Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
7-2019
Abstract
As a common platform for pervasive devices, Android has been targeted by numerous attacks that exploit vulnerabilities in its apps and the operating system. Compared to app vulnerabilities, systemlevel vulnerabilities in Android, however, were much less explored in the literature. In this paper, we perform the first systematic study of Android system vulnerabilities by comprehensively analyzing all 2,179 vulnerabilities on the Android Security Bulletin program over about three years since its initiation in August 2015. To this end, we propose an automatic analysis framework, upon a hierarchical database structure, to crawl, parse, clean, and analyze vulnerability reports and their publicly available patches. This framework includes (i) a lightweight technique to pinpoint the affected modules of given vulnerabilities; (ii) a robust method to study the complexity of patch code; and most importantly, (iii) a similarity-based algorithm to cluster patch code patterns. Our clustering algorithm first extracts patch code's essential changes that not only concisely reflect syntactic changes but also keep important semantics, and then leverages affinity propagation to automatically generate clusters based on their pairwise similarity. It allows us to obtain 16 vulnerability patterns, including six new ones not known in the literature, and we further analyze their characteristics via case studies. Besides identifying these useful patterns, we also find that 92% Android vulnerabilities are located in the low-level modules (mostly in native libraries and the kernel), whereas the framework layer causes only 5% vulnerabilities, and that half of the vulnerabilities can be fixed in fewer than 10 lines of code each, with 110 out of 1,158 cases requiring only one single line of code change. We further discuss the implications of all these results. Overall, we provide a clear overview and new insights about Android system vulnerabilities.
Keywords
Android Security, Patch Code Clustering, System Vulnerability
Discipline
Information Security | Software Engineering
Research Areas
Cybersecurity
Publication
AsiaCCS 2019: Proceedings of the 14th ACM ASIA Conference on Computer and Communications Security, Auckland, July 7-12
First Page
295
Last Page
306
ISBN
9781450367523
Identifier
10.1145/3321705.3329831
Publisher
ACM
City or Country
New York
Citation
WU, Daoyuan; GAO, Debin; CHENG, Eric K. T.; CAO, Yichen; JIANG, Jintao; and DENG, Robert H..
Towards understanding Android system vulnerabilities: Techniques and insights. (2019). AsiaCCS 2019: Proceedings of the 14th ACM ASIA Conference on Computer and Communications Security, Auckland, July 7-12. 295-306.
Available at: https://ink.library.smu.edu.sg/sis_research/4318
Copyright Owner and License
Publisher
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3321705.3329831