Ghost in the Binder: Binder Transaction Redirection Attacks in Android System Services

Binder, the main mechanism through which Android applications access system services, adopts a client-server role model in its design: the system service is assumed to be the server and the application the client. However, a growing number of scenarios require the system service to act as a Binder client and send queries to a Binder server that may be instantiated by the application. Starting from this role-reversal possibility, this paper proposes the Binder Transaction Redirection (BiTRe) attacks, in which the attacker induces the system service to transact with a customized Binder server and then attacks from the Binder server, an often unprotected direction. We demonstrate the scale of the attack surface by enumerating the Binder interfaces that can be utilized in BiTRe, and find that the attack surface grows with each Android release. In Android 11, more than 70% of the Binder interfaces are affected by or can be utilized in BiTRe. We prove the attacks' feasibility by (1) constructing a prototype system that automatically generates executable programs reaching a substantial part of the attack surface, and (2) identifying a series of vulnerabilities, which were acknowledged by Google and assigned ten CVEs.
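To illustrate the reversed direction the abstract describes (a system service acting as the Binder client of an app-supplied server), here is an added example, not code from the paper or from AOSP, of how a service-side caller can treat that outbound transaction as untrusted: the interface descriptor, transaction code and value range are assumptions chosen for the example.

```java
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical system-service side: it holds an IBinder handed over by an app
// and must later transact with it, i.e. the service becomes the Binder client.
public final class AppCallbackCaller {
    // Hypothetical transaction code and descriptor shared with the app-side server.
    static final int CODE_QUERY = IBinder.FIRST_CALL_TRANSACTION;
    private static final String DESCRIPTOR = "example.IAppCallback";

    private volatile IBinder appBinder;

    public AppCallbackCaller(IBinder appBinder) throws RemoteException {
        this.appBinder = appBinder;
        // Drop the reference when the app process dies instead of reusing it.
        appBinder.linkToDeath(() -> this.appBinder = null, 0);
    }

    /** Queries the app-provided server; every byte of the reply is app-controlled. */
    public int queryUntrusted(int argument) {
        IBinder target = appBinder;
        if (target == null) return -1;
        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        try {
            data.writeInterfaceToken(DESCRIPTOR);
            data.writeInt(argument);
            // Hold no service locks across this call: the callee is app code and
            // may block, re-enter the service, or never return.
            if (!target.transact(CODE_QUERY, data, reply, 0)) {
                return -1; // the app server did not handle the transaction code
            }
            reply.readException(); // rethrows an exception written by the app side
            int value = reply.readInt();
            // Validate before use, exactly as for an inbound request parameter.
            if (value < 0 || value > 1000) return -1;
            return value;
        } catch (RemoteException | RuntimeException e) {
            // Dead binders and malformed parcels (unchecked exceptions) must not
            // propagate into the service's own call stack.
            return -1;
        } finally {
            data.recycle();
            reply.recycle();
        }
    }
}
```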
