As a core component of the Android framework, Android system services provide basic and core functional services for the Android system. Android system services hold more resources and higher system permissions than ordinary applications, which makes them a very important attack surface in the Android system. Attackers can use Android system service vulnerabilities to steal user privacy, cause denial of service in Android applications or the Android system, and execute malicious code remotely, all of which seriously affects the safety of Android users. To better protect the security of the Android ecosystem and reduce the harm caused by Android system service vulnerabilities, this paper develops two Android system service vulnerability mining systems based on fuzzing technology. Both systems optimize and improve the fuzzing technique to increase the speed and effectiveness of vulnerability mining. The vulnerabilities found in this paper were submitted to the corresponding manufacturers and security agencies in a timely manner to help Android manufacturers fix them promptly. The main work of this paper is as follows:

Firstly, an automated fast mining system, FASSFuzzer, is designed and implemented for null pointer dereference vulnerabilities in Android system services. FASSFuzzer can quickly detect null pointer dereference vulnerabilities in Android system services based on adb. FASSFuzzer also includes an automation design that automatically senses the occurrence of vulnerabilities and ensures that the entire vulnerability mining process is fully automated. FASSFuzzer automatically generates a vulnerability mining report after the vulnerability mining is completed.

Secondly, an intelligent fuzzing system, IASSFuzzer, is designed and implemented for memory-related vulnerabilities in Android system services. IASSFuzzer is more intelligent in input generation. It can adopt a variety of data generation and data mutation strategies according to the input format of the system service interface to ensure the validity and comprehensiveness of the input data. IASSFuzzer can therefore perform a comprehensive and effective security check on Android system services. Testers can use IASSFuzzer to conduct semi-automatic, intelligent and comprehensive vulnerability mining on Android system services.

Finally, this paper designs a vulnerability mining platform for Android system service vulnerabilities based on FASSFuzzer and IASSFuzzer. The platform takes Xiaomi's latest MIUI 12 system as the target of vulnerability mining. In total, 19 new security vulnerabilities were discovered on the platform, 15 of which have been certified by Xiaomi SRC and CNVD, which helped manufacturers discover and fix the latest security vulnerabilities in a timely manner. The Android system service vulnerability mining platform designed in this paper is therefore practical and feasible, and it can effectively safeguard the security of the Android ecosystem.