  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Vývoj aplikace demonstrující zranitelnosti mobilních aplikací / Implementation of application that demonstrates mobile application vulnerabilities

Šrůtková, Karolína January 2021
This master's thesis focuses on the implementation of an application for the Android operating system that demonstrates mobile application vulnerabilities. The theoretical part covers the security of mobile applications and its current state, including a description of the biggest security risks and vulnerabilities. In addition, general development of mobile applications for Android is mentioned. The practical part of the thesis describes a custom design of the application, including vulnerability analysis, the design of the basic application blocks and the selection of suitable tools for implementation. The section on the implementation of the application describes the preparation of the environment, the structure of the created application and especially its implementation. The last part contains an example of the implemented application vulnerabilities and also the results of its testing.
2

The Efficacy of Forward-Edge Control-Flow Integrity in Mitigating Memory Corruption Vulnerabilities : The Case of the Android Stack

Olofsson, Viktor January 2023
Memory corruption is one of the oldest and most prominent problems in the field of computer security. In order to protect against the vulnerabilities that arise from memory corruption, a mitigation technique called Control-Flow Integrity (CFI) was developed. The Android Open Source Project utilizes a specific implementation of the CFI policy called forward-edge CFI in the compilation of the Android system. However, memory corruption vulnerabilities are still a problem for Android systems. This raises the question: Is forward-edge CFI really effective in mitigating memory corruption vulnerabilities? In this research, the efficacy of forward-edge CFI in terms of mitigating memory corruption vulnerabilities in Android systems is analyzed. This is done by analyzing nine Common Vulnerabilities and Exposures (CVE) entries in terms of how they can be exploited and whether forward-edge CFI could mitigate them. Additionally, the Android binaries containing the vulnerabilities are analyzed in an attempt to detect the presence of CFI instrumentation. CFI was detected in one of nine vulnerable Android binaries, implying that there exist memory corruption vulnerabilities that forward-edge CFI definitely cannot protect against. The analysis of nine CVEs showed that five CVEs could be mitigated by forward-edge CFI. These results indicate that forward-edge CFI could definitely mitigate a portion of the memory corruption vulnerabilities plaguing Android systems. However, in order to protect against a greater portion of memory corruption vulnerabilities, forward-edge CFI should be combined with other mitigation techniques such as Shadow Stacks.
