
JNI Global References Are Still Vulnerable: Attacks and Defenses

Published 1 May 2024 in cs.CR | (2405.00526v1)

Abstract: System services and resources in Android are accessed through IPC-based mechanisms. Previous research has demonstrated that these mechanisms are vulnerable to denial-of-service (DoS) attacks. For instance, JNI global references (JGRs), which are widely used by system services, can be exhausted to force a system reboot (hence the name JGRE attack). Even though the Android team has tried to fix the problem by enforcing security checks, we find that it is still possible to construct a JGR exhaustion DoS attack in the latest Android system. In this paper, we propose a new JGR exhaustion DoS attack that is effective across different Android versions, including the latest one (i.e., Android 10). Specifically, we developed JGREAnalyzer, a tool that systematically detects JGR-vulnerable system service APIs via a call graph analysis and a forward reachability analysis. We applied this tool to different Android versions and found multiple vulnerabilities. In particular, among 148 system services in Android 10, 12 of them have 21 vulnerabilities, 9 of which can be successfully exploited without any permissions. We further analyze the root cause of the vulnerabilities and propose a new defense that mitigates the JGRE attack by restricting resource consumption via global reference counting.

