Mutian Yang

Exception beyond Exception: Crashing Android System by Trapping in "Uncaught Exception"

Android is characterized as a complicated open source software stack created for a wide array of devices with different form of factors, whose latest release has over one hundred million lines of code. Such code is mainly developed with the Java language, which builds complicated logic and brings implicit information flows among components and the inner framework. By studying the source code of system service interfaces, we discovered an unknown type of code flaw, which is named uncaughtException flaw, caused by un-well implemented exceptions that could crash the system and be further vulnerable to system level Denial-of-Service (DoS) attacks. We found that exceptions are used to handle the errors and other exceptional events but sometimes they would kill some critical system services exceptionally. We designed and implemented ExHunter, a new tool for automatic detection of this uncaughtException flaw by dynamically reflecting service interfaces, continuously fuzzing parameters and verifying the running logs. On 11 new popular Android devices, ExHunter extracted 1045 system services, reflected 758 suspicious functions, discovered 132 uncaughtException flaws which are 0-day vulnerabilities that have never been known before and generated 275 system DoS attack exploitations. The results showed that: (1) almost every type of Android phone suffers from this flaw, (2) the flaws are different from phone by phone, and (3) all the vulnerabilities can be exploited by direct/indirect trapping. To mitigate uncaughtException flaws, we further developed ExCatcher to re-catch the exceptions. Finally, we informed four internationally renowned manufacturers and provided secure improvements in their commercial phones.

Vulnerability Detection of Android System in Fuzzing Cloud

The rapid growth of Android system has encountered enormous security challenges. The vulnerabilities caused by the limited security models, coarse permission system and code flaws lead to private information leakage, deny of service, potential costs, etc. To detect these vulnerabilities, some analysis and security testing methods have been presented. However, most of these methods focus on certain aspects, for example, applications, permission, or capability leakage. In this paper, we propose a new detection paradigm named Fuzzing Cloud to detect vulnerabilities in Android system. Firstly, the architecture of fuzzing cloud is introduced, and the fuzzing nodes are investigated. Then, each layer of the Android system is decomposed into separated modules, and the fuzzing test cases are created with the endless capacity of processing power and storage in fuzzing cloud. Finally, the prototype of fuzzing cloud has been implemented, and some separated modules have been tested. The experiment results show that some vulnerabilities can be detected by the fuzzing cloud. It is also believed that after small extension, fuzzing cloud can detect vulnerabilities in other systems.

Vulcloud: Scalable and Hybrid Vulnerability Detection in Cloud Computing

Vulnerability exploits will result in security breaches or violations of the systems security policy causing information leakage or economic losses. Although many detection methods such as static analysis, dynamic analysis and fuzz testing have been presented, the vulnerabilities are still difficult to detect. In this paper, we propose a new detection cloud service Vulcloud, which is scalable and hybrid combining the static, dynamic and fuzzing into cloud computing. Vulcloud first statically analyzes the objects and reports the potential vulnerable items. And then, the fuzzing cases for the items are semi-automated created, and tested under the dynamic monitoring. Finally, the source code of the results are statically analyzed again to determine whether they are vulnerabilities or not. The prototype of Vulcloud is implemented, and the performance is evaluated by Mplayer source code. The experiment results show that Vulcloud can detect vulnerabilities in software, and the challenges of storage and processing capabilities are resolved by cloud computing.

Pre-Patch: Find Hidden Threats in Open Software Based on Machine Learning Method

The details of vulnerabilities are always kept confidential until fixed, which is an efficient way to avoid the exploitations and attacks. However, the Security Related Commits (SRCs), used to fix the vulnerabilities in open source software, usually lack proper protections. Most SRCs are released in code repositories such as Git, Github, Sourceforge, etc. earlier than the corresponding vulnerabilities published. These commits often previously disclose the vital information which can be used by the attackers to locate and exploit the vulnerable code. Therefore, we defined the pre-leaked SRC as the Pre-Patch problem and studied its hidden threats to the open source software. In this paper, we presented an Automatic Security Related Commits Detector (ASRCD) to rapidly identify the Pre-Patch problems from the numerous commits in code repositories by learning the features of SRCs. We implemented ASRCD and evaluated it with 78,218 real-world commits collected from Linux Kernel, OpenSSL, phpMyadmin and Mantisbt released between 2016 to 2017, which contain 227 confirmed SRCs. ASRCD successfully identified 206 SRCs from the 4 projects, including 140 known SRCs (recall rate: 61.7% on average) and 66 new high-suspicious. In addition, 5 of the SRCs have been published after our prediction. The results show that: (1) the Pre-Patch is really a hidden threat to open source software; and (2) the proposed ASRCD is effective in identifying such SRCs. Finally, we recommended the identified SRCs should be fixed as soon as possible.

MAD-API: Detection, Correction and Explanation of API Misuses in Distributed Android Applications

Android API is evolving continuously, including API updates, deletion, addition and changes. Unfortunately, we find that the distributed Android applications (apps) often fail to keep pace with the API evolution. Specifically, the apps usually involve the APIs that are out of date, which potentially cause the apps or Android system to behave abnormally, leak sensitive information or crash down. We call this issue that making the Android phones unreliable as API misuse. To investigate the universality of this issue and detect the defective apps in the wild, we propose an automated framework MAD-API that consists of a detection method that identifies API misuses in apps and a recommendation method to trace the latest API status and correct the misuses. We implement MAD-API based on 13 Android versions, and evaluate it with the top 10,000 Android apps. According to the evaluation, 93.13% of the evaluated apps suffer from API misuse problems, and the total number of API misuses is 1,241,831. In addition, apps with larger size have more API misuses. Worst of all, some APIs are misused all the time. The results indicate that (1) the API misuse issue widely exists in distributed apps, (2) MAD-API is able to detect API misuses in Android apps effectively, and (3) MAD-API also help developers trace the defective APIs in their distributed apps conveniently and correct them immediately.

Droidrevealer: Automatically detecting Mysterious Codes in Android applications

The state-of-the-art Android malware often encrypts or encodes malicious code snippets to evade malware detection. In this paper, such undetectable codes are called Mysterious Codes. To make such codes detectable, we design a system called Droidrevealer to automatically identify Mysterious Codes and then decode or decrypt them. The prototype of Droidrevealer is implemented and evaluated with 5,600 malwares. The results show that 257 samples contain the Mysterious Codes and 11,367 items are exposed. Furthermore, several sensitive behaviors hidden in the Mysterious Codes are disclosed by Droidrevealer.

Policykeeper: Recommending Proper Security Mechanisms Based on the Severity of Vulnerability Considering User Experience

The current statistics of vulnerability indicates that the security mechanisms become more important to protect the security of operating system than before. The security mechanism is regarded as an effective method of defence. However it is a great challenge to balance the security assurance and the user experience. In this paper, we propose the Policy keeper, which is a method of recommending the security mechanisms based on the severity of vulnerability, referencing the Common Vulnerability Scoring System (CVSS), considering the user experience. An algorithm is designed to transform the adaptability of a security mechanism into the numeric values which are easy to calculate and mine. The prototype is implemented. The experiment results show that Policy keeper can effectively balance the strength of security mechanisms and the user experience, recommend the appropriate security mechanisms to the operating systems.