Abstract
Component hijacking is a class of vulnerabilities that commonly appears in Android applications. When attackers trigger these vulnerabilities, the vulnerable apps can exfiltrate sensitive information and compromise data integrity on Android devices on the attackers' behalf. It is often unrealistic to rely purely on developers to fix these vulnerabilities, for two reasons: (1) it is a time-consuming process for the developers to confirm each vulnerability and release a patch for it; and (2) the developers may not be experienced enough to properly fix the problem. In this paper, we propose a technique for automatic patch generation. Given a vulnerable Android app (without source code) and a discovered component hijacking vulnerability, we automatically generate a patch to disable this vulnerability. We have implemented a prototype called AppSealer and evaluated its efficacy on apps with component hijacking vulnerabilities. Our evaluation on 16 real-world vulnerable Android apps demonstrates that the generated patches can effectively track and mitigate component hijacking vulnerabilities. Moreover, after going through a series of optimizations, the patch code represents only a small portion (15.9% on average) of the entire program. The runtime overhead introduced by AppSealer is also minimal, merely 2% on average.
© 2016 The Author(s)
About this chapter
Cite this chapter
Zhang, M., Yin, H. (2016). Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks. In: Android Application Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-47812-8_4
DOI: https://doi.org/10.1007/978-3-319-47812-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47811-1
Online ISBN: 978-3-319-47812-8
eBook Packages: Computer Science, Computer Science (R0)