Research

With the rise of modern computing platforms, such as Android and iOS, the popularity of mobile devices has expanded rapidly over the last decade. This growth is in large part a result of the greatly increased availability of applications for modern computing platforms, stemming from the ease with which applications can be created. To enable such accessible application creation, modern computing platforms provide much of the groundwork required to support the wide-ranging applications of mobile devices through the implementation of feature-rich application programming interfaces (APIs). However, such feature-rich APIs require a large and complex code base whose security must now be managed by the platform. As such, the introduction of these feature-rich APIs opens new avenues for inconsistent and vulnerable access control enforcement.

My research focuses on the development of static analysis tools that support developers and security researchers in the identification of inconsistencies and vulnerabilities in the access control enforcement of the feature-rich APIs in modern computing platforms. In constructing these tools, my research seeks to both: 1) develop a comprehensive understanding of the different forms of access control used in the APIs of modern computing platforms and 2) use that understanding to automate the identification of inconsistencies and vulnerabilities in the access control enforcement of the APIs.

To this end, I have developed three semi-automated static analysis tools (ACMiner, ARF, and Coming Soon) which have uncovered dozens of inconsistencies and vulnerabilities within the access control enforcement of APIs in the Android Platform. All inconsistencies and vulnerabilities from the tools have been reported to Google. I have received a total of 10 CVEs for the more severe vulnerabilities reported. Along with these 10, a number of the other less severe inconsistencies and vulnerabilities have also been fixed.

ACMiner

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android’s permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. Authorization Check Miner (ACMiner) provides system developers and researchers with a framework for evaluating the correctness of Android’s access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service API, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities.
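A much-simplified sketch of the consistency analysis described above, added here as an illustration and not taken from ACMiner's code: it mines association rules over the authorization checks of one service's entry points and reports entry points that break a high-confidence rule. The entry points, check labels and thresholds are constructed assumptions.

```python
from itertools import combinations

# Constructed sample: authorization checks extracted per entry point of one
# hypothetical service. All entry point names and check labels are made up.
CHECKS = {
    "setUserRestriction": {"uid==SYSTEM", "perm:MANAGE_USERS", "user!=restricted"},
    "removeUser": {"perm:MANAGE_USERS", "user!=restricted"},
    "createUser": {"perm:MANAGE_USERS", "user!=restricted"},
    "setUserName": {"perm:MANAGE_USERS", "user!=restricted"},
    "setUserIcon": {"perm:MANAGE_USERS"},  # restriction check is absent here
    "getUserCount": set(),
}

def mine_inconsistencies(checks, min_support=3, min_conf=0.75, max_len=2):
    """Return (antecedent, consequent, confidence, violating_entry_points).

    A rule "antecedent -> consequent" is reported when enough entry points
    carry the antecedent, most of them also carry the consequent, and at
    least one does not. Those outliers are the candidates for manual review.
    """
    items = sorted(set().union(*checks.values()))
    findings = []
    for size in range(1, max_len + 1):
        for antecedent in combinations(items, size):
            ante = set(antecedent)
            with_ante = [ep for ep, c in checks.items() if ante <= c]
            if len(with_ante) < min_support:
                continue  # too few entry points to call this a pattern
            for consequent in items:
                if consequent in ante:
                    continue
                violators = sorted(ep for ep in with_ante
                                   if consequent not in checks[ep])
                conf = (len(with_ante) - len(violators)) / len(with_ante)
                if violators and conf >= min_conf:
                    findings.append((antecedent, consequent,
                                     round(conf, 2), violators))
    return findings

if __name__ == "__main__":
    for ante, cons, conf, eps in mine_inconsistencies(CHECKS):
        print(f"{' & '.join(ante)} -> {cons} (confidence {conf}): review {eps}")
```

A flagged entry point is only a lead: the missing check may be intentional, so each rule violation still needs a human to decide whether it is a vulnerability.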

Related Publications

  1. Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel. ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware. In Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy (CODASPY), March 2019, Dallas, Texas, USA. (Acceptance Rate: 23.5%). [PDF] [SOURCE]
    
    @INPROCEEDINGS{gorski-2019-CODASPY,
      TITLE = {{ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware}},
      AUTHOR = {Gorski III, Sigmund Albert and Andow, Benjamin and Nadkarni, Adwait and Manandhar, Sunil and Enck, William and Bodden, Eric and Bartel, Alexandre},
      BOOKTITLE = {Ninth ACM Conference on Data and Application Security and Privacy (CODASPY)},
      LOCATION = {Dallas, Texas, USA},
      MONTH = mar,
      YEAR = {2019}
    }
    
    
    
  2. Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel. ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware. http://arxiv.org/abs/1901.03603, arXiv:1901.03603, January 2019. [PDF] [SOURCE]
    
    @ARTICLE{acminer-extended,
      TITLE = {{ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware}},
      AUTHOR = {Gorski III, Sigmund Albert and Andow, Benjamin and Nadkarni, Adwait and Manandhar, Sunil and Enck, William and Bodden, Eric and Bartel, Alexandre},
      HOWPUBLISHED = {\url{http://arxiv.org/abs/1901.03603}},
      archivePrefix = {arXiv},
      eprint = {1901.03603},
      MONTH = jan,
      YEAR = {2019}
    }
    
    
    

Related Tools and Code

  1. ACMiner

Related CVEs

  1. CVE-2019-9351 [Credit] [Security Bulletin]
  2. CVE-2019-9377 [Credit] [Security Bulletin]
  3. CVE-2019-9438 [Credit] [Security Bulletin]

ARF

Over the past decade, the security of the Android platform has undergone significant scrutiny by both academic and industrial researchers. This scrutiny has been largely directed towards third-party applications and a few critical system interfaces, leaving much of Android’s middleware unstudied. Building upon recent efforts to more rigorously analyze authorization logic in Android’s system services, we revisit the problem of permission re-delegation, but in the context of system service APIs. The Android Re-delegation Finder (ARF) analysis framework aids security analysts in the identification of permission re-delegation vulnerabilities within Android’s system services. ARF analyzes an interconnected graph of APIs in system services, deriving calling dependencies, annotating permission checks, and identifying potentially vulnerable deputies that improperly expose information or functionality to third-party applications.
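The graph analysis described above, reduced to a small added example that is not ARF's own code: starting from each API a third-party app can call, it walks the call graph and reports reachable APIs whose permission checks the entry point never applied to its caller. It assumes every inter-service call runs under the deputy's identity; the services, APIs and permissions are constructed.

```python
from collections import deque

# Constructed sample graph: every service, API and permission name is hypothetical.
# "perms" = permissions the API checks on entry; "calls" = service APIs it invokes.
APIS = {
    "LocationSvc.getLastFix": {"perms": {"READ_LOCATION"}, "calls": []},
    "GeoCache.lookup": {"perms": set(),
                        "calls": ["LocationSvc.getLastFix", "WeatherSvc.getForecast"]},
    "WeatherSvc.getForecast": {"perms": set(), "calls": ["GeoCache.lookup"]},
    "BackupSvc.snapshotFix": {"perms": {"READ_LOCATION", "BACKUP"},
                              "calls": ["LocationSvc.getLastFix"]},
    "StatsSvc.ping": {"perms": set(), "calls": []},
}
# APIs a third-party application can invoke directly (assumption of the sample).
EXPOSED = {"LocationSvc.getLastFix", "WeatherSvc.getForecast",
           "BackupSvc.snapshotFix", "StatsSvc.ping"}

def find_redelegation(apis, exposed):
    """Return (deputy, target, missing_perms, call_path) tuples.

    Simplifying assumption: downstream checks are evaluated against the
    deputy service, so only the checks at the entry point constrain the app.
    """
    findings = []
    for entry in sorted(exposed):
        enforced = apis[entry]["perms"]
        queue = deque([(entry, (entry,))])
        seen = {entry}  # guards against cycles in the call graph
        while queue:
            node, path = queue.popleft()
            for callee in apis[node]["calls"]:
                if callee in seen:
                    continue
                seen.add(callee)
                callee_path = path + (callee,)
                missing = apis[callee]["perms"] - enforced
                if missing:
                    findings.append((entry, callee,
                                     tuple(sorted(missing)), callee_path))
                queue.append((callee, callee_path))
    return findings

if __name__ == "__main__":
    for deputy, target, missing, path in find_redelegation(APIS, EXPOSED):
        print(f"{deputy} exposes {target} without {missing}: {' -> '.join(path)}")
```

Each reported path shows an analyst where a check equivalent to the target's would have to be added, or confirms that the exposure is by design.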

Related Publications

  1. Sigmund Albert Gorski III and William Enck. ARF: Identifying Re-Delegation Vulnerabilities in Android System Services. In Proceedings of the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), May 2019, Miami, Florida, USA. (Acceptance Rate: 25.6%). [PDF] [SOURCE]
    
    @INPROCEEDINGS{gorski-2019-WiSec,
      TITLE = {{ARF: Identifying Re-Delegation Vulnerabilities in Android System Services}},
      AUTHOR = {Gorski III, Sigmund Albert and Enck, William},
      BOOKTITLE = {12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)},
      LOCATION = {Miami, Florida, USA},
      MONTH = may,
      YEAR = {2019}
    }
    
    
    

Related Tools and Code

  1. ARF

Related CVEs

  1. CVE-2019-2098 [Fix] [Security Bulletin]
  2. CVE-2019-2092 [Fix] [Security Bulletin]
  3. CVE-2019-2091 [Fix] [Security Bulletin]
  4. CVE-2019-2090 [Fix] [Security Bulletin]

Coming Soon

Information on this paper will be posted soon.

Related CVEs

  1. CVE-2020-0208 [Fix] [Security Bulletin]
  2. CVE-2020-0209 [Fix] [Security Bulletin]
  3. CVE-2020-0210 [Fix] [Security Bulletin]