Annual Computer Security Applications Conference 2015


Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications


Android introduced the dynamic code loading (DCL) mechanism to allow for code reuse, to achieve extensibility, to enable updating functionalities or to boost application start-up performance. In spite of its wide adoption by developers, implementing DCL in a secure way is challenging, leading to serious vulnerabilities such as remote code injection.

Previous academic and community attempts at solving this problem are unfortunately either impractical or incomplete, or in some cases exhibit vulnerabilities.

In this paper, we propose, design, implement and test Grab 'n Run, a novel code verification protocol and a series of supporting libraries, APIs, and components that address the problem by abstracting challenging implementation details away from the developer. Grab 'n Run is designed to be practical: it is a drop-in library, requires no modifications to the Android framework or the underlying Dalvik/ART runtime, is very similar to the native API, and most code can be automatically rewritten to use it.

We evaluate Grab 'n Run with a user study, obtaining impressive results in vulnerability reduction, ease of use and speed of development. We also show that the performance overhead introduced by our library is negligible. The library is released as free software.

Author(s):

Luca Falsina    
Politecnico di Milano
Italy

Yanick Fratantonio    
UC Santa Barbara
United States

Stefano Zanero    
Politecnico di Milano
Italy

Christopher Kruegel    
UC Santa Barbara
United States

Giovanni Vigna    
UC Santa Barbara
United States

Federico Maggi    
Politecnico di Milano
Italy

 
