Author: admin

Automating Binder IPC Fuzzing: Building Your Own Vulnerability Scanner for Android Apps
Introduction: The Untamed Wilderness of Android IPC

Android’s Inter-Process Communication (IPC) mechanism, known as Binder, is the backbone of the operating system, facilitating communication between countless processes and services. From system services like Activity Manager to third-party applications interacting with their components, Binder is omnipresent. Its critical role, however, also makes it a prime target for security vulnerabilities. A flaw in a Binder interface can lead to severe consequences, ranging from denial-of-service to privilege escalation or information leakage. Identifying these vulnerabilities requires specialized techniques, and among the most effective is fuzzing. This article will guide you through building your own automated Binder IPC fuzzer, a powerful tool for discovering security flaws in Android applications and system services.

Understanding Android Binder IPC: The Heartbeat of Android

What is Binder?

Binder is a high-performance, lightweight IPC mechanism provided by the Linux kernel, specifically adapted for Android. Unlike traditional Linux IPC methods (e.g., pipes, message queues, shared memory), Binder is designed for the object-oriented paradigm, allowing processes to expose objects and methods to other processes as if they were local.

The Binder Architecture

The Binder framework comprises several key components:
- Binder Driver: A character device in the Linux kernel (/dev/binder) that manages Binder transactions and shared memory.
- Service Manager: A special Binder service (servicemanager) that acts as a naming service. Clients query the Service Manager to obtain a handle to a remote Binder object by its name.
- Client/Server Model: A client process makes a request to a remote service by invoking a method on a local proxy object. This request is marshaled into a Parcel, sent via the Binder driver to the server process, unmarshaled, and then executed on the actual service object. The results are returned in the reverse manner.
The Parcel: Data Serialization for IPC

At the core of Binder IPC data transfer is the Parcel object. A Parcel is a flattened, byte-stream container that can hold various primitive data types (integers, strings, booleans), complex objects (if they implement Parcelable), and even references to Binder objects. Data written by the sender is read by the receiver in a specific order, making robust serialization and deserialization critical. Mismatches or malformed data here are common sources of vulnerabilities.

Why Fuzz Binder IPC? Uncovering Hidden Vulnerabilities

Fuzzing involves supplying invalid, unexpected, or random data to a computer program to expose software bugs and security flaws. For Binder IPC, fuzzing targets the transaction methods and the data within the Parcel.

Common Vulnerability Classes
- Type Confusion: A server expects one type of data but receives another (e.g., an integer where a string is expected), leading to incorrect memory interpretation.
- Integer Overflows and Underflows: Supplying extreme integer values that exceed data type limits, potentially leading to buffer overflows or incorrect memory allocations.
- Memory Corruption: Malformed Parcel data can cause the server to read or write beyond allocated buffers, leading to crashes (DoS) or arbitrary code execution.
- Access Control Bypass: While Binder has built-in permission checks, flaws in custom service implementations or transaction codes could allow unauthorized access to sensitive functionality.
The Need for Automation

Manually testing every possible input permutation for every Binder transaction is impractical. Automation allows for systematic, repetitive testing, covering a much larger attack surface with greater efficiency. A fuzzer can generate thousands or millions of test cases, constantly monitoring for crashes or anomalous behavior.

Building Your Own Binder IPC Fuzzer: A Step-by-Step Guide

Step 1: Identifying Target Binder Services

The first step is to identify which Binder services are running on a device. The most straightforward way is using the Android Debug Bridge (ADB):
```
adb shell service list
```
This command lists all registered Binder services and their corresponding interface names. For deeper analysis, you might look into application packages, inspect their AndroidManifest.xml for exported services, or reverse engineer their bytecode (smali or native libraries) to find custom Binder interfaces. Tools like Frida can also hook addService calls to dynamically discover new services.

Step 2: Interacting with Binder Services Programmatically

To fuzz, you need to programmatically interact with a Binder service. This can be done via a custom Android application or even through a script executing Java code via ADB. The core components are obtaining an IBinder reference and then making transactions using Parcel objects.
```
// This code snippet demonstrates basic Binder interaction within an Android app context. // It would be run as part of a fuzzer app, potentially with root privileges if targeting system services. import android.os.IBinder; import android.os.Parcel; import android.os.RemoteException; import android.os.ServiceManager; // Replace "servicename" with an actual service from "adb shell service list" String serviceName = "activity"; // Example: ActivityManager int transactionCode = 1; // Example: typically an enum or constant for a specific method IBinder binder = ServiceManager.getService(serviceName); if (binder != null) { System.out.println("Found service: " + serviceName); for (int i = 0; i < 1000; i++) { // Fuzzing loop example     Parcel data = Parcel.obtain();     Parcel reply = Parcel.obtain();     try { // --- Fuzzing Logic: Write various fuzzed data types ---         // Example 1: Fuzzing an integer parameter         // Replace with random/boundary values (e.g., 0, -1, Integer.MAX_VALUE, Integer.MIN_VALUE, random)         data.writeInt(i); // Simple incremental fuzzer for illustration         // Example 2: Fuzzing a string parameter with long or malformed data         // data.writeString("A".repeat(1024) + i);         // data.writeStrongBinder(null);         // --- End Fuzzing Logic ---         // Perform the transaction. The transactionCode itself can also be fuzzed.         // Fuzzing transactionCode to invalid values can reveal crashes or unexpected behavior.         binder.transact(transactionCode, data, reply, 0);         // You might read from reply here to check for specific error codes or patterns.         // System.out.println("Reply: " + reply.readString());     } catch (RemoteException e) {         System.err.println("RemoteException during transact for code " + transactionCode + ": " + e.getMessage());         // Log the state that led to the crash.     } catch (Exception e) {         System.err.println("General Exception during fuzz iteration " + i + ": " + e.getMessage());     } finally {         data.recycle();         reply.recycle();     } } } else {     System.err.println("Service not found: " + serviceName); }
```
Step 3: Crafting Fuzzing Inputs

The effectiveness of your fuzzer hinges on the quality of its input generation:
- Random Byte Mutation: The simplest approach, where random bytes are inserted, deleted, or flipped in the Parcel data. This is good for discovering basic parsing errors but less efficient for structured inputs.
- Structure-Aware Fuzzing: If you have some knowledge of the expected Parcel structure (e.g., from AIDL files, reverse engineering, or documentation), you can generate inputs that conform to parts of the structure while fuzzing specific fields. This is much more effective.
- Edge Case Exploration: Systematically test boundary conditions like null values, empty strings, very large strings/arrays, min/max integer values, floating-point special values (NaN, infinity), and invalid object references.
Step 4: Monitoring for Crashes and Anomalies

While your fuzzer is running, you need to constantly monitor the device for signs of crashes or unexpected behavior. The primary tool for this is logcat:
```
adb logcat -b crash -b main -b system -s AndroidRuntime:E *:F
```
Look for keywords like fatal signal, SIGSEGV, SIGBUS, SIGABRT, crash, error, or messages indicating an Application Not Responding (ANR). When a crash is detected, log the exact fuzzed input (Parcel content, transaction code) that triggered it. You can also use Frida to hook critical functions (e.g., memory allocation, `readInt`/`writeString` on `Parcel`) and detect anomalies or exceptions directly.

Advanced Fuzzing Techniques and Considerations

Coverage-Guided Fuzzing (CGF)

For native Binder services (written in C++), integrating with tools like AFL++ or libFuzzer can drastically improve efficiency. CGF monitors code coverage and prioritizes inputs that explore new execution paths, leading to faster discovery of deeper bugs. This often involves instrumenting the target service’s native library.

Dynamic Instrumentation with Frida

Frida is invaluable for dynamic analysis. You can use it to:
- Hook Parcel.read* and Parcel.write* methods to understand data flow.
- Intercept IBinder.transact() to modify inputs or observe outputs in real-time.
- Monitor for exceptions or specific function calls within the target process.
Stateful Fuzzing

Some vulnerabilities only manifest after a specific sequence of Binder transactions. Stateful fuzzing involves maintaining a ‘state’ and generating transaction sequences based on observed states or inferred protocols, rather than just individual transactions.

Permissions and SELinux

When fuzzing system services, be mindful of Android’s robust security model, including UID/PID checks and SELinux policies. Your fuzzer might need to run with elevated privileges (e.g., root) or within a specific security context to trigger certain code paths.

Conclusion: Empowering Your Android Security Toolkit

Automating Binder IPC fuzzing is a critical skill for any serious Android security researcher or penetration tester. By understanding the Binder architecture, crafting intelligent fuzzing inputs, and meticulously monitoring for anomalies, you can uncover subtle yet critical vulnerabilities that might otherwise go unnoticed. This guide provides a foundation for building your own scanner, opening the door to deeper security analysis and contributing to a more secure Android ecosystem. Remember to always conduct fuzzing ethically, targeting only systems for which you have explicit authorization.
May 30, 2026
Uncovering Hidden Attack Surfaces: A Comprehensive Guide to Android Binder IPC Security Analysis
Introduction: The Criticality of Android Binder IPC Security

Android’s Binder Inter-Process Communication (IPC) mechanism is the backbone of its architecture, facilitating communication between different processes, services, and the Android framework itself. From system services like PackageManager and ActivityManager to hardware abstraction layers (HALs) and custom applications, Binder is ubiquitous. While designed for efficiency and security, its complexity also makes it a prime target for attackers seeking to escalate privileges, bypass sandbox restrictions, or achieve remote code execution. Understanding how to analyze Binder IPC for vulnerabilities is an essential skill for any serious Android security researcher or penetration tester.

Understanding Android Binder IPC Fundamentals

At its core, Binder IPC allows processes to invoke methods on objects residing in other processes. It employs a client-server model:
- Client: Holds a Binder proxy object, which implements the interface of the remote service.
- Server: Implements the actual service logic and contains a Binder stub object.
- Binder Driver: The kernel-level component (`/dev/binder`) that mediates all transactions, managing memory and process communication.
- Transaction Codes: Unique integers used to identify specific methods being invoked on the remote service.
- Parcel: The fundamental data structure for Binder transactions, used to serialize and deserialize data across process boundaries.
When a client calls a method on a Binder proxy, the proxy serializes the arguments into a Parcel and sends it to the Binder driver. The driver then dispatches it to the target server process, which deserializes the Parcel, invokes the corresponding method on its stub object (via the onTransact method), and returns the result in another Parcel back to the client.

Identifying Binder Services: Your Initial Attack Surface Enumeration

The first step in Binder IPC analysis is to identify active Binder services. Android provides several ways to do this:

1. Listing Services via servicemanager

The `servicemanager` process maintains a registry of all system services. You can query it using ADB:
```
adb shell service list
```
This command will output a list of registered service names, such as activity, package, window, etc. Each name represents a potential attack surface.

2. Querying Services with dumpsys

The `dumpsys` command is invaluable for inspecting the state of various system services, and implicitly confirms their existence. For instance:
```
adb shell dumpsys activity
adb shell dumpsys package
```
Running `adb shell dumpsys` without arguments will list all services that support `dumpsys`, giving you a broader view.

3. Investigating Hardware Abstraction Layers (HALs)

Modern Android versions heavily utilize Project Treble, separating vendor implementations from the Android framework via HALs. Many HALs communicate using Binderized HIDL interfaces.
```
adb shell lshal
```
This command lists all registered HAL services and their versions, which are crucial for analyzing vendor-specific attack surfaces.

Analyzing Binder Interface Definitions and Transactions

Once services are identified, the next step is to understand their interfaces and supported transactions.

1. Android Interface Definition Language (AIDL)

For most Android framework services, AIDL files (`.aidl`) define the interface. These files specify method signatures, parameters, and return types. You can find them in the Android source code (`frameworks/base/core/java/android/os/`).
```
// Example AIDL (simplified)
interface IMyService {
    void doSomething(in String param1, int param2);
    int getValue();
}
```
AIDL compilers generate corresponding Java and C++ stub/proxy classes based on these definitions, including the transaction codes.

2. Header Files and Source Code

For native C++ Binder services (e.g., in `system/core`, `hardware/interfaces`), the interfaces are defined in C++ header files. Reviewing the `onTransact` method implementation in the server’s source code (if available) is paramount, as this is where all incoming Binder calls are handled.
```
// Example C++ onTransact (simplified)
status_t MyService::onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) {
    switch (code) {
        case TRANSACTION_doSomething:
            // ... handle data, call internal method ...
            break;
        case TRANSACTION_getValue:
            // ... return value in reply parcel ...
            break;
        default:
            return BBinder::onTransact(code, data, reply, flags);
    }
    return NO_ERROR;
}
```
Common Binder IPC Vulnerability Patterns

Vulnerabilities in Binder IPC often arise from incorrect handling of input Parcels or insufficient security checks.

1. Missing or Incorrect Permission Checks

The most common vulnerability. A sensitive operation can be invoked by an unprivileged process if the `onTransact` method fails to call `checkCallingPermission()`, `checkCallingOrSelfPermission()`, or other authorization checks.
```
// Vulnerable example (Java)
public boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
    if (code == TRANSACTION_deleteSensitiveData) {
        // NO PERMISSION CHECK HERE!
        deleteSensitiveDataInternal();
        return true;
    }
    return super.onTransact(code, data, reply, flags);
}
```
2. Integer Overflows/Underflows

When reading data from a Parcel, especially lengths or sizes, integer overflows can lead to heap corruptions or information leaks if the resulting allocated buffer is too small.

3. Type Confusion

If a service expects a specific data type but fails to validate it, an attacker might provide a different type, leading to unexpected behavior or memory corruption during deserialization.

4. Deserialization Vulnerabilities

Complex objects deserialized from Parcels can be a source of vulnerabilities, especially if custom `readFromParcel`/`writeToParcel` methods are buggy.

5. Time-of-Check to Time-of-Use (TOCTOU)

A race condition where a permission check is performed, but the underlying resource or data changes before the operation is executed, potentially allowing an unauthorized action.

Practical Binder Security Analysis Workflow

Phase 1: Service Enumeration and Documentation
- Use `service list`, `dumpsys`, `lshal` to identify all potential Binder services.
- Document service names, owning processes, and available `dumpsys` outputs.
Phase 2: Source Code Review (If Available)
- Obtain Android source code for the target version.
- Locate AIDL files for Java services and C++ header files for native services.
- Focus on the `onTransact` method implementation for each service.
- Carefully examine all `data.read*()` calls and subsequent logic. Look for:
  - Missing permission checks before sensitive operations.
  - Usage of sizes/lengths from the Parcel that could lead to overflows.
  - Complex object deserialization logic.
  - File path manipulations without proper canonicalization.
Phase 3: Reverse Engineering (If No Source)
- Pull the service’s binary or APK from the device.
- Use tools like IDA Pro or Ghidra to analyze the `onTransact` method (for C++ services) or decompilers like Jadx/Bytecode Viewer (for Java services).
- Identify transaction codes, parameter parsing, and critical function calls.
- Reconstruct the service’s interface and potential entry points for attack.
For a native service like `mediaserver`, you would pull the binary:
```
adb pull /system/bin/mediaserver .
# Then load 'mediaserver' into IDA Pro/Ghidra.
```
Phase 4: Fuzzing Binder Interfaces

Manual analysis can miss edge cases. Fuzzing involves sending malformed or unexpected Parcels to a service to trigger crashes or abnormal behavior.
- Custom Fuzzers: Develop small client applications (Java or native C++) that connect to the target service.
- Iterate on Parcels: Systematically vary the data in the input Parcel:
  - Incorrect data types.
  - Negative lengths/sizes.
  - Extremely large lengths/sizes.
  - Invalid file descriptors.
  - Null or invalid `IBinder` objects.
- Monitor the device for crashes (`logcat`, `dmesg`).
```
// Conceptual Java Fuzzer structure
IBinder service = ServiceManager.getService("myservice");
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
// Fuzzing loop:
for (int i=0; i<MAX_FUZZES; i++) {
    data.writeStrongBinder(new BadBinder()); // Inject bad data
    data.writeInt(fuzzValue);
    try {
        service.transact(TRANSACTION_CODE, data, reply, 0);
    } catch (RemoteException e) {
        // Handle crash or error
    }
    data.recycle();
    reply.recycle();
    data = Parcel.obtain();
    reply = Parcel.obtain();
}
```
Conclusion

Android Binder IPC remains a critical and complex component, making it a fertile ground for vulnerability discovery. By systematically enumerating services, diligently analyzing interfaces through source code or reverse engineering, and employing intelligent fuzzing techniques, security researchers can uncover hidden attack surfaces that could otherwise compromise the integrity and security of the Android platform. Mastering Binder IPC analysis is not just about finding bugs; it’s about gaining a deep understanding of the operating system’s internal workings and contributing to a more secure mobile ecosystem.
May 30, 2026
How to Identify & Exploit Android Binder IPC Vulnerabilities: A Step-by-Step Lab
Introduction: The Android Binder IPC Mechanism

The Android operating system relies heavily on Inter-Process Communication (IPC) for its various components to interact securely and efficiently. At the heart of this communication lies the Binder mechanism. Binder is a high-performance, robust, and secure IPC system that allows different processes to communicate with each other, even across varying privilege levels. While fundamental to Android’s architecture, its complexity also presents a fertile ground for security vulnerabilities if not implemented or utilized correctly by developers.

This article provides an expert-level, step-by-step lab guide on how to identify and exploit common Binder IPC vulnerabilities. We will delve into understanding the Binder architecture, methods for discovering custom services, and practical techniques for exploiting weaknesses, culminating in a demonstration of a hypothetical vulnerability.

Understanding Android Binder IPC

Binder acts as a remote procedure call (RPC) mechanism. A server process exposes an interface (e.g., through an AIDL file), and client processes can then call methods on that interface as if they were local objects. Key components include:
- Binder Driver: A Linux kernel module that handles the underlying data transfer and memory management.
- Binder Service Manager: A system service that maintains a registry of available Binder services. Processes register their services with the Service Manager, and clients query it to get a handle to a service.
- AIDL (Android Interface Definition Language): Used to define the interface between client and server, automatically generating boilerplate code for marshaling and unmarshaling data.
- Parcel: The fundamental unit of data transfer in Binder. A Parcel is a lightweight, flat data buffer that can contain primitive data types, objects, and even file descriptors.
From a security perspective, Binder transactions typically execute in the context of the server process. This means a vulnerability in a highly privileged service can lead to severe issues, including privilege escalation, information disclosure, or denial-of-service, if an unprivileged client can manipulate its behavior.

Identifying Potential Binder Vulnerabilities

The first step in exploiting Binder vulnerabilities is to identify interesting services and understand their interfaces. We’ll focus on custom, non-system services, as these are more likely to contain implementation flaws.

Phase 1: Service Discovery and Enumeration

We start by enumerating services on an Android device (rooted device or emulator). The service list command provides a basic overview:
```
adb shell service list
```
This command lists all registered Binder services. Look for unusual or custom-named services that might belong to third-party applications or less-scrutinized system components. For more detailed information, dumpsys is invaluable:
```
adb shell dumpsys activity services
```
This command provides an extensive list of running services, including their package names, PIDs, and associated UIDs. This helps in mapping a service name to an application. For specific services, you can often get help or status information:
```
adb shell cmd <service_name> help
```
For example, if we find a service named com.example.SecureFileManager, we might try:
```
adb shell cmd com.example.SecureFileManager help
```
Phase 2: Reverse Engineering the Service Implementation

Once an interesting service is identified, the next step is to reverse engineer its implementation to understand its interface and logic. This typically involves:
1. Locating the APK/JAR: Use the package name found via dumpsys to locate the application’s APK file. For system services, you might need to pull JARs from /system/framework or APKs from /system/app or /system/priv-app.
2. Decompilation: Use tools like Jadx, Ghidra, or IDA Pro to decompile the APK/JAR. Look for AIDL files (if available) or direct Binder implementations (classes extending android.os.Binder or implementing android.os.IBinder).
3. Analyzing the `onTransact` Method: For native Binder implementations, the core logic resides in the onTransact method. This method receives the transaction code, input Parcel, and output Parcel. Key areas to scrutinize are:
  - Permission Checks: Are proper permission checks (e.g., checkCallingOrSelfPermission) performed before sensitive operations? A missing or weak check allows unauthorized access.
  - Input Validation: Is all input from the Parcel thoroughly validated (e.g., length, type, bounds)? Lack of validation can lead to integer overflows, buffer overflows, or type confusion.
  - Race Conditions/TOCTOU: Are there Time-of-Check to Time-of-Use vulnerabilities where a resource’s state is checked, but then changed before it’s used?
  - Object Deserialization: If the service deserializes complex objects from the Parcel, look for deserialization vulnerabilities.
Lab Example: Exploiting a Hypothetical Vulnerability

Let’s imagine we’ve discovered a custom service, com.example.PoorlySecuredService, implemented by a third-party application. After reverse engineering its APK, we find the following simplified AIDL and Binder implementation:

AIDL Definition (`IPoorlySecuredService.aidl`):
```
// IPoorlySecuredService.aidl
package com.example;

interface IPoorlySecuredService {
    void writeLog(String message);
    int getLogCount();
    void deleteLogs();
}
```
Simplified Binder Implementation Snippet:
```
// Inside com.example.PoorlySecuredService.java
public class PoorlySecuredService extends IPoorlySecuredService.Stub {
    private List<String> logs = new ArrayList<>();

    @Override
    public void writeLog(String message) {
        // No permission check! Vulnerability 1
        // No length check for message! Vulnerability 2
        logs.add(message);
        if (logs.size() > 1000) {
            // Prevent excessive memory usage, but can still be abused
            logs.remove(0);
        }
    }

    @Override
    public int getLogCount() {
        return logs.size();
    }

    @Override
    public void deleteLogs() {
        // No permission check! Vulnerability 3
        logs.clear();
    }
}
```
From the snippet, we immediately identify three potential vulnerabilities: the writeLog and deleteLogs methods lack permission checks, and writeLog also lacks a length check on the incoming message string.

Phase 3: Crafting the Exploit

We will use binder_call (a native tool often found on rooted devices or easily compiled from AOSP) to interact with the service. If binder_call is not available, a custom Android application or Frida script could be used.

Exploiting Vulnerability 1: Unauthorized Logging

An unprivileged application could spam the writeLog method, potentially causing resource exhaustion or overwriting legitimate logs from other users within the service’s internal buffer.
1. Find the Service Handle: We need to get the Binder handle for com.example.PoorlySecuredService. This often requires calling the Service Manager first. For simplicity, let’s assume we know its transaction code (e.g., TRANSACTION_writeLog = 1).
2. Crafting the Parcel for writeLog: The writeLog method takes a String. A Parcel containing a string starts with a size followed by the string’s UTF-16 characters.
```
# Assuming transaction code for writeLog is 1

# We need the service's Binder handle. For demonstration, let's assume direct call if service exposed globally.

# In a real scenario, you'd obtain the handle via service manager 'getService' call first.
# Example of spamming the log (simplified binder_call usage):

# If binder_call expects a service name and method ID directly

# This is a highly simplified representation; actual binder_call usage is more complex
# First, identify the binder service node, e.g., /dev/binder

# And the service handle, which you'd get from the service manager.

# For now, let's assume a simplified interaction model, focusing on the payload.
# A more realistic binder_call for sending a string:

# binder_call -s <service_name> -c <transaction_code> -D <hex_parcel_data>
# Let's craft the parcel for "Hello World" (length 11, then 'H' 'e' ... 'd' followed by null terminator)

# String
```
May 30, 2026
Demystifying Android SELinux: A Reverse Engineer’s Guide to Policy Enforcement and Evasion Introduction to Android SELinux Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system integrated into the Linux kernel. On Android, SELinux is critical, enforcing granular permissions that go beyond traditional Unix discretionary access control (DAC). It defines what every process, file, and system resource can and cannot do, significantly hardening the platform against privilege escalation and malicious applications. For reverse engineers and security researchers, understanding Android’s SELinux policy is paramount to identifying potential attack surfaces, understanding sandbox limitations, and discovering policy bypass opportunities. This guide delves into the core concepts of Android SELinux, demonstrating how to analyze its policies and discussing common techniques that attackers might leverage to bypass its stringent controls. We’ll cover everything from policy structure to practical command-line analysis. SELinux Fundamentals on Android SELinux operates on the principle of least privilege, meaning everything is denied unless explicitly allowed. Key concepts include: Security Contexts: Every process, file, and network port has an associated security context, typically represented as user:role:type:sensitivity. On Android, the common format simplifies to u:object_r:type:s0 for objects and u:r:domain:s0 for processes. The type (or domain for processes) is the most critical component for policy decisions. Policy Rules: These rules define interactions between contexts. A typical rule is allow source_type target_type:class permissions;. Classes & Permissions: Resources (like files, sockets, processes) are categorized into object classes (e.g., file, dir, socket), and specific permissions (e.g., read, write, execute, bind, transfer) are defined for each class. Domains & Types: A process’s security context is called a domain, while a file or other resource’s context is called a type. Policies define how domains can interact with types and other domains. Policy Files: On a device, the compiled SELinux policy is found at /sepolicy (or sometimes /vendor/etc/selinux/precompiled_sepolicy or similar paths in newer Android versions). This binary file is compiled from a collection of .te (type enforcement) files, common interface (.if) files, and policy language (.cil) files. Analyzing the Android SELinux Policy To begin, you need access to the device’s SELinux policy. For rooted devices, you can pull it directly. For unrooted devices, you might extract it from factory images. 1. Extracting the Policy Using adb, you can pull the active policy: adb shell su -c 'cp /sys/fs/selinux/policy /data/local/tmp/sepolicy'adb pull /data/local/tmp/sepolicy ./ Alternatively, find the policy file in common locations: adb shell find / -name "*sepolicy*" 2>/dev/null 2. Decompiling and Analyzing Once you have sepolicy, you’ll need tools to decompile and analyze it. The Android open-source project (AOSP) provides sepolicy-analyze and sesearch. You can build these from the AOSP source or find precompiled versions. # Assuming you have sesearch in your PATHsesearch -A -s untrusted_app -t app_data_file -c file -p read,write This command searches for rules allowing untrusted_app domain to read or write app_data_file type files. Replace untrusted_app, app_data_file, and permissions with your targets. 3. Checking Current Context and Enforcement On the device, you can query the current SELinux state: # Check current enforcement mode (Enforcing or Permissive)adb shell getenforce# Get the security context of the shell processadb shell id -Z# Get the security context of a fileadb shell ls -Z /data/local/tmp Identifying and Leveraging Policy Weaknesses Attackers often look for gaps or overly permissive rules in the SELinux policy. These aren’t necessarily May 30, 2026
Dissecting Android Binder IPC: Reverse Engineering Services for Vulnerability Discovery Introduction to Android Binder IPC Android’s Binder is a high-performance inter-process communication (IPC) mechanism that underpins much of the operating system’s functionality. It allows various components – applications, system services, and native daemons – to communicate securely and efficiently. Binder operates on a client-server model, where a client makes a request to a remote service, and the service processes it, optionally returning a result. This communication occurs through a shared memory buffer and a special character device, `/dev/binder`. Understanding Binder is paramount for Android security researchers. Since many critical system operations are exposed via Binder interfaces, these interfaces become prime targets for vulnerability discovery. Flaws in Binder services can lead to privilege escalation, information disclosure, or denial of service, potentially compromising the entire system. The Anatomy of a Binder Transaction At its core, a Binder transaction involves a client sending data in a `Parcel` object to a service, which then receives and processes that data. The `Parcel` is a generic container for flattened data, optimized for IPC. Key components include: IBinder: The base interface for a Binder object. It defines the `transact()` method used to send transactions. ServiceManager: A crucial Binder service itself, responsible for registering and looking up other Binder services by name. It acts like a phone book for services. Proxy/Stub Pattern: Clients interact with a `BpBinder` (proxy) which marshals data into a `Parcel` and calls `transact()`. On the server side, a `BnBinder` (stub) unmarshals the `Parcel` and dispatches the call to the actual service implementation. Identifying Target Services The first step in reverse engineering Binder services is to identify which services are running and accessible. The primary tool for this reconnaissance is `dumpsys` via `adb shell`: adb shell dumpsys activity services This command provides a comprehensive list of all active services, their package names, and often their Binder interfaces. For native services, `dumpsys media.camera` or similar specific `dumpsys` commands can be useful. For HAL (Hardware Abstraction Layer) services, `lshal` is the go-to utility: adb shell lshal Analyzing the output of these commands can reveal services that might be interesting due to their functionality (e.g., managing sensitive data, system settings, or hardware access) or their perceived complexity, which often correlates with potential vulnerabilities. Unearthing Service Interfaces and Implementations Java Services (AIDL) Many Android services are written in Java and define their interfaces using AIDL (Android Interface Definition Language). AIDL files (`.aidl`) define the method signatures that clients and services agree upon. When an AIDL file is compiled, it generates a Java interface (`IYourService.java`) and a nested `Stub` class (`IYourService$Stub.java`). To find these definitions, you can: Decompile APKs: Use tools like `Jadx` or `apktool` to decompile relevant system APKs (e.g., from `/system/framework` or `/system/priv-app`). Look for files named `I.aidl` or `I.java`. Android Source Code: If you have access to the AOSP source, search for AIDL files related to the service name you identified. An AIDL file typically looks like this: // IMyService.aidlinterface IMyService { void doSomething(in String message); int getValue(); boolean setData(in int id, in byte[] data);} The `Stub` class within `IYourService$Stub.java` contains the `onTransact()` method, which is the heart of the service’s Binder implementation. It reads the transaction code and `Parcel` data, then dispatches the call to the appropriate method. Native C++ Services Native Binder services are often found in shared libraries (`.so` files) within `/system/lib` or `/system/lib64`. Reverse engineering these requires more advanced tools like Ghidra or IDA Pro. Identify the Library: Often, the `dumpsys` output or `init.rc` files (which define service startup commands) will hint at the native library backing a service. Locate `Bn` and `Bp` classes: In native Binder, the server-side implementation often inherits from `android::BnInterface` (e.g., `android::BnYourService`), and the client-side proxy from `android::BpInterface` (e.g., `android::BpYourService`). Analyze `onTransact()`: Similar to Java, the `onTransact()` method (or an equivalent virtual function in C++) is where incoming Binder calls are processed. It will read the transaction code and unmarshal the `Parcel` data. Identifying transaction codes (integers mapping to specific methods) is crucial. These are often defined as constants within the service’s interface or implementation files. Crafting Binder Calls and Fuzzing Manual Interaction via `adb shell service call` For simple transactions, the `service call` command can be used. This tool allows sending a Binder transaction directly from the shell: adb shell service call <service_name> <transaction_code> [data_type data_value] ... For example, to call transaction `1` on a service named `your_service` with a string argument: adb shell service call your_service 1 s16 'hello' While useful for basic testing, `service call` has limitations in terms of complex `Parcel` serialization and handling various data types, especially for fuzzing. Programmatic Interaction and Fuzzing For more control and effective fuzzing, programmatic interaction is necessary. Tools like `binder_call.py` (part of the Android security community’s toolkit) or custom C++/Java code offer granular control over `Parcel` serialization. `binder_call.py` wraps the `Binder` syscalls, allowing you to specify transaction codes, flags, and precisely crafted `Parcel` data. # Example using binder_call.py (conceptual)python binder_call.py --svc 'your_service' --code 1 --data 's:"test_string"'python binder_call.py --svc 'your_service' --code 2 --data 'i:12345:f' --data 'b:"x41x42x43"' This allows systematic fuzzing of arguments: Data Type Fuzzing: Send unexpected data types (e.g., an integer where a string is expected, or a very large string/byte array). Size Fuzzing: Test maximum size limits for arrays, strings, or nested objects. Boundary Value Testing: Use minimum, maximum, and edge-case values for integers, offsets, and counts. Analyzing `onTransact` for Vulnerabilities Once you can reliably interact with a service, the focus shifts to finding vulnerabilities within its `onTransact` implementation (Java) or the corresponding native handler. Look for: Missing Permission Checks: Services often require specific permissions. If `checkCallingOrSelfPermission()` or `enforceCallingPermission()` is missing or incorrectly implemented, a low-privileged app might abuse a sensitive functionality. Integer Overflows/Underflows: When `Parcel` data is read (e.g., `readInt()`, `readSize()`), an attacker might supply values that cause integer issues when used in calculations (e.g., buffer allocations, loop counts). Buffer Overflows: If a fixed-size buffer is allocated based on a user-controlled size from the `Parcel` without proper bounds checking, a larger input can lead to a buffer overflow. Deserialization Vulnerabilities: If complex objects are deserialized from the `Parcel` without robust validation, it could lead to arbitrary code execution or denial of service. Type Confusion: A service might expect a certain type of `IBinder` object but receive another, leading to incorrect casting and memory corruption. TOCTOU (Time-of-Check to Time-of-Use): A permission check or data validation might happen, but the underlying resource or data changes before it’s used, leading to a bypass. Practical Example: A Hypothetical Vulnerability Consider a native Binder service designed to process image metadata. Its `onTransact` method might look like this (pseudo-code): // Native C++ service_impl::onTransact(...) { // ... switch (code) { case TRANSACTION_SET_THUMBNAIL_DATA: { // Read user-supplied offset and size from Parcel int offset = data.readInt32(); int size = data.readInt32(); // Read thumbnail data from Parcel const void* thumbnailData = data.readInplace(size); // Check if offset + size exceeds metadata buffer boundary // VULNERABILITY: Missing bound check for 'offset' if (offset < 0 || (size_t)(offset + size) > metadataBufferSize) { // Incorrect or insufficient check } // Copy data to an internal buffer without proper validation memcpy(internalMetadataBuffer + offset, thumbnailData, size); return NO_ERROR; } // ...} In this simplified example, if the `offset` is user-controlled and not properly validated (e.g., against `internalMetadataBuffer` boundaries), an attacker could provide a large `offset` combined with a small `size` to write beyond the intended buffer, leading to memory corruption or even arbitrary code execution. A fuzzer sending carefully crafted `offset` and `size` values via `binder_call.py` could quickly discover such a crash. Conclusion Reverse engineering Android Binder IPC services is a highly effective methodology for discovering critical security vulnerabilities. By systematically identifying services, understanding their interfaces through AIDL or native binary analysis, and then programmatically interacting with and fuzzing their transactions, researchers can uncover flaws that might otherwise remain hidden. A deep dive into the `onTransact` logic, coupled with an understanding of common vulnerability patterns, empowers security experts to significantly enhance the robustness of the Android ecosystem. May 30, 2026
Exploiting SELinux Policy Logic: Advanced Techniques for Android Privilege Escalation Introduction: The Unseen Guard – SELinux on Android Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system integrated into the Android operating system. Far beyond traditional Discretionary Access Control (DAC), SELinux enforces fine-grained permissions on processes, files, and other resources, defining what an application or system service can do, not just what it owns. On Android, SELinux is pivotal, acting as the final line of defense against many vulnerabilities, containing exploits within their assigned domains and preventing lateral movement or privilege escalation. While kernel vulnerabilities often grab headlines, understanding and exploiting flaws in SELinux policy logic itself represents a sophisticated, often overlooked, avenue for privilege escalation. This article delves into advanced techniques for identifying and exploiting misconfigurations or logical flaws within Android’s SELinux policy. We’ll move beyond simple `audit2allow` suggestions and explore methods for analyzing the policy to uncover opportunities for domain transition manipulation, type confusion, and subtle service manager interactions that can lead to elevated privileges. Understanding Android SELinux Fundamentals Before diving into exploitation, a quick recap of core SELinux concepts is essential: Subjects (Domains): Processes run within specific domains (e.g., `untrusted_app`, `system_app`, `init`). Objects (Types): Files, devices, sockets, IPC objects, and other resources are labeled with types (e.g., `system_data_file`, `app_data_file`, `ashmem_device`). Rules: Policies define `allow` rules, specifying which domain can perform which operation on which type (e.g., `allow untrusted_app app_data_file:file { read write open };`). Contexts: A combination of user, role, type, and sensitivity level (e.g., `u:object_r:system_data_file:s0`). In Android, `u` and `r` are typically fixed, with `type` being the primary focus. The entire SELinux policy for an Android device is compiled into a binary format (`sepolicy`) and loaded during boot. Analyzing this policy is the first step in identifying potential weaknesses. Advanced Policy Analysis and Tooling Gaining access to the device’s `sepolicy` is crucial. You can often extract it from `/sys/fs/selinux/policy` on a rooted device, or from AOSP source code (`/external/sepolicy`). Tools like `sepolicy-analyze` (from AOSP or compiled) and `checkpolicy` (for compiling/disassembling) are invaluable for dissecting the policy. First, disassemble the policy to a human-readable format (`.cil` – Common Intermediate Language) if possible: # On an AOSP build environment, or with compiled tools from AOSP:checkpolicy -d /sys/fs/selinux/policy > policy.cil Alternatively, you can inspect individual context files: file_contexts: Defines initial labels for filesystems and directories. genfs_contexts: Defines labels for pseudo-filesystems (e.g., `proc`, `sysfs`). service_contexts: Labels for Binder services. Our goal is to identify `allow` rules that grant overly broad permissions, or `neverallow` rules that are not enforced, or `type` definitions that are too generic. Exploitation Technique 1: Domain Transition Manipulation Domain transition is a core SELinux mechanism where a process executing a specific file (an ‘entrypoint’) is allowed to transition from its current domain to a new, often more privileged, domain. For example, `init` might execute `/system/bin/surfaceflinger` and transition to the `surfaceflinger_domain`. Flaws arise when a less-privileged domain can trick a privileged domain into executing attacker-controlled code or an unintended entrypoint. Scenario: Exploiting a Weak Entrypoint Consider a scenario where a `untrusted_app` needs to interact with a system component, and the policy allows it to execute a binary that *should* only perform a specific, safe action, but instead leads to an unintended domain transition or allows for code injection. Example Policy Snippet to Look For: # Potentially problematic (simplified)allow untrusted_app system_app_exec:file { execute getattr read };allow system_app_domain untrusted_app_domain:process transition;allow system_app_domain system_app_exec:file entrypoint; In this hypothetical scenario, `untrusted_app` can execute a `system_app_exec` file. If that `system_app_exec` (which runs in `system_app_domain`) itself has a vulnerability or if the `untrusted_app` can substitute the actual `system_app_exec` with its own malicious binary (due to weak file context or permissions), it could transition to `system_app_domain`. Steps to Identify and Exploit: Identify Target Domains: Look for processes with high privileges, especially those interacting with the kernel or critical system resources. Analyze `domain_transition` Rules: Search `policy.cil` for `type_transition` or `domain_transition` rules: grep -r May 30, 2026
SELinux Policy Analysis for Android Exploitation: Identifying and Exploiting Weak Rules Introduction to SELinux on Android Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system integrated into the Android operating system. It enforces granular permissions on all processes, files, and resources, significantly enhancing the platform’s security posture by preventing malicious or compromised applications from accessing unauthorized data or system services. While SELinux is a robust security mechanism, misconfigurations or overly permissive rules in the SELinux policy can introduce vulnerabilities, offering avenues for privilege escalation or sandbox escapes. This guide delves into the methodologies for analyzing Android’s SELinux policy to identify such weaknesses and understand how they can be exploited. Understanding Android’s SELinux Architecture On Android, SELinux operates in enforcing mode, meaning all unauthorized actions are blocked. The policy defines domains (representing processes or applications) and types (representing files or objects). Rules dictate which domains can access which types with specific permissions (read, write, execute, etc.). Key components include: Policy File: Typically located at /sepolicy or embedded in the boot image, it contains all SELinux rules. File Contexts: Defined in file_contexts, these map file paths to SELinux types, ensuring files are labeled correctly at creation or boot. Process Domains: Each process runs in a specific SELinux domain (e.g., untrusted_app, system_server, platform_app), which dictates its permissions. Access Vector Cache (AVC): The kernel component that performs access checks based on the loaded policy. The core principle is that if an explicit ‘allow’ rule doesn’t exist, the action is denied. Gathering SELinux Policy from an Android Device The first step in analyzing SELinux policy is to retrieve it from the target device. This often requires root access or an unlocked bootloader to access system partitions. Pulling the Policy You can typically find the active policy file at /sys/fs/selinux/policy or /sepolicy on older devices. From a rooted device, use ADB: adb shell su cp /sys/fs/selinux/policy /data/local/tmp/active_policy exit exit adb pull /data/local/tmp/active_policy . For a full policy dump from an AOSP build, you can extract the sepolicy file directly from the device’s boot.img or vendor_boot.img if you have the firmware. You might need tools like magiskboot or unpackbootimg to extract the ramdisk where /sepolicy resides. Tools for Offline Policy Analysis Once you have the policy file, several tools can aid in its analysis: sesearch: A powerful command-line utility from the libsepol development package for querying SELinux policy rules. apol: A graphical policy analysis tool, useful for visualizing complex policies. sepolicy-analyze: A Python script often found in AOSP source, which can parse and query policy files. Custom Scripts: Python or shell scripts using libsepol bindings or parsing textual representations can be highly effective for automated checks. Converting Binary Policy to Text (for easier parsing) While sesearch works directly with binary policy, for deeper analysis or custom scripting, converting it to a human-readable format can be beneficial. This requires the AOSP build environment or pre-compiled tools: # Assuming you have the AOSP 'sepolicy-tools' in your path # From AOSP source, you might build m4, checkpolicy, etc. m4 -I external/sepolicy -o policy.conf external/sepolicy/sepolicy.conf checkpolicy -M -c 30 -o binary_policy.raw policy.conf # To 'decompile' (requires checkpolicy to generate intermediate files) # This is more complex and often involves a full AOSP build setup. For most practical exploitation scenarios, using sesearch against the binary policy is sufficient. Identifying Policy Weaknesses: Techniques and Examples 1. Permissive Domains A permissive domain logs AVC denials but does not enforce them. While rarely found in production builds for critical domains, a forgotten permissive mode for a less critical service can be a pivot point. sesearch --allow -p permissive -t <target_policy_file> Look for output like (permissive some_domain). If some_domain executes sensitive code or processes sensitive data, it’s a critical flaw. 2. Overly Broad allow Rules Look for rules that grant extensive permissions or allow operations from low-privileged domains on high-privileged types. Example: Writing to System Directories An untrusted_app should generally not be able to write to system directories. Search for rules allowing write access to sensitive file types: sesearch -A -s untrusted_app -t system_file -c dir -p { write create add_name } -t <target_policy_file> If this returns an allowance for untrusted_app to write to system_file directories, an attacker could potentially plant malicious executables or configuration files, leading to privilege escalation if those files are later executed by a more privileged process. 3. Misconfigured File Contexts File contexts define the SELinux type for files in specific paths. A misconfiguration can allow an attacker to create a file with a more powerful label than intended. Example: Arbitrary File Type Creation Consider a scenario where an application has write access to a directory, and the file_contexts specify a powerful type for *any* file created there. First, identify directories writable by an unprivileged domain: sesearch -A -s untrusted_app -c dir -p { write add_name } -t <target_policy_file> Suppose /data/local/tmp is writable by untrusted_app. Now, check file_contexts (often in /vendor/etc/selinux/vendor_file_contexts or /etc/selinux/android/file_contexts on older devices): # From the device adb shell cat /vendor/etc/selinux/vendor_file_contexts | grep "/data/local/tmp" If you find an entry like /data/local/tmp(/.*)? u:object_r:system_file:s0, it means any file created in /data/local/tmp gets the system_file label. If an attacker can then cause a privileged process to execute that system_file (e.g., via a symlink attack or path traversal), it’s a significant vulnerability. 4. Service Manager and Binder Interaction Weaknesses Android’s Binder is crucial for inter-process communication (IPC). SELinux controls which domains can register, find, and transact with Binder services. Weaknesses here can lead to unauthorized service calls or spoofing. Example: Unauthorized Binder Call Search for binder_call permissions from a low-privileged domain to a sensitive service domain: sesearch -A -s untrusted_app -t system_server -c binder -p call -t <target_policy_file> If untrusted_app can call a service implemented by system_server (e.g., activity_service, package_service) without specific restrictions on methods, it might be possible to invoke privileged operations directly. Further analysis of the specific Binder service’s source code would be required to identify exploitable methods. 5. Domain Transitions A domain transition allows a process to change its SELinux domain, usually after executing a specially labeled program. Misconfigured transitions can elevate privileges. sesearch -A -s untrusted_app -p transition -t <privileged_domain> -t <target_policy_file> If untrusted_app can directly transition to a privileged domain (e.g., system_app, init), it’s a severe vulnerability. Typically, transitions are restricted to specific executable types. Exploitation Scenarios and Chains Exploiting SELinux weaknesses rarely involves a single, isolated rule. Instead, it often involves chaining multiple minor misconfigurations or combining them with other kernel/userspace vulnerabilities. Scenario 1: Arbitrary Write + Executable Creation: If an untrusted_app can write to a directory that gets a privileged SELinux type (via file_contexts), and a privileged process later executes files from that directory (e.g., a script in /data/vendor_app/bin that gets labeled vendor_exec), then the attacker can inject a malicious executable. Scenario 2: Binder Call Abuse + Data Leak: An overly broad binder_call rule from untrusted_app to a service that handles sensitive data, combined with a method that returns too much information, could lead to data exfiltration without directly bypassing file permissions. Scenario 3: Weakness in a Helper Process: A minor, often overlooked utility process might have a slightly permissive rule, allowing it to write to a location that a more privileged service then reads or executes. Mitigation and Best Practices For developers and security engineers, preventing these vulnerabilities requires: Principle of Least Privilege: Granting only the bare minimum permissions required for a domain or process. Granular Rules: Avoiding broad allow rules. Use specific types and permissions. Thorough file_contexts Review: Ensure sensitive directories are correctly labeled and that unprivileged domains cannot create files with privileged labels. Automated Testing: Incorporate SELinux policy analysis into CI/CD pipelines to catch regressions. Regular Auditing: Periodically review the policy for unnecessary permissions, especially after system updates or new feature introductions. Conclusion SELinux policy analysis is a critical skill for Android security researchers and exploit developers. By systematically examining policy rules, file contexts, and domain transitions, one can uncover subtle misconfigurations that can be chained together to achieve privilege escalation or break out of an application’s sandbox. The complexity of Android’s SELinux policy necessitates a deep understanding of its components and the use of specialized tools to effectively identify and exploit its weak points, continually pushing the boundaries of Android platform security. May 30, 2026
Android SELinux Sandbox Escape: Deep Dive into Policy Misconfigurations and Exploitation Introduction to SELinux on Android Android’s security architecture relies heavily on SELinux (Security-Enhanced Linux), a mandatory access control (MAC) system that augments traditional discretionary access control (DAC). While DAC allows a user to control access to their own resources, MAC enforces a system-wide security policy, preventing even privileged processes from performing unauthorized actions. On Android, SELinux policies define what each process (identified by its security context or ‘domain’) can access (files, devices, IPC, etc.), based on the resource’s security context (‘type’). This powerful mechanism isolates applications and system services, forming a critical part of the sandbox. However, misconfigured SELinux policies can introduce vulnerabilities, leading to sandbox escapes and privilege escalation. SELinux Fundamentals: Contexts, Domains, and Rules Understanding SELinux requires grasping a few core concepts: Security Contexts: Every process, file, or IPC object on an SELinux-enabled system has an associated security context, typically in the format user:role:type:sensitivity (e.g., u:r:untrusted_app:s0 for an untrusted application). Domains: For processes, the ‘type’ component of the security context is often referred to as a ‘domain’. Processes running in specific domains are restricted by rules defined for that domain. Types: For files and other objects, the ‘type’ component dictates how processes can interact with them. Policy Rules: These define what operations (permissions) a source domain/type can perform on a target domain/type/class. The most common rule is allow source_type target_type:class permissions; Android’s SELinux policy is compiled into a binary file (sepolicy) located in the boot or vendor boot partition. When the system boots, this policy is loaded by the kernel. Administrators can query current contexts using ls -Z for files and ps -Z for processes. adb shell ls -Z /data/data/com.example.app/adb shell ps -Z | grep untrusted_app Identifying Policy Misconfigurations Policy misconfigurations often stem from overly permissive rules, incorrect type transitions, or mislabeled resources. Attackers seek out these flaws to elevate privileges or access restricted data. 1. Overly Permissive allow Rules This is the most direct form of misconfiguration. A domain might be granted permissions to resources it doesn’t legitimately need. For example, an untrusted_app domain should generally not have direct write access to system configuration files. # Example of a dangerous allow rule (conceptual)allow untrusted_app system_file:file { write execute }; To find such rules, you need access to the device’s compiled sepolicy. First, extract the policy: # Pull boot.img/vendor_boot.img (method varies by device)adb pull /dev/block/by-name/boot boot.img# Use a tool like AOSP's sepolicy-decompile or libsepol to decompile.sepolicy-decompile boot.img -o my_sepolicy# Then search the decompiled policy for relevant rulesgrep -r "allow untrusted_app" my_sepolicy/ Or use sesearch from AOSP, which allows direct querying of the binary policy: # Assuming you have adb shell access to a rooted device with sesearchsesearch -s untrusted_app -t system_file -c file -p write 2. Insecure Type Transitions Type transitions allow a process to change its security context (domain) when it performs certain actions, like creating a file or executing a program. A misconfigured type_transition rule can allow a less privileged domain to transition into a more privileged one, effectively escalating privileges. # Example of a dangerous type_transition (conceptual)type_transition untrusted_app app_data_file:process app_privileged_domain; This rule would mean that when an untrusted_app creates a process from an app_data_file, the new process runs in app_privileged_domain, granting it potentially unwanted permissions. You can find these rules using: sesearch -T -s untrusted_app 3. Mislabeled Resources (File Contexts) Files, directories, and even device nodes can have incorrect security contexts. If a sensitive file is labeled with a context that an unprivileged domain can access (e.g., read/write), it creates an attack vector. For example, if a system configuration file intended only for system_server is incorrectly labeled as app_data_file, an untrusted application might exploit it. # Check file contextadb shell ls -Z /data/system/users/0/settings_secure.xml# Check if untrusted_app can write to this file type (if mislabeled)sesearch -s untrusted_app -t settings_file_type -c file -p write Exploitation Scenarios and Techniques Once a policy misconfiguration is identified, an attacker needs to leverage it. Here are common exploitation paths: Scenario 1: Leveraging Overly Permissive Device Node Access Consider a hypothetical scenario where an untrusted_app domain is mistakenly granted write access to a sensitive kernel device node, such as /dev/kmem or a custom driver interface that controls critical system behavior. # Identified misconfiguration:allow untrusted_app kernel_mem_device:chr_file { read write };# Exploitation within a compromised app:import android.util.Log;import java.io.FileOutputStream;import java.io.IOException;public class Exploit { public static void main(String[] args) { String devicePath = "/dev/kmem"; // Hypothetical sensitive device try (FileOutputStream fos = new FileOutputStream(devicePath)) { // Attempt to write arbitrary data to kernel memory // This would likely crash the system or allow for code injection byte[] exploitData = new byte[1024]; // Malicious payload // Fill exploitData with carefully crafted shellcode or data fos.write(exploitData); Log.e("SELinux_Exploit", "Successfully wrote to " + devicePath); } catch (IOException e) { Log.e("SELinux_Exploit", "Failed to write to " + devicePath + ": " + e.getMessage()); } }} This Java code, running within a compromised app’s context, would attempt to write to the device. If the SELinux policy allows it, arbitrary kernel memory writes could lead to full system compromise. Scenario 2: Abusing Type Transition to Access a Privileged Service Imagine a system service (e.g., system_server) that, under certain conditions, launches a helper process. If a misconfigured type_transition allows an `untrusted_app` to trigger the creation of this helper process in a privileged domain (e.g., system_app_privileged_domain) simply by creating a file with a specific label, an attacker can gain control. # Policy rule in sepolicy.conf:type_transition untrusted_app app_data_file:process system_app_privileged_domain; An attacker could craft a malicious executable, place it in a location with the app_data_file context (if possible), and then trigger the system service to execute it. The new process would inherit system_app_privileged_domain and its associated permissions. Scenario 3: Leveraging Incorrect File Contexts for Data Exfiltration/Modification If a sensitive file, like a credential store (e.g., /data/misc/credentials/token.bin), is incorrectly labeled with a generic type (e.g., app_data_file) that untrusted_app can read, the attacker can directly access the data. # Identified misconfiguration:allow untrusted_app app_data_file:file { read };# In a compromised untrusted_app:import java.io.BufferedReader;import java.io.FileReader;import java.io.IOException;public class DataExfiltrator { public static void main(String[] args) { String sensitiveFile = "/data/misc/credentials/token.bin"; // Hypothetical path try (BufferedReader br = new BufferedReader(new FileReader(sensitiveFile))) { String line; StringBuilder data = new StringBuilder(); while ((line = br.readLine()) != null) { data.append(line).append("n"); } Log.i("SELinux_Exploit", "Sensitive data: " + data.toString()); // Send data to attacker-controlled server } catch (IOException e) { Log.e("SELinux_Exfiltrator", "Failed to read " + sensitiveFile + ": " + e.getMessage()); } }} Mitigation and Best Practices Preventing SELinux policy misconfigurations requires a rigorous approach: Principle of Least Privilege: Grant only the absolute minimum permissions necessary for each domain and type. Regularly review policies to remove superfluous rules. Automated Policy Analysis Tools: Integrate tools like sesearch, audit2allow (used carefully), and static policy analyzers into the CI/CD pipeline to identify potential over-privileges early. Thorough Testing: Test new policies extensively in permissive mode to identify all necessary permissions, then transition to enforcing. Monitor logcat for SELinux denials. Avoid Over-Reliance on dontaudit: While useful during development, dontaudit rules should be used sparingly in production as they can mask legitimate security issues. Regular Policy Audits: Periodically review the entire SELinux policy, especially after system updates or adding new features, to ensure no new misconfigurations have been introduced. By meticulously crafting and auditing SELinux policies, Android system integrators can significantly enhance the platform’s security posture and prevent sophisticated sandbox escape attempts. May 30, 2026
Reverse Engineering Android SELinux: Uncovering Policy Vulnerabilities for Privilege Escalation Introduction: The Fortress of Android SELinux Android’s security model heavily relies on Security-Enhanced Linux (SELinux), a mandatory access control (MAC) system that dictates what processes can access what resources. Far beyond traditional Unix discretionary access control (DAC), SELinux enforces fine-grained permissions based on security contexts assigned to every process and file. While designed to contain threats and enforce the principle of least privilege, SELinux policies are complex and can sometimes harbor misconfigurations or unintended permissions, creating pathways for privilege escalation. This article delves into the art of reverse engineering Android SELinux policies to identify such vulnerabilities. Deconstructing Android’s Security Policy Understanding SELinux Fundamentals At its core, SELinux operates on a ‘default deny’ principle, meaning any action not explicitly allowed by the policy is forbidden. Key concepts include: Subjects (Domains): Processes running with a specific SELinux type, often referred to as a domain (e.g., untrusted_app, system_app, init). Objects: Resources being accessed, such as files, directories, sockets, devices, or IPC mechanisms. Types: Labels assigned to objects and subjects (e.g., app_data_file, system_server_domain). Classes: Categories of objects (e.g., file, dir, socket, process). Rules (AVCs): Allowances or denials defined in the policy (e.g., allow source_domain target_type:class { permissions };). Type Transition: Rules that automatically assign a new type to a newly created object based on the creating process’s domain and the parent directory’s type. This is a critical area for exploitation. Acquiring and Dissecting the Policy The Android SELinux policy is compiled into a binary format and typically resides within the boot.img or as /sys/fs/selinux/policy on a running device. To begin our analysis, we first need to extract this policy: Root the device or unlock the bootloader: Access to boot.img or root privileges is usually required. Pull the policy from a running device (requires root): adb root adb disable-verity adb reboot adb pull /sys/fs/selinux/policy policy_raw Extract from boot.img (for AOSP or custom ROMs): If you have the boot.img, you can use tools like AOSP bootimg tools or Magisk's unpackbootimg to extract the SELinux policy. Once extracted, you’ll have a raw policy file. Convert to a human-readable format: Use tools like sepolicy-analyze (part of AOSP) or apol (from setools) to decompile the binary policy into a more readable text format or query it. # Using sepolicy-analyze (from AOSP source/prebuilt) sepolicy-analyze -p policy_raw policy.conf # Or using apol from setools # apol -P policy_raw -o policy.txt The resulting policy.conf or policy.txt file contains thousands of rules. This is where the real reverse engineering begins. Unearthing Policy Vulnerabilities: A Methodical Approach Type Transition Weaknesses: The Trojan Horse Gambit type_transition rules are often overlooked during policy audits, but they can be a goldmine for privilege escalation. A vulnerable type_transition allows a less privileged domain to create a file or directory that automatically receives a more privileged type, provided it’s created in a specific location by a specific source domain. If a privileged service later interacts with this mislabeled file, an attacker can leverage it. Look for rules where an unprivileged source domain (e.g., untrusted_app) can create an object that transitions to a privileged target type (e.g., system_file, shell_exec, service_data_file). Example of a potentially vulnerable rule snippet: type_transition untrusted_app system_tmp_dir:{ file } system_file; If untrusted_app has write access to system_tmp_dir, and a privileged service (e.g., system_server) executes files labeled system_file from that directory, an attacker could plant a malicious executable. Use sepolicy-analyze to query for type transitions: sepolicy-analyze type_transition -s untrusted_app -t system_file -c file sepolicy-analyze type_transition -s untrusted_app -t shell_exec -c file Permission Oversights and Over-Privileged Domains Broad permissions granted to specific domains or types can also introduce vulnerabilities. Pay close attention to permissions like: execmod: Allows execution of code and modification of its text, potentially leading to dynamic code loading exploits. ioctl: Can allow unprivileged processes to perform arbitrary kernel operations if not properly constrained. setattr: If a process can change the attributes (including type) of a file, it can potentially elevate its context. entrypoint and exec_type: Crucial for understanding how a process can execute files with a different SELinux context. A policy might allow a low-privilege domain to execute a file type that becomes privileged upon execution. Query specific domain permissions: sepolicy-analyze perm_summary -d untrusted_app sepolicy-analyze perm_summary -d system_app sepolicy-analyze allows -s untrusted_app -t system_server_domain -c process Analyzing Privileged Daemon Interactions Many critical Android services run as highly privileged SELinux domains (e.g., system_server, zygote, various native daemons). Understanding how these services interact with less privileged domains, especially regarding file creation and execution, is vital. Look for scenarios where: A privileged daemon creates files in world-writable directories that could then be overwritten or influenced by an unprivileged app. A privileged daemon attempts to open or execute files based on user input or data from an unprivileged source, without proper type checking or validation. Crafting an Exploit: From Policy Weakness to Privilege Escalation Scenario: Escalating from an Untrusted App Let’s consider a hypothetical exploit chain: An unprivileged application (untrusted_app domain) identifies a writable directory (e.g., /data/local/tmp or a specific service’s cache directory) where a type_transition rule exists. The rule states: type_transition privileged_daemon_domain some_writable_dir_type:{ file } shell_exec; The untrusted_app creates a malicious shell script or binary in some_writable_dir_type. Because the privileged_daemon_domain is the one creating the file (or some interaction leads to it), the file now gets the shell_exec type. A different, more privileged service (or the same privileged_daemon_domain itself) is found to execute any file labeled shell_exec in that directory, perhaps as part of a cleanup routine or a processing task. The malicious payload is executed with the privileges of the executing service, leading to privilege escalation. Illustrative Code Example (Conceptual Payload) A simple C payload compiled for ARM/ARM64 that attempts to gain root and execute a shell command: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> int main() { printf("[*] Malicious payload started.n"); // Attempt to drop privileges if running as root initially // or verify effective UID/GID uid_t euid = geteuid(); gid_t egid = getegid(); printf("[*] Current Effective UID: %d, Effective GID: %dn", euid, egid); if (euid != 0 || egid != 0) { printf("[!] Not running as root. This exploit might not succeed.n"); // If we want to try to elevate to root from a privileged context // setuid(0) and setgid(0) can be called if capabilities allow. } // Execute a privileged command, e.g., remounting /system writable // In a real scenario, this would be more complex, e.g., spawning a reverse shell. printf("[*] Attempting to execute privileged command.n"); if (execl("/system/bin/sh", "sh", "-c", "/system/bin/mount -o remount,rw /system && echo 'PWNED BY SELINUX' > /system/pwned.txt", (char *)NULL) == -1) { perror("execl failed"); return 1; } return 0; } This C code would be compiled into an executable and placed in the vulnerable directory, relying on the SELinux policy’s weakness to be executed with higher privileges. Mitigation and Prevention Strategies For policy developers, the key is strict adherence to the principle of least privilege. Regular audits of the compiled policy, especially for type_transition rules and broad permissions, are crucial. Using neverallow rules strategically can prevent certain unintended permissions from ever being granted. Automation with tools like audit2allow should be used cautiously and validated manually to prevent introducing new vulnerabilities. Conclusion Android SELinux is a powerful security mechanism, but its complexity opens avenues for subtle misconfigurations. By understanding the policy structure, leveraging specialized analysis tools, and methodically searching for type transition weaknesses and permission oversights, security researchers can uncover critical privilege escalation vulnerabilities. Reverse engineering SELinux policy is an essential skill for anyone serious about Android security research and exploitation. May 30, 2026
Advanced Android Security: Debugging and Exploiting SELinux Policy Violations Introduction: Navigating Android’s SELinux Labyrinth Android’s security model is built upon multiple layers, with SELinux (Security-Enhanced Linux) serving as a critical mandatory access control (MAC) mechanism. Since Android 5.0 Lollipop, SELinux has moved from permissive to enforcing mode, significantly strengthening the platform’s sandbox. It defines granular permissions for processes, files, and resources, preventing unauthorized access even from root processes. However, like any complex system, misconfigurations or subtle policy weaknesses can create avenues for privilege escalation or sandbox escapes. This article delves into debugging SELinux policy violations and explores techniques for identifying and potentially exploiting these weaknesses. Understanding SELinux on Android SELinux operates on the principle of least privilege, ensuring that every operation (e.g., file access, process execution, network communication) is explicitly permitted by a policy. On Android, this policy is defined in a collection of `.te` (type enforcement) files, compiled into a binary `sepolicy` file loaded at boot. Key concepts include: Subjects (Domains): Processes running with a specific SELinux context, e.g., `untrusted_app`, `system_app`, `init`. Objects (Types): Files, directories, devices, sockets, and other resources, each assigned a specific SELinux type, e.g., `app_data_file`, `system_file`, `radio_device`. Rules: Directives that define what actions a subject (domain) can perform on an object (type), e.g., `allow untrusted_app app_data_file:file { read write getattr };`. Access Vector Cache (AVC): The kernel component that caches SELinux decisions and generates denials when an operation is not permitted. When an operation is denied, SELinux logs an AVC denial message. These messages are invaluable for debugging and understanding policy enforcement. Identifying SELinux Denials The primary method for identifying SELinux denials on a rooted Android device is through `logcat` or the kernel ring buffer (`dmesg`). You’ll typically look for messages containing “avc: denied”. First, ensure you have a rooted device with ADB access. adb shell su To view real-time SELinux denials, use `dmesg` with `grep`: dmesg | grep 'avc: denied' Alternatively, `logcat` can also show these messages, though they might be mixed with other kernel logs: logcat | grep 'avc: denied' A typical AVC denial message looks like this: type=1400 audit(1678886400.123:456): avc: denied { read } for pid=1234 comm="my_app" name="secret_file" dev="dm-0" ino=5678 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 From this message, we can extract critical information: `scontext` (Source Context): The SELinux context of the process attempting the action (`untrusted_app`). `tcontext` (Target Context): The SELinux context of the resource being accessed (`system_data_file`). `tclass` (Target Class): The type of resource (`file`). `name` (Name): The specific file or resource involved (`secret_file`). `{ read }` (Permissions): The specific permission denied. Debugging and Analyzing Policy Violations Once a denial is identified, the next step is to understand *why* it occurred and whether it points to a legitimate security enforcement or a potential policy bug/vulnerability. Scenario: Attempting to Read a Restricted System File Let’s say an `untrusted_app` tries to read a file located in `/data/misc/wifi/wpa_supplicant.conf`, which is typically `wifi_data_file` type. adb shell su runcon u:r:untrusted_app:s0 -- cat /data/misc/wifi/wpa_supplicant.conf This command attempts to run `cat` under the `untrusted_app` context. You would observe an `avc: denied` message similar to this: avc: denied { read } for pid=<pid> comm="cat" name="wpa_supplicant.conf" dev="dm-0" ino=<ino> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=0 This denial clearly shows `untrusted_app` cannot `read` a `wifi_data_file`. This is expected and a proper enforcement of the policy. Using `sesearch` for Policy Analysis For deeper analysis, the `sesearch` tool (available in the `sepolicy-tools` package in AOSP or custom ROM development environments) helps query the loaded SELinux policy. While not directly available on a stock Android device, understanding its usage is crucial for policy developers and auditors. # Example: Check what untrusted_app can access from wifi_data_file sesearch -s untrusted_app -t wifi_data_file -c file -p read -A If this command returns no results, it confirms the `read` permission is indeed denied by the policy. If it returns `allow` rules, the denial might indicate a context mismatch or a more complex interaction. Exploiting SELinux Policy Weaknesses Exploiting SELinux policy isn’t about bypassing the kernel’s enforcement mechanism directly (which would require kernel exploits), but rather about finding logical flaws or misconfigurations in the policy itself that allow a lower-privileged domain to gain unintended access or transition to a higher-privileged domain. 1. Type Transition Vulnerabilities A `type_transition` rule defines how a new object (e.g., a file or a process) should be labeled when created by a specific domain. If these rules are misconfigured, a low-privileged process might be able to create an object with a more privileged type than intended, which it can then interact with. Consider a hypothetical (and simplified) vulnerability: # Malicious type_transition rule example type_transition untrusted_app system_data_file:file system_config_file; If such a rule existed and was exploited, an `untrusted_app` could create a file that is automatically labeled as `system_config_file` (a more privileged type) within a `system_data_file` directory. If the `untrusted_app` then has `write` access to `system_config_file`, it could potentially modify critical system configurations. 2. File Context Misconfigurations Incorrect file contexts are a common source of SELinux weaknesses. If a sensitive file is accidentally labeled with a less restrictive type, a low-privileged domain might gain access. Example: A system service creates a temporary file in `/data/local/tmp` which is usually `shell_data_file` or `app_data_file`. If this file contains sensitive data and is accidentally labeled as `untrusted_app_data_file` due to a policy oversight or improper `restorecon` behavior, an `untrusted_app` could potentially read it. # Check file context ls -Z /data/local/tmp/sensitive_temp_file If the output shows `u:object_r:untrusted_app_data_file:s0`, and the `untrusted_app` has `read` access to its own data files, this becomes an unintended information disclosure. 3. Service Manager Bypass via Overly Permissive Policies The Android Service Manager (`servicemanager`) is crucial for inter-process communication (IPC) via Binder. SELinux policies strictly govern which domains can `add`, `find`, or `call` specific Binder services. An overly permissive policy might grant a low-privileged domain access to a Binder service that it shouldn’t have. For instance, if an `untrusted_app` is allowed to `call` a service intended only for `system_app` and that service performs a sensitive operation without adequate internal privilege checks, this could lead to escalation. # Hypothetical permissive binder_call rule allow untrusted_app system_server_service:binder call; While highly unlikely in a hardened Android policy, discovering such a rule would be a critical vulnerability. Attackers would look for custom services or third-party components where policy mistakes are more likely. Practical Exploitation Strategy: Levering a Permissive `exec` or `setattr` A classic goal is to gain arbitrary code execution in a more privileged context. If a policy allows a low-privileged domain to `exec` a file with a higher-privileged type, or `setattr` (modify file attributes, potentially including `setgid`/`setuid` bits) on such a file, this opens doors. Imagine a scenario where `untrusted_app` can write to a specific directory (e.g., `/data/vendor_app/`) that is intended for a `vendor_app` domain, and crucially, a `type_transition` rule exists that labels executables dropped in this specific directory as `vendor_app_exec` when created by `untrusted_app`. If `vendor_app` later executes binaries from this location, the attacker could inject and execute their own code with `vendor_app` privileges. # Attacker's steps: # 1. Gain write access to target directory (if not already possible). # 2. Compile malicious payload (e.g., a simple shell or a privilege escalation tool). # 3. Push payload to the target directory. adb push payload /data/vendor_app/evil_script # 4. If a type_transition exists, it gets labeled as vendor_app_exec. # Otherwise, manual relabeling might be needed if possible (unlikely for untrusted_app). # 5. Wait for vendor_app to execute the script, or trigger its execution via other means. Mitigation and Best Practices Strict Policy Design: Follow the principle of least privilege rigorously. Grant only the necessary permissions. Regular Auditing: Periodically audit the SELinux policy for any unintended rules or permissive assignments, especially after system updates or adding new features. Minimize Permissive Domains: Avoid using permissive domains (`permissive domain_type;`) except during initial development/debugging. Context Management: Ensure files and processes are always assigned their correct SELinux contexts, especially during creation, copying, or moving. Use `restorecon` where appropriate. Security Reviews: Conduct thorough security reviews of custom SELinux policies before deployment. Conclusion SELinux is a cornerstone of Android’s security architecture, providing robust mandatory access control. While bypassing SELinux enforcement directly is extremely difficult without kernel exploits, understanding its policies and identifying logical weaknesses can reveal pathways for privilege escalation or sandbox escapes. Debugging AVC denials, analyzing policy rules with tools like `sesearch`, and scrutinizing type transitions and file contexts are essential skills for any advanced Android security researcher or developer aiming to harden the platform further. As Android continues to evolve, the intricacies of its SELinux policy will remain a critical area for both defense and offense. May 30, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
131
132
133
134
135
…
705
			Next Page→

Author: admin

Introduction: The Untamed Wilderness of Android IPC

Understanding Android Binder IPC: The Heartbeat of Android

What is Binder?

The Binder Architecture

The Parcel: Data Serialization for IPC

Why Fuzz Binder IPC? Uncovering Hidden Vulnerabilities

Common Vulnerability Classes

The Need for Automation

Building Your Own Binder IPC Fuzzer: A Step-by-Step Guide

Step 1: Identifying Target Binder Services

Step 2: Interacting with Binder Services Programmatically

Step 3: Crafting Fuzzing Inputs

Step 4: Monitoring for Crashes and Anomalies

Advanced Fuzzing Techniques and Considerations

Coverage-Guided Fuzzing (CGF)

Dynamic Instrumentation with Frida

Stateful Fuzzing

Permissions and SELinux

Conclusion: Empowering Your Android Security Toolkit

Introduction: The Criticality of Android Binder IPC Security

Understanding Android Binder IPC Fundamentals

Identifying Binder Services: Your Initial Attack Surface Enumeration

1. Listing Services via servicemanager

2. Querying Services with dumpsys

3. Investigating Hardware Abstraction Layers (HALs)

Analyzing Binder Interface Definitions and Transactions

1. Android Interface Definition Language (AIDL)

2. Header Files and Source Code

Common Binder IPC Vulnerability Patterns

1. Missing or Incorrect Permission Checks

2. Integer Overflows/Underflows

3. Type Confusion

4. Deserialization Vulnerabilities

5. Time-of-Check to Time-of-Use (TOCTOU)

Practical Binder Security Analysis Workflow

Phase 1: Service Enumeration and Documentation

Phase 2: Source Code Review (If Available)

Phase 3: Reverse Engineering (If No Source)

Phase 4: Fuzzing Binder Interfaces

Conclusion

Introduction: The Android Binder IPC Mechanism

Understanding Android Binder IPC

Identifying Potential Binder Vulnerabilities

Phase 1: Service Discovery and Enumeration

Phase 2: Reverse Engineering the Service Implementation

Lab Example: Exploiting a Hypothetical Vulnerability

AIDL Definition (`IPoorlySecuredService.aidl`):

Simplified Binder Implementation Snippet:

Phase 3: Crafting the Exploit

Exploiting Vulnerability 1: Unauthorized Logging

Introduction to Android SELinux

SELinux Fundamentals on Android

Analyzing the Android SELinux Policy

1. Extracting the Policy

2. Decompiling and Analyzing

3. Checking Current Context and Enforcement

Identifying and Leveraging Policy Weaknesses

Introduction to Android Binder IPC

The Anatomy of a Binder Transaction

Identifying Target Services

Unearthing Service Interfaces and Implementations

Java Services (AIDL)

Native C++ Services

Crafting Binder Calls and Fuzzing

Manual Interaction via `adb shell service call`

Programmatic Interaction and Fuzzing

Analyzing `onTransact` for Vulnerabilities

Practical Example: A Hypothetical Vulnerability

Conclusion

Introduction: The Unseen Guard – SELinux on Android

Understanding Android SELinux Fundamentals

Advanced Policy Analysis and Tooling

Exploitation Technique 1: Domain Transition Manipulation

Scenario: Exploiting a Weak Entrypoint

Introduction to SELinux on Android

Understanding Android’s SELinux Architecture

Gathering SELinux Policy from an Android Device

Pulling the Policy

Tools for Offline Policy Analysis

1. Listing Services via `servicemanager`

2. Querying Services with `dumpsys`

2. Overly Broad `allow` Rules

1. Overly Permissive `allow` Rules