Towards Understanding Android System Vulnerabilities

Wu, Daoyuan; Gao, Debin; Cheng, Eric; Cao, Yuntai; Jiang, Jintao; Deng, Robert H.

doi:10.1145/3321705.3329831

Cited by 10 publications

(10 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There can be various ways to collect vulnerability data from project outsiders' perspectives. One is to leverage the CVE (Common Vulnerabilities and Exposures) or Bulletin (i.e., bug bounty) information in a way similar to some other vulnerability studies [35,56,65]. However, we found that there is very little CVE/Bulletin information about most blockchains because blockchain vulnerabilities are critical and often patched directly via the reports from bug bounty programs without releasing a CVE.…”

Section: Systematic Data Collectionmentioning

confidence: 88%

“…As depicted in Figure 1, the first step and challenge of our study is to effectively collect vulnerable issues and their patches of those four blockchains. This is difficult because there is very little CVE information associated with blockchain projects (unlike other vulnerability mining studies [35,56,65]), and the large number (over 34K) of raw blockchain bugs in our crawled database makes manual vulnerability filtering 1 ineffective. To address this, we propose a vulnerability filtering framework based on the intuition that vulnerabilities have unique characteristics at different levels of bug attributes, and we can gradually identify candidate vulnerabilities by analyzing bug attributes from coarse-grained to fine-grained levels.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Diving Into Blockchain's Weaknesses: An Empirical Study of Blockchain System Vulnerabilities

Xiao¹,

Jiang³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Blockchain is an emerging technology for its decentralization and the capability of enabling cryptocurrencies and smart contracts. However, as a distributed ledger software by nature, blockchain inevitably has software issues. While application-level smart contracts have been extensively investigated, the underlying system-level security bugs of blockchain are much less explored. In this paper, we conduct an empirical study of blockchain's system vulnerabilities using four representative blockchains, Bitcoin, Ethereum, Monero, and Stellar. Due to the lack of CVE information associated with these blockchain projects, we first design a systematic process to effectively identify 1,037 vulnerabilities and their 2,317 patches from 34,245 issues/PRs (pull requests) and 85,164 commits on GitHub. This allows us to build the first blockchain vulnerability dataset, which will be released to the community as a part of our contributions. Atop this unique dataset, we perform three levels of analyses, including (i) file-level vulnerable module categorization by identifying and correlating module paths across projects, (ii) text-level vulnerability type clustering by combining natural language processing with similarity-based sentence clustering, and (iii) code-level vulnerability pattern analysis by generating and clustering the code change signatures that concisely capture both syntactic and semantic information of patch code fragments.Among detailed results, our analysis reveals three key findings, including (i) some blockchain modules are more susceptible than the others; notably, the modules related to consensus, wallet, and networking are highly susceptible, each with over 200 issues; (ii) around 70% of blockchain vulnerabilities are in traditional types, but we also identify four new types specific to blockchains; and (iii) we obtain 21 blockchain-specific vulnerability patterns that check unique blockchain attributes and validate various blockchain statuses, and demonstrate that they can be used to detect similar vulnerabilities in other top blockchains (e.g., Dogecoin and Bitcoin SV).

show abstract

Section: Systematic Data Collectionmentioning

confidence: 88%

Section: Introductionmentioning

confidence: 99%

Diving Into Blockchain's Weaknesses: An Empirical Study of Blockchain System Vulnerabilities

Xiao¹,

Jiang³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…5, we try to uncover the root causes underneath those vulnerabilities. Among the nine vulnerabilities we discovered, three of them have previously known root causes, i.e., no protection of exported components in V1 [13,15], no checking of system APIs in V2 [26,27], and missed error handling in V4 [28]. For the rest of six vulnerabilities, we identify a new root cause that is dedicated to Android VoIP and not known before.…”

Section: A New Root Causementioning

confidence: 95%

Understanding Android VoIP Security: A System-Level Vulnerability Assessment

En¹,

Deng

2020

Detection of Intrusions and Malware, and Vulnerability Assessment

Self Cite

View full text Add to dashboard Cite

VoIP is a class of new technologies that deliver voice calls over the packet-switched networks, which surpasses the legacy circuitswitched telecom telephony. Android provides the native support of VoIP, including the recent VoLTE and VoWiFi standards. While prior works have analyzed the weaknesses of VoIP network infrastructure and the privacy concerns of third-party VoIP apps, no efforts were attempted to investigate the (in)security of Android's VoIP integration at the system level. In this paper, we first demystify Android VoIP's protocol stack and all its four attack surfaces. We then propose a novel vulnerability assessment approach that assembles on-device Intent/API fuzzing, networkside packet fuzzing, and targeted code auditing. By testing Android from version 7.0 to the recent 9.0, we have discovered 8 zero-day Android VoIP vulnerabilities, all of which were confirmed by Google with bug bounty awards. The security consequences are serious, including denying voice calls, caller ID spoofing, unauthorized call operations, and remote code execution. To mitigate these vulnerabilities and further improve Android VoIP security, we uncover a new root cause that requires developers' attention during their design and implementation.

show abstract

“…Existing code defects or issues provide attackers an attack surface to launch their attacks. Research in the direction of malware analysis includes studying the different components of Android OS and an Android application [4]. The analysis encompasses the usage of features obtained statically or dynamically and then using state of art technologies, to name a few, machine learning algorithms, or deep learning [5].…”

Section: Introductionmentioning

confidence: 99%

A Review and Case Study on Android Malware: Threat Model, Attacks, Techniques and Tools

Negi

Mishra

Chaudhary

et al. 2021

JCSANDM

View full text Add to dashboard Cite

As android devices have increased in number in the past few years, the android operating system has started dominating the smartphone market. The vast spread of android across all the devices has made security an important issue as the android users continue to grow exponentially. The security of android platform has become the need of the hour in view of increase in the number of malicious apps and thus several studies have emerged to present the detection approaches. In this paper, we review the android components to propose a threat model that illustrates the possible threats that are present in the android. We also present the attack taxonomy to illustrate the possible attacks at various layers of the android architecture. Experiments demonstrating the feature extraction and classification using machine earning algorithms have also been performed.

show abstract

Towards Understanding Android System Vulnerabilities

Cited by 10 publications

References 43 publications

Diving Into Blockchain's Weaknesses: An Empirical Study of Blockchain System Vulnerabilities

Diving Into Blockchain's Weaknesses: An Empirical Study of Blockchain System Vulnerabilities

Understanding Android VoIP Security: A System-Level Vulnerability Assessment

A Review and Case Study on Android Malware: Threat Model, Attacks, Techniques and Tools

Contact Info

Product

Resources

About