Fuzzing Android System Service by Binder Call to Escalate Privilege, presented at SyScan360 2015

by Guang Gong

Summary: Binder is the IPC mechanism in Android. It is used for communication not only between processes with the same privilege but also between low-privileged apps and high-privileged system services. The system services are a juicy attack surface for privilege escalation because the parameters passed to them through Binder calls lack sanitization, yet until now few vulnerabilities of this type have been disclosed.
In this presentation, the author will first introduce this attack surface and then demonstrate the first fuzzing tool for finding this kind of vulnerability. The tool takes the Binder interfaces exported by system services as its targets. It is simple but efficient: with it he has found 8 vulnerabilities that received CVE IDs from the Android Security Team, plus dozens of crashes of system services. Finally, he will detail how to exploit one such vulnerability to gain Android's system_server permission.