Blender: Self-randomizing Address Space Layout for Android Apps

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9854)

Abstract

In this paper, we first demonstrate that the Android RunTime (ART), introduced as the default runtime in recent Android versions (Android 5.0 and above), exposes a new attack surface, which we call the “return-to-art” (ret2art) attack. Unlike traditional return-to-library attacks, a ret2art attack abuses Android framework APIs (for example, the API that sends SMS messages) as its payload, so the attacker can perform malicious operations conveniently. This new attack surface, together with the weakened ASLR implementation in Android, makes successful exploitation of vulnerable apps much easier. To mitigate this threat and give Android apps self-protection, we propose a user-level solution called Blender, which lets an app randomize its own address space layout. Specifically, for an app using our system, Blender randomly rearranges the loaded libraries and the Android runtime’s executable code within the app’s process, achieving much higher memory entropy than the vanilla app. Blender requires no changes to the Android framework or the underlying Linux kernel, so it is a non-invasive and easy-to-deploy solution. Our evaluation shows that Blender increases the memory footprint of an app using our system by only about 6 MB and does not affect other apps that do not use it. It adds about 0.3 s to app start-up time and imposes negligible CPU and battery overheads.
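The “weakened ASLR” the abstract refers to comes from the way stock Android starts apps: every app process is forked from the Zygote process, so the system libraries and the ART boot image that Zygote already mapped sit at the same addresses in every app, and an address leaked from one process (or learned from a prior launch) is valid in another. The check below is an added example, not code from the paper or from the Blender project: it parses `/proc/<pid>/maps` snapshots taken across several launches of an app, computes each file-backed object’s load base, and reports which objects never move. The three snapshots are constructed for illustration; on a device you would collect them with `cat /proc/<pid>/maps` (root, or `run-as` for a debuggable app). The paths and addresses are made up.

```python
import math
import re
from collections import defaultdict

# Constructed /proc/<pid>/maps excerpts from three launches of the same app on a
# stock (Zygote-forking) system. Only the app's own compiled code (base.odex)
# moves between launches; libc.so and boot.oat are inherited from Zygote and stay put.
SNAPSHOTS = {
    "launch-1": """\
12c00000-12e00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7b6a400000-7b6a500000 r--p 00000000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7b6a500000-7b6a900000 r-xp 00100000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7f5c000000-7f5c800000 r--p 00000000 fd:00 42     /system/framework/arm64/boot.oat
7f5c800000-7f5f000000 r-xp 00800000 fd:00 42     /system/framework/arm64/boot.oat
7f92a00000-7f92ab0000 r-xp 00000000 fd:00 77     /system/lib64/libc.so
7f92ab0000-7f92ac0000 r--p 000b0000 fd:00 77     /system/lib64/libc.so
7ff1234000-7ff1255000 rw-p 00000000 00:00 0      [stack]
""",
    "launch-2": """\
7b3f100000-7b3f200000 r--p 00000000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7b3f200000-7b3f600000 r-xp 00100000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7f5c000000-7f5c800000 r--p 00000000 fd:00 42     /system/framework/arm64/boot.oat
7f5c800000-7f5f000000 r-xp 00800000 fd:00 42     /system/framework/arm64/boot.oat
7f92a00000-7f92ab0000 r-xp 00000000 fd:00 77     /system/lib64/libc.so
7f92ab0000-7f92ac0000 r--p 000b0000 fd:00 77     /system/lib64/libc.so
7fe0a10000-7fe0a31000 rw-p 00000000 00:00 0      [stack]
""",
    "launch-3": """\
7b8d700000-7b8d800000 r--p 00000000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7b8d800000-7b8dc00000 r-xp 00100000 fd:00 1234   /data/app/com.example.app-1/oat/arm64/base.odex
7f5c000000-7f5c800000 r--p 00000000 fd:00 42     /system/framework/arm64/boot.oat
7f5c800000-7f5f000000 r-xp 00800000 fd:00 42     /system/framework/arm64/boot.oat
7f92a00000-7f92ab0000 r-xp 00000000 fd:00 77     /system/lib64/libc.so
7f92ab0000-7f92ac0000 r--p 000b0000 fd:00 77     /system/lib64/libc.so
7fc3b40000-7fc3b61000 rw-p 00000000 00:00 0      [stack]
""",
}

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of mapping dicts; skip unparsable lines."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            mappings.append({
                "start": int(m["start"], 16), "end": int(m["end"], 16),
                "perms": m["perms"], "offset": int(m["offset"], 16),
                "path": m["path"].strip(),
            })
    return mappings


def library_bases(text):
    """Load base of every file-backed object: the lowest start address among its
    mappings with file offset 0 (the segment that carries the ELF/OAT header)."""
    bases = {}
    for mp in parse_maps(text):
        if mp["path"].startswith("/") and mp["offset"] == 0:
            bases[mp["path"]] = min(bases.get(mp["path"], mp["start"]), mp["start"])
    return bases


def randomization_report(snapshots):
    """Per object, how many distinct bases were seen across launches. log2 of that
    count is only a lower bound on the entropy actually present, but a count of 1
    across many launches means the object is not randomized per process at all."""
    seen = defaultdict(set)
    for text in snapshots.values():
        for path, base in library_bases(text).items():
            seen[path].add(base)
    return {p: {"distinct": len(b), "bits": math.log2(len(b)), "fixed": len(b) == 1}
            for p, b in seen.items()}


def fixed_objects(snapshots):
    """Sorted paths whose base never changed: the Zygote-inherited layout."""
    return sorted(p for p, i in randomization_report(snapshots).items() if i["fixed"])


if __name__ == "__main__":
    for path, info in sorted(randomization_report(SNAPSHOTS).items()):
        status = "FIXED across launches" if info["fixed"] else f"{info['distinct']} distinct bases"
        print(f"{path}: {status} (~{info['bits']:.2f} bits observed)")
```

With the constructed input the report flags `libc.so` and `boot.oat` as fixed, which is exactly the layout a ret2art payload can rely on, while `base.odex` moves on every launch (the point of footnote 2 below). Run the same check on an app that self-randomizes its libraries and runtime code and those two objects should stop appearing in `fixed_objects`. Use many more than three snapshots before drawing conclusions about entropy; a few samples can only prove the absence of randomization, not measure its amount.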

Notes

  1. In early versions of Android without ASLR support, system libraries are pre-loaded at fixed locations.

  2. Actually, the app’s bytecode in the file classes.dex is also compiled into native code. However, that compiled native code is loaded at a different place each time the app is started.

  3. There is an experimental implementation of the ART runtime in Android 4.4, but it is disabled by default.

Author information

Correspondence to Mingshen Sun.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Sun, M., Lui, J.C.S., Zhou, Y. (2016). Blender: Self-randomizing Address Space Layout for Android Apps. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_21

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2
