1. ANDROID IPC MECHANISM
nfsnfs @ Advanced Defense Lab
1

2. REFERENCE
• ⼤大量引⽤用以下資料:
• http://www.slideshare.net/yeg239/android-internals-06-
binder-typical-subsystem-rev11
• http://marakana.com/s/post/1340/
Deep_Dive_Into_Binder_Presentation.htm
• http://www.slideshare.net/jserv/android-ipc-mechanism
• http://developer.android.com/guide/components/aidl.html
• http://www.jbcreativgroup.com/pdf/an-empirical-study-of-
the-robustness-of-inter-component-77091.pdf2

3. OUTLINE
• IPC
• Java Layer
• Binder
• Security Issue in IPC
3

4. WHAT IS IPC ?
• IPC = Inter-Process Communication
• Process 之間的溝通
• More ... ?
4

5. WHY IPC?
• Android 中每個 process 都有⾃自⼰己的 address space
• Data Isolation
• IPC 可能造成很⼤大的 overhead，也可能造成安全問題
5

6. 有什麼不⼀一樣 ?
• Traditional Linux
• Pipe
• Signal
• Message Queue
• Semaphore
• Socket
• Shared Memory 6

7. ANDROID IPC SYSTEM
• Binder
• 從 OpenBinder 來的
• BeOS / Palm
• 完全重寫後成為 Android binder
7

8. SOCKETVS BINDER
Socket
!
File Descriptor
Network
Stream I/O
Binder
!
PID
Local only
IOCTL
8

9. BINDER
!
Linux Kernel
/dev/binder
servicemanager system_server
App3
App2
App1
9

10. WHY BINDER ?
• Security
• isolated process with distinct ID
• Stability
• crashed process
• Memory Management
• no need to free objects
10

11. BIONIC C
• 不⽀支援傳統 SystemV IPCs
• No SysV semaphores, shared memory, message queues
• SysV IPC 會有 kernel resource leakage 的問題
11

12. COMMUNICATIONS
Application
!
Home Contacts Phone Browser
IPC IPC IPC
Application Framework
IPC
IPC & JNI
Native Layer
12

13. ANDROID IPC
• Intent
• 在 Java 層，⽤用來傳送訊息的資料結構
• Asynchronous Communication
• ContentResolver 跟 ContentProvider 是
Synchronous Communication
• 透過 CRUD API
13

14. INTENT
• 包含⼀一些基本資料
• data //表⽰示所需的資料
• action //表⽰示要作的事情
• category //action 的類型
• component //送給哪個 component
• extras //要傳的額外資料
14

15. INTENT 分類
• Explicit Intent
• 有指定 component 的 Intent
• Implicit Intent
• 無指定 component 的 Intent
15

16. EXPLICIT INTENT
• Intent.setComponent(ComponentName)
• Intent.setClass(Context, Class)
• new Intent(Context, Class)
16

17. INTENT
• 不適合⽤用在 low-latency 通訊
• 基於 Binder
• Intent 實作 Cloneable 和 Parcelable
• 是 Parcelable 才能透過 IPC 傳遞
• ... Or you are a primitive type
17

18. 與 ACTIVITY 互動
Activity Activity
start
return
18

19. ⽤用 INTENT 可以做什麼 ?
• startActivity(Intent)
• startActivityForResult(Intent, int)
• 開啟⼀一個 Activity ...
19

20. 與 SERVICE 互動
Activity
BroadcastReceiver
Service
start / stop / bind
start / stop / bind
20

21. ⽤用 INTENT 可以做什麼 ?
• startService(Intent)
• 開啟⼀一個 Service ...
• stopService(Intent)
• 關閉⼀一個 Service ...
21

22. ⽤用 INTENT 可以做什麼 ?
• bindService(Intent, ServiceConnection, int)
• 跟⼀一個 Service 建⽴立連線 ..
• ServiceConnection 裡⾯面可以初始化⼀一些 bind 後所需的
變數
22

23. 與 BROADCASTRECEVIER 互
動
BroadcastReceiverActivity
Service
System
send Intent
23

24. ⽤用 INTENT 可以做什麼 ?
• sendBroadcast(Intent)
• sendOrderedBroadcast、sendStickyBroadcast、
sendStickyOrderedBroadcast
• 送 Intent 到 BroadcastReceiver ...
24

25. 另外還有 ... ?
• Messenger & Handler
• 常⽤用於 Activity / Service 間通訊
• Message.what: 要做什麼
• Message.setData(Bundle): 要傳的資料
• 不同 process，請⽤用 Bundle
• 如果同 process 內，可使⽤用 Message.obj 傳 object
25

26. MESSENGER & HANDLER
App A App B
Activity
ServiceMessenger
Handler
call back
start
pass by
reference
call back
reference / call
26

27. MESSENGER & HANDLER
• 和 Intent 很像
• 但提供了雙向溝通!
• Android Developer 網站說明:
Reference to a Handler, which others can use to send
messages to it. This allows for the implementation of
message-based communication across processes, by
creating a Messenger pointing to a Handler in one
process, and handing that Messenger to another
process.
27

28. MESSENGER & HANDLER
• 特⾊色
• Low latency, but still asynchronous
28

29. MESSENGER & HANDLER
• DEMO
29

30. MESSENGER & HANDLER
• 在 Service 中註冊 Handler 和 Messenger
30

31. MESSENGER & HANDLER
• 在 Service onBind 的時候 return ⼀一個 IBinder
• 與 Service bind 在⼀一起的 Activity 可透過此 IBinder
物件傳送訊息
31

32. MESSAGE
• ⽤用 Message.obtain() 從 mPool 拿⼀一個 Message
object
• 較不建議⽤用 new Message();
• replyTo: 回應給這個 Messenger
32

33. 所以來說說他們背後的
BINDER 吧 !
33

34. BINDER !
• 超重要的！
In the Android platform, the binder is used for
nearly everything that happens across processes
in the core platform. - Dianne Hackborn!
[https://lkml.org/lkml/2009/6/25/3]
34

35. METHOD INVOCATION
• 在同⼀一個 Process 內的時候
caller
callee
35

36. OTHER PROCESS?
• RPC ?
• Messaging Passing ?
• Socket ?
• ...
36

37. BINDER 系統架構其實是 ...
Java Binder
⽤用⼾戶端/伺服器端
Native Binder
⽤用⼾戶端/伺服器端
Java Binder
Framework
Native Binder
Framework
Binder 核⼼心程式庫
Binder Adapter
ProcessState.cpp / IPCThreadState.cpp
Binder Driver
37

38. BINDER COMMUNICATION
Client Binder Service
Process A Kernel Process B
38

39. BINDER DRIVER
• Binder driver
• ioctl(binderFd, BINDER_WRITE_READ, &bwd) system call
• open / release / poll / mmap / flush / ioctl
• /dev/binder
39

40. FLAT_BINDER_OBJECT
• binder 和 handle 分別表⽰示 local object 和 remote object
• binder 會幫忙作這對應
40

41. FLAT_BINDER_OBJECT 的TYPE
• BINDER_TYPE_BINDER / BINDER_TYPE_WEAK_BINDER -
本機物件
• BINDER_TYPE_HANDLE /
BINDER_TYPE_WEAK_HANDLE - 遠端物件參照
• BINDER_TYPE_FD - 檔案
41

42. FLAT_OBJECT_TYPE 的 FLAG
• TF_ONE_WAY - 單向，⾮非同步，不需要返回
• TF_ROOT_OBJECT - 根物件，代表 type 是本機物件
• TF_STATUS_CODE - 狀態碼，代表 type 是 handle
• TF_ACCEPT_FDS - 可以接受 file descriptor，所以 handle
就會是 file descriptor
42

43. 實際傳遞的資料
BINDER_TRANSACTION_DATA
43

44. BINDER_WRITE_READ
• read_buffer 和 write_buffer 是⼀一
個指標（指向 user space 的
buffer）
• BC_TRANSACTION
• 解析將要被處理的資料
• BC_REPLY
• 回傳結果資料
struct binder_write_read {
signed long write_size;
signed long write_consumed;
unsigned long write_buffer;
signed long read_size;
signed long read_consumed;
unsigned long read_buffer;
}
44

45. BINDER COMMUNICATION
• Native Level 來說，通常⽤用 libbinder 解決，不⽤用直接操作
ioctl driver
• 但有時候想隱藏 binder，讓 client ⽐比較容易處理 ...
• AIDL !
• A Java-like lanaguage
45

46. BINDER COMMUNICATION
Client Binder Service
Process A Kernel Process B
StubProxy
46

47. AIDL
• Proxy 和 Stub
• Java-based
• 可以⽤用 aidl ⼯工具產⽣生
• Android Studio 中，把 aidl 檔案放在 /main/aidl/
<package_name>/ 底下，會⾃自⼰己在 /build/source/aidl 產
⽣生該 Interface
47

48. AIDL
• AIDL example:
48

49. AIDL
• AIDL 只是⽤用來產⽣生⼀一個 Interface
• 包含 Proxy 和 Stub 這兩個 class!
49

50. AIDL
• 產⽣生出的 interface:
50

51. AIDL
• Service 中的 Stub
51

52. MARSHALLING AND
UNMARSHALLING
• Marshalling 就是做出 Parcel object 的⾏行為
• Unmarshalling 就是將 Parcel 還原回原本的 object
52

53. PARCEL
• AIDL 會幫我們 handle 這件事
• 其實是將 object ⽤用 native binary encoding 的⽅方式重新包裝
53

54. ANDROID.OS.PARCEL
• http://www.slideshare.net/jserv/android-ipc-mechanism
54

55. BINDER COMMUNICATION
Client Binder Service
Process A Kernel Process B
StubManager Proxy
55

56. SYSTEM SERVICES
• System Services 使⽤用的作法
• Clients 根本感覺不出他們在使⽤用 IPC
• Context.getSystemService(String)
56

57. SYSTEM SERVICES
• NOTIFICATION_SERVICE
• LOCATION_SERVICE
• CONNECTIVITY_SERVICE
• WIFI_SERVICE
• ... 族繁不及備載: http://developer.android.com/reference/
android/content/Context.html
57

58. 使⽤用 SYSTEM SERVICES 的⽅方式
• Example:
58

59. BINDER COMMUNICATION
Binder Service
Kernel Process B
Service
Manager
Proxy
Client
Process A
Manager Proxy Context Manager
Framework
register CM
await reqs
get CM register
service
registered
service
register svc tx
get CM
get svc tx
init manager
get service
got service
59

60. CONTEXT MANAGER
• Binder Driver 只會允許⼀一個 Context Manager 註冊
• 所以 servicemanager 是第⼀一個被啟動的 Android service
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/
cmds/servicemanager/service_manager.c
• servicemanager a.k.a Context Manager
60

61. SERVICEMANAGER IN INIT.RC
init.rc 裡⾯面有 service 的啟動順序
61

62. 設定 SERVICEMANAGER
• frameworks/native/cmds/servicemanager/service_manager.c
這是 (void *) 0
等待 request
62

63. 設定 SERVICEMANAGER
• BINDER_SET_CONTEXT_MGR
• frameworks/native/cmds/servicemanager/binder.c
63

64. 設定 SERVICEMANAGER
• http://lxr.linux.no/linux+v3.10.6/drivers/staging/android/binder.c#L2622
64

65. SVGMGR_HANDLER
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/
servicemanager/service_manager.c#203
65

66. SERVICE MANAGER
• 系統服務需要跟 service manager 註冊
• 應⽤用程式如果要⽤用系統服務要跟 service manager 查詢
66

67. 註冊系統服務
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/
servicemanager/service_manager.c#do_add_service
67

68. 檢查要註冊的服務是否有權限
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/
servicemanager/service_manager.c#svc_can_register
68

69. ⺫⽬目前註冊的 SERVICE
• adb shell service list
69

70. 測試系統服務
• adb service call phone 1 s16 “1234567890”
70

71. 其實是...
• AIDL 中的順序
• http://androidxref.com/4.3_r2.1/xref/frameworks/base/telephony/java/com/android/internal/
telephony/ITelephony.aidl
1
271

72. 整體流程
• http://marakana.com/s/post/1340/
Deep_Dive_Into_Binder_Presentation.htm
72

73. SECURITY
• IPC 可能造成⼀一些安全問題
• 因為 Intent 可以是惡意的！
73

74. THREAT !
App A App B Malicious App
Activity
Service
Broadcast
Receiver
Activity
Service
Broadcast
Receiver
Activity
Service
Broadcast
Receiver
Intent Intent Intent
Intent
System Intent
System Intent
74

75. REFTO COMDROID
• 請⾒見 ComDroid 投影⽚片 !
75

76. QUESTIONS?
• How well does an Android component behave in the
presence of a semi-valid or random Intent?
• How robust are Android’s ICC primitives?
• How can we refine the implementation of Intents so that inpt
validation can be improved?
76

77. TESTINGTOOL
Package Manager
startActivityForResult
startService
sendBroadcast
Get a list of components
77

78. AVOID MANUAL
INTERVENTION
• startActivityForResult() and finishActivity()
• Pause 100ms between sending of each successive Intent
78

79. SEMI-MANUAL ...
• finishActivity() did not work in two situations
• System alert was generated (crash or exception)
• Activity was started as a new task
Calling startActivity() from outside of an Activity context
requires the FLAG_ACTIVITY_NEW_TASK flag.
79

80. GENERATING INTENTS
• { Action / Data / Component / Extras }
• Data URI := scheme/path?query
80

81. DATA URI SCHEME
• content://
• file://
• folder://
• directory://
• geo:
• google.streeview:
• http://
• https://
• mailto:
• ssh:
• tel:
• voicemail:
81

82. IMPLICIT INTENT
• A.Valid Intent, unrestricted fields null:
• Match only the restricted attributes of the Intent-filter
• B. Semi-valid Intent:
• Fuzz at least one fileds
82

83. VALID INTENT
• Intent filter
• Intent
<intent-filter>
<action
android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
</intent-filter>
Intent i = new Intent();
i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");
sendBroadcast(i);
83

84. SEMI-VALID INTENT
• Intent filter
• Intent
<intent-filter>
<action
android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
</intent-filter>
Intent i = new Intent();
i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");
i.addCategory("CATEGORY_ALTERNATIVE");
sendBroadcast(i);
84

85. EXPLICIT INTENT
• FIC A. Semi-valid Action and Data
• FIC B. Blank Action or Data
• FIC C. Random Action or Data
• FIC D. Random Extras
* FIC : fuzz injection campaigns
robustness of callee
potential adversary
85

86. SEMI-VALID ACTION AND
DATA
• Total Intents: |Action|x|Data| for each component
!
{ act=ACTION_EDIT
data=http://www.google.com
comp=com.android.someCompon
ent }
Meaningless
86

87. BLANK DATA OR ACTION
• Total Intents: |Action|+|Data| for each component
!
{ data=http://www.google.com
comp=com.android.someCompon
ent }
No Action
87

88. RANDOM ACTION OR DATA
{ act=ACTION_EDIT
data=a1b2c3d4
comp=com.android.someCompon
ent }
Random
88

89. RANDOM EXTRAS
{ act=ACTION_DIAL
data=tel:123-456-789
comp=com.android.someComponent has
Extras }
89

90. MACHINE
• Moto Droid - Android 2.2
• HTC Evo 3D - Android 2.3.4
• Emulator - Android 4.0
90

91. FIRMWARE
• com.android.* package
• In Droid ...
• 297 activities
• 42 services
• 59 receivers
!
!
• In Emulator ...
• 332 activities
• 54 services
• 69 receivers
91

92. MOST POPULAR FREE APPS
• 3 Dec, 2011
• Facebook
• Pandora Radio
• Voxer WalkieTalkie
• Angry Birds
• Skype
!
!
!
• 103 activities
• 11 services
92

93. EXPERIMENTAL RESULTS
93

94. FAULT INJECTION
• Choose one particular component and inject all the Intents
targeted to that component
94

95. COLLECT LOGS
• logcat
• “Force Close”
• “Application x stopped unexpectedly”
• “FATAL EXCEPTION: main”
95

96. RESULTS FOR EXPLICIT
INTENTS
• 2148 crashes in Android 2.2
• 641 crashes in Android 4.0
• 152 crashes for Apps from Market
96

97. FAILED COMPONENTS
!
• Many Android components do not perform null checks
• 3 of the apps (from Market) had at least one component
failed one or more experiments
97

98. EXCEPTIONTYPES
Should be handled
by the calling
function
98

99. IN ANDROID 4.0 ...
• Unpredictable environment-dependent errors in Android 4.0
• WindowManager$BadTokenException (26.83%)
• IllegalStateException (23.56%)
• RuntimeException (3.12%)
• system_server restarts (GC)
99

100. SYSTEM CRASH
• 3 Activities in built-in apps caused system_server to restart
• Did not catch NullPointerExceptions
• Need no extra permissions
100

101. SYSTEM CRASH
101

102. RESULTS FORVALID INTENTS
• In HTC Evo 3D ...
• 1910 Intent-filters startActivity()
• Some of them is registered by Services
• ActivityNotFoundException
• Crashed 5 components
• 12 unexpected exceptions
1. NullPointerException
2. IOException
3. Resource
$NotFoundException
102

103. RESULTS FOR SEMI-VALID
• From Intent-filters
• 643 distinct Actions
• 37 Categories
103

104. DISCUSSIONS
• Poor exception handling
• Environment-dependent errors in Android 4.0
• Privileged components with unrestricted access
104