Large-scale Security Measurements on the Android Firmware Ecosystem
Wed 11 May 2022 20:25 - 20:30 at ICSE room 2-even hours - Software Security 5 Chair(s): Nancy Mead
Android is the most popular smartphone platform with over 85% market share. Its success is built on openness, and phone vendors can utilize the Android source code to make products with unique software/hardware features. On the other hand, the fragmentation and customization of Android also bring many security risks that have attracted the attention of researchers. Many efforts have been made to investigate the security of customized Android firmware. However, most of the previous work focuses on designing efficient analysis tools or analyzing particular aspects of the firmware. A panoramic view of Android firmware ecosystem security, and the corresponding understanding based on large-scale firmware datasets, is still lacking. In this work, we made a large-scale comprehensive measurement of the Android firmware ecosystem security. Our study is based on 6,261 firmware images from 153 vendors and 602 Android-related CVEs, which is the largest Android firmware dataset ever used for security measurements. In particular, our study followed a series of research questions, covering vulnerabilities, patches, security updates, and pre-installed apps. To automate the analysis process, we designed a framework, AndScanner, to complete ROM crawling, ROM parsing, patch analysis, and app analysis. Through massive data analysis and case explorations, several interesting findings are obtained. For example, the patch delay and missing patch issues are widespread in Android images, affecting 24.2% and 6.1% of all images, respectively. The latest images of several phones still contain vulnerable pre-installed apps, even though the corresponding vulnerabilities have been publicly disclosed. In addition to data measurements, we also explore the causes behind these security threats through case studies and demonstrate that the discovered security threats can be converted into exploitable vulnerabilities via 38 new vulnerabilities found by our framework, 32 of which have been assigned CVE/CNVD numbers.
This study provides much new knowledge of the Android firmware ecosystem with deep understandings of software engineering security practices.
Tue 10 May (displayed time zone: Eastern Time (US & Canada))
03:00 - 04:00 | Mobile Applications 1 | Journal-First Papers / Technical Track | at ICSE room 1-odd hours | Chair(s): Luciano Baresi Politecnico di Milano
03:00 | 5m Talk | FeatCompare: Feature Comparison for Competing Mobile Apps Leveraging User Reviews | Journal-First Papers | Maram Assi Queen's University, Safwat Hassan Thompson Rivers University, Yuan Tian Queens University, Kingston, Canada, Ying Zou Queen's University, Kingston, Ontario
03:05 | 5m Talk | Modx: Binary Level Partial Imported Third-Party Library Detection through Program Modularization and Semantic Matching | Technical Track | Can Yang Institute of Information Engineering, University of Chinese Academy of Sciences, Zhengzi Xu Nanyang Technological University, Hongxu Chen Huawei Technologies Co., Ltd., Yang Liu Nanyang Technological University, Xiaorui Gong Institute of Information Engineering, Chinese Academy of Science, Baoxu Liu Institute of Information Engineering, Chinese Academy of Sciences
03:10 | 5m Talk | Large-scale Security Measurements on the Android Firmware Ecosystem | Technical Track | Qinsheng Hou Shandong University; Qi An Xin Group Corp., Wenrui Diao Shandong University, Yanhao Wang Qi An Xin Group Corp., Xiaofeng Liu Shandong University, Song Liu Qi An Xin Group Corp., Lingyun Ying Qi An Xin Group Corp., Shanqing Guo Shandong University, Yuanzhi Li Qi An Xin Group Corp., Meining Nie Qi An Xin Group Corp., Haixin Duan Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.
03:15 | 5m Talk | Demystifying Android Non-SDK APIs: Measurement and Understanding | Technical Track | Shishuai Yang Shandong University, Rui Li Shandong University, Jiongyi Chen National University of Defense Technology, Wenrui Diao Shandong University, Shanqing Guo Shandong University
Wed 11 May (displayed time zone: Eastern Time (US & Canada))
20:00 - 21:00 | Software Security 5 | Technical Track / SEIP - Software Engineering in Practice / Journal-First Papers | at ICSE room 2-even hours | Chair(s): Nancy Mead Carnegie Mellon University
20:00 | 5m Talk | Deep Learning based Vulnerability Detection: Are We There Yet? | Journal-First Papers | Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University
20:05 | 5m Talk | An Empirical Study on Implicit Constraints in Smart Contract Static Analysis | SEIP - Software Engineering in Practice | Tingting Yin Tsinghua University, China, Chao Zhang Tsinghua University, Yuandong Ni Institute for Network Science and Cyberspace of Tsinghua University, Yixiong Wu Institute for Network Science and Cyberspace of Tsinghua University, Taiyu Wong Department of Computer Science and Technology, Tsinghua University, Xiapu Luo Hong Kong Polytechnic University, Zheming Li Tsinghua University, Yu Guo SECBIT labs
20:10 | 5m Talk | RoPGen: Towards Robust Code Authorship Attribution via Automatic Coding Style Transformation | Technical Track | Zhen Li University of Texas at San Antonio, Guenevere (Qian) Chen University of Texas at San Antonio, Chen Chen University of Central Florida, Yayi Zou Northeastern University, Shouhuai Xu University of Colorado Colorado Springs
20:15 | 5m Talk | ReMoS: Reducing Defect Inheritance in Transfer Learning via Relevant Model Slicing | Technical Track | Ziqi Zhang Peking University, Yuanchun Li Microsoft Research, Jindong Wang Microsoft Research, Bingyan Liu Peking University, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University, Yunxin Liu Tsinghua University
20:20 | 5m Talk | Modx: Binary Level Partial Imported Third-Party Library Detection through Program Modularization and Semantic Matching | Technical Track | Can Yang Institute of Information Engineering, University of Chinese Academy of Sciences, Zhengzi Xu Nanyang Technological University, Hongxu Chen Huawei Technologies Co., Ltd., Yang Liu Nanyang Technological University, Xiaorui Gong Institute of Information Engineering, Chinese Academy of Science, Baoxu Liu Institute of Information Engineering, Chinese Academy of Sciences
20:25 | 5m Talk | Large-scale Security Measurements on the Android Firmware Ecosystem | Technical Track | Qinsheng Hou Shandong University; Qi An Xin Group Corp., Wenrui Diao Shandong University, Yanhao Wang Qi An Xin Group Corp., Xiaofeng Liu Shandong University, Song Liu Qi An Xin Group Corp., Lingyun Ying Qi An Xin Group Corp., Shanqing Guo Shandong University, Yuanzhi Li Qi An Xin Group Corp., Meining Nie Qi An Xin Group Corp., Haixin Duan Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.