Elgharabawy, Mounir (2021) Cross-vendor Security Analysis of Android Unix Domain Sockets. Masters thesis, Concordia University.
Text (application/pdf), 471kB: Elgharabawy_MASc_S2022.pdf - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. Although the Android-specific IPC mechanisms have been studied extensively, Unix domain sockets have not been studied as much despite playing a crucial role in the IPC of highly privileged system daemons. In this thesis, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model as well as authentication checks implemented by the daemon binaries. It is a fully static large-scale analysis framework specifically designed to analyze Unix domain socket usage in Android system daemons. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks introduced by vendor customization. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and a vendor-specific daemon exposing an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Elgharabawy, Mounir |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | October 2021 |
Thesis Supervisor(s): | Youssef, Amr and Mannan, Mohamed |
ID Code: | 989076 |
Deposited By: | Mounir Elgharabawy |
Deposited On: | 16 Jun 2022 14:36 |
Last Modified: | 16 Jun 2022 14:36 |