Preventing Serialization Vulnerabilities through Transient Field Detection - Archive ouverte HAL Access content directly
Conference Papers Year :

Preventing Serialization Vulnerabilities through Transient Field Detection

(1) , (1) , (1) , (1)
1

Abstract

Verifying Android applications' source code is essential to ensure users' security. Due to its complex architecture, Android has specific attack surfaces which the community has to investigate in order to discover new vulnerabilities and prevent as much as possible malicious exploitations. Communication mechanisms are one of the Android components that should be carefully checked and analyzed to avoid data leakage or code injections. Android software components can communicate together using serialization processes. Developers need thereby to indicate manually the transient keyword whenever an object field should not be part of the serialization. In particular, field values encoding memory addresses can leave severe vulnerabilities inside applications if they are not explicitly declared transient. In this study, we propose a novel methodology for automatically detecting, at compilation time, all missing transient keywords directly from Android applications' source code. Our method is based on taint analysis and its implementation provides developers with a useful tool which they might use to improve their code bases. Furthermore, we evaluate our method on a cryptography library as well as on the Telegram application for real world validation. Our approach is able to retrieve previously found vulnerabilities, and, in addition, we find non-exploitable flows hidden within Telegram's code base.
Fichier principal
Vignette du fichier
SECSAC_Preventing_Serialization_Vulnerabilities.pdf (632.36 Ko) Télécharger le fichier
Origin : Explicit agreement for this submission

Dates and versions

hal-03066847 , version 1 (05-02-2021)

Identifiers

  • HAL Id : hal-03066847 , version 1

Cite

Pierre Graux, Jean-François Lalande, Valérie Viet Triem Tong, Pierre Wilke. Preventing Serialization Vulnerabilities through Transient Field Detection. SAC 2021 - 36th ACM/SIGAPP Symposium On Applied Computing, Mar 2021, Gwangju / Virtual, South Korea. pp.1-9. ⟨hal-03066847⟩
99 View
242 Download

Share

Gmail Facebook Twitter LinkedIn More