
Analysis and Prevention of Code-Injection Attacks on Android OS

Smith, Grant Joseph 22 October 2014
Injection attacks are the top two causes of software errors and vulnerabilities, according to the MITRE Common Vulnerabilities list [1]. This thesis presents a threat analysis of injection attacks on applications built for Android, a popular but not rigorously studied operating system designed for mobile devices. The following thesis is argued: Injection attacks are possible on off-the-shelf Android systems, and such attacks have the capacity to compromise the device through resource denial and leaking private data. Specifically, we demonstrate that injection attacks are possible through the OS shell and through the SQLite API. To mitigate these attacks, we augment the Android OS with a taint-tracking mechanism to monitor the flow of untrusted character strings through application execution. We use this taint information to implement a mechanism to detect and prevent these injection attacks. A good definition of an attack being critical to preventing it, our mechanism is based on Ray and Ligatti's formalized "NIE" property, which states that untrusted inputs must only insert or expand noncode tokens in output programs. If this property is violated, an injection attack has occurred. This definition's detection algorithm, in combination with our taint tracker, allows our mechanism to defend against these attacks.
