Towards understanding Android system vulnerabilities: Techniques and insights

Author

Daoyuan WU, Singapore Management UniversityFollow
Debin GAO, Singapore Management UniversityFollow
Eric K. T. CHENG, Hong Kong Polytechnic University
Yichen CAO, SOBUG
Jintao JIANG, SOBUG
Robert H. DENG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

7-2019

Abstract

As a common platform for pervasive devices, Android has been targeted by numerous attacks that exploit vulnerabilities in its apps and the operating system. Compared to app vulnerabilities, systemlevel vulnerabilities in Android, however, were much less explored in the literature. In this paper, we perform the first systematic study of Android system vulnerabilities by comprehensively analyzing all 2,179 vulnerabilities on the Android Security Bulletin program over about three years since its initiation in August 2015. To this end, we propose an automatic analysis framework, upon a hierarchical database structure, to crawl, parse, clean, and analyze vulnerability reports and their publicly available patches. This framework includes (i) a lightweight technique to pinpoint the affected modules of given vulnerabilities; (ii) a robust method to study the complexity of patch code; and most importantly, (iii) a similarity-based algorithm to cluster patch code patterns. Our clustering algorithm first extracts patch code's essential changes that not only concisely reflect syntactic changes but also keep important semantics, and then leverages affinity propagation to automatically generate clusters based on their pairwise similarity. It allows us to obtain 16 vulnerability patterns, including six new ones not known in the literature, and we further analyze their characteristics via case studies. Besides identifying these useful patterns, we also find that 92% Android vulnerabilities are located in the low-level modules (mostly in native libraries and the kernel), whereas the framework layer causes only 5% vulnerabilities, and that half of the vulnerabilities can be fixed in fewer than 10 lines of code each, with 110 out of 1,158 cases requiring only one single line of code change. We further discuss the implications of all these results. Overall, we provide a clear overview and new insights about Android system vulnerabilities.

Keywords

Android Security, Patch Code Clustering, System Vulnerability

Discipline

Information Security | Software Engineering

Research Areas

Cybersecurity

Publication

AsiaCCS 2019: Proceedings of the 14th ACM ASIA Conference on Computer and Communications Security, Auckland, July 7-12

First Page

295

Last Page

306

ISBN

9781450367523

Identifier

10.1145/3321705.3329831

Publisher

ACM

City or Country

New York

Citation

WU, Daoyuan; GAO, Debin; CHENG, Eric K. T.; CAO, Yichen; JIANG, Jintao; and DENG, Robert H.. Towards understanding Android system vulnerabilities: Techniques and insights. (2019). AsiaCCS 2019: Proceedings of the 14th ACM ASIA Conference on Computer and Communications Security, Auckland, July 7-12. 295-306.
Available at: https://ink.library.smu.edu.sg/sis_research/4318

Copyright Owner and License

Publisher

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3321705.3329831