Simple Science


Addressing JNI Global Reference Vulnerabilities in Android

Examining the risks and defenses against JNI Global Reference attacks in Android.


Android is the most popular mobile operating system today, which makes it a target for a wide range of attacks. One significant class of attack concerns how Android handles Java Native Interface (JNI) Global References (JGRs). These references are essential for managing interactions between Java and native code, but they can be abused to cause problems. This article focuses on the vulnerabilities of JNI Global References in Android, how they can be exploited, and what can be done to protect against such attacks.

What are JNI Global References?

JNI is a framework that allows Java code to interact with code written in other programming languages, mainly C and C++. In JNI, Global References are used to keep a Java object reachable so that native code can hold on to it across calls. Unlike local references, which are released automatically when the native call returns (after which the object can be garbage collected), Global References stay alive until the native code explicitly deletes them. This causes trouble when many Global References are created and never deleted: they consume the memory reserved for such references, and when that runs out the process crashes and can take the whole system down with it.

The Vulnerability: JGRE Attacks

A particular kind of attack known as a JNI Global Reference Exhaustion (JGRE) attack occurs when an application causes Global References to be created continuously without ever being released. The result is a denial-of-service (DoS) situation: the system runs out of memory for these references and crashes or is forced to reboot.

How JGRE Attacks Work

In a JGRE attack, a malicious app targets vulnerable system services. These services expose APIs (Application Programming Interfaces) that other apps can call over IPC. When a vulnerable API creates a Global Reference every time it is called and never deletes it, a malicious app can invoke that API repeatedly to accumulate a large number of Global References inside the service's process. Eventually, the memory reserved for these references is exhausted, causing a crash or reboot.

For example, if the malicious app targets a critical service, it could create enough Global References to crash the service, leading to a system reboot. Such attacks can often be launched without needing special permissions, making them even more dangerous.

Past Defense Attempts

Google, the company behind Android, has recognized the issue and applied various patches over the years to reduce the risks related to JGRE attacks. These patches have included:

  1. Removing Vulnerable Interfaces: Google has taken some APIs that were found to be vulnerable out of circulation altogether.

  2. Permission Elevation: For some APIs, Google has increased the permissions required to access them, making it harder for malicious apps to exploit them.

  3. Threshold Limitations: In newer Android versions, Google has implemented checks that stop processes from creating too many Global References, enforcing a cap to control memory usage.

Despite these measures, new vulnerabilities have continued to surface due to system updates and changes in how Android operates, leading to concerns that previous defenses may not be sufficient.

The Discovery of New Vulnerabilities

In recent studies, it was discovered that even the latest versions of Android still have vulnerable APIs related to Global References. For instance, research found multiple hidden vulnerabilities in Android 10 that could still be exploited, confirming that the JGRE threat is ongoing.

Vulnerability Findings

The research revealed:

  • In Android 10, 12 system services contained 21 vulnerabilities.
  • Some of these vulnerabilities could be exploited without needing any permissions.
  • Previous defenses do not adequately cover the ways these vulnerabilities can be abused.

This indicates that while efforts have been made to strengthen security, gaps remain that could be exploited by malicious actors.

The Role of JGREAnalyzer

To address these vulnerabilities, a tool called JGREAnalyzer was developed. This tool systematically detects services and APIs that are vulnerable to JGRE attacks by analyzing the code in Android's system services.

How JGREAnalyzer Works

  1. Static Analysis: This phase reviews the code without executing it. JGREAnalyzer builds a call graph of Android's system services and runs a forward reachability analysis from each exposed API, looking for paths that reach the code that creates Global References, to identify potential vulnerabilities.

  2. Dynamic Analysis: Once potential vulnerabilities are identified, the tool tests these vulnerabilities in a controlled environment. It automatically generates small test apps to see if the vulnerabilities can be exploited in real-world scenarios.
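As an added illustration of the static phase (not JGREAnalyzer's own code), here is a forward reachability analysis in C over a small constructed call graph: the service name, the native_* helpers and the edges are hypothetical, and the two JNI sinks are NewGlobalRef and DeleteGlobalRef.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS 8
#define SINK_NEW 5     /* index of NewGlobalRef below */
#define SINK_DELETE 7  /* index of DeleteGlobalRef below */

/* Constructed call graph; "ExampleService" and the native_* names are hypothetical. */
static const char *funcs[MAX_FUNCS] = {
    "ExampleService.registerListener", /* 0: exposed via Binder */
    "ExampleService.getStatus",        /* 1: exposed via Binder */
    "ExampleService.addCallback",      /* 2: exposed via Binder */
    "native_registerListener", "native_lookup", "NewGlobalRef",
    "native_addCallback", "DeleteGlobalRef",
};
static int edge[MAX_FUNCS][MAX_FUNCS]; /* edge[i][j] = 1 means i calls j */

static void build_graph(void) {
    memset(edge, 0, sizeof edge);
    edge[0][3] = 1; edge[3][5] = 1;                 /* creates, never deletes */
    edge[1][4] = 1;                                 /* touches no global refs */
    edge[2][6] = 1; edge[6][5] = 1; edge[6][7] = 1; /* creates and deletes */
}

/* Depth-first forward reachability: can `from` reach `sink`? */
static int reaches(int from, int sink, int *visited) {
    if (from == sink) return 1;
    if (visited[from]) return 0;
    visited[from] = 1;
    for (int j = 0; j < MAX_FUNCS; j++)
        if (edge[from][j] && reaches(j, sink, visited)) return 1;
    return 0;
}

/* 0: never reaches NewGlobalRef. 1: reaches both NewGlobalRef and DeleteGlobalRef
 * (candidate; the dynamic phase decides). 2: reaches NewGlobalRef and no
 * DeleteGlobalRef at all, so each call can add a reference that is never freed. */
int classify_api(int api) {
    int seen_new[MAX_FUNCS] = {0}, seen_del[MAX_FUNCS] = {0};
    build_graph();
    if (!reaches(api, SINK_NEW, seen_new)) return 0;
    return reaches(api, SINK_DELETE, seen_del) ? 1 : 2;
}

int main(void) {
    for (int api = 0; api < 3; api++)  /* only the exposed APIs are entry points */
        printf("%-34s -> class %d\n", funcs[api], classify_api(api));
    return 0;
}
```

Class 2 APIs are the strongest candidates for the dynamic phase, since a single path with no matching delete means every call can grow the table.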

Findings from JGREAnalyzer

Through the use of JGREAnalyzer, several vulnerabilities were identified across different Android versions:

  • A total of 277 vulnerabilities were reported from various versions of Android.
  • Most vulnerabilities could create excessive Global References, leading to system crashes.
  • The effectiveness of existing defenses was called into question, revealing that many vulnerabilities still allowed for exploitation.

Proposing New Defenses

Given the ongoing vulnerabilities, new strategies for defense are required. One such proposed defense is called JGRE Purger.

What is JGRE Purger?

JGRE Purger is designed to monitor and limit the creation of Global References within the Android framework. Rather than patching individual APIs, it enforces the control at the source of the problem: it wraps the JNI function that creates Global References (NewGlobalRef) and counts how many references each application has created.

Benefits of JGRE Purger

  • Real-time Monitoring: JGRE Purger tracks how many Global References an application can create, allowing it to detect potential abuse before it leads to a crash.

  • Threshold Limitation: If the number of created Global References exceeds a set limit, the system can deny further creation, effectively stopping the attack in its tracks.

  • Compatibility: This defense is designed to be flexible and can function across different Android versions, making it suitable for a variety of devices.
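Added example, not JGRE Purger's own code: a C model of the per-application counting wrapper. The fixed-capacity table, the UIDs and the limits are constructed values standing in for the runtime's global reference table and a real quota; it compares the unwrapped creation path with the wrapped one when one caller never deletes its references.

```c
#include <stdio.h>

#define TABLE_CAPACITY 64   /* constructed stand-in for the runtime's fixed table */
#define PER_UID_LIMIT 16    /* quota the purger enforces per calling UID */
#define MAX_UIDS 8

static int table_used;            /* slots consumed in the shared table */
static int refs_by_uid[MAX_UIDS]; /* purger's per-caller reference count */
int table_slots_used(void) { return table_used; }

/* Unwrapped creation (models NewGlobalRef): every success consumes a shared
 * slot; once the table is full the real runtime aborts the hosting process. */
int runtime_new_global_ref(void) {
    if (table_used >= TABLE_CAPACITY) return -1;  /* table exhausted */
    table_used++;
    return 0;
}

/* Purger wrapper: attribute the reference to the Binder caller's UID and deny
 * the request before the shared table is touched once the quota is reached. */
int purged_new_global_ref(int uid) {
    if (uid < 0 || uid >= MAX_UIDS) return -1;
    if (refs_by_uid[uid] >= PER_UID_LIMIT) return -2;  /* quota exceeded */
    if (runtime_new_global_ref() != 0) return -1;
    refs_by_uid[uid]++;
    return 0;
}
void purger_reset(void) {
    table_used = 0;
    for (int i = 0; i < MAX_UIDS; i++) refs_by_uid[i] = 0;
}

/* One abusive caller (UID 1) requests `attempts` references and never deletes
 * them, then a well-behaved caller (UID 2) asks for one. Returns 1 if UID 2
 * still gets its reference, 0 if the shared table was already exhausted. */
int simulate(int attempts, int use_purger) {
    purger_reset();
    for (int i = 0; i < attempts; i++)
        if (use_purger) purged_new_global_ref(1); else runtime_new_global_ref();
    return (use_purger ? purged_new_global_ref(2) : runtime_new_global_ref()) == 0;
}

int main(void) {
    printf("unwrapped: second caller succeeds = %d\n", simulate(100, 0));
    int ok = simulate(100, 1);
    printf("purged: second caller succeeds = %d, slots used = %d\n", ok, table_slots_used());
    return 0;
}
```

With the wrapper in place the abusive caller is cut off at its quota, so the shared table never fills and other callers keep working.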

Conclusion

The vulnerabilities associated with JNI Global References in Android are significant and present ongoing risks. Despite Google's efforts to patch vulnerabilities in the system, new issues have arisen as Android evolves. Tools like JGREAnalyzer play a critical role in identifying these vulnerabilities, demonstrating that continuous monitoring and improvement of security are essential.

To better protect users and devices, new defensive strategies like JGRE Purger need to be implemented. Such measures will help to ensure that the Android ecosystem remains secure against the evolving threats posed by malicious apps seeking to exploit these vulnerabilities.

Overall, as technology advances, so must our approach to security, ensuring that users can safely enjoy the benefits that smartphones and apps offer without fear of falling victim to attacks.

Original Source

Title: JNI Global References Are Still Vulnerable: Attacks and Defenses

Abstract: System services and resources in Android are accessed through IPC based mechanisms. Previous research has demonstrated that they are vulnerable to the denial-of-service attack (DoS attack). For instance, the JNI global reference (JGR), which is widely used by system services, can be exhausted to cause the system reboot (hence the name JGRE attack). Even though the Android team tries to fix the problem by enforcing security checks, we find that it is still possible to construct a JGR exhaustion DoS attack in the latest Android system. In this paper, we propose a new JGR exhaustion DoS attack, which is effective in different Android versions, including the latest one (i.e., Android 10). Specifically, we developed JGREAnalyzer, a tool that can systematically detect JGR vulnerable services APIs via a call graph analysis and a forwarding reachability analysis. We applied this tool to different Android versions and found multiple vulnerabilities. In particular, among 148 system services in Android 10, 12 of them have 21 vulnerabilities. Among them, 9 can be successfully exploited without any permissions. We further analyze the root cause of the vulnerabilities and propose a new defense to mitigate the JGRE attack by restricting resource consumption via global reference counting.

Authors: Yi He, Yuan Zhou, Yacong Gu, Purui Su, Qi Li, Yajin Zhou, Yong Jiang

Last Update: 2024-05-01 00:00:00

Language: English

Source URL: https://arxiv.org/abs/2405.00526

Source PDF: https://arxiv.org/pdf/2405.00526

Licence: https://creativecommons.org/licenses/by/4.0/

Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.

Thank you to arxiv for use of its open access interoperability.
