Title
JGRE: An Analysis of JNI Global Reference Exhaustion Vulnerabilities in Android
Abstract
The Android system applies a permission-based security model to restrict unauthorized apps from accessing system services; however, this security model cannot constrain authorized apps from sending excessive service requests to exhaust the limited system resources allocated for each system service. As references from native code to a Java object, JNI Global References (JGR) are prone to memory leaks, since they are not automatically garbage collected. Moreover, JGR exhaustion may lead to process abort or even Android system reboot when the victim process cannot afford the JGR requests triggered by malicious apps through inter-process communication. In this paper, we perform a systematic study on JGR exhaustion (JGRE) attacks against all system services in Android. Our experimental results show that among the 104 system services in Android 6.0.1, 32 system services have 54 vulnerabilities. Particularly, 22 system services can be successfully attacked without any permission support. After reporting those vulnerabilities to the Android security team and getting them confirmed, we study the existing ad hoc countermeasures in Android against JGRE attacks. Surprisingly, among the 10 system services that have been protected, 8 system services are still vulnerable to JGRE attacks. Finally, we develop an effective defense mechanism to defeat all identified JGRE attacks by adopting Android's low memory killer (LMK) mechanism.
Year: 2017
DOI: 10.1109/DSN.2017.40
Venue: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Keywords: Android LMK mechanism, Android low memory killer mechanism, interprocess communication, malicious apps, JGR exhaustion attacks, memory leaks, Java object, native code, limited system resource allocation, excessive service requests, system services, unauthorized apps, permission-based security model, Android 6.0.1, 32 system services, JNI global reference exhaustion vulnerabilities, JGRE attacks
Field: Reboot, Permission, Internet privacy, Garbage, Android (operating system), Computer security, Computer science, Machine code, Memory leak, Java, Computer security model
DocType: Conference
ISSN: 1530-0889
ISBN: 978-1-5386-0543-1
Citations: 2
PageRank: 0.39
References: 16
Authors: 7
Name
Order
Citations
PageRank
Yacong Gu151.78
Sun Kun255952.07
Purui Su39413.71
Li Qi434567.01
Yemian Lu551.44
Deng-Guo Feng61991190.95
Lingyun Ying7243.41