
The Misuse of Android Unix Domain Sockets and Security Implications

Posted at 2017-01-18

Shao et al. CCS'16

Introduction

Besides Android-specific IPC mechanisms, i.e., Intents, Binder and Messenger, traditional/native Linux IPCs, such as signals, Netlink sockets, and Unix domain sockets, are heavily used by the native layer of the Android runtime.

Exposed Linux IPC channels, if not properly protected, could be abused by adversaries to exploit vulnerabilities within privileged system daemons and the kernel.

In addition to the Android system, apps also have access to the Linux IPCs implemented within Android. Among them, Unix domain sockets are the only one apps can easily make use of: signals are not capable of carrying data and not suitable for bidirectional communications; Netlink sockets are geared for communications across the kernel space and the user space.

The Android SDK provides Java APIs for using Unix domain sockets. Meanwhile, the NDK provides native APIs for accessing low-level Linux features, including Unix domain sockets. Developers use Unix domain sockets to communicate with native processes/threads from apps since Android IPCs do not support that.

SInspector first identifies apps that use Unix domain sockets based on API signatures and permissions. SInspector then filters out apps that use Unix domain sockets securely and thus are not vulnerable. We develop several techniques to achieve this, such as socket address analysis and authentication check detection. For system daemons, SInspector collects runtime information to assist static analysis. SInspector reports potentially vulnerable apps and system daemons for manual examination.

Background

Android apps are isolated and run in their own processes. However, Unix domain sockets cannot achieve the same guarantees as Android IPCs.

In particular, according to our analysis, Android APIs for using Unix domain sockets expose unprotected socket channels by default.

Unix Domain Sockets

A Unix domain socket is a data communications endpoint for exchanging data between processes executing within the same host operating system.

Unix domain sockets differ from Internet sockets in that (1) rather than using an underlying network protocol, all communication occurs entirely within the operating system kernel; and (2) servers listen on addresses in Unix domain socket namespaces, instead of IP addresses with port numbers.

The Android framework provides both Java and native APIs for Unix domain sockets. By default, these APIs use the ABSTRACT namespace, which is less secure yet more reliable than FILESYSTEM sockets.

All Unix domain socket addresses are publicly accessible from the file /proc/net/unix.
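To make the namespace distinction concrete, the following added example (not from the original article or from SInspector) parses text in the /proc/net/unix layout, separates ABSTRACT, FILESYSTEM and unnamed sockets, and lists the listening ABSTRACT ones for review. The sample lines, socket names and function names are constructed for illustration.

```python
# Added example: classify Unix domain socket addresses from /proc/net/unix text.
from dataclasses import dataclass

SO_ACCEPTCON = 0x10000  # kernel flag (__SO_ACCEPTCON): socket is listening
TYPES = {1: "STREAM", 2: "DGRAM", 5: "SEQPACKET"}

# Constructed sample in /proc/net/unix layout; names and inodes are made up.
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11001 @com.example.app.ctrl
0000000000000000: 00000002 00000000 00010000 0001 01 11002 /dev/socket/exampled
0000000000000000: 00000003 00000000 00000000 0001 03 11003 @com.example.app.ctrl
0000000000000000: 00000002 00000000 00000000 0002 01 11004 /dev/socket/examplelog
0000000000000000: 00000003 00000000 00000000 0001 03 11005
"""

@dataclass
class UnixSocket:
    namespace: str   # ABSTRACT, FILESYSTEM or UNNAMED
    address: str
    sock_type: str
    listening: bool
    inode: int

def parse_proc_net_unix(text):
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)            # path is the optional 8th field
        if len(fields) < 7:
            continue                            # malformed or truncated line
        flags, stype, inode = int(fields[3], 16), int(fields[4], 16), int(fields[6])
        path = fields[7] if len(fields) == 8 else ""
        if path.startswith("@"):                # procfs prints the leading NUL as '@'
            namespace, address = "ABSTRACT", path[1:]
        elif path:
            namespace, address = "FILESYSTEM", path
        else:
            namespace, address = "UNNAMED", ""
        sockets.append(UnixSocket(namespace, address, TYPES.get(stype, hex(stype)),
                                  bool(flags & SO_ACCEPTCON), inode))
    return sockets

def listening_abstract(sockets):
    """Listening ABSTRACT sockets: no file permissions guard these addresses."""
    return sorted({s.address for s in sockets if s.namespace == "ABSTRACT" and s.listening})

if __name__ == "__main__":
    for s in parse_proc_net_unix(SAMPLE):
        print(s)
    print("review:", listening_abstract(parse_proc_net_unix(SAMPLE)))
```

Bound datagram sockets never set the listening flag, so they need a separate pass over the parsed entries.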
