| HAL-Inria | Publications, software ... of Inria's scientists |
Conference papers
Preventing Serialization Vulnerabilities through Transient Field Detection
Abstract : Verifying Android applications' source code is essential to ensure users' security. Due to its complex architecture, Android has specific attack surfaces which the community has to investigate in order to discover new vulnerabilities and prevent as much as possible malicious exploitations. Communication mechanisms are one of the Android components that should be carefully checked and analyzed to avoid data leakage or code injections. Android software components can communicate together using serialization processes. Developers need thereby to indicate manually the transient keyword whenever an object field should not be part of the serialization. In particular, field values encoding memory addresses can leave severe vulnerabilities inside applications if they are not explicitly declared transient. In this study, we propose a novel methodology for automatically detecting, at compilation time, all missing transient keywords directly from Android applications' source code. Our method is based on taint analysis and its implementation provides developers with a useful tool which they might use to improve their code bases. Furthermore, we evaluate our method on a cryptography library as well as on the Telegram application for real world validation. Our approach is able to retrieve previously found vulnerabilities, and, in addition, we find non-exploitable flows hidden within Telegram's code base.
https://hal.inria.fr/hal-03066847
Contributor : Pierre Graux Connect in order to contact the contributor
Submitted on : Friday, February 5, 2021 - 11:31:34 AM
Last modification on : Friday, January 21, 2022 - 3:11:00 AM
Long-term archiving on: : Thursday, May 6, 2021 - 6:22:07 PM
Contributor : Pierre Graux Connect in order to contact the contributor
Submitted on : Friday, February 5, 2021 - 11:31:34 AM
Last modification on : Friday, January 21, 2022 - 3:11:00 AM
Long-term archiving on: : Thursday, May 6, 2021 - 6:22:07 PM
File
SECSAC_Preventing_Serializatio...
Explicit agreement for this submission