Template-based Android inter-process communication fuzzing

Kalysch A, Deutel M, Müller T (2020)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2020

Publisher: Association for Computing Machinery

City/Town: New York, United States

Pages Range: 1 - 6

Conference Proceedings Title: Proceedings of the 15th International Conference on Availability, Reliability and Security

Event location: Virtual Event, Dublin, Ireland

ISBN: 978-1-4503-8833-7

URI: https://dl.acm.org/doi/10.1145/3407023.3407052

DOI: 10.1145/3407023.3407052

Abstract

Fuzzing is a test method in vulnerability assessments that calls the interfaces of a program in order to find bugs in its input processing. Automatically generated inputs, based on a set of templates and randomness, are sent to a program at a high rate, collecting crashes for later investigation. We apply fuzz testing to the inter-process communication (IPC) on Android in order to find bugs in the mechanisms by which Android apps communicate with each other. The sandboxing principle on Android usually ensures that apps can only communicate with other apps via programmatic interfaces. Unlike traditional operating systems, two Android apps running in the same user context are not able to access each other's data (security) or quit the other app (safety). Our IPC fuzzer for Android detects the structure of data sent within Intents between apps by disassembling and analyzing an app's bytecode. It relies on multiple mutation engines for input generation and supports post-mortem analysis for a detailed insight into crashes. We tested 1488 popular apps from the Google Play Store, enabling us to crash 450 apps with Intents that could be sent from any unprivileged app on the same device, thus undermining the safety guarantees given by Android. We show that any installed app on a device could easily crash a series of other apps, effectively rendering them useless. Even worse, we discovered flaws in popular frameworks like Unity, the Google Services API, and the AdjustSDK. Comparing our implementation to previous research shows improvements in the depth and diversity of our detected crashes.

How to cite

APA:

Kalysch, A., Deutel, M., & Müller, T. (2020). Template-based Android inter-process communication fuzzing. In Melanie Volkamer, Christian Wressnegger (Eds.), Proceedings of the 15th International Conference on Availability, Reliability and Security (pp. 1 - 6). Virtual Event, Dublin, Ireland: New York, United States: Association for Computing Machinery.

MLA:

Kalysch, Anatoli, Mark Deutel, and Tilo Müller. "Template-based Android inter-process communication fuzzing." Proceedings of the ARES '20: The 15th International Conference on Availability, Reliability and Security, Virtual Event, Dublin, Ireland Ed. Melanie Volkamer, Christian Wressnegger, New York, United States: Association for Computing Machinery, 2020. 1 - 6.