Android is a complex platform with diverse, concurrently running services. In the past, we focused on privileged components such as fuzzing the secure monitor with EL3XIR, targeting trusted applications, or even surveying the use of rollback counters in trusted applications.
As more and more components get secured and hardened, we wanted to look at the remaining attack surface. The assumption is that an attacker already has code execution in user space as part of an untrusted app and tries to escalate their privileges to a system service. In the past, exploitation often involved triggering kernel bugs. As more and more services are rewritten in Rust, this attack vector is increasingly mitigated. For example, the Binder IPC interface in the kernel is now largely written in Rust and therefore no longer exposed to memory corruption.
Attackers are therefore increasingly targeting system services through the Binder interface. While previous work identified this attack surface, it did not support proprietary services, i.e., services without source code, running natively on a device. These services are still written in C/C++ and therefore vulnerable to memory corruption.
We therefore analyzed this new privilege layer of native system services and worked on a static analysis that recovers the Binder interface and creates fuzzing harnesses for on-device fuzzing of these custom privileged services. NASS introduces deserialization-guided interface extraction to analyze the underlying Binder interface exposed by the native system services and automatically creates fuzzing harnesses. Through our design, we address two key challenges: interface awareness (i.e., we know how to interact with the service) and coverage (i.e., we can give the fuzzer feedback on what functionality it has already explored). Effectively fuzzing RPC servers is only possible with awareness of the exposed interface, such as the API calls and the expected data format/data.
The key idea behind NASS is that RPC frameworks generally leverage a compiler to translate the interface description into native code. This automatically generated code follows a clear translation pattern that we reverse to recover the interface description. Applied to native services, this gives us a grammar to fuzz the broad RPC interface.
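To make the interface-awareness point from the two paragraphs above concrete, here is an added example (written for this post, not NASS's own tooling): a toy Parcel encoder/decoder driven by a per-transaction field grammar of the kind a harness would recover from the generated deserialization code, so that harness inputs survive the service's read sequence instead of being rejected before the method body runs. The transaction codes, method names and the simplified Parcel layout are assumptions made for this example.

```python
import struct
# Constructed toy interface "recovered" from a service's generated onTransact():
# transaction code -> (method name, ordered parcel field types). Codes and names
# are assumptions for this example, not from a real service.
RECOVERED_INTERFACE = {1: ("setName", ["int32", "string16"]),
                       2: ("getConfig", ["string16", "int32", "int32"])}

class Parcel:
    """Minimal mirror of libbinder's Parcel layout (assumption: little-endian
    int32, 4-byte padding, String16 = int32 length + UTF-16LE + NUL + pad)."""
    def __init__(self, data=b""):
        self.buf, self.pos = bytearray(data), 0
    def write_int32(self, v):
        self.buf += struct.pack("<i", v)
    def write_string16(self, s):
        if s is None:                      # null String16 is encoded as length -1
            return self.write_int32(-1)
        units = s.encode("utf-16-le")
        self.write_int32(len(units) // 2)  # length in UTF-16 code units
        self.buf += units + b"\x00\x00"    # chars followed by a 16-bit NUL
        self.buf += b"\x00" * (-len(self.buf) % 4)  # pad to 4-byte boundary
    def _take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated parcel")  # where a service read would fail
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return bytes(chunk)
    def read_int32(self):
        return struct.unpack("<i", self._take(4))[0]
    def read_string16(self):
        n = self.read_int32()
        if n == -1:
            return None
        if n < 0:
            raise ValueError("bad string length")
        raw = self._take(((n + 1) * 2 + 3) & ~3)  # chars + NUL, rounded up to 4
        return raw[: n * 2].decode("utf-16-le")

def build_transaction(code, args):
    """Harness side: serialize args in the order the recovered grammar dictates."""
    _, fields = RECOVERED_INTERFACE[code]
    if len(args) != len(fields):
        raise ValueError("arity mismatch")
    p = Parcel()
    for ftype, arg in zip(fields, args):
        getattr(p, "write_" + ftype)(arg)
    return bytes(p.buf)
def decode_transaction(code, data):
    """Service side: replay the generated deserialization read sequence."""
    name, fields = RECOVERED_INTERFACE[code]
    p = Parcel(data)
    return name, [getattr(p, "read_" + ftype)() for ftype in fields]
```

A grammar-unaware input (a truncated parcel or a negative string length) is rejected inside the generated read sequence, which is exactly the stage a harness built from the recovered interface gets past.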
In our evaluation, we explored a broad range of 528 proprietary system services on five recent devices from Google, Xiaomi, Samsung, and OnePlus. We managed to target diverse services on proprietary devices resulting in 12 vulnerabilities and 5 CVEs. NASS is open-source and we invite you to play with it!
This work was a collaboration among Philipp Mao, Marcel Busch, and Mathias Payer. Philipp handled all the heavy lifting and, together with Marcel, deserves the main credit for this work.