
JNI Global References Are Still Vulnerable: Attacks and Defenses

Yi He, Yuan Zhou, Yacong Gu, Purui Su, Qi Li, Yajin Zhou, Yong Jiang

TL;DR

Android's JNI Global Reference Exhaustion (JGRE) attack lets a caller trigger a DoS by exhausting JNI global references through system-service IPC interfaces until the system reboots. The authors introduce JGREAnalyzer, a static+dynamic analysis pipeline that identifies JGR-creating call paths across Android versions and validates them with automatically generated PoCs, revealing vulnerabilities that persist even on Android 10. They also propose a defense based on global reference counting and a practical implementation, JGRE Purger, that curbs JGR consumption at the framework level. Collectively, the work shows the need for systematic vulnerability assessment and defenses that keep pace with Android's evolving service and IPC landscape.

Abstract

System services and resources in Android are accessed through IPC-based mechanisms. Previous research has demonstrated that they are vulnerable to denial-of-service (DoS) attacks. For instance, the JNI global reference (JGR), which is widely used by system services, can be exhausted to cause the system to reboot (hence the name JGRE attack). Even though the Android team tried to fix the problem by enforcing security checks, we find that it is still possible to construct a JGR exhaustion DoS attack in the latest Android system. In this paper, we propose a new JGR exhaustion DoS attack, which is effective across different Android versions, including the latest one (i.e., Android 10). Specifically, we developed JGREAnalyzer, a tool that can systematically detect JGR-vulnerable service APIs via a call graph analysis and a forward reachability analysis. We applied this tool to different Android versions and found multiple vulnerabilities. In particular, among 148 system services in Android 10, 12 of them have 21 vulnerabilities, 9 of which can be successfully exploited without any permissions. We further analyze the root cause of the vulnerabilities and propose a new defense that mitigates the JGRE attack by restricting resource consumption via global reference counting.
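The attack pattern and the counting defense sketched in the abstract, as an added example (this is not the paper's code and not AOSP code; it models the behaviour rather than driving a real JVM). The JNI global reference table of system_server is modelled as a fixed-capacity counter: the capacity 51200 matches ART's kGlobalsMax, and overflowing it aborts the runtime, which is what takes the system down. Each call to the modelled service API pins one global reference, as an API that reaches newGlobalRef via linkToDeath would. The UIDs, the per-UID quota and the request mix are constructed for illustration; the real defense in the paper is at the framework level and its exact quota policy is not given on this page.

```c
/* Model of JNI global reference exhaustion through a Binder-reachable
 * service API, with and without a per-caller reference counting defense.
 * Added example; numbers, UIDs and quota are illustrative assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GLOBAL_REF_CAPACITY 51200   /* ART's kGlobalsMax for the global table */
#define MAX_UIDS 64

struct ref_table {
    size_t used;              /* live global references in system_server */
    bool aborted;             /* table overflow -> runtime abort -> reboot */
    bool enforce_quota;       /* defense: per-UID reference counting */
    size_t quota;             /* max live references per calling UID */
    int uids[MAX_UIDS];
    size_t per_uid[MAX_UIDS];
    size_t n_uids;
};

static void table_init(struct ref_table *t, bool enforce_quota, size_t quota) {
    memset(t, 0, sizeof *t);
    t->enforce_quota = enforce_quota;
    t->quota = quota;
}

/* Per-UID live reference counter (defense bookkeeping). */
static size_t *counter_for(struct ref_table *t, int uid) {
    for (size_t i = 0; i < t->n_uids; i++)
        if (t->uids[i] == uid) return &t->per_uid[i];
    if (t->n_uids == MAX_UIDS) return NULL;
    t->uids[t->n_uids] = uid;
    return &t->per_uid[t->n_uids++];
}

/* Models a service API reached over IPC by `uid` that creates one JNI
 * global reference per call. Returns true if the reference was created. */
static bool service_new_global_ref(struct ref_table *t, int uid) {
    if (t->aborted) return false;
    size_t *c = counter_for(t, uid);
    if (c == NULL) return false;
    if (t->enforce_quota && *c >= t->quota)
        return false;         /* defense: this caller is over budget */
    if (t->used >= GLOBAL_REF_CAPACITY) {
        t->aborted = true;    /* "global reference table overflow" abort */
        return false;
    }
    t->used++;
    (*c)++;
    return true;
}

/* Release path; the defense must decrement the caller's counter as well,
 * otherwise legitimate callers would eventually be starved. */
static void service_delete_global_ref(struct ref_table *t, int uid) {
    size_t *c = counter_for(t, uid);
    if (t->used) t->used--;
    if (c && *c) (*c)--;
}

/* Scenario: one attacker UID floods the API, then three benign UIDs make
 * 100 calls each. Returns true if system_server survived; *benign_ok
 * receives the number of benign calls that succeeded. */
static bool run_scenario(bool enforce_quota, size_t quota,
                         size_t attacker_calls, size_t *benign_ok) {
    struct ref_table t;
    const int benign_uids[] = {10001, 10002, 10003};   /* constructed */
    const int attacker_uid = 10099;                     /* constructed */
    table_init(&t, enforce_quota, quota);
    *benign_ok = 0;
    for (size_t i = 0; i < attacker_calls; i++)
        service_new_global_ref(&t, attacker_uid);
    for (size_t u = 0; u < 3; u++)
        for (int i = 0; i < 100; i++)
            if (service_new_global_ref(&t, benign_uids[u])) (*benign_ok)++;
    service_delete_global_ref(&t, benign_uids[0]);      /* exercise release */
    return !t.aborted;
}

int main(void) {
    size_t ok;
    bool alive = run_scenario(false, 0, 60000, &ok);
    printf("no defense : alive=%d benign_ok=%zu\n", alive, ok);
    alive = run_scenario(true, 1000, 60000, &ok);
    printf("with quota : alive=%d benign_ok=%zu\n", alive, ok);
    return 0;
}
```

Without the quota the attacker's 60000 calls overflow the table at 51200 and every later call, benign or not, fails because the process is gone. With a per-UID cap the attacker is refused after 1000 references and the benign callers are unaffected; the table never approaches capacity. The point of counting per caller rather than globally is exactly this: a single global limit still lets one caller take the whole budget.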

Paper Structure (30 sections, 9 figures, 5 tables)

Figures (9)

  • Figure 1: The JGRE attack pattern
  • Figure 2: Calling path from linkToDeath(Java) to newGlobalRef(Native)
  • Figure 3: Code snippet for the Binder number limit.
  • Figure 4: Code snippet for One-Binder attack.
  • Figure 5: The architecture of JGREAnalyzer
  • ...and 4 more figures