ACMiner

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android’s permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. Authorization Check Miner (ACMiner) provides system developers and researchers with a framework for evaluating the correctness of Android’s access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities.

Publications

Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel, ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware, in Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY), Dallas, TX, Mar. 2019.
[PDF] (acceptance rate=23.5%)
Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel, ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware, arXiv:1901.03603, Jan. 2019.
[PDF] (extends gan+19)

Downloading the Source Code

The source code for ACMiner is available on GitHub.

Required Input Files Examples

These are examples of the input files required to run ACMiner. All input files are for AOSP 7.1.1_r1.

Intermediate Data Examples

These are examples of the intermediate files and data that ACMiner generates as it runs. All files were generated using the above required input file examples for AOSP 7.1.1_r1.

Output Data Examples

These are examples of the output files and data generated by ACMiner. All files were generated using the above required input file examples for AOSP 7.1.1_r1.

Running ACMiner

Building the Android Open Source Project

First, establish the AOSP build environment as described here.

Then, create a working directory for the build and download the AOSP source code inside it.

Optional Note: Syncing the AOSP code will take significant time, so start syncing in a screen to be safe.

$ mkdir android_7.1.1_r1
$ cd android_7.1.1_r1
$ repo init -u https://android.googlesource.com/platform/manifest -b android-7.1.1_r1
$ repo sync

Next, download the proprietary binaries needed for building for the Nexus 5X, as shown here.

Then, inside the working directory (i.e., “android_7.1.1_r1”), execute the following commands:

$ source build/envsetup.sh
$ lunch aosp_bullhead-user
$ make -j8

Finally, inside the working directory (i.e., “android_7.1.1_r1”), locate the system image at path “out/target/product/bullhead/system.img”.

Note: A prebuilt image of AOSP 7.1.1_r1 can be found here.

Extracting the System Image

After the system image has been built, it needs to be extracted to a ZIP file. To do this, we first need to determine if the system image is a sparse file. This can generally be determined by running the following command:

$ if [ "$((`stat -c "%b*%B-%s" -- "./out/target/product/bullhead/system.img"`))" -lt 0 ]; then echo "sparse"; else echo "not sparse"; fi

If it is not a sparse file you can skip this step. Otherwise, run the command:

$ simg2img ./out/target/product/bullhead/system.img ./out/target/product/bullhead/system.raw.img

Next, we want to extract the system image to a ZIP file. To do this, we have created a script located in the source code of ACMiner. Execute the following command to run the script, replacing “[path_to_acminer_source]” with the path to the ACMiner source code in your system, “[path_to_output_directory]” with a path to an output directory of your choosing, and “system.img” with “system.raw.img” if the original file was sparse.

$ perl [path_to_acminer_source]/scripts/mksyszip/mk_system_img_zip.pl -i ./out/target/product/bullhead/system.img -o [path_to_output_directory]

Note: For an example of the ZIP file created for AOSP 7.1.1_r1 see the extracted system image.

Compiling ACMiner

This section will be updated when the source code for ACMiner is released.

Mining Authorization Checks with ACMiner

This section will be updated when the source code for ACMiner is released.

Create a new working directory for ACMiner and inside create two more directories as follows:

$ mkdir acminer
$ mkdir acminer/input
$ mkdir acminer/output

Next, inside “acminer/input” place the extracted system image ZIP file you created and the remaining files listed here. All input files are tuned for AOSP 7.1.1_r1 but may be modified as needed. See the extended version of the ACMiner paper for details on how to modify each file.

Finally, run ACMiner with the following command:

$ LD_LIBRARY_PATH=/path/to/z3_native/bin java -Xms118784m -Xmx118784m -jar /path/to/ACMiner/ACMiner-fat.jar -m -i ./acminer/input -o ./acminer/output -pp SimpleMiner enabled:true

Note: ACMiner requires a large amount of memory to run because it is analyzing the entire Android system at once. As such, we recommend running it on a system with no less than 128GB of memory and at least 30GB of hard drive space.

Association Rule Generation

This section will be updated when the source code for ACMiner is released.