Android is the most widely deployed operating system for smartphones, and recent estimates indicate that it will remain so in the coming years. Android is a Java stack built on top of a native Linux kernel.
Services and functionalities are achieved through the interplay of components living at different layers of the operating system. Security in Android is provided by a set of cross-layer security mechanisms that collectively constitute the Android Security Framework (ASF). The security offered by the ASF has recently been challenged by the discovery of a number of vulnerabilities involving different layers of the Android stack.
In this paper we argue that a systematic analysis of the interplay among the different layers of Android is necessary. To this aim, we provide a simple model of the interaction among the components based on the concept of flow.
Our model allows us to reason about the security implications of the cross-layer interactions in Android, including a recently discovered vulnerability that allows a malicious application to force the system to fork an unbounded number of processes, thereby making the device totally unresponsive.
The problem is that a critical functionality, the forking of a new process within Android (a Zygote), is not restricted to the ASF and can be invoked by any application (including malicious ones). An interesting question is whether the problem is limited to the Zygote process or whether it is instead a more general issue in Android.
To ascertain this, we have defined and carried out an empirical assessment of the allowed flows within the Android cross-layered architecture. Our experiments indicate that little control is exercised between the Android and Linux layers, thereby indicating that the attack surface of the Android platform is wider than expected.
We have shown that attacks on the security of Android may be driven by malicious applications, and that the ASF as well as the native security mechanisms at the Linux layer may not be sufficient to discriminate between the callers of an invocation. Such a scenario may lead to vulnerabilities whose exploitation by malicious applications may go undetected, as is the case for the Zygote vulnerability.
To support our observations we have developed 1) a kernel module that logs system calls invoked by the AF layer and 2) a tester application capable of reading the logs and successfully re-executing the tracked calls.
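As an added example that is not part of the paper or its tooling, the following script shows the kind of caller discrimination the abstract says the ASF and the Linux layer do not perform: it runs over a constructed syscall log and flags both application UIDs that reach the Zygote socket and bursts of fork requests. The log line format, the UID boundary and the rate threshold are assumptions made for the example.

```python
from collections import defaultdict, deque

# Assumption: UIDs at or above 10000 belong to installed apps, lower UIDs
# to system components; the log format below is constructed for this example.
AID_APP_START = 10000
ZYGOTE_SOCKET = "/dev/socket/zygote"

# Constructed sample log: "<time_s> <pid> <uid> <syscall> <target>".
# uid 1000 is a system component; uid 10057 is an ordinary app hammering Zygote.
SAMPLE_LOG = """\
1.00 412 1000 connect /dev/socket/zygote
2.00 9801 10057 connect /dev/socket/zygote
2.01 9801 10057 connect /dev/socket/zygote
2.02 9801 10057 connect /dev/socket/zygote
2.03 9801 10057 connect /dev/socket/zygote
2.04 9801 10057 connect /dev/socket/zygote
3.50 520 1000 connect /dev/socket/zygote
"""

def parse_log(text):
    """Turn log lines into (time, pid, uid, syscall, target) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, pid, uid, syscall, target = line.split()
            events.append((float(t), int(pid), int(uid), syscall, target))
    return events

def detect_zygote_abuse(events, window_s=1.0, max_requests=3):
    """Return alerts: one per app UID that connects to Zygote at all, and one
    per burst of more than max_requests connects from one UID inside window_s."""
    alerts = []
    seen_app_uids = set()
    recent = defaultdict(deque)  # uid -> timestamps of recent Zygote requests
    for t, pid, uid, syscall, target in events:
        if syscall != "connect" or target != ZYGOTE_SOCKET:
            continue
        if uid >= AID_APP_START and uid not in seen_app_uids:
            seen_app_uids.add(uid)
            alerts.append(("app_uid_reached_zygote", uid, pid))
        q = recent[uid]
        q.append(t)
        while q and t - q[0] > window_s:   # drop requests outside the window
            q.popleft()
        if len(q) > max_requests:
            alerts.append(("request_rate_exceeded", uid, pid))
            q.clear()                        # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in detect_zygote_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```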