Uncovering Cross-Context Inconsistent Access Control Enforcement in Android

Hao Zhou, Haoyu Wang, Xiapu Luo, Ting Chen, Yajin Zhou, Ting Wang

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

Abstract

Due to the complexity resulted from the huge code base and the multi-context nature of Android, inconsistent access control enforcement exists in Android, which can be exploited by malware to bypass the access control and perform unauthorized security-sensitive operations. Unfortunately, existing studies only focus on the inconsistent access control enforcement in the Java context of Android. In this paper, we conduct the first systematic investigation on the inconsistent access control enforcement across the Java context and native context of Android. In particular, to automatically discover cross-context inconsistencies, we design and implement IAceFinder, a new tool that extracts and contrasts the access control enforced in the Java context and native context of Android. Applying IAceFinder to 14 open-source Android ROMs, we find that it can effectively uncover their cross-context inconsistent access control enforcement. Specifically, IAceFinder discovers 23 inconsistencies that can be abused by attackers to compromise the device and violate user privacy.
Original languageEnglish
Title of host publicationProceedings of the 29th Network and Distributed System Security Symposium (NDSS)
Pages1-18
Publication statusPublished - 27 Feb 2022
Event29th Network and Distributed System Security Symposium (NDSS) - San Diego, California, United States
Duration: 27 Feb 202227 Feb 2022
https://www.ndss-symposium.org/ndss2022/

Conference

Conference29th Network and Distributed System Security Symposium (NDSS)
Country/TerritoryUnited States
CityCalifornia
Period27/02/2227/02/22
Internet address

Fingerprint

Dive into the research topics of 'Uncovering Cross-Context Inconsistent Access Control Enforcement in Android'. Together they form a unique fingerprint.

Cite this