
Static Detection of Filesystem Vulnerabilities in Android Systems

Yu-Tsung Lee, Hayawardh Vijayakumar, Zhiyun Qian, Trent Jaeger

TL;DR

PathSentinel tackles Android filesystem vulnerabilities by combining static program analysis with access control policy analysis to detect path traversal, hijacking, and luring attacks. It generates constrained input payloads through a solver and then leverages LLMs to craft executable exploits for validation, achieving 51 true vulnerabilities across 217 apps with only 2 false positives. The approach reduces search space via environmental constraints and demonstrates practical efficacy on Android 12 and 14 OEM apps, including a zero-day path traversal case and several hijacking cases. The work highlights the value of integrating static analysis with policy reasoning and LLM-assisted exploit generation for efficient vulnerability discovery and vulnerability validation in mobile ecosystems.

Abstract

Filesystem vulnerabilities persist as a significant threat to Android systems, despite various proposed defenses and testing techniques. The complexity of program behaviors and access control mechanisms in Android systems makes it challenging to effectively identify these vulnerabilities. In this paper, we present PathSentinel, which overcomes the limitations of previous techniques by combining static program analysis and access control policy analysis to detect three types of filesystem vulnerabilities: path traversals, hijacking vulnerabilities, and luring vulnerabilities. By unifying program and access control policy analysis, PathSentinel identifies attack surfaces accurately and prunes many impractical attacks to generate input payloads for vulnerability testing. To streamline vulnerability validation, PathSentinel leverages large language models (LLMs) to generate targeted exploit code based on the identified vulnerabilities and generated input payloads. The LLMs serve as a tool to reduce the engineering effort required for writing test applications, demonstrating the potential of combining static analysis with LLMs to enhance the efficiency of exploit generation and vulnerability validation. Evaluation on Android 12 and 14 systems from Samsung and OnePlus demonstrates PathSentinel's effectiveness, uncovering 51 previously unknown vulnerabilities among 217 apps with only 2 false positives. These results underscore the importance of combining program and access control policy analysis for accurate vulnerability detection and highlight the promising direction of integrating LLMs for automated exploit generation, providing a comprehensive approach to enhancing the security of Android systems against filesystem vulnerabilities.

Paper Structure (52 sections, 7 figures, 4 tables)

Figures (7)

  • Figure 1: Filesystem Hijacking Vulnerability Example: The file pathname used by a victim program to open a file uses an adversary-controlled resource, which redirects the victim to an adversary-targeted file.
  • Figure 2: Path Traversal Vulnerability Example: The victim uses malicious IPC input to construct a file pathname to a private victim file that the adversary can then read/write illicitly.
  • Figure 3: Threat Model: Levels of privilege and corresponding Android permissions that each level can obtain.
  • Figure 4: Filesystem Vulnerability Detection Problem: Attackers may attack at external sources and at name resolution of file operations to direct the program to adversary-targeted resources. Vulnerabilities are possible if the Android system's environmental constraints and the program's path constraints allow the generation of vulnerable pathnames at file operations.
  • Figure 5: PathSentinel processes Android APK files (green) and sensitive filesystem operations (red, defined manually) to compute program (path) constraints and processes the Android access control policies (blue) and APKs (green) to compute environmental (entry point and file) constraints. Exploit programs are generated from solutions to this combined constraint set to test for each vulnerability dynamically.
  • ...and 2 more figures
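The Figure 1 and Figure 2 captions describe the two file-operation patterns PathSentinel targets: a pathname built from attacker-supplied IPC input (path traversal) and a pathname whose resolution passes through an adversary-controlled resource (hijacking). The following plain-Java example is added here for illustration and is not code from the paper or from PathSentinel; it shows the vulnerable concatenation beside a canonical-path check that rejects both cases. The directory layout, the file names and the `unsafeResolve`/`safeResolve` helpers are constructed for this example; on Android the untrusted string would typically arrive as an Intent extra to an exported component.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Added example (not from the PathSentinel paper): an app-private base
 * directory, an untrusted file name taken from IPC, and the check that keeps
 * the resolved pathname inside the base directory.
 */
public class SafePathResolve {

    /** Vulnerable pattern: the IPC string is concatenated straight into the path. */
    static File unsafeResolve(File baseDir, String untrustedName) {
        // "../shared_prefs/secrets.xml" walks out of baseDir; a symlink placed
        // under baseDir by another app is followed wherever it points.
        return new File(baseDir, untrustedName);
    }

    /**
     * Hardened pattern: canonicalise both the base and the candidate, which
     * resolves "..", "." and symbolic links, then require the candidate to lie
     * strictly under the base directory.
     */
    static File safeResolve(File baseDir, String untrustedName) throws IOException {
        String base = baseDir.getCanonicalPath();
        String candidate = new File(baseDir, untrustedName).getCanonicalPath();
        // Compare with a trailing separator so a sibling such as
        // ".../files2" cannot satisfy a check for ".../files".
        if (!candidate.startsWith(base + File.separator)) {
            throw new IOException("pathname escapes base directory: " + untrustedName);
        }
        return new File(candidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for /data/data/<pkg>/files and a
        // sibling directory holding a private file (hypothetical names).
        File root = Files.createTempDirectory("pathsentinel-demo").toFile();
        File files = new File(root, "files");
        File prefs = new File(root, "shared_prefs");
        files.mkdirs();
        prefs.mkdirs();
        new File(prefs, "secrets.xml").createNewFile();

        // One benign name and one traversal payload, both constructed.
        String[] inputs = { "report.txt", "../shared_prefs/secrets.xml" };
        for (String name : inputs) {
            System.out.println("input  : " + name);
            System.out.println("unsafe : " + unsafeResolve(files, name).getCanonicalPath());
            try {
                System.out.println("safe   : " + safeResolve(files, name).getPath());
            } catch (IOException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Because `getCanonicalPath()` resolves symbolic links before the prefix comparison, the same check covers the hijacking case in Figure 1: a link that an adversary drops inside the base directory and that points outside it is rejected, while a link whose target stays inside the base directory is accepted. The check does not help when the base directory itself is writable by other apps, which is the environmental constraint PathSentinel derives from the access control policy rather than from the program.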