ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS
ITALIAN CONFERENCE ON CYBERSECURITY (ITASEC18)
Roberto Natella (Critiware, Federico II Univ.)
• The Android OS now dominates the global smartphone market
• Dozens of vendors customize the Android Open-Source Project (AOSP) to compete on the market
• Vendor customizations widen the attack surface
[Chart: Custom system services in three commercial devices. Samsung Galaxy S6 Edge: 69% / 31%; Huawei P8 Lite: 45% / 55%; HTC One M9: 28% / 72%]
[Figure: layered Android architecture. Linux kernel; native daemons and HALs (RILD, GPSD, Camera HAL, Sensors HAL, ...); native libraries (Bionic, SQLite, socket libs); system services reached over binder (Telephony registry, Location management, Camera, Sensor, Activity/Package management, ...); Android Framework API; user apps and stock apps (camera, phone, store, ...). Vendor customizations add new services and HALs to this stack, e.g. Samsung's S Pen Gesture service and S Pen HAL.]
New services and related drivers:
• Mobile personal assistants
• Mobile payments
• User interfaces
• ...
Custom drivers for proprietary hw:
• Phone
• Camera
• ...
ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS
1. Android OS fuzz testing
2. Android OS fault injection testing
[Figure: the Android architecture diagram above, with a Fuzzer component targeting the vendor customizations.]
Fuzzing is a security testing technique to identify vulnerable software interfaces, by injecting invalid and unexpected inputs.
Method descriptor extracted from a Samsung service:

com.samsung.android.cocktailbar.ICocktailBarService
{
  "name": "updateCocktail",
  "parameters": [
    "java.lang.String",
    "com.samsung.android.cocktailbar.CocktailInfo",
    "int"
  ]
}

Example call: updateCocktail("string", a CocktailInfo object, 2). Each parameter is mutated with the operators for its type:

int (e.g. 2):
• Random
• Zero
• One
• Add/sub random eps.
• Max/min value
• ...

Object (a CocktailInfo object):
• Null
• New obj with random values
• Fuzz obj fields
• ...

String ("string"):
• Random
• Substring
• Truncate
• Replace char
• Very long string
• ...
Black-box fuzzing:
• easy to apply: does not look at the target's internals; uses purely random inputs
• low coverage: executes the same code over and over; misses corner cases
White-box fuzzing:
• high coverage: generates inputs by looking at the target's internals
• hard to apply: needs source code, or needs to run on emulated environments
Vendor customizations do not provide source code, and cannot run on a device emulator!
• Chizpurfle is a fuzzing tool designed to run on the actual device and to attack its vendor customizations
  • no need for recompiling the target code
  • no execution on an emulated environment
• The tool leverages dynamic binary instrumentation techniques (such as just-in-time code rewriting) to trace coverage
[Figure: the Fuzzer sends fuzz inputs to the actual Android device and receives coverage info back.]
[Figure: Chizpurfle architecture on the Android device: Seed Manager, Fuzz Input Generator, Method Extractor, System Service Storage, Test Executor, Output Analyzer, Instrumentation Module.]
1) Identifies customized services running on the device
2) Executes the target with just-in-time rewriting, to track code coverage
3) Generates new test inputs by mutating the best test inputs from the previous generation
For technical details, see the paper: "Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations," 28th IEEE International Symposium on Software Reliability Engineering (Best Paper Award)
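As an added example (not Chizpurfle's own code), the mutation operators listed above for int, String and object parameters and the generation-based step 3, in Python. The fields of CocktailInfo, the toy target and its basic-block ids are constructed stand-ins, since the slides do not show them.

```python
"""Added example (not Chizpurfle's own code): the per-type mutation operators from
the slides and the generation-based search that keeps the best-covering inputs."""
import random
from dataclasses import dataclass, replace
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Tuple

INT_MAX, INT_MIN = 2**31 - 1, -(2**31)  # range of a Java int

@dataclass
class CocktailInfo:
    """Constructed stand-in for com.samsung.android.cocktailbar.CocktailInfo
    (the real class's fields are not shown on the slides)."""
    label: str
    priority: int

def make_rng(seed: int) -> random.Random:
    return random.Random(seed)  # seeded so that a run is reproducible

def mutate_int(value: int, rng: random.Random) -> int:
    """int mutators: random, zero, one, add/sub random eps., max/min value."""
    op = rng.choice(["random", "zero", "one", "eps", "max", "min"])
    if op == "random":
        return rng.randint(INT_MIN, INT_MAX)
    if op == "eps":  # small perturbation, clamped to the Java int range
        eps = rng.choice([-1, 1]) * rng.randint(1, 16)
        return max(INT_MIN, min(INT_MAX, value + eps))
    return {"zero": 0, "one": 1, "max": INT_MAX, "min": INT_MIN}[op]

def mutate_string(value: str, rng: random.Random) -> str:
    """String mutators: random, substring, truncate, replace char, very long string."""
    op = rng.choice(["random", "substring", "truncate", "replace", "long"])
    if op == "random":
        return "".join(chr(rng.randint(32, 126)) for _ in range(rng.randint(0, 32)))
    if op == "substring" and value:
        i = rng.randrange(len(value))
        return value[i:rng.randint(i + 1, len(value))]
    if op == "truncate":
        return value[: rng.randint(0, len(value))]
    if op == "replace" and value:
        i = rng.randrange(len(value))
        return value[:i] + chr(rng.randint(32, 126)) + value[i + 1:]
    return value + "A" * 65536  # "very long string"

def mutate_object(value: Optional[CocktailInfo], rng: random.Random) -> Optional[CocktailInfo]:
    """Object mutators: null, new object with random values, fuzz one of its fields."""
    op = rng.choice(["null", "new", "fields"])
    if op == "null":
        return None
    if op == "new" or value is None:
        return CocktailInfo(mutate_string("", rng), mutate_int(0, rng))
    if rng.random() < 0.5:
        return replace(value, label=mutate_string(value.label, rng))
    return replace(value, priority=mutate_int(value.priority, rng))

# Java parameter types exactly as they appear in the extracted ICocktailBarService descriptor.
MUTATORS: Dict[str, Callable[[Any, random.Random], Any]] = {
    "int": mutate_int,
    "java.lang.String": mutate_string,
    "com.samsung.android.cocktailbar.CocktailInfo": mutate_object,
}
UPDATE_COCKTAIL_PARAMS = ["java.lang.String", "com.samsung.android.cocktailbar.CocktailInfo", "int"]

def mutate_args(args: Tuple, param_types: List[str], rng: random.Random) -> Tuple:
    """Mutate one randomly chosen parameter with the mutator for its Java type."""
    i = rng.randrange(len(args))
    new = list(args)
    new[i] = MUTATORS[param_types[i]](args[i], rng)
    return tuple(new)

def toy_update_cocktail(name: str, info: Optional[CocktailInfo], n: int) -> FrozenSet[int]:
    """Constructed stand-in for the target method: returns the ids of the basic blocks
    it executed, i.e. the coverage info the instrumentation module would report."""
    checks = [name == "", len(name) > 1024, info is None, info is not None and info.priority < 0, n < 0]
    return frozenset([0] + [i + 1 for i, hit in enumerate(checks) if hit])

def evolve(seed, param_types, target, rng, generations=20, population=8, keep=2):
    """Each generation mutates the best inputs of the previous one (ranked by number
    of blocks covered) and returns the best (input, coverage) pair seen overall."""
    parents, best = [seed], (seed, target(*seed))
    for _ in range(generations):
        children = [mutate_args(rng.choice(parents), param_types, rng) for _ in range(population)]
        scored = sorted(((c, target(*c)) for c in children), key=lambda p: len(p[1]), reverse=True)
        parents = [c for c, _ in scored[:keep]]
        if len(scored[0][1]) > len(best[1]):
            best = scored[0]
    return best

def run_demo(rng_seed: int = 7):
    seed = ("string", CocktailInfo("demo", 2), 2)  # the slides' example call
    return evolve(seed, UPDATE_COCKTAIL_PARAMS, toy_update_cocktail, make_rng(rng_seed))

if __name__ == "__main__":
    (name, info, n), cov = run_demo()
    print(f"blocks covered: {sorted(cov)}; len(name)={len(name)}, info={info is not None}, n={n}")
```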
[Figure: the instrumentation module. The Chizpurfle process's Instrumentation Module injects a dynamic library into the target process, which starts a Stalker server thread; the module asks it to follow the target thread, and for each basic block the Stalker rewrites the block and reports its address.]
Block (before rewriting):
    mov x29, sp
    mov x3, x30
    ldp x29, x30, [sp], #16
    stp x29, x30, [sp, #-16]!
    add x30, x0, #4
    ret
    bl f_label
Block (after rewriting):
    mov x29, sp
    mov x3, x30
    ldp x29, x30, [sp], #16
    stp x29, x30, [sp, #-16]!
    add x30, x0, #4
    save address
    stalk (bl f_label)
    save address
    stalk (ret)
Results on a Samsung Galaxy S6 Edge (Android 7.0 Nougat):
• Chizpurfle detected 2,272 service methods from Samsung customizations
• Chizpurfle performed 34,645 tests on these methods
• Found 9 failures caused by 2 distinct bugs
VOIP SERVICE, method callInVoIP(String SIPAddress)
• Input strings that include SQL control expressions (such as single quotes) trigger an SQL exception
• The input crashes the phone process, and interrupts any ongoing call
Query built from the input:
SELECT reject_number FROM reject_num WHERE reject_number='[...a random string with a single quote...]'
→ CRASH
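An added example (not the vendor's code): the reject-number lookup rebuilt on Python's sqlite3 to show why a quoted input raises an SQL exception, next to a parameterized lookup and a caller that contains the error instead of letting it kill the process. The table contents are constructed, and the string concatenation is assumed from the query shown above.

```python
"""Added example (not the vendor's code): the VoIP service's reject-number lookup
reproduced with sqlite3, beside a parameterized version and an error-containing caller."""
import sqlite3

def open_reject_db() -> sqlite3.Connection:
    """In-memory stand-in for the table queried by callInVoIP; table and column names
    come from the query on the slide, the rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reject_num (reject_number TEXT)")
    db.executemany("INSERT INTO reject_num VALUES (?)",
                   [("sip:spam@example.invalid",), ("sip:blocked@example.invalid",)])
    return db

def is_rejected_concat(db: sqlite3.Connection, sip_address: str) -> bool:
    """Builds the query by string concatenation, as the slide's query suggests.
    A single quote in the fuzzed input breaks the SQL syntax and raises an exception;
    in the phone process that exception went unhandled and crashed it."""
    query = "SELECT reject_number FROM reject_num WHERE reject_number='" + sip_address + "'"
    return db.execute(query).fetchone() is not None

def is_rejected_param(db: sqlite3.Connection, sip_address: str) -> bool:
    """Hardened lookup: the input is bound as a parameter, so it is never parsed as SQL."""
    row = db.execute("SELECT reject_number FROM reject_num WHERE reject_number=?",
                     (sip_address,)).fetchone()
    return row is not None

def call_in_voip(db: sqlite3.Connection, sip_address: str, lookup=is_rejected_param) -> str:
    """Stand-in for the service entry point: database errors are caught here so that
    one bad input cannot take the whole phone process (and any ongoing call) down."""
    try:
        return "rejected" if lookup(db, sip_address) else "dialing"
    except sqlite3.Error as exc:  # report the failure instead of crashing the process
        return f"error: {exc}"

def demo() -> dict:
    """Runs both lookups on a normal address and on a constructed quoted fuzz input."""
    db = open_reject_db()
    fuzzed = "sip:x'y@example.invalid"  # constructed fuzz input containing a single quote
    results = {
        "concat_raises": False,
        "param_normal": is_rejected_param(db, "sip:spam@example.invalid"),
        "param_fuzzed": is_rejected_param(db, fuzzed),
        "concat_wrapped": call_in_voip(db, fuzzed, lookup=is_rejected_concat),
    }
    try:
        is_rejected_concat(db, fuzzed)
    except sqlite3.OperationalError:  # the "SQL exception" from the slide
        results["concat_raises"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```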
SPENGESTURE SERVICE, method injectInput(…, android.view.InputEvent[], ...)
• A tricky input to the S Pen Gesture service triggers a fatal error (NullPointerExc.)
• The System Server process fails, causing a reboot of the smartphone
Triggering input: the android.view.InputEvent array is non-null and non-empty, and at least one of its elements is null
→ REBOOT
• On average, Chizpurfle covers 2.3x more code than black-box testing (within the same time budget)
• Chizpurfle has an average execution slow-down of 11.97x (comparable to other dynamic analysis tools)
ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS
1. Android OS fuzz testing
2. Android OS fault injection testing
[Figure: the Android architecture diagram above, with the question "What if it is faulty?" (no response; exceptions or errors; slow response; corrupted data/metadata) pointing at one of its components.]
Software fault injection is an innovative form of testing that evaluates how components' failures can escalate into system failures.
[Figure: the architecture diagram with a Fault Injector attached to a component: What if it is faulty? (no response; exceptions or errors; slow response; corrupted data/metadata)]
What should happen:
• The user is notified about the problem (not only with a crash, but with an "informative" message)
• The faulty component is disabled, killed or restarted
• The rest of the system "masks" the fault (for example, retry the failed operation)
What actually happens:
• The upper services ignore errors from the lower components
• The user gets weird, cryptic notifications (without any clue on the problem)
• The system ignores the failed state of the subsystem
[Figure: the architecture diagram with LIBHOOK (L.H.) instances attached to the components under test.]
LIBHOOK injects arbitrary code into Android processes (both C++ and Java-based). The collection of fault injectors emulates the failure of the components:
• Binder injector
• Socket injector
• Library injector
• Syscall injector
• Process injector
• Stress injector
Control scripts and data analysis scripts run on a PC.
Fault injection targets:
• RILD daemon (process) + rild socket (IPC) + pppd (process)
• Kernel driver + /dev files
• Phone hardware
• Comparative analysis of three commercial devices (Huawei, Samsung, HTC)
  • Which device experiences the most severe or frequent failures?
  • Which faults (delays, data corruptions, resource leaks, ...) are the most critical?
  • How to mitigate failures (e.g., device freezes, stuck UI, etc.)?
For technical details, see the paper: "Dependability Assessment of the Android OS Through Fault Injection," IEEE Transactions on Reliability
• The Huawei device had the highest failure rate
• Most Camera failures are CRASHes (the system is not able to handle exceptions)
• Most Phone failures are FATAL errors (the phone appears available, but it is unable to make or receive calls)
[Charts: distribution of outcomes (CRASH, ANR, FATAL, OK) per device (Samsung S6 Edge, Huawei P8, HTC M9) for the CAMERA and PHONE targets; y axis 0-100%.]
[Figure: PHONE failure scenario: baseband processor → RILD → Phone Services (com.vendor.phone) → Telephony Registry, with the Service Manager.]
1. Drop AT messages
2. Crash of the process that hosts phone services
3. The Telephony Registry looks for the Subscription Service (one of the unavailable phone services), but the Service Manager returns an exception because the service is dead.
4. The Telephony Registry does not properly handle the exception and crashes
5. Even if the phone UI is still responsive, the phone is not working (e.g., cannot start a phone call)
[Figure: CAMERA failure scenario: /dev/video* → Mediaserver → com.huawei.Camera.]
1. Inject an erroneous return code from reads on the virtual device file
2. The Mediaserver reports a fatal error "method not yet implemented"
3. The Mediaserver process crashes
4. The stock camera app crashes
[Charts: distribution of outcomes (CRASH, ANR, FATAL, OK) per device (Samsung S6 Edge, Huawei P8, HTC M9) for the SURFACE FLINGER and SYSTEM SERVER targets; y axis 0-100%.]
• The System Server and Surface Flinger are critical components of the Android OS
• Faults in these targets are likely to cause weird effects on user interactions
• The System UI can get stuck if they are slow or do not respond
©2016 CRITIWARE S.R.L. CONFIDENTIAL AND PROPRIETARY
bind_service timeliness fault (slow response, or no response): the stock camera app hangs, and the System UI does not react to tapping on the "quit activity" button
resolve_intent timeliness fault (slow response, or no response): the System UI is stuck, and does not react to tapping on the "show activities" button
• Injections in the SQLite and Bionic libraries linked to the System Server
• The faults propagated to many apps through unhandled exceptions
  • e.g., the Package Manager crashes in the case of corrupted APK metadata
[Charts: distribution of outcomes (CRASH, ANR, FATAL, OK) per device (Samsung S6 Edge, Huawei P8, HTC M9) for the SQLITE and BIONIC targets; y axis 0-100%.]
Example: an invalid file handle injected as the return value of Bionic's open in the System Server:

I/CorruptionManager( 2966): corrupting Bionic open return value
W/CorruptionManager( 2966): ints_to_replace is empty, adding defaults
I/INJEVENT( 2966): INJECTED CORRUPTION
I/LIBHOOK ( 2966): Bionic Hooks close function
I/LIBHOOK ( 2966): Bionic Hooks read function (222)
E/CursorWindow( 2966): ashmem_create_region ashmemFd=-1, result=-9
E/CursorWindow( 2966): Could not allocate CursorWindow '/data/system/locksettings.db' of size 2097152 due to error -9.
E/JavaBinder( 2966): *** Uncaught remote exception! (Exceptions are not yet supported across processes.)
E/JavaBinder( 2966): android.database.CursorWindowAllocationException: Cursor window allocation of 2048 kb failed. # Open Cursors=1 (# cursors opened by this proc=1)
E/JavaBinder( 2966): at android.database.CursorWindow.<init>(CursorWindow.java:108)
E/JavaBinder( 2966): at android.database.AbstractWindowedCursor.clearOrCreateWindow(AbstractWindowedCursor.java:198)
E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.fillWindow(SQLiteCursor.java:139)
E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.getCount(SQLiteCursor.java:133)
E/JavaBinder( 2966): at android.database.AbstractCursor.moveToPosition(AbstractCursor.java:197)
E/JavaBinder( 2966): at android.database.AbstractCursor.moveToFirst(AbstractCursor.java:237)
E/JavaBinder( 2966): at com.android.server.LockSettingsService.readFromDb(LockSettingsService.java:595)
E/JavaBinder( 2966): at com.android.server.LockSettingsService.getLong(LockSettingsService.java:258)
E/JavaBinder( 2966): at com.android.internal.widget.ILockSettings$Stub.onTransact(ILockSettings.java:108)
E/JavaBinder( 2966): at com.android.server.HwLockSettingsService.onTransact(HwLockSettingsService.java:170)
E/JavaBinder( 2966): at android.os.Binder.execTransact(Binder.java:446)
.... The user cannot unlock the device!
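Added example (not the authors' analysis scripts): an output analyzer in Python that classifies a logcat excerpt from one fault-injection run into the CRASH/ANR/OK outcome classes used in the charts, linking the failure to the INJEVENT record. The crash and ANR markers are assumed standard logcat patterns; the sample lines are taken from the excerpt above, plus two constructed runs.

```python
"""Added example (not the authors' analysis scripts): classify the logcat of one
fault-injection run into the outcome classes used in the slides' charts."""
import re
from typing import Dict, List, Optional

# logcat "brief" format: <level>/<tag>( <pid>): <message>
LOGCAT_RE = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$")
# Assumed heuristics: standard logcat markers of a process crash and of an ANR.
CRASH_MARKERS = ("Uncaught remote exception", "FATAL EXCEPTION", "Fatal signal")
ANR_MARKER = "ANR in "
EXCEPTION_RE = re.compile(r"\b([A-Za-z_][\w.]*(?:Exception|Error))\b")

# Lines taken from the excerpt above (System Server, pid 2966, corrupted Bionic open).
SAMPLE_LOG = """\
I/CorruptionManager( 2966): corrupting Bionic open return value
I/INJEVENT( 2966): INJECTED CORRUPTION
I/LIBHOOK ( 2966): Bionic Hooks read function (222)
E/CursorWindow( 2966): ashmem_create_region ashmemFd=-1, result=-9
E/CursorWindow( 2966): Could not allocate CursorWindow '/data/system/locksettings.db' of size 2097152 due to error -9.
E/JavaBinder( 2966): *** Uncaught remote exception! (Exceptions are not yet supported across processes.)
E/JavaBinder( 2966): android.database.CursorWindowAllocationException: Cursor window allocation of 2048 kb failed.
E/JavaBinder( 2966): at com.android.server.LockSettingsService.readFromDb(LockSettingsService.java:595)
""".splitlines()
# Constructed runs: one with no visible effect, one where the injection leads to an ANR.
CLEAN_LOG = ["I/INJEVENT( 2966): INJECTED CORRUPTION", "I/LIBHOOK ( 2966): Bionic Hooks close function"]
ANR_LOG = ["I/INJEVENT( 1234): INJECTED TIMELINESS", "E/ActivityManager(  900): ANR in com.example.camera"]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one logcat line into level, tag, pid and message (None if it is not logcat)."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None

def classify_run(log_lines: List[str]) -> Dict[str, object]:
    """Outcome of one run: CRASH if a crash marker follows the INJEVENT record, ANR if an
    ANR is logged after it, otherwise OK. FATAL (device up, function broken, as with the
    phone failures above) is not visible in logcat; it needs the workload's own
    functional check, so this analyzer never reports it."""
    result = {"injected": False, "pid": None, "outcome": "OK", "exception": None}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"] == "INJEVENT" and "INJECTED" in rec["msg"]:
            result["injected"], result["pid"] = True, int(rec["pid"])
            continue
        if not result["injected"]:
            continue  # only failures logged after the injection count as its effect
        if any(marker in rec["msg"] for marker in CRASH_MARKERS):
            result["outcome"] = "CRASH"
        elif ANR_MARKER in rec["msg"] and result["outcome"] == "OK":
            result["outcome"] = "ANR"
        if result["exception"] is None and rec["level"] == "E":
            m = EXCEPTION_RE.search(rec["msg"])  # first exception class named after the injection
            if m:
                result["exception"] = m.group(1)
    return result

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG), ("anr", ANR_LOG)):
        print(name, classify_run(log))
```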
[Table: injected fault types per target. Targets: Camera Service (camera process, driver); Phone (RILD socket); Phone (AT channel, driver); Sensors Service (sensors process, driver); SystemServer ActivityManager; SystemServer PackageManager; SurfaceFlinger; Bionic; SQLite. Fault types: Unavailability, Timeliness, Corruption, Resource mgmt.; an X marks the targets where each fault type was injected (8 targets for Unavailability, 6 for Timeliness, 4 for Corruption, 3 for Resource mgmt.).]
Lessons learned:
• The Android OS should better handle errors/exceptions returned from lower layers
• When possible, the interactions between Android components should be asynchronous: a stalled component should not stall other components in cascade (e.g., the System UI)
• Protocols inside Android (such as the AT protocol mgmt in RILD) should robustly handle drops and corruptions in the data streams

Globus
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 

Recently uploaded (20)

Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 

Attacking Proprietary Android Vendor Customizations

  • 1. ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS. ITALIAN CONFERENCE ON CYBERSECURITY (ITASEC18). Roberto Natella (Critiware, Federico II Univ.)
  • 2.
    - The Android OS now dominates the global smartphone market
    - Dozens of vendors customize the Android Open-Source Project (AOSP) to compete on the market
    - Vendor customizations widen the attack surface
  • 3. Custom system services in three commercial devices (charts): Samsung Galaxy S6 Edge 69% / 31%; Huawei P8 Lite 45% / 55%; HTC One M9 28% / 72%
  • 4. [Diagram: the Android software stack. Linux kernel; RILD, GPSD, Camera HAL and Sensors HAL; the Bionic and SQLite libraries; system services (Telephony registry service, Location management service, Camera service, Sensor service, Activity/Package/... Management) reached over binder and sockets; user apps and stock apps (camera, phone, store, ...) on top of the Android Framework API]
  • 5. [Diagram: the same stack with vendor additions, e.g. an S Pen Gesture service and an S Pen HAL] New services and related drivers: mobile personal assistants, mobile payments, user interfaces, ... Custom drivers for proprietary hardware: phone, camera, ...
  • 6. ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS. 1. Android OS fuzz testing. 2. Android OS fault injection testing
  • 7. [Diagram: a Fuzzer attached to the system services of the stack] Fuzzing is a security testing technique to identify vulnerable software interfaces, by injecting invalid and unexpected inputs
  • 8. Example target: com.samsung.android.cocktailbar.ICocktailBarService, method { "name": "updateCocktail", "parameters": [ "java.lang.String", "com.samsung.android.cocktailbar.CocktailInfo", "int" ] }. A seed call passes "string", a CocktailInfo object and 2. Mutations applied per parameter type:
    - int: random; zero; one; add/sub random eps.; max/min value; ...
    - object: null; new obj with random values; fuzz obj fields; ...
    - String: random; substring; truncate; replace char; very long string; ...
  • 9. Black-box fuzzing: easy to apply (does not look at the target's internals; uses purely random inputs), but low coverage (executes the same code over and over; misses corner cases). White-box fuzzing: high coverage (generates inputs by looking at the target's internals), but hard to apply (needs source code, or needs to run on emulated environments). Vendor customizations do not provide source code, and cannot run on a device emulator!
  • 10.
    - Chizpurfle is a fuzzing tool designed to run on the actual device and to attack its vendor customizations: no need for recompiling the target code; no execution on an emulated environment
    - The tool leverages dynamic binary instrumentation techniques (such as just-in-time code rewriting) to trace coverage
    [Diagram: the Fuzzer sends fuzz inputs to, and receives coverage info from, the actual Android device]
  • 11. [Diagram: Chizpurfle components: seed manager, fuzz input generator, method extractor, system service storage, test executor, output analyzer, and an instrumentation module (Android device)] 1) Identifies customized services running on the device. 2) Executes the target with just-in-time rewriting, to track code coverage. 3) Generates new test inputs by mutating the best test inputs from the previous generation. For technical details, see the paper: "Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations," 28th IEEE International Symposium on Software Reliability Engineering (Best Paper Award)
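The two mechanisms described on slides 8 and 11, type-directed mutation of a service method's parameters and a coverage-guided generation loop, as an added example in Python. This is not Chizpurfle's code: the CocktailInfo class is a constructed stand-in with assumed fields, the update_cocktail target is a constructed service method that records the "basic blocks" it executes in a set (standing in for the coverage the instrumentation module collects), and the block labels are invented. The mutators follow the per-type strategies listed on slide 8; the loop keeps as parents only the inputs that reached blocks never seen before, which is the selection rule stated on slide 11.

```python
import random
from dataclasses import dataclass

MAX_INT, MIN_INT = 2**31 - 1, -2**31                     # Java int bounds carried by a Binder "int"
INTERESTING_CHARS = ["'", '"', "%", "\\", ";", "\x00"]   # characters that often matter to a parser or query


@dataclass
class CocktailInfo:
    """Constructed stand-in for com.samsung.android.cocktailbar.CocktailInfo (fields are assumed)."""
    provider: str = "com.example.provider"
    version: int = 1


# --- one mutator per declared parameter type, implementing the strategies listed on slide 8 ---
def mutate_int(v, rng):
    pick = rng.randrange(5)
    if pick == 0:
        return rng.randint(MIN_INT, MAX_INT)                  # random
    if pick == 1:
        return 0                                              # zero
    if pick == 2:
        return 1                                              # one
    if pick == 3:
        return v + rng.choice([-1, 1]) * rng.randint(1, 16)   # add/sub random eps.
    return rng.choice([MIN_INT, MAX_INT])                     # max/min value


def mutate_str(v, rng):
    pick = rng.randrange(5)
    if pick == 0:                                             # random
        return "".join(chr(rng.randrange(32, 127)) for _ in range(rng.randint(0, 32)))
    if pick == 1:                                             # substring
        i = rng.randint(0, len(v))
        return v[i:rng.randint(i, len(v))]
    if pick == 2:                                             # truncate
        return v[:rng.randint(0, len(v))]
    if pick == 3 and v:                                       # replace char
        i = rng.randrange(len(v))
        c = rng.choice(INTERESTING_CHARS) if rng.random() < 0.5 else chr(rng.randrange(32, 127))
        return v[:i] + c + v[i + 1:]
    return v + "A" * 4096                                     # very long string


def mutate_obj(v, rng):
    pick = rng.randrange(3)
    if pick == 0:
        return None                                           # null
    if pick == 1:                                             # new obj with random values
        return CocktailInfo(mutate_str("", rng), mutate_int(0, rng))
    base = v if v is not None else CocktailInfo()             # fuzz obj fields
    if rng.random() < 0.5:
        return CocktailInfo(mutate_str(base.provider, rng), base.version)
    return CocktailInfo(base.provider, mutate_int(base.version, rng))


SIGNATURE = [str, CocktailInfo, int]   # updateCocktail(String, CocktailInfo, int), as extracted on slide 8
MUTATORS = {str: mutate_str, CocktailInfo: mutate_obj, int: mutate_int}


def mutate_args(args, rng):
    """Mutate one randomly chosen argument according to its declared type."""
    i = rng.randrange(len(args))
    child = list(args)
    child[i] = MUTATORS[SIGNATURE[i]](child[i], rng)
    return child


# --- constructed target: a service method whose executed blocks are recorded in `trace` ---
def update_cocktail(name, info, flags, trace):
    trace.add("entry")
    if info is None:
        trace.add("null_info")
        raise TypeError("NullPointerException")               # null reaches a dereference
    if flags < 0:
        trace.add("neg_flags")
        return -1
    if len(name) > 1024:
        trace.add("name_too_long")
        return -1
    if "'" in name:
        trace.add("quote")
        raise ValueError("SQLException")                      # name concatenated into a query
    trace.add("ok")
    return 0


def run_test(args):
    """Execute one input; return (set of blocks covered, crashed?)."""
    trace = set()
    try:
        update_cocktail(*args, trace=trace)
        return trace, False
    except Exception:
        return trace, True


def fuzz(seed_args, generations, per_generation, seed=0):
    """Inputs that reached blocks never seen before become the parents of the next generation."""
    rng = random.Random(seed)
    corpus, coverage, failures = [list(seed_args)], set(), []
    for _ in range(generations):
        parents = []
        for _ in range(per_generation):
            child = mutate_args(rng.choice(corpus), rng)
            trace, crashed = run_test(child)
            if crashed:
                failures.append(child)
            if trace - coverage:
                parents.append(child)
            coverage |= trace
        if parents:
            corpus = parents
    return coverage, failures
```

Calling fuzz(["seed", CocktailInfo(), 1], generations=40, per_generation=50) reaches every block of the constructed target and collects the two crashing input classes (null object, quote in the string); a purely random generator without the corpus step would keep re-executing the "ok" path, which is the low-coverage problem slide 9 attributes to black-box fuzzing.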
  • 12. [Diagram: CHIZPURFLE and the TARGET PROCESS. The instrumentation module injects a dynamic library into the target; a "stalker" server process and thread follow the execution and, for each block, rewrite the block at its address]
  • 13. Just-in-time rewriting of a basic block (AArch64 registers):
    Block (before rewriting):
      mov x29, sp
      mov x3, x30
      ldp x29,x30,[sp],16
      stp x29,x30,[sp-16]!
      add x30,x0,#4
      ret
      bl f_label
    Block (after rewriting):
      mov x29, sp
      mov x3, x30
      ldp x29,x30,[sp],16
      stp x29,x30,[sp-16]!
      add x30,x0,#4
      save address; stalk (bl f_label)
      save address; stalk(ret)
  • 14. Samsung Galaxy S6 Edge, Android 7.0 Nougat:
    - Chizpurfle detected 2,272 service methods from Samsung customizations
    - Chizpurfle performed 34,645 tests on these methods
    - Found 9 failures caused by 2 distinct bugs
  • 15. VOIP SERVICE, callInVoIP(String SIPAddress). The input ends up in the query SELECT reject_number FROM reject_num WHERE reject_number='[...a random string with a single quote...]'
    - Input strings that include SQL control expressions (such as single quotes) trigger an SQL exception
    - The input crashes the phone process, and interrupts any ongoing call
    Outcome: CRASH
  • 16. SPENGESTURE SERVICE, injectInput(…, android.view.InputEvent[], ...). Triggering input: the android.view.InputEvent array is non-null and non-empty, and at least one of its elements is null
    - A tricky input to the S Pen Gesture service triggers a fatal error (NullPointerExc.)
    - The System Server process fails, causing a reboot of the smartphone
    Outcome: REBOOT
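The two bugs on slides 15 and 16 are both failures to validate a Binder argument before using it. The added example below (not code from the slides or from the affected services) shows, with Python's sqlite3 module, the difference between a reject-list query built by string concatenation, which the single quote in the SIP address breaks, and a parameterised query, which binds the same input as data; it also shows a service entry point that reports a status code instead of letting the database exception unwind the thread, and an injectInput-style handler that checks an event array for null elements before dereferencing any of them. The table name and column are taken from the query on slide 15; the InputEvent class, the status codes and the sample rows are constructed.

```python
import sqlite3


def build_reject_db():
    """Constructed in-memory copy of the reject-number table the VoIP service consults."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reject_num (reject_number TEXT)")
    conn.execute("INSERT INTO reject_num VALUES ('sip:blocked@example.invalid')")
    return conn


def is_rejected_concat(conn, sip_address):
    """Query built by string concatenation, as the failing query on slide 15 suggests:
    a single quote in the input changes the statement and sqlite raises an error."""
    query = "SELECT reject_number FROM reject_num WHERE reject_number='%s'" % sip_address
    return conn.execute(query).fetchone() is not None


def is_rejected_param(conn, sip_address):
    """Parameterised query: the input is bound as data, so quotes cannot alter the statement."""
    query = "SELECT reject_number FROM reject_num WHERE reject_number=?"
    return conn.execute(query, (sip_address,)).fetchone() is not None


def call_in_voip(conn, sip_address, lookup):
    """Service entry point: return a status code to the caller rather than letting a database
    exception unwind through the Binder thread and take the whole phone process down."""
    if not isinstance(sip_address, str) or not sip_address:
        return "ERR_BAD_ARG"
    try:
        return "REJECTED" if lookup(conn, sip_address) else "DIALED"
    except sqlite3.Error:
        return "ERR_DB"


def raises_db_error(conn, lookup, sip_address):
    """True if the lookup lets a database exception escape for this input."""
    try:
        lookup(conn, sip_address)
        return False
    except sqlite3.Error:
        return True


# --- injectInput-style handler: an array argument whose elements may be null (slide 16) ---
class InputEvent:
    """Constructed stand-in for android.view.InputEvent."""

    def __init__(self, device_id):
        self.device_id = device_id


def inject_input_unchecked(events):
    """Dereferences every element as it goes; a null element raises mid-way."""
    return [e.device_id for e in events]


def inject_input_checked(events):
    """Validate the whole array before touching any element; return (accepted, detail)."""
    if events is None or len(events) == 0:
        return False, "empty event array"
    for i, e in enumerate(events):
        if e is None:
            return False, "null event at index %d" % i
    return True, [e.device_id for e in events]
```

Both fixes are the same idea seen from the service side: anything that arrives over Binder from another process is untrusted input, so it is validated at the boundary and the failure is turned into an error result for the caller instead of an exception in a process that hosts unrelated functionality.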
  • 17. On average, Chizpurfle covers 2.3x more code than black-box testing (within the same time budget). Chizpurfle has an average execution slow-down of 11.97x (comparable to other dynamic analysis tools)
  • 18. ATTACKING PROPRIETARY ANDROID VENDOR CUSTOMIZATIONS. 1. Android OS fuzz testing. 2. Android OS fault injection testing
  • 19. [Diagram: the Android stack, with the question asked of a lower-layer component (HALs, daemons, drivers)] What if it is faulty? (no response; exceptions or errors; slow response; corrupted data/metadata). Software fault injection is an innovative form of testing that evaluates how components' failures can escalate into system failures
  • 20. [Diagram: a Fault Injector attached to a lower-layer component] What if it is faulty? (no response; exceptions or errors; slow response; corrupted data/metadata). Desirable reactions:
    - The user is notified about the problem (not only with a crash, but with an "informative" message)
    - The faulty component is disabled, killed or restarted
    - The rest of the system "masks" the fault (for example, retry the failed operation)
  • 21. [Same diagram] Undesirable reactions:
    - The upper services ignore errors from the lower components
    - The user gets weird, cryptic notifications (without any clue on the problem)
    - The system ignores the failed state of the subsystem
  • 22. [Diagram: LIBHOOK (L.H.) instances attached to several processes of the stack] The LIBHOOK injects arbitrary code into Android processes (both C++ and Java-based). The collection of fault injectors emulates the failure of the components: Binder injector, Socket injector, Library injector, Syscall injector, Process injector, Stress injector. Control scripts and data analysis scripts run on a PC
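Slides 19 to 22 describe the experiment shape: hook a lower-layer call, emulate one of the failure modes (no response, error, slow response, corrupted data), and observe whether the upper layer reacts as slide 20 wants or as slide 21 warns. The added Python example below is not the LIBHOOK tool; it is a constructed, in-process version of the same experiment. A FaultInjector wraps a stand-in driver read (a constructed AT-style frame), two callers consume it, and run_experiment classifies what happened with the CRASH / ANR / FATAL / OK categories the later charts use. The deadlines, the frame contents and the status codes are assumptions made for the example.

```python
import errno
import threading
import time

NONE, ERROR, CORRUPT, SLOW, UNAVAILABLE = "none", "error", "corrupt", "slow", "unavailable"
FAULTS = [NONE, ERROR, CORRUPT, SLOW, UNAVAILABLE]

# Constructed answer a modem driver would return on a read; the frame ends with the final "OK" line.
DRIVER_FRAME = b"+CREG: 0,1\r\nOK\r\n"


def driver_read():
    """The lower-layer component under test (constructed stand-in for a read on the modem channel)."""
    return DRIVER_FRAME


def valid_frame(frame):
    return isinstance(frame, bytes) and frame.startswith(b"+") and frame.endswith(b"OK\r\n")


class FaultInjector:
    """Hooks one function and emulates the failure modes listed on slide 19.
    ERROR and CORRUPT fire once (a transient fault); SLOW and UNAVAILABLE persist."""

    def __init__(self, fault):
        self.fault, self.fired = fault, False

    def hook(self, fn):
        def hooked(*args):
            if self.fault == NONE or (self.fault in (ERROR, CORRUPT) and self.fired):
                return fn(*args)
            self.fired = True
            if self.fault == ERROR:
                raise OSError(errno.EIO, "injected read error")   # exceptions or errors
            if self.fault == CORRUPT:
                return fn(*args)[:-4] + b"\xff\xff"               # corrupted data: mangled frame tail
            if self.fault == SLOW:
                time.sleep(1.0)                                   # slow response
                return fn(*args)
            threading.Event().wait()                              # no response, ever
        return hooked


def call_with_deadline(fn, deadline_s):
    """Run fn on a worker thread and give up after deadline_s, so a stuck callee cannot stall the caller."""
    box = {}

    def run():
        try:
            box["result"] = fn()
        except Exception as exc:
            box["error"] = exc

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(deadline_s)
    if worker.is_alive():
        return "timeout", None
    if "error" in box:
        return "error", box["error"]
    return "ok", box["result"]


def naive_caller(read):
    """Upper-layer code that trusts the component: no deadline, no error handling, no validation."""
    return read()


def robust_caller(read, deadline_s=0.1, retries=1):
    """Bounded wait, one retry to mask a transient error, and validation of the answer (slide 20)."""
    status = "ERR_IO"
    for _ in range(retries + 1):
        outcome, value = call_with_deadline(read, deadline_s)
        if outcome == "timeout":
            return "ERR_TIMEOUT"          # report it rather than hang on the stuck component
        if outcome == "error":
            status = "ERR_IO"
            continue                      # retry: the failed operation may succeed the second time
        if not valid_frame(value):
            status = "ERR_CORRUPT"
            continue
        return value
    return status


def run_experiment(caller, fault, anr_s=0.4):
    """One injection run, classified with the outcome categories used in the slides' charts."""
    read = FaultInjector(fault).hook(driver_read)
    outcome, value = call_with_deadline(lambda: caller(read), anr_s)
    if outcome == "timeout":
        return "ANR"                      # the caller is still stuck past the responsiveness threshold
    if outcome == "error":
        return "CRASH"                    # the exception escaped the caller
    if isinstance(value, str) and value.startswith("ERR_"):
        return "OK"                       # the failure was reported to the caller, not escalated
    return "OK" if valid_frame(value) else "FATAL"   # looks alive but proceeds on bad data


if __name__ == "__main__":
    for f in FAULTS:
        print("%-12s naive=%-6s robust=%s" % (f, run_experiment(naive_caller, f), run_experiment(robust_caller, f)))
```

Run stand-alone, the table shows the naive caller producing CRASH, FATAL and two ANRs, exactly the escalations slide 21 lists, while the robust caller turns each injected fault into either a masked retry or an explicit error code. The three ingredients of the robust caller (deadline, retry, validation) map onto the three desirable reactions on slide 20 and onto the recommendations on the closing slides.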
  • 23. Components under test. Fault injection targets: RILD daemon (process) + rild socket (IPC) + pppd (process); kernel driver + /dev files; phone hardware
  • 24. Comparative analysis of three commercial devices (Huawei, Samsung, HTC):
    - Which device experiences the most severe or frequent failures?
    - Which faults (delays, data corruptions, resource leaks, ...) are the most critical?
    - How to mitigate failures (e.g., device freezes, stuck UI, etc.)?
    For technical details, see the paper: "Dependability Assessment of the Android OS Through Fault Injection", IEEE Transactions on Reliability
  • 25. [Bar charts: distribution of outcomes (CRASH, ANR, FATAL, OK) of the injections into the CAMERA and PHONE subsystems, for Samsung S6 Edge, Huawei P8 and HTC M9]
    - The Huawei device had the highest failure rate
    - Most of the Camera failures are CRASHes (the system is not able to handle exceptions)
    - Most of the Phone failures are FATAL errors (the phone appears available, but it is unable to make or receive calls)
  • 26. Failure chain in the phone subsystem (baseband processor, RILD, phone services, Telephony Registry, com.vendor.phone, Service Manager):
    1. Drop AT messages
    2. Crash of the process that hosts phone services
    3. The Telephony Registry looks for the Subscription Service (one of the unavailable phone services), but the Service Manager returns an exception because the service is dead
    4. The Telephony Registry does not properly handle the exception and crashes
    5. Even if the phone UI is still responsive, the phone is not working (e.g., cannot start a phone call)
  • 27. Failure chain in the camera subsystem (com.huawei.Camera, Mediaserver, /dev/video*):
    1. Inject an erroneous return code from reads on the virtual device file
    2. The Mediaserver reports a fatal error "method not yet implemented"
    3. The Mediaserver process crashes
    4. The stock camera app crashes
  • 28. [Bar charts: outcomes (CRASH, ANR, FATAL, OK) of the injections into SURFACE FLINGER and SYSTEM SERVER, for Samsung S6 Edge, Huawei P8 and HTC M9]
    - The System Server and Surface Flinger are critical components of Android OS
    - Faults in these targets are likely to cause weird effects on user interactions
    - The System UI can get stuck if they are slow or do not respond
  • 29. ©2016 CRITIWARE S.R.L. CONFIDENTIAL AND PROPRIETARY. bind_service timeliness fault (slow response, or no response): the stock camera app hangs, and the System UI does not react to tapping on the "quit activity" button
  • 30. resolve_intent timeliness fault (slow response, or no response): the System UI is stuck, and does not react to tapping on the "show activities" button
  • 31. [Bar charts: outcomes (CRASH, ANR, FATAL, OK) of the injections into SQLITE and BIONIC, for Samsung S6 Edge, Huawei P8 and HTC M9]
    - Injections in the SQLite and Bionic libraries linked to the System Server
    - The faults propagated to many apps through unhandled exceptions
    - e.g., the Package Manager crashes in the case of corrupted APK metadata
  • 32. Log excerpt: an invalid file handle is injected by corrupting the return value of Bionic's open
    I/CorruptionManager( 2966): corrupting Bionic open return value
    W/CorruptionManager( 2966): ints_to_replace is empty, adding defaults
    I/INJEVENT( 2966): INJECTED CORRUPTION
    I/LIBHOOK ( 2966): Bionic Hooks close function
    I/LIBHOOK ( 2966): Bionic Hooks read function (222)
    E/CursorWindow( 2966): ashmem_create_region ashmemFd=-1, result=-9
    E/CursorWindow( 2966): Could not allocate CursorWindow '/data/system/locksettings.db' of size 2097152 due to error -9.
    E/JavaBinder( 2966): *** Uncaught remote exception! (Exceptions are not yet supported across processes.)
    E/JavaBinder( 2966): android.database.CursorWindowAllocationException: Cursor window allocation of 2048 kb failed. # Open Cursors=1 (# cursors opened by this proc=1)
    E/JavaBinder( 2966): at android.database.CursorWindow.<init>(CursorWindow.java:108)
    E/JavaBinder( 2966): at android.database.AbstractWindowedCursor.clearOrCreateWindow(AbstractWindowedCursor.java:198)
    E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.fillWindow(SQLiteCursor.java:139)
    E/JavaBinder( 2966): at android.database.sqlite.SQLiteCursor.getCount(SQLiteCursor.java:133)
    E/JavaBinder( 2966): at android.database.AbstractCursor.moveToPosition(AbstractCursor.java:197)
    E/JavaBinder( 2966): at android.database.AbstractCursor.moveToFirst(AbstractCursor.java:237)
    E/JavaBinder( 2966): at com.android.server.LockSettingsService.readFromDb(LockSettingsService.java:595)
    E/JavaBinder( 2966): at com.android.server.LockSettingsService.getLong(LockSettingsService.java:258)
    E/JavaBinder( 2966): at com.android.internal.widget.ILockSettings$Stub.onTransact(ILockSettings.java:108)
    E/JavaBinder( 2966): at com.android.server.HwLockSettingsService.onTransact(HwLockSettingsService.java:170)
    E/JavaBinder( 2966): at android.os.Binder.execTransact(Binder.java:446)
    ….
    The user cannot unlock the device!
  • 33. [Table: fault types (Unavailability, Timeliness, Corruption, Resource mgmt.) against targets (Camera Service; Camera process, Driver; Phone RILD socket; Phone AT channel, Driver; Sensors Service; Sensors process, Driver; SystemServer ActivityManager; SystemServer PackageManager; SurfaceFlinger; Bionic; SQLite). X marks per row: Unavailability 8, Timeliness 6, Corruption 4, Resource mgmt. 3; the transcript does not preserve which columns are marked] The Android OS should better handle errors/exceptions returned from lower layers
  • 34. [Same table as slide 33] When possible, the interactions between Android components should be asynchronous. A stalled component should not stall other components in cascade (e.g., the System UI)
  • 35. [Same table as slide 33] Protocols inside Android (such as the AT protocol mgmt in RILD) should robustly handle drops and corruptions in the data streams
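Slide 35 recommends that the AT protocol handling in RILD tolerate drops and corruptions in the data stream, and the failure chain on slide 26 starts precisely from dropped AT messages. The added Python example below (not RILD's code, and not from the slides) is a line-oriented reader for a modem response stream that applies that recommendation: a line that does not decode as printable ASCII is discarded and counted rather than passed up, a run of bytes that never sees a line terminator is dropped so the buffer cannot grow without bound, and a response whose final result code never arrives is closed with a synthetic TIMEOUT so the caller waiting on the command is unblocked. The final result codes are the standard V.250 / 3GPP TS 27.007 ones; the limits, the timeout value and the sample frames are assumptions made for the example, and unsolicited result codes are treated like information lines for simplicity.

```python
FINAL_RESULT_CODES = {"OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE"}
ERROR_PREFIXES = ("+CME ERROR:", "+CMS ERROR:")   # final result codes that carry an error number
MAX_LINE = 512          # longest line accepted before assuming the CR/LF was dropped (assumed)
MAX_INFO_LINES = 64     # longest response buffered before assuming the final code was dropped (assumed)
RESPONSE_TIMEOUT = 2.0  # seconds a pending response may wait for its final result code (assumed)


class ATReader:
    """Tolerant reader for the modem's response stream. Corrupted lines are dropped and counted
    instead of propagated; a response whose final code never arrives is closed with TIMEOUT."""

    def __init__(self):
        self.buf = b""          # bytes not yet terminated by CR/LF
        self.info = []          # information lines of the response in progress
        self.started_at = None  # timestamp of the first line of the response in progress
        self.dropped = 0        # lines or byte runs discarded as corrupted or truncated

    def _finish(self, code):
        response = (code, self.info)
        self.info, self.started_at = [], None
        return response

    def feed(self, chunk, now):
        """Append bytes read at time `now`; return the responses completed so far as
        (final_result_code, [information lines]) tuples."""
        self.buf += chunk
        done = []
        while b"\r\n" in self.buf:
            raw, _, self.buf = self.buf.partition(b"\r\n")
            if not raw:
                continue                                    # responses are "<CR><LF>line<CR><LF>"
            try:
                line = raw.decode("ascii")
            except UnicodeDecodeError:
                self.dropped += 1                           # corrupted bytes: discard only this line
                continue
            if not line.isprintable():
                self.dropped += 1
                continue
            if self.started_at is None:
                self.started_at = now
            if line in FINAL_RESULT_CODES or line.startswith(ERROR_PREFIXES):
                done.append(self._finish(line))
            else:
                self.info.append(line)
                if len(self.info) > MAX_INFO_LINES:         # final code presumably lost: close it
                    done.append(self._finish("TIMEOUT"))
        if len(self.buf) > MAX_LINE:                        # no terminator for too long: resync
            self.dropped += 1
            self.buf = b""
        if self.started_at is not None and now - self.started_at > RESPONSE_TIMEOUT:
            done.append(self._finish("TIMEOUT"))
        return done
```

The timestamp is passed in rather than read from the clock so the reader is deterministic and can be driven from a test or from a fault-injection harness; in a daemon it would come from the read loop. The point of the design is that every irregularity in the stream becomes a counted, bounded event with a defined outcome for the caller, rather than a stalled read or a malformed string handed to the layers above, which is where the cascades on slides 26 and 33 begin.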

Editor's Notes

  1. The Android OS has become the most popular mobile OS, as it is the foundation of dozens of mobile devices from more than 20 Android vendors (including Samsung, HTC, Huawei, Motorola, Xiaomi, LG, and others). Starting from the open-source version of the Android OS, these vendors develop their own proprietary Android OS in order to differentiate themselves from the competition and to make the user experience unique and more enjoyable. For example, vendor customizations include mobile personal assistants, advanced photo enhancements, mobile payments, and so on. Unfortunately, these customizations also introduce new vendor-specific software flaws, thus widening the attack surface of the Android OS and making it more prone to security, reliability and performance issues.