Boffins believe buggy Binder embiggens Android attack surface
Punching holes in problematic private APIs
Bugs in Android's Binder inter-process communication (IPC) mechanism open up a mass of security bugs, according to University of Michigan boffins Huan Feng and Kang Shin.
In a paper posted to Arxiv, the duo say developers aren't doing enough sanity checking between Binder server and clients. Specifically, they often forget to sanity-check client-side transactions.
To make their point, the researchers crafted a tool they called BinderCracker, which they claimed identified “100 vulnerabilities in six major versions of Android, including the latest version Android 6.0, Marshmallow” – bugs they assert could let attackers execute privileged code, or even brick a victim's smartphone.
At a high level, the problem is described as follows:
Any system service that hinges on the validity (sanity) of client-side transaction is fundamentally vulnerable — the server should be robust on its own. This is probably a best engineering practice for any system that adopts a client–server model, but has surprisingly been overlooked in the implementation of many Android system services.
To run the tests, the researchers say, “BinderCracker automatically crawls the RPC interfaces of both Java and native system services, and injects fuzzing transactions via the Binder surface”. Their test covered more than 2,400 service APIs across the six Android versions they tested, and they reckon that by giving the tool “parameter-aware” fuzzing capabilities, they turned up more flaws than simple black-box fuzzing.
The paper notes that “private APIs” in Android – APIs that aren't documented for third-party developers – are a security problem. Since they're unknown, they don't get checked or tested.
Another architectural issue the paper cites is that de-serialisation is “assumed to be always undisturbed”, another assumption that depends on the validity of the client-side transaction.
Nearly 60 of the vulnerabilities they found could crash system_server – that is, the entire Android runtime, with more than 20 vulnerabilities that could bring down mediaserver.
The researchers say 87 of the bugs still exist in Android 6.0 – 18 of the 117 bugs they found have been fixed, and another dozen “disappeared” not because of bug fixes, but because the relevant source code was either deleted, or “accidentally bypassed” in new versions. ®