Android Native Library Fuzzing

Paolo Celada

Rel. Antonio Lioy, Mathias Payer. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Android applications can have part of their components developed in a native language, such as C or C++. Developers, using the Native Development Kit, pack inside each application a shared library holding the native implementation of a subset of its methods. The Java Native Interface (JNI) allows each native method to interact directly with the rest of the application, by providing a means to create or update Java objects, call Java methods, and perform several other operations. Two fundamental reasons lead to its integration: native programs have better performance, a key factor given Android's limited hardware, and offer the possibility to reuse tested and optimized native libraries. Unfortunately, any security guarantees provided by Java are invalidated when using native code. Native code does not provide temporal or memory safety and is susceptible to format string vulnerabilities and type confusion, all of which can lead to critical consequences, including but not limited to code execution, privilege escalation, and control-flow hijacking. Security is therefore critical, and yet no public tools that test native components dynamically exist. Existing tools either perform data-flow static analysis or ignore any side effects associated with native components while analyzing the overall application. When fuzzing native libraries in Android, the fuzzing engine should take into consideration that native code interacts with the rest of the application through the JNI, and therefore through the Android Runtime (ART). If it is not capable of reproducing the ART behavior, the results generated by the fuzzer, if any, are not valid and are not reproducible by a stand-alone Android application. We propose a framework to dynamically test native components in Android applications. First, we present the steps required to port a common fuzzing engine, AFL++, to an Android device, with the necessary patches.

Then, we describe the design of a fuzzing harness crafted specifically to work with Android native components: it loads the ART to fulfill JNI requests, fetches the address of the native target function, and forks its state at every execution to obtain the performance benefits of the fork server. It uses AFL++ as a black-box fuzzer. Given the limited performance obtained on a single Android device, we developed a framework to run this harness on a phone cluster, parallelizing each fuzzing campaign across devices. The framework works together with a native-method extractor and is capable of fuzzing each method of a set of Android applications by name or signature. The results of using the framework on closed-source Android applications show that it is capable of both reproducing known CVEs in Android native components and discovering new bugs. For every bug found, the library is manually analyzed using common debugging and reversing tools to perform root cause analysis.

Supervisors: Antonio Lioy, Mathias Payer
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 48
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating organizations: EPFL
URI: http://webthesis.biblio.polito.it/id/eprint/24554