2014-06-02
Abstract
In the last of his ‘Greetz from academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at change in the form of Android update flaws, as well as spare change under the guise of academic funding.
Copyright © 2014 Virus Bulletin
This is the 13th ‘Greetz from Academe’ article, which happens to coincide with Virus Bulletin ceasing to be published in a traditional magazine format. Since VB is undergoing change, it seems fitting for my final instalment to focus on change as well.
I’ll begin with updates, since they introduce all manner of change to a system. In a previous ‘Greetz’ [1], I featured a research paper that dissected anti-virus updates and found a number of worrying problems. Happily, there seem to be more than enough updating flaws to go around, and anti-malware products aren’t in the cross hairs this time – instead, it’s Google’s turn. Xing et al.’s paper on mobile OS privilege escalation [2] appeared in the recent IEEE Symposium on Security and Privacy, a very well-respected security venue.
The researchers delved into what happens when Android devices are updated, and in particular the behaviour of the Android Package Management Service that oversees the updating process. In other words, the Package Management Service – which the paper’s authors insist on abbreviating to ‘PMS’ – is responsible for periodic software bloat. Make your own inappropriate joke here; it’s simply too easy.
Naturally, it would not be a good thing for user data to be lost, or user-installed apps to break, when an update occurs. PMS thus contains some elaborate logic in an attempt to make changes painless but, as the researchers discovered, some loopholes exist that can be exploited by an attacker. Patience is a virtue, and that idea underlies the various possible attacks. An attacker who can get a malicious app installed on a device (these attacks can all pass through third-party app markets, and most of them work on Google Play as well) simply needs to wait.
In one attack, for example, the malicious app claims carefully chosen privileges that have no special meaning on the Android version on which it is installed; when the Android device is updated, however, and those privileges now happen to be needed by a critical system component, PMS handles the conflict by silently giving the malicious app the system-level permission. PMS is, in effect, the Neville Chamberlain of the Android world, trying desperately to appease apps and keep them functional. This example is but one of many updating flaws the researchers uncovered, both in the Google-sanctioned Android versions and in thousands of custom vendor builds. The problems have been reported to Google, whose developers are working on fixing them, but the reality is that it will take a very long time for fixes to trickle out to all affected devices.
Fermat famously scribbled that he had a clever proof of his Last Theorem that was too large to fit in the margin. Looking at the margins of my copy of Xing et al.’s paper, they are nearly too small to contain all the stars and exclamation points with which I marked interesting points while reading it. It’s a good paper. The authors could have stopped after explaining all the flaws, and it would still be a good paper, but in fact they went further and developed a tool to help find these so-called ‘Pileup’ update flaws, which is publicly available [3]. They make the interesting claim there that ‘Generic security apps (e.g. Lookout, Avast!, Norton, etc.) cannot be easily tuned to detect Pileup threats.’ That sounds to me like a challenge.
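The permission attack described above suggests a pre-update check: flag any installed app that defines or requests a permission the current OS image does not know about but the update image will. The sketch below is an added example, not code from the paper or from the researchers' scanner; the platform permission tables, the `EXAMPLE_*` permission names, the version labels and the sample manifest are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by the android:name attribute in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed tables: permissions each OS image itself defines, keyed by a
# hypothetical version label. EXAMPLE_* names are placeholders, not real data.
PLATFORM_PERMS = {
    "current": {"android.permission.INTERNET", "android.permission.EXAMPLE_OLD"},
    "next": {"android.permission.INTERNET", "android.permission.EXAMPLE_OLD",
             "android.permission.EXAMPLE_NEW_SYSTEM"},
}

# Constructed manifest of an app that claims a permission name ahead of time.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.waiting">
  <permission android:name="android.permission.EXAMPLE_NEW_SYSTEM"/>
  <uses-permission android:name="android.permission.EXAMPLE_NEW_SYSTEM"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.waiting.PRIVATE"/>
</manifest>"""

def manifest_permissions(manifest_xml):
    """Return (package, {tag: names}) for defined and requested permissions."""
    root = ET.fromstring(manifest_xml)
    found = {"permission": set(), "uses-permission": set()}
    for tag in found:
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                found[tag].add(name)
    return root.get("package"), found

def dormant_claims(manifest_xml, installed="current", target="next"):
    """List permissions the app claims now that only gain meaning after update."""
    package, found = manifest_permissions(manifest_xml)
    # Names the update introduces: meaningless today, platform-owned tomorrow.
    gained = PLATFORM_PERMS[target] - PLATFORM_PERMS[installed]
    findings = []
    for tag, kind in (("permission", "defines"), ("uses-permission", "requests")):
        for name in sorted(found[tag] & gained):
            findings.append((package, kind, name))
    return findings
```

An app-private permission such as `com.example.waiting.PRIVATE` is not flagged, because it never appears in the update image's platform table.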
From updates as change, I’ll turn to the topic of change in the sense of spare change: academic research funding. One of my goals in writing this column was to help bridge the gap between industry and academia, and along the way I’ve tried to explain what the world looks like from the academic point of view. It would be remiss of me not to mention research funding. One reason I went into academia is that I enjoy both teaching and research, yet a disproportionate amount of my time is spent doing neither of those, but instead worrying about getting the money to pay for research. The thing that may be surprising to readers is the scale, because amounts of money that would be lost in the noise on a corporate balance sheet can go quite far in academic research. For anyone in industry who finds themselves awash with what they consider small change, become a patron for an academic researcher. I, for one, would be happy to go all Renaissance in the tradition of da Vinci and Mozart, dedicating my works to the greater glory of CorporateEntity, if it meant I could get real work done!
I hope ‘Greetz from Academe’ has been both entertaining and enlightening over the last 13 months; thanks for reading.
[1] Aycock, J. Greetz from Academe: Full Frontal. Virus Bulletin, February 2014, p.30. http://www.virusbtn.com/virusbulletin/archive/2014/02/vb201402-greetz.
[2] Xing, L.; Pan, X.; Wang, R.; Yuan, K.; Wang, X. Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating. 35th IEEE Symposium on Security and Privacy, 2014.
[3] Pileup Flaws: Vulnerabilities in Android Update Make All Android Devices Vulnerable. http://secureandroidupdate.org/.