Privilege escalation attacks on android

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6531 LNCS, Issue , 2011, Pages 346-360

  Davi, Lucas ^a   Dmitrienko, Alexandra ^a   Sadeghi, Ahmad Reza ^b   Winandy, Marcel ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; ANDROID (OPERATING SYSTEM); APPLICATION PROGRAMS; MALWARE; SECURITY OF DATA;

APPLICATION-ORIENTED; INSTALLATION TIME; MANDATORY ACCESS CONTROL; PROGRAM CODE; RUNTIMES; SANDBOXING; SECURITY MODEL; SOFTWARE PLATFORMS;

MOBILE SECURITY;

EID: 85037073388     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-18178-8_30     Document Type: Conference Paper

References (32)

1. One, A.: Smashing the stack for fun and profit. Phrack Magazine 49(14) (1996)
2. Barrera, D., Kayacik, H.G., van Oorschot, P., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to Android. In: ACM CCS 2010 (October 2010)
3. Chaudhuri, A.: Language-based security on Android. In: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, PLAS 2009, pp. 1-7 (2009)
4. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: ACM CCS 2010 (October 2010)
5. Chiueh, T., Hsu, F.-H.: RAD: A compile-time solution to buffer overflow attacks. In: International Conference on Distributed Computing Systems, pp. 409-417. IEEE Computer Society, Los Alamitos (2001)
6. cnet news. First SMS-sending Android Trojan reported (August 2010), http://news.cnet.com/8301-27080-3-20013222-245.html
7. Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Return-oriented programming without returns on ARM. Technical Report HGI-TR-2010-002, Ruhr-University Bochum (July 2010)
8. Davi, L., Sadeghi, A.-R., Winandy, M.: ROPdefender: A detection tool to defend against return-oriented programming attacks (March 2010), http://www.trust.rub.de/media/trust/veroeffentlichungen/2010/03/20/ROPdefender. pdf
9. Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In: USENIX Symposium on Operating Systems Design and Implementation (October 2010)
10. Enck, W., Ongtang, M., McDaniel, P.: Mitigating Android software misuse before it happens. Technical Report NAS-TR-0094-2008, Pennsylvania State University (September 2008)
11. Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: ACM CCS 2009, pp. 235-245. ACM, New York (2009)
12. Enck, W., Ongtang, M., McDaniel, P.: Understanding Android security. IEEE Security and Privacy 7(1), 50-57 (2009)
13. Gupta, S., Pratap, P., Saran, H., Arun-Kumar, S.: Dynamic code instrumentation to detect and recover from return address corruption. In: WODA 2006, pp. 65-72. ACM, New York (2006)
14. Lineberry, A., Richardson, D.L., Wyatt, T.: These aren't the permissions you're looking for. In: BlackHat USA 2010 (2010), http://dtors.files.wordpress. com/2010/08/blackhat-2010-slides.pdf
15. Microsoft. A detailed description of the data execution prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 (2006), http://support.microsoft.com/kb/875352/EN-US/
16. Moore, H.D.: Cracking the iPhone (2007), http://blog.metasploit.com/2007/ 10/cracking-iphone-part-1.html
17. Mulliner, C.: Fuzzing the phone in your phones. In: Black Hat USA (June 2009), http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller- FuzzingPhone-PAPER.pdf
18. Nauman, M., Khan, S., Zhang, X.: Apex: Extending Android permission model and enforcement with user-defined runtime constraints. In: ASIACCS 2010, pp. 328-332. ACM, New York (2010)
19. Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in Android. In: ACSAC 2009, pp. 340-349. IEEE Computer Society, Los Alamitos (2009)
20. Palm Source, Inc. Open Binder. Version 1 (2005), http://www. angryredplanet.com/~hackbod/openbinder/docs/html/index.html
21. PaX Team, http://pax.grsecurity.net/
22. Pincus, J., Baker, B.: Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy 2(4), 20-27 (2004)
23. Schmidt, A.-D., Schmidt, H.-G., Batyuk, L., Clausen, J.H., Camtepe, S.A., Albayrak, S., Yildizli, C.: Smartphone malware evolution revisited: Android next target? In: Proceedings of the 4th IEEE International Conference on Malicious and Unwanted Software (Malware 2009), pp. 1-7 (2009)
24. Schmidt, A.-D., Schmidt, H.-G., Clausen, J., Yuksel, K.A., Kiraz, O., Camtepe, A., Albayrak, S.: Enhancing security of Linux-based Android devices. In: 15th International Linux Kongress, Lehmann (October 2008)
25. Shabtai, A., Fledel, Y., Elovici, Y.: Securing Android-powered mobile devices using SELinux. IEEE Security and Privacy 8, 36-44 (2010)
26. Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S.: Google Android: A state-of-the-art review of security mechanisms. CoRR, abs/0912.5101 (2009)
27. Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google Android: A comprehensive security assessment. IEEE Security and Privacy 8(2), 35-44 (2010)
28. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: ACM CCS 2007, pp. 552-561 (2007)
29. Shin, W., Kiyomoto, S., Fukushima, K., Tanaka, T.: A formal model to analyze the permission authorization and enforcement in the Android framework. Invited paper. In: SecureCom 2010 (2010)
30. Tan, G., Croft, J.: An empirical security study of the native code in the JDK. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, pp. 365-377. USENIX Association, Berkeley (2008)
31. Vendicator. Stack Shield: A "stack smashing" technique protection tool for Linux, http://www.angelfire.com/sk/stackshield
32. Vennon, T.: Android malware. A study of known and potential malware threats. Technical report, SMobile Global Threat Center (February 2010)