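Abstract:
Input validation vulnerabilities receive considerable attention in web security, yet they have been largely neglected in Android security research. We found that, because of the unique framework-layer design of the Android system, Android devices require input validation analysis specific to system services. This work analyzes input validation vulnerabilities in the Android system: 1) we analyze the attack surface of system services and describe how input validation is currently implemented in them; 2) we developed a vulnerability scanner that fuzzes system services by sending them requests with malformed arguments. After a comprehensive analysis of more than 90 services and more than 1,900 methods in the Android system, we found 16 system service vulnerabilities. Finally, we reported these vulnerabilities to Google, and Google confirmed them.
Keywords: Android system services; input validation; Buzzer; vulnerabilities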
Received: October 13, 2015; Revised: November 30, 2015
Funding: This work was supported by the 863 Program project "Research on Cloud Computing Security Architecture" (No. 2013AA01A214).
|
Towards Analyzing the Input Validation Vulnerabilities associated with Android System Services |
CAO Chen, GAO Neng, XIANG Ji, LIU Peng
Institute of Information Engineering, CAS, Beijing 100093, China; The Pennsylvania State University, USA
Abstract: |
Although input validation vulnerabilities play a critical role in web application security, such vulnerabilities have so far been largely neglected in the Android security research community. We found that, due to the unique Framework Code layer, Android devices need input validation vulnerability analysis specific to system services. In this work, we take the first steps to analyze Android-specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services; b) we developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending them requests with malformed arguments. Through a comprehensive evaluation of the Android system, with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google, and Google has confirmed them.
Key words: Android system services; input validation; Buzzer; vulnerabilities