ACMiner
Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android’s permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. Authorization Check Miner (ACMiner) provides system developers and researchers with a framework for evaluating the correctness of Android’s access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities.
Publications
- Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel, ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware, in Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY), Dallas, TX, Mar. 2019.
[PDF] (acceptance rate=23.5%) - Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel, ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware, arXiv:1901.03603, Jan. 2019.
[PDF] (extends gan+19)
Downloading the Source Code
The source code for ACMiner is available on GitHub.
Required Input Files Examples
These are examples of the input files required to run ACMiner. All input files are for AOSP 7.1.1_r1.
- Extracted System Image (ZIP)
- System Image Description (XML)
- Exclude List Specification (TXT)
- Context Query Expressions (XML)
- Control Predicate Filter (XML)
Intermediate Data Examples
These are examples of the intermediate files and data that ACMiner generates as it runs. All files were generated using the above required input file examples for AOSP 7.1.1_r1.
- JAR and APK Files of the System Image (ZIP)
- Framework Packages (TXT)
- Class Files from the Framework as Java Bytecode (JAR)
- Class Files from the Framework as Jimple (JAR)
- Entry Points (XML)
- Binder Interface, Proxy, and Stub Relationships (XML)
- Exclude List (XML)
- Context Queries (XML)
- Context Queries (TXT)
- Statements Throwing A Security Exception (XML)
- Potential Control Predicates (XML)
- Control Predicates (XML)
- Def-Use Graph for All Authorization Checks (ZIP)
- Methods, Files, and Strings Used in Authorization Checks (ZIP)
Output Data Examples
These are examples of the output files and data generated by ACMiner. All files were generated using the above required input file examples for AOSP 7.1.1_r1.
- Authorization Checks for Each Entry Point as XML (ZIP)
- Authorization Checks for Each Service as CSV (ZIP)
- Association Rules Generated from the Authorization Checks (ZIP)
Running ACMiner
Building the Android Open Source Project
First, establish the AOSP build environment as described here.
Then, create a working directory for the build and download the AOSP source code inside it.
Optional Note: Syncing the AOSP code will take significant time, so start syncing in a screen to be safe.
Next, download the proprietary binaries needed for building for the Nexus 5X, as shown here.
Then, inside the working directory (i.e., “android_7.1.1_r1”), execute the following commands:
Finally, inside the working directory (i.e., “android_7.1.1_r1”), locate the system image at path “out/target/product/bullhead/system.img”.
Note: A prebuilt image of AOSP 7.1.1_r1 can be found here.
Extracting the System Image
After the system image has been built, it needs to be extracted to a ZIP file. To do this, we first need to determine if the system image is a sparse file. This can generally be determined by running the following command:
If it is not a sparse file you can skip this step. Otherwise, run the command:
Next, we want to extract the system image to a ZIP file. To do this, we have created a script located in the source code of ACMiner. Execute the following command to run the script, replacing “[path_to_acminer_source]” with the path to the ACMiner source code in your system, “[path_to_output_directory]” with a path to an output directory of your choosing, and “system.img” with “system.raw.img” if the original file was sparse.
Note: For an example of the ZIP file created for AOSP 7.1.1_r1 see the extracted system image.
Compiling ACMiner
This section will be updated when the source code for ACMiner is released.
Mining Authorization Checks with ACMiner
This section will be updated when the source code for ACMiner is released.
Create a new working directory for ACMiner and inside create two more directories as follows:
Next, inside “acminer/input” place the extracted system image ZIP file you created and the remaining files listed here. All input files are tuned for AOSP 7.1.1_r1 but may be modified as needed. See the extended version of the ACMiner paper for details on how to modify each file.
Finally, run ACMiner with the following command:
Note: ACMiner requires a large amount of memory to run because it is analyzing the entire Android system at once. As such, we recommend running it on a system with no less than 128GB of memory and at least 30GB of hard drive space.
Association Rule Generation
This section will be updated when the source code for ACMiner is released.