26. MESSENGER & HANDLER
[Diagram: App A's Activity starts App B's Service and passes it a Messenger by reference; App B then uses that reference to call back into the Handler in App A.]
27. MESSENGER & HANDLER
• Very similar to an Intent
• But it provides two-way communication!
• The Android Developer site explains it as:
Reference to a Handler, which others can use to send
messages to it. This allows for the implementation of
message-based communication across processes, by
creating a Messenger pointing to a Handler in one
process, and handing that Messenger to another
process.
34. BINDER !
• Extremely important!
In the Android platform, the binder is used for
nearly everything that happens across processes
in the core platform. - Dianne Hackborn!
[https://lkml.org/lkml/2009/6/25/3]
44. BINDER_WRITE_READ
• read_buffer and write_buffer are pointers (addresses of buffers in user space, not the data itself)
• BC_TRANSACTION
• the command whose transaction data is to be parsed and handled
• BC_REPLY
• carries the result data back
struct binder_write_read {
signed long write_size;
signed long write_consumed;
unsigned long write_buffer;
signed long read_size;
signed long read_consumed;
unsigned long read_buffer;
};
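The struct above modelled in Python with ctypes, as an added example that is not part of the slides. It shows how a client fills the header before the ioctl (the buffer fields hold user-space addresses, so the driver has to copy through them rather than trust them) and why the ioctl request number differs between 32-bit and 64-bit callers. The one fact assumed beyond the slide is the kernel header definition BINDER_WRITE_READ = _IOWR('b', 1, struct binder_write_read); the sample command stream is constructed.

```python
import ctypes

# Added example: struct binder_write_read as shown on the slide.
# Assumption (from the kernel uapi header, not the slide):
#   BINDER_WRITE_READ = _IOWR('b', 1, struct binder_write_read)


class BinderWriteRead(ctypes.Structure):
    # signed/unsigned long is 4 bytes on 32-bit ABIs and 8 on 64-bit ones,
    # so the same struct is 24 or 48 bytes depending on the caller's ABI.
    _fields_ = [
        ("write_size", ctypes.c_long),      # bytes the client asks the driver to consume
        ("write_consumed", ctypes.c_long),  # set by the driver: bytes actually consumed
        ("write_buffer", ctypes.c_ulong),   # user-space address of the BC_* command stream
        ("read_size", ctypes.c_long),       # capacity of the reply buffer
        ("read_consumed", ctypes.c_long),   # set by the driver: bytes of BR_* data written
        ("read_buffer", ctypes.c_ulong),    # user-space address the driver copies replies to
    ]


# Linux asm-generic ioctl encoding: dir(2 bits) | size(14) | type(8) | nr(8)
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_WRITE, _IOC_READ = 1, 2


def _ioc(direction, typ, nr, size):
    return ((direction << _IOC_DIRSHIFT) | (ord(typ) << _IOC_TYPESHIFT)
            | (size << _IOC_SIZESHIFT) | (nr << _IOC_NRSHIFT))


def binder_write_read_ioctl():
    """_IOWR('b', 1, struct binder_write_read).

    sizeof(struct) is baked into the number, so a 32-bit caller issues
    0xC0186201 and a 64-bit caller 0xC0306201 for the same operation.
    """
    return _ioc(_IOC_READ | _IOC_WRITE, "b", 1, ctypes.sizeof(BinderWriteRead))


def build_write_read(command_stream, read_capacity):
    """Fill the header the way a client does before ioctl(fd, BINDER_WRITE_READ, &bwr).

    Returns the struct together with both buffers so they outlive the
    addresses stored in it.
    """
    wbuf = ctypes.create_string_buffer(command_stream, len(command_stream))
    rbuf = ctypes.create_string_buffer(read_capacity)
    bwr = BinderWriteRead()
    bwr.write_size = len(command_stream)
    bwr.write_consumed = 0
    bwr.write_buffer = ctypes.addressof(wbuf)  # only an address: the kernel must copy_from_user
    bwr.read_size = read_capacity
    bwr.read_consumed = 0
    bwr.read_buffer = ctypes.addressof(rbuf)
    return bwr, wbuf, rbuf


def driver_view(bwr):
    """What the driver reads through write_buffer after copying in the header.

    Nothing about the Python objects is visible to it; it sees raw bytes at
    an address the client chose, which is why write_size and the address
    both need validation on the kernel side.
    """
    return ctypes.string_at(bwr.write_buffer, bwr.write_size)


if __name__ == "__main__":
    # Constructed sample: 4 command bytes followed by a payload
    bwr, _w, _r = build_write_read(b"\x01\x02\x03\x04payload", 64)
    print(hex(binder_write_read_ioctl()), ctypes.sizeof(BinderWriteRead), driver_view(bwr))
```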
59. BINDER COMMUNICATION
[Diagram: Binder communication across Process A (Client, Proxy and Manager Proxy on the Framework side), the kernel (Binder Service and Context Manager) and Process B (Service and Service Manager). Sequence: the Service Manager registers itself as Context Manager (register CM) and awaits requests; Process B gets the CM and registers its service (register svc tx, service registered); Process A's Manager Proxy gets the CM (init manager), sends a get-service transaction (get svc tx) and receives the service handle (got service).]
74. THREAT !
[Diagram: App A, App B and a Malicious App each expose an Activity, a Service and a Broadcast Receiver. Intents flow between the apps' components, the Malicious App sends Intents to the other apps' components, and System Intents are delivered to them as well.]
76. QUESTIONS?
• How well does an Android component behave in the
presence of a semi-valid or random Intent?
• How robust are Android’s ICC primitives?
• How can we refine the implementation of Intents so that input
validation can be improved?
79. SEMI-MANUAL ...
• finishActivity() did not work in two situations
• System alert was generated (crash or exception)
• Activity was started as a new task
Calling startActivity() from outside of an Activity context
requires the FLAG_ACTIVITY_NEW_TASK flag.
80. GENERATING INTENTS
• { Action / Data / Component / Extras }
• Data URI := scheme/path?query
82. IMPLICIT INTENT
• A. Valid Intent, unrestricted fields null:
• Match only the restricted attributes of the Intent-filter
• B. Semi-valid Intent:
• Fuzz at least one field
85. EXPLICIT INTENT
• FIC A. Semi-valid Action and Data
• FIC B. Blank Action or Data
• FIC C. Random Action or Data
• FIC D. Random Extras
* FIC : fuzz injection campaigns
robustness of callee
potential adversary
86. SEMI-VALID ACTION AND DATA
• Total Intents: |Action| x |Data| for each component
{ act=ACTION_EDIT data=http://www.google.com comp=com.android.someComponent }
Meaningless
87. BLANK DATA OR ACTION
• Total Intents: |Action| + |Data| for each component
{ data=http://www.google.com comp=com.android.someComponent }
No Action
88. RANDOM ACTION OR DATA
{ act=ACTION_EDIT data=a1b2c3d4 comp=com.android.someComponent }
Random
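A generator for the four explicit-Intent fuzz injection campaigns described on slides 85 to 88 (semi-valid, blank, random action or data, random extras), as an added example that is not part of the slides or the original tool. It builds the Intent field sets, counts out as |Action| x |Data| and |Action| + |Data| per component, and renders each as an `adb shell am` line with FLAG_ACTIVITY_NEW_TASK set, since slide 79 notes that starting from outside an Activity context requires it. The component name, actions and data URIs are constructed sample inputs.

```python
import itertools
import random
import shlex

# Added example: explicit-Intent fuzz injection campaigns (FIC A-D) for one
# component, rendered as `am` command lines. Sample inputs are constructed.
FLAG_ACTIVITY_NEW_TASK = 0x10000000  # Intent.FLAG_ACTIVITY_NEW_TASK
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def data_uri(scheme, path, query=None):
    """Data URI := scheme/path?query, the grammar from slide 80."""
    uri = f"{scheme}://{path}"
    return uri + (f"?{query}" if query else "")


def make_intent(comp, act=None, data=None, extras=None):
    """An Intent reduced to the four fuzzed fields; None leaves a field blank."""
    return {"comp": comp, "act": act, "data": data, "extras": dict(extras or {})}


def random_token(rng, n=8):
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def fic_a(comp, actions, data_uris):
    """FIC A, semi-valid: every action with every data URI, |Action| x |Data| Intents.
    Pairs such as ACTION_EDIT + http://www.google.com are well-formed but meaningless."""
    return [make_intent(comp, a, d) for a, d in itertools.product(actions, data_uris)]


def fic_b(comp, actions, data_uris):
    """FIC B, blank: each action without data, then each data without action, |Action| + |Data|."""
    return ([make_intent(comp, a, None) for a in actions]
            + [make_intent(comp, None, d) for d in data_uris])


def fic_c(comp, actions, data_uris, rng):
    """FIC C, random: keep one valid half and replace the other with a random string."""
    return ([make_intent(comp, a, random_token(rng)) for a in actions]
            + [make_intent(comp, random_token(rng), d) for d in data_uris])


def fic_d(comp, actions, data_uris, rng, n_extras=3):
    """FIC D, random extras: valid action/data pairs carrying junk key/value extras."""
    out = []
    for a, d in itertools.product(actions, data_uris):
        extras = {random_token(rng, 5): random_token(rng) for _ in range(n_extras)}
        out.append(make_intent(comp, a, d, extras))
    return out


def campaign(comp, actions, data_uris, seed=0):
    rng = random.Random(seed)  # seeded so a crashing Intent can be regenerated exactly
    return {
        "A": fic_a(comp, actions, data_uris),
        "B": fic_b(comp, actions, data_uris),
        "C": fic_c(comp, actions, data_uris, rng),
        "D": fic_d(comp, actions, data_uris, rng),
    }


def to_am_command(intent, kind="start"):
    """Render as `am start|startservice|broadcast`; blank fields are simply omitted."""
    parts = ["am", kind]
    if kind == "start":
        parts += ["-f", hex(FLAG_ACTIVITY_NEW_TASK)]
    if intent["act"] is not None:
        parts += ["-a", intent["act"]]
    if intent["data"] is not None:
        parts += ["-d", intent["data"]]
    for key, value in intent["extras"].items():
        parts += ["--es", key, value]
    parts += ["-n", intent["comp"]]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    comp = "com.android.example/.SomeComponent"  # constructed target
    actions = ["android.intent.action.EDIT", "android.intent.action.VIEW"]
    uris = [data_uri("http", "www.google.com"), data_uri("content", "contacts/people/1")]
    for name, intents in campaign(comp, actions, uris).items():
        for it in intents:
            print(name, to_am_command(it))
```

Each line is meant to be run through `adb shell`; after every one, the harness still has to check logcat for the crash or exception and finish the started Activity, which is the semi-manual part the slides describe.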
96. RESULTS FOR EXPLICIT INTENTS
• 2148 crashes in Android 2.2
• 641 crashes in Android 4.0
• 152 crashes for Apps from Market
97. FAILED COMPONENTS
• Many Android components do not perform null checks
• 3 of the apps (from Market) had at least one component
that failed one or more experiments
100. SYSTEM CRASH
• 3 Activities in built-in apps caused system_server to restart
• Did not catch NullPointerExceptions
• No extra permissions needed
102. RESULTS FOR VALID INTENTS
• On the HTC Evo 3D ...
• 1910 Intent-filters startActivity()
• Some of them are registered by Services
• ActivityNotFoundException
• Crashed 5 components
• 12 unexpected exceptions
1. NullPointerException
2. IOException
3. Resources$NotFoundException