the input:
    SELECT reject_number FROM reject_num WHERE reject_number='[...a random string with a single quote...]'
Outcome: CRASH
Bug 2: S Pen Gesture service, injectInput(…, android.view.InputEvent[], ...)
• A tricky input to the S Pen Gesture service triggers a fatal error (NullPointerExc.)
• The System Server process fails, causing a reboot of the smartphone
Triggering condition: the android.view.InputEvent array is non-null and non-empty, and at least one of its elements is null
Outcome: REBOOT
• On average, Chizpurfle covers 2.3x more code than black-box testing (within the same time budget)
• Chizpurfle has an average execution slow-down of 11.97x (comparable to other dynamic analysis tools)
ATTACKING PROPRIETARY
ANDROID VENDOR
CUSTOMIZATIONS
1. Android OS fuzz testing
2. Android OS fault injection testing
[Figure: the Android stack, with a lower-layer component (a HAL or native daemon) singled out]
What if it is faulty? (no response; exceptions or errors; slow response; corrupted data/metadata)
Software fault injection is an innovative form of testing that evaluates how components' failures can escalate into system failures.
[Figure: a Fault Injector takes the place of the faulty component in the stack ("What if it is faulty? no response; exceptions or errors; slow response; corrupted data/metadata")]
Desirable behaviour under a fault:
• The user is notified about the problem (not only with a crash, but with an "informative" message)
• The faulty component is disabled, killed or restarted
• The rest of the system "masks" the fault (for example, retry the failed operation)
[Figure: the same stack with the Fault Injector in place of the faulty component]
Undesirable behaviour under a fault:
• The upper services ignore errors from the lower components
• The user gets weird, cryptic notifications (without any clue on the problem)
• The system ignores the failed state of the subsystem
[Figure: the Android stack with LIBHOOK (L.H.) attached to the system services, native daemons and HALs under test; control scripts and data analysis scripts run on a PC]
LIBHOOK injects arbitrary code into Android processes (both C++ and Java-based). The collection of fault injectors emulates the failure of the components:
• Binder injector
• Socket injector
• Library injector
• Syscall injector
• Process injector
• Stress injector
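As an added example of the fault model (no response, slow response, corrupted result) and of the CRASH / ANR / FATAL / OK outcome classes used in the results that follow, the following Python script hooks one function of a constructed camera driver and runs both a naive and a fault-tolerant service against it. This is not LIBHOOK or Critiware code: replacing an attribute on a Python object stands in for in-process binary hooking, the driver and services are made up for the example, and the outcome definitions are this example's reading of the deck's labels.

```python
import threading
import time


class Unavailable(Exception):
    """Raised by a hooked function to emulate a dead component."""


def hook(obj, name: str, fault: str, delay: float = 0.5):
    """Replace obj.<name> with a faulty version. Returns a function that removes the hook."""
    original = getattr(obj, name)

    def faulty(*args, **kwargs):
        if fault == "unavailability":            # no response / exception
            raise Unavailable(f"{name}: component not responding")
        if fault == "timeliness":                # slow response
            time.sleep(delay)
            return original(*args, **kwargs)
        if fault == "corruption":                # corrupted return value, like a bad handle
            result = original(*args, **kwargs)
            return -9 if isinstance(result, int) else result
        return original(*args, **kwargs)         # "none": pass-through

    setattr(obj, name, faulty)
    return lambda: delattr(obj, name)           # the instance attribute shadowed the method


class CameraDriver:
    """Constructed lower-layer component (stand-in for a camera driver/HAL)."""

    def open(self) -> int:
        return 3                                 # a valid file descriptor

    def read(self, fd: int, n: int) -> bytes:
        if fd < 0:
            raise OSError(fd, "bad file descriptor")
        return b"\x00" * n


class NaiveCameraService:
    """Constructed upper-layer service that trusts the driver blindly."""

    def __init__(self, driver):
        self.driver = driver

    def snapshot(self):
        fd = self.driver.open()
        return len(self.driver.read(fd, 16))


class RobustCameraService(NaiveCameraService):
    """Same service, but it contains driver failures instead of propagating them."""

    def snapshot(self):
        try:
            fd = self.driver.open()
            if fd < 0:
                return "ERROR: camera unavailable (bad handle)"
            return len(self.driver.read(fd, 16))
        except (Unavailable, OSError) as exc:
            return f"ERROR: camera unavailable ({exc})"


def run_experiment(operation, budget: float = 0.2) -> str:
    """Run one operation under a time budget and classify the outcome:
    CRASH (uncaught exception), ANR (no answer within budget),
    FATAL (answered, but reports that it cannot do its job), OK."""
    box = {}

    def body():
        try:
            box["result"] = operation()
        except Exception as exc:
            box["error"] = exc

    worker = threading.Thread(target=body, daemon=True)
    worker.start()
    worker.join(budget)
    if worker.is_alive():
        return "ANR"
    if "error" in box:
        return "CRASH"
    if isinstance(box["result"], str) and box["result"].startswith("ERROR"):
        return "FATAL"
    return "OK"


def campaign():
    """Inject each fault into CameraDriver.open for both services; return {(service, fault): outcome}."""
    results = {}
    for service_cls in (NaiveCameraService, RobustCameraService):
        for fault in ("none", "unavailability", "timeliness", "corruption"):
            driver = CameraDriver()
            unhook = hook(driver, "open", fault)
            try:
                results[(service_cls.__name__, fault)] = run_experiment(service_cls(driver).snapshot)
            finally:
                unhook()
    return results


if __name__ == "__main__":
    for key, outcome in campaign().items():
        print(f"{key[0]:<20} {key[1]:<15} {outcome}")
```

The naive service crashes on both the unavailable and the corrupted driver, which is the pattern the Camera results below describe, while the robust one degrades to FATAL; the slow driver stalls both because the call is synchronous, which is the cascade the later recommendation on asynchronous interactions addresses.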
Components under test and fault injection targets:
• RILD daemon (process) + rild socket (IPC) + pppd (process)
• Kernel driver + /dev files
• Phone hardware
• Comparative analysis of three commercial devices (Huawei, Samsung, HTC)
  • Which device experiences the most severe or frequent failures?
  • Which faults (delays, data corruptions, resource leaks, ...) are the most critical?
  • How to mitigate failures (e.g., device freezes, stuck UI, etc.)?
For technical details, see the paper:
"Dependability Assessment of the Android OS Through Fault Injection"
IEEE Transactions on Reliability
• The Huawei device had the highest failure rate
• Most of Camera failures are CRASHes (the system is not able to handle exceptions)
• Most of Phone failures are FATAL errors (the phone appears available, but it is unable to make or receive calls)
[Figure: stacked bar charts (0% to 100%) of failure outcomes CRASH / ANR / FATAL / OK per device (Samsung S6 Edge, Huawei P8, HTC M9) for the CAMERA and PHONE targets]
Phone failure scenario (components: baseband processor, RILD, Phone Services in com.vendor.phone, Telephony Registry, Service Manager):
1. Drop AT messages
2. Crash of the process that hosts phone services
3. The Telephony Registry looks for the Subscription Service (one of the unavailable phone services), but the Service Manager returns an exception because the service is dead.
4. The Telephony Registry does not properly handle the exception and crashes
5. Even if the phone UI is still responsive, the phone is not working (e.g., cannot start a phone call)
Camera failure scenario (components: com.huawei.Camera, Mediaserver, /dev/video*):
1. Inject an erroneous return code from reads on the virtual device file
2. The Mediaserver reports a fatal error "method not yet implemented"
3. The Mediaserver process crashes
4. The stock camera app crashes
[Figure: stacked bar charts (0% to 100%) of CRASH / ANR / FATAL / OK per device (Samsung S6 Edge, Huawei P8, HTC M9) for the SURFACE FLINGER and SYSTEM SERVER targets]
• The System Server and Surface Flinger are critical components of Android OS
• Faults in these targets are likely to cause weird effects on user interactions
• The System UI can get stuck if they are slow or do not respond
©2016 CRITIWARE S.R.L. CONFIDENTIAL AND PROPRIETARY
bind_service timeliness fault (slow response, or no response): the stock camera app hangs, and the System UI does not react to tapping on the "quit activity" button
resolve_intent timeliness fault (slow response, or no response): the System UI is stuck, and does not react to tapping on the "show activities" button
• Injections in the SQLite and Bionic libraries linked to the System Server
• The faults propagated to many apps through unhandled exceptions
• e.g., the Package Manager crashes in the case of corrupted APK metadata
[Figure: stacked bar charts (0% to 100%) of CRASH / ANR / FATAL / OK per device (Samsung S6 Edge, Huawei P8, HTC M9) for the SQLITE and BIONIC targets]
Example: an invalid file handle injected into the System Server (corrupting the return value of Bionic's open):

    I/CorruptionManager( 2966): corrupting Bionic open return value
    W/CorruptionManager( 2966): ints_to_replace is empty, adding defaults
    I/INJEVENT( 2966): INJECTED CORRUPTION
    I/LIBHOOK ( 2966): Bionic Hooks close function
    I/LIBHOOK ( 2966): Bionic Hooks read function (222)
    E/CursorWindow( 2966): ashmem_create_region ashmemFd=-1, result=-9
    E/CursorWindow( 2966): Could not allocate CursorWindow '/data/system/locksettings.db' of size 2097152 due to error -9.
    E/JavaBinder( 2966): *** Uncaught remote exception! (Exceptions are not yet supported across processes.)
    E/JavaBinder( 2966): android.database.CursorWindowAllocationException: Cursor window allocation of 2048 kb failed. # Open Cursors=1 (# cursors opened by this proc=1)
    E/JavaBinder( 2966): at android.database.CursorWindow.<init>(CursorWindow.java:108)
    E/JavaBinder( 2966): at android.database.AbstractWindowedCursor.clearOrCreateWindow(AbstractWindowedCursor.java:198)
    E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.fillWindow(SQLiteCursor.java:139)
    E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.getCount(SQLiteCursor.java:133)
    E/JavaBinder( 2966): at android.database.AbstractCursor.moveToPosition(AbstractCursor.java:197)
    E/JavaBinder( 2966): at android.database.AbstractCursor.moveToFirst(AbstractCursor.java:237)
    E/JavaBinder( 2966): at com.android.server.LockSettingsService.readFromDb(LockSettingsService.java:595)
    E/JavaBinder( 2966): at com.android.server.LockSettingsService.getLong(LockSettingsService.java:258)
    E/JavaBinder( 2966): at com.android.internal.widget.ILockSettings$Stub.onTransact(ILockSettings.java:108)
    E/JavaBinder( 2966): at com.android.server.HwLockSettingsService.onTransact(HwLockSettingsService.java:170)
    E/JavaBinder( 2966): at android.os.Binder.execTransact(Binder.java:446)
    ….

The user cannot unlock the device!
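Reading a trace like the one above by hand is the job of the output analyzer. As an added example (not Critiware's analysis scripts), the following Python script parses logcat lines, locates the injection event, and correlates it with what the same process logged afterwards: the first exception type, the first frame inside the system server where it surfaced, whether it escaped a Binder transaction, and the native-layer errors that preceded it. The sample input is an excerpt of the deck's own logcat slide (with the merged "read function (222)" / "E/CursorWindow" line split back into two).

```python
import re

LOGCAT_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s?(.*)$")
EXCEPTION_RE = re.compile(r"^([\w.$]+(?:Exception|Error))\b")
FRAME_RE = re.compile(r"^at ([\w.$]+)\(")

# Excerpt of the logcat shown on the slide, used here as sample input.
SAMPLE_LOG = """\
I/CorruptionManager( 2966): corrupting Bionic open return value
W/CorruptionManager( 2966): ints_to_replace is empty, adding defaults
I/INJEVENT( 2966): INJECTED CORRUPTION
I/LIBHOOK ( 2966): Bionic Hooks close function
I/LIBHOOK ( 2966): Bionic Hooks read function (222)
E/CursorWindow( 2966): ashmem_create_region ashmemFd=-1, result=-9
E/CursorWindow( 2966): Could not allocate CursorWindow '/data/system/locksettings.db' of size 2097152 due to error -9.
E/JavaBinder( 2966): *** Uncaught remote exception! (Exceptions are not yet supported across processes.)
E/JavaBinder( 2966): android.database.CursorWindowAllocationException: Cursor window allocation of 2048 kb failed. # Open Cursors=1 (# cursors opened by this proc=1)
E/JavaBinder( 2966): at android.database.CursorWindow.<init>(CursorWindow.java:108)
E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.getCount(SQLiteCursor.java:133)
E/JavaBinder( 2966): at com.android.server.LockSettingsService.readFromDb(LockSettingsService.java:595)
E/JavaBinder( 2966): at com.android.server.LockSettingsService.getLong(LockSettingsService.java:258)
E/JavaBinder( 2966): at com.android.internal.widget.ILockSettings$Stub.onTransact(ILockSettings.java:108)
E/JavaBinder( 2966): at android.os.Binder.execTransact(Binder.java:446)
"""


def parse_line(line: str):
    """Split 'LEVEL/tag( pid): message' into its fields; None for anything else."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    level, tag, pid, msg = m.groups()
    return {"level": level, "tag": tag.strip(), "pid": int(pid), "msg": msg.strip()}


def analyze(log_text: str, server_prefix: str = "com.android.server."):
    """Attribute the errors that follow the injection event to the injected process."""
    report = {"pid": None, "fault": None, "exception": None,
              "origin": None, "crossed_binder": False, "native_errors": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if report["pid"] is None:                      # still before the injection event
            if rec["tag"] == "CorruptionManager" and rec["level"] == "I":
                report["fault"] = rec["msg"]           # what the injector changed
            if rec["tag"] == "INJEVENT":
                report["pid"] = rec["pid"]             # only this process is analyzed
            continue
        if rec["pid"] != report["pid"] or rec["level"] != "E":
            continue
        if "Uncaught remote exception" in rec["msg"]:
            report["crossed_binder"] = True
        elif rec["tag"] == "JavaBinder":
            exc = EXCEPTION_RE.match(rec["msg"])
            frame = FRAME_RE.match(rec["msg"])
            if exc and report["exception"] is None:
                report["exception"] = exc.group(1)
            if frame and report["origin"] is None and frame.group(1).startswith(server_prefix):
                report["origin"] = frame.group(1)     # first system-server frame in the trace
        else:
            report["native_errors"].append(f"{rec['tag']}: {rec['msg']}")
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:>15}: {value}")
```

The report ties the corrupted open() return value to the failed ashmem allocation and then to the unhandled CursorWindowAllocationException in LockSettingsService, which is the propagation path that ends with the user unable to unlock the device.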
Summary matrix of the most critical faults per target (an X marks a fault type that caused severe failures in that target; the column placement of the marks was lost in extraction):
Targets: Camera Service; Camera process/Driver; Phone RILD socket; Phone AT channel/Driver; Sensors Service; Sensors process/Driver; SystemServer ActivityManager; SystemServer PackageManager; SurfaceFlinger; Bionic; SQLite
Fault types: Unavailability (8 targets marked); Timeliness (6); Corruption (4); Resource mgmt. (3)

• The Android OS should better handle errors/exceptions returned from lower layers
• When possible, the interactions between Android components should be asynchronous: a stalled component should not stall other components in cascade (e.g., the System UI)
• Protocols inside Android (such as the AT protocol mgmt in RILD) should robustly handle drops and corruptions in the data streams


Editor's Notes

  • #3 The Android OS has become the most popular mobile OS, as it is the foundation of dozens of mobile devices from more than 20 Android vendors (including Samsung, HTC, Huawei, Motorola, Xiaomi, LG, and others). Based on the open-source version of the Android OS, these vendors develop their own proprietary Android OS in order to differentiate from the competition and to make the user experience unique and more enjoyable. For example, vendor customizations include mobile personal assistants, advanced photo enhancements, mobile payments, and so on. Unfortunately, these customizations also introduce new vendor-specific software flaws, thus widening the attack surface of the Android OS and making it more prone to security, reliability and performance issues.