Research identifies Android security weaknesses caused by performance design

Jun 19, 2014

Georgia Tech researchers have identified a weakness in one of Android's security features and will present their work at Black Hat USA 2014, which will be held August 6-7 in Las Vegas.

The research, titled Abusing Performance Optimization Weaknesses to Bypass ASLR, identifies an Android performance feature that weakens a software protection called Address Space Layout Randomization (ASLR), leaving software components vulnerable to attacks that bypass the protection. The work is aimed at helping practitioners identify and understand the future direction of such attacks.

The work was conducted at the Georgia Tech Information Security Center (GTISC) by Ph.D. students Byoungyoung Lee and Yeongjin Jang and research scientist Tielei Wang, and reveals that the introduction of performance optimization features can inadvertently harm the security guarantees of an otherwise vetted system. In addition to describing how vulnerabilities originate from such designs, they demonstrate real attacks that exploit them.

"To optimize object tracking for some programming languages, interpreters for the languages may leak address information," said Lee, lead researcher for the effort. "As a concrete example, we'll demonstrate how address information can be leaked in the Safari web browser by simply running some JavaScript."

Bypassing ASLR using hash table leaks was previously believed to be obsolete due to its complexity. By exhaustively investigating various language implementations and presenting concrete attacks, the research aims to show that the concern is still valid.

"As part of our talk, we'll present an analysis of the Android Zygote process creation model," Lee said. "The results show that Zygote weakens ASLR as all applications are created with largely identical memory layouts. To highlight the issue, we'll show two different ASLR bypass attacks using real applications – Google Chrome and VLC Media Player."

The Black Hat Briefings were created about 16 years ago to provide computer security professionals a place to learn the very latest in information security risks, research and trends. Presented by the brightest in the industry, the briefings cover everything from critical information infrastructure to widely used enterprise computer systems to the latest InfoSec research and development. These briefings are vendor-neutral, allowing the presenters to speak candidly about the real problems and potential solutions across both the public and private sectors.

Explore further: NIST seeks comments on major revision to industrial control systems security guide

add to favorites email to friend print save as pdf

Related Stories

Georgia Tech uncovers iOS security weaknesses

Jul 31, 2013

Researchers from the Georgia Tech Information Security Center (GTISC) have discovered two security weaknesses that permit installation of malware onto Apple mobile devices using seemingly innocuous applications ...

Web browsers and iPhone hacked at contest

Mar 26, 2010

(PhysOrg.com) -- Hackers had a field day on the first day of the Pwn2Own contest, successfully attacking Safari, iPhone, Internet Explorer, and Firefox. The Pwn2Own contest is an annual event that encourages ...

Recommended for you

Does your computer know how you're feeling?

2 hours ago

Researchers in Bangladesh have designed a computer program that can accurately recognize users' emotional states as much as 87% of the time, depending on the emotion.

Microsoft to unveil new Windows software

19 hours ago

A news report out Thursday indicated that Microsoft is poised to give the world a glimpse at a new-generation computer operating system that will succeed Windows 8.

Unlocking the potential of simulation software

Aug 21, 2014

With a method known as finite element analysis (FEA), engineers can generate 3-D digital models of large structures to simulate how they'll fare under stress, vibrations, heat, and other real-world conditions.

Indonesian capital threatens to ban Uber car app

Aug 20, 2014

The Indonesian capital is threatening to shut down controversial smartphone car-hailing service Uber due to licensing issues a week after it officially launched in the city, an official said Wednesday.

User comments : 0