Le Blanc, Alex (2023) Emulating Android Device Drivers via Replicated Execution Context. Masters thesis, Concordia University.
Text (application/pdf), 812 kB: LeBlanc_MASc_S2024.pdf (Accepted Version). Restricted to Repository staff only until 31 December 2024. Available under License Spectrum Terms of Access.
Abstract
The Android operating system is characterized by the many variants of its kernel, each variant being specific to the manufacturer and the hardware it is running on. At scale, this makes emulating these kernels highly challenging, as existing emulators implement only a handful of hardware boards, and extending them is impractical due to the plethora of devices in existence today. Inability to emulate Android kernels means that dynamic analysis, which can be very effective in finding security vulnerabilities, is only possible on the device itself. This not only makes such analysis more expensive, as one needs to purchase physical copies of the device, but it also limits its usefulness, as some techniques require fine-grained monitoring of the internal state, which can only be achieved in an emulated environment.
In this thesis, we present LiLi, a framework that allows security analysts to emulate selected bug-prone parts of an Android kernel. This limits the number of hardware peripherals that we need to deal with, and also allows for a more targeted analysis. It takes advantage of the fact that the Android OS is based on Linux, whose default configuration is supported by existing emulators. LiLi executes a modified stock Linux kernel within an emulator, wraps and injects the Android kernel under test into the same memory space, connects the two kernels, and successfully redirects execution to any portion of the Android kernel, while providing it a valid execution context.
We evaluate our approach by further extending LiLi with coverage-based fuzzing and testing 57 Android device drivers from ten different Android kernels, from a total of four vendors. For 40% of the drivers, LiLi is able to successfully restore a valid execution context and enable correct emulation. Using LiLi, we were able to discover 4 zero-day vulnerabilities (2 of which are high-severity) that were confirmed by the Google security team and were awarded bounties totaling 6,000 USD.
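The abstract's central idea, that a driver entry point can only be emulated once it is handed a valid execution context, and that coverage-based fuzzing can then be layered on top, can be made concrete with a small user-space model. The C program below is an added illustration written for this page; it is not code from the thesis or from LiLi, and every name in it (my_dev, dev_ioctl, the MYDEV_IOC_* commands, the harness and fuzz functions) is invented for the example. It models an ioctl handler that silently depends on state only a prior open() would have set up, a harness that reconstructs that state before redirecting a call into the handler (and refuses to call it when the state cannot be restored), and a coverage bitmap driving a deterministic fuzz loop over commands and arguments, standing in for the compiler instrumentation a real coverage-guided fuzzer would use.

```c
/* Added illustration (not LiLi's code): a user-space model of a driver ioctl
 * entry point, the execution context it silently depends on, and a coverage
 * bitmap driving a small fuzz loop. All names are invented for the example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COV_SIZE 64
static uint8_t cov[COV_SIZE];                /* one byte per instrumented site */
#define COV(id) (cov[(id) % COV_SIZE] = 1)   /* stand-in for compiler coverage instrumentation */

/* Minimal stand-ins for the kernel objects the handler touches. */
struct my_dev { uint32_t regs[4]; };
struct file { void *private_data; };

/* Hypothetical ioctl commands, invented for the example. */
#define MYDEV_IOC_SET_REG 0x40u   /* arg: (value << 8) | register index */
#define MYDEV_IOC_GET_REG 0x41u   /* arg: register index; returns its value */
#define MYDEV_IOC_RESET   0x42u

/* The entry point under test. Like a real driver it assumes open() already
 * ran and stored the device state in f->private_data; nothing here checks it. */
static long dev_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    struct my_dev *d = f->private_data;      /* NULL here means a crash, not an error code */
    unsigned idx = arg & 0xff;
    COV(1);
    switch (cmd) {
    case MYDEV_IOC_SET_REG:
        COV(2);
        if (idx >= 4) { COV(3); return -EINVAL; }
        COV(8);
        d->regs[idx] = (uint32_t)(arg >> 8);
        return 0;
    case MYDEV_IOC_GET_REG:
        COV(4);
        if (idx >= 4) { COV(5); return -EINVAL; }
        COV(9);
        return d->regs[idx];
    case MYDEV_IOC_RESET:
        COV(6);
        memset(d->regs, 0, sizeof d->regs);
        return 0;
    default:
        COV(7);
        return -ENOTTY;
    }
}

/* Harness: rebuild the context open() would have produced, then redirect the
 * call into the handler. If the state could not be restored, do not call at
 * all; -EFAULT here means "harness refused", not a driver return value. */
static long call_with_context(struct my_dev *d, unsigned int cmd, unsigned long arg)
{
    if (!d) return -EFAULT;
    struct file f = { .private_data = d };
    return dev_ioctl(&f, cmd, arg);
}

/* Coverage loop: cycle the commands, alternate between a tiny seed corpus of
 * boundary indices and xorshift64 mutations, and count the sites reached. */
static int fuzz_coverage(struct my_dev *d, unsigned iters, uint64_t seed)
{
    static const unsigned cmds[] = { MYDEV_IOC_SET_REG, MYDEV_IOC_GET_REG, MYDEV_IOC_RESET, 0x7fu };
    static const unsigned long boundary[] = { 0x00, 0x03, 0x04, 0xff };
    uint64_t s = seed | 1;
    int reached = 0;
    memset(cov, 0, sizeof cov);
    for (unsigned i = 0; i < iters; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        /* keep the low byte from the corpus, randomize the value bits above it */
        unsigned long arg = (i & 4) ? (boundary[(i >> 3) % 4] | (unsigned long)(s << 8))
                                    : (unsigned long)s;
        call_with_context(d, cmds[i % 4], arg);
    }
    for (int i = 0; i < COV_SIZE; i++) reached += cov[i];
    return reached;
}

/* Small self-checks with constructed inputs. */
static long demo_set_then_get(void)
{
    struct my_dev d = { { 0 } };
    call_with_context(&d, MYDEV_IOC_SET_REG, (0xabcdul << 8) | 2);
    return call_with_context(&d, MYDEV_IOC_GET_REG, 2);       /* 0xabcd */
}
static long demo_invalid_index(void)
{
    struct my_dev d = { { 0 } };
    return call_with_context(&d, MYDEV_IOC_SET_REG, 9);       /* -EINVAL */
}
static long demo_missing_context(void)
{
    return call_with_context(NULL, MYDEV_IOC_RESET, 0);        /* -EFAULT: harness refused */
}
static int demo_fuzz(void)
{
    struct my_dev d = { { 0 } };
    return fuzz_coverage(&d, 64, 1);                           /* 9: every instrumented site */
}

int main(void)
{
    printf("set/get round trip: 0x%lx\n", demo_set_then_get());
    printf("bad index: %ld, missing context: %ld\n", demo_invalid_index(), demo_missing_context());
    printf("coverage after 64 iterations: %d sites\n", demo_fuzz());
    return 0;
}
```

The point of the harness is the `if (!d) return -EFAULT;` line: the handler itself will never tell you its context is missing, it will simply dereference NULL, so a framework that injects and redirects into unmodified driver code has to decide before the call whether the context it rebuilt is good enough. The seed corpus of boundary indices is what makes the loop hit both the in-range and the out-of-range branches deterministically; pure random arguments would reach the in-range branches only occasionally.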
Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Le Blanc, Alex
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 28 November 2023
Thesis Supervisor(s): Pustogarov, Ivan
ID Code: 993286
Deposited By: Alex Le Blanc
Deposited On: 05 Jun 2024 16:17
Last Modified: 05 Jun 2024 16:17