
Preventing Serialization Vulnerabilities through Transient Field Detection

Pierre Graux (1), Jean-François Lalande (1), Valérie Viet Triem Tong (1), Pierre Wilke (1)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: Verifying Android applications' source code is essential to ensure users' security. Due to its complex architecture, Android has specific attack surfaces which the community has to investigate in order to discover new vulnerabilities and prevent malicious exploitation as much as possible. Communication mechanisms are one of the Android components that should be carefully checked and analyzed to avoid data leakage or code injection. Android software components can communicate with each other using serialization processes. Developers therefore need to manually add the transient keyword whenever an object field should not be part of the serialization. In particular, field values encoding memory addresses can leave severe vulnerabilities inside applications if they are not explicitly declared transient. In this study, we propose a novel methodology for automatically detecting, at compilation time, all missing transient keywords directly from Android applications' source code. Our method is based on taint analysis, and its implementation provides developers with a useful tool which they might use to improve their code bases. Furthermore, we evaluate our method on a cryptography library as well as on the Telegram application for real-world validation. Our approach is able to retrieve previously found vulnerabilities, and, in addition, we find non-exploitable flows hidden within Telegram's code base.
Document type :
Conference papers

https://hal.inria.fr/hal-03066847
Contributor : Pierre Graux
Submitted on : Friday, February 5, 2021 - 11:31:34 AM
Last modification on : Friday, January 21, 2022 - 3:11:00 AM
Long-term archiving on : Thursday, May 6, 2021 - 6:22:07 PM

Identifiers

  • HAL Id : hal-03066847, version 1

Citation

Pierre Graux, Jean-François Lalande, Valérie Viet Triem Tong, Pierre Wilke. Preventing Serialization Vulnerabilities through Transient Field Detection. SAC 2021 - 36th ACM/SIGAPP Symposium On Applied Computing, Mar 2021, Gwangju / Virtual, South Korea. pp.1-9. ⟨hal-03066847⟩
