Author: admin

Reverse Engineering Android SELinux: Unearthing Policy Flaws for Exploitation
Introduction to Android SELinux and its Role

Android’s security architecture relies heavily on Security-Enhanced Linux (SELinux), a mandatory access control (MAC) system that operates alongside traditional discretionary access control (DAC). Introduced in Android 4.3, SELinux enforces fine-grained permissions on processes, files, and other system resources, effectively compartmentalizing the operating system and limiting the damage potential of compromised applications. Every process runs within a specific SELinux domain, and every file or resource has an associated SELinux type. Interactions between domains and types are governed by a strict policy, which is loaded at boot time.

While SELinux significantly enhances Android’s security posture, its complexity means that policy misconfigurations or overly broad rules can introduce vulnerabilities. Reverse engineering these policies is a critical skill for security researchers and penetration testers aiming to uncover privilege escalation paths, sandbox escapes, and other exploitation opportunities.

Understanding Android SELinux Policy Structure

An Android SELinux policy is a collection of rules written in a specialized language, defining types, attributes, domains, and the allowed interactions between them. Key components include:
- Types: Labels applied to objects (files, processes, sockets) representing their security context.
- Domains: Special types applied to processes, defining their execution context.
- Classes: Categories of system objects (e.g., file, process, socket, service).
- Permissions: Actions that can be performed on objects (e.g., read, write, execute, bind).
- Rules: Directives like allow, neverallow, type_transition, role, defining the policy logic.
Our goal in reverse engineering is to analyze these rules to find weaknesses that a malicious actor or a compromised application could exploit to gain unauthorized access or elevate privileges beyond its intended scope.

Extracting the SELinux Policy from an Android Device

Before analysis, we need the policy file itself. There are two primary methods to obtain it:

1. From a Running Device (Root Required)

If you have root access to an Android device, the active policy can be pulled directly from the `/sys` filesystem.
```
adb shellsu -c 'cat /sys/fs/selinux/policy > /sdcard/sepolicy'adb pull /sdcard/sepolicy .
```
This method provides the currently loaded policy, which might include dynamic modifications made at runtime, although these are typically minimal.

2. From the Boot Image

For a more comprehensive analysis, extracting the policy from the boot image is often preferred, as it represents the policy shipped with the device firmware. The SELinux policy is typically located within the ramdisk portion of the boot.img or vendor_boot.img (for devices using A/B partitions).
1. Obtain the Boot Image: Download the factory image for your device, or extract boot.img/vendor_boot.img from a device backup.
2. Unpack the Boot Image: Use tools like magiskboot or AOSP bootimg tools to unpack the image.
3. Locate the Policy: The policy file is usually named sepolicy and found in the root of the extracted ramdisk (e.g., ramdisk/sepolicy).
Analyzing the SELinux Policy for Flaws

Once you have the sepolicy file, specialized tools are essential for parsing and querying its complex structure.

1. Using sepolicy-analyze (from AOSP/SETools)

sepolicy-analyze is a powerful command-line utility from the AOSP source or the setools suite. It allows detailed queries about policy rules, domains, and types.
- List all domains:
```
sepolicy-analyze -s sepolicy_file domain_list
```
- List all types:
```
sepolicy-analyze -s sepolicy_file type_list
```
- Query permissions for a specific domain and target type:
  This is crucial for understanding what a process (domain) can do to a resource (type). For example, checking what untrusted_app (a common domain for installed apps) can do to zygote:
```
sepolicy-analyze -s sepolicy_file query perms untrusted_app zygote
```
- Find all `allow` rules involving a specific type:
  Useful for understanding how a particular resource is accessed.
```
sepolicy-analyze -s sepolicy_file query rules type_name
```
2. Using apol (SETools)

apol provides a graphical interface for exploring SELinux policies, which can be very helpful for visualizing relationships between types, domains, and rules.
```
apol sepolicy_file
```
Within apol, you can navigate through domains, types, and rules, inspect their attributes, and view the graph of allowed transitions and accesses. This visual representation often helps in spotting unusual or overly broad permissions quickly.

Identifying Common Policy Flaws for Exploitation

When analyzing policies, look for patterns that could be exploited:

1. Overly Permissive allow Rules

An allow rule that grants excessive permissions can be a direct path to exploitation. For example, an application’s domain (e.g., untrusted_app) should not have write access to critical system files or executable memory.
```
# Example of a potentially dangerous allow ruleallow untrusted_app system_file:file { execute execute_no_trans read write entrypoint };
```
If untrusted_app can write to a system_file and then execute it, it can achieve arbitrary code execution as the system_server (if system_file is actually accessible to untrusted_app and writable in a way that allows a type transition or direct execution).

2. Type Confusion and Mislabeling

Sometimes, system resources are mislabeled with an incorrect SELinux type, granting a less privileged domain access it shouldn’t have. For instance, if a critical system daemon’s configuration file is accidentally labeled as app_data_file instead of a more restrictive type, an untrusted app might gain read/write access.
```
# Scenario: Configuration file for a privileged service is mislabeled.adb shell ls -Z /data/misc/service_configs/critical_service.confu:object_r:app_data_file:s0 /data/misc/service_configs/critical_service.conf
```
An untrusted_app often has broad permissions over app_data_file, potentially leading to configuration tampering for a privileged service.

3. Improper Domain Transitions and Privileged Executables

The type_transition rule allows a process to transition to a new SELinux domain when executing a specific file. If a low-privileged domain can execute a file that transitions it to a high-privileged domain, this is a clear path to privilege escalation.
```
# Example of a dangerous type_transition rule.type_transition untrusted_app system_file:process system_server;
```
This rule would allow an untrusted_app to transition to the system_server domain merely by executing a system_file labeled as a process, effectively granting it root-like privileges.

Another common flaw involves the execmem permission. If a domain (especially a low-privileged one) has execmem, it can execute code from memory segments it has allocated and written to. This is a powerful primitive for arbitrary code execution.
```
# Query for execmem permissions for untrusted_appsepolicy-analyze -s sepolicy query perms untrusted_app self:process execmem
```
If this returns an allow rule, it means untrusted_app can use mmap with PROT_EXEC, which is often a critical step in traditional memory corruption exploits to gain code execution.

A Practical Scenario: Exploiting a Permissive `execmem`

Scenario Setup

Imagine we have an untrusted_app that discovers a policy flaw: its domain, untrusted_app, is explicitly allowed execmem permission.
```
allow untrusted_app self:process { execmem };
```
Policy Discovery

Using sepolicy-analyze, we confirm the permission:
```
sepolicy-analyze -s sepolicy_file query perms untrusted_app self:process execmemFound rule:allow untrusted_app untrusted_app:process { execmem };
```
Exploitation Steps (Conceptual)
1. Develop Shellcode: Create a small piece of ARM/ARM64 shellcode that performs a desired action, such as spawning a shell or writing to a protected file.
2. Allocate Executable Memory: The Android application (running as untrusted_app) uses mmap to allocate a memory region with PROT_READ | PROT_WRITE | PROT_EXEC permissions. The execmem permission allows this.
3. Execute Shellcode: The application then casts the memory region to a function pointer and executes it. Because execmem is allowed, this operation succeeds, and the shellcode runs within the context of the untrusted_app domain. Depending on what the shellcode does, this can lead to further exploitation, such as gaining access to resources the untrusted_app should not control (e.g., if shellcode targets a vulnerable service or a mislabeled file).
Mitigation and Best Practices

For developers and system integrators, understanding these attack vectors is key to building more secure Android systems:
- Principle of Least Privilege: Grant only the absolute minimum permissions required for a domain to function.
- Strict Type Labeling: Ensure all files and resources are correctly labeled with the most restrictive types possible.
- Avoid `execmem`: Explicitly deny execmem for all but the most trusted and critical components.
- Regular Policy Audits: Periodically review and audit SELinux policies, especially after updates or custom modifications.
- Automated Analysis Tools: Integrate tools like sepolicy-analyze into the CI/CD pipeline to catch overly permissive rules early.
Conclusion

Reverse engineering Android SELinux policies is a challenging but rewarding endeavor for security professionals. By systematically extracting and analyzing the policy rules, and understanding common misconfigurations, it’s possible to identify significant security vulnerabilities. The ability to unearth and understand these policy flaws provides crucial insights into the real-world security posture of Android devices and helps in developing more robust and resilient systems against sophisticated attacks.
May 29, 2026
Hooking ART: Manipulating Dalvik/Java Methods via JNI for Runtime Control
Introduction to Android Runtime (ART) Hooking

The Android Runtime (ART) is a cornerstone of the modern Android operating system, responsible for compiling and executing application code. Unlike its predecessor, Dalvik, ART employs Ahead-Of-Time (AOT) compilation and Just-In-Time (JIT) compilation, significantly improving performance and battery life. However, this sophisticated execution environment also presents unique challenges and opportunities for runtime manipulation, often referred to as ‘hooking’. Method hooking in ART allows security researchers, developers, and exploit developers to intercept, modify, or even entirely replace the execution flow of Java methods at runtime. This capability is invaluable for dynamic analysis, security monitoring, sandboxing, and even developing powerful instrumentation tools.

This article delves into the expert-level technique of hooking ART methods using the Java Native Interface (JNI). We’ll explore how to locate and manipulate the underlying C++ `ArtMethod` structures, effectively redirecting Java method calls to native C/C++ code, thus gaining granular control over an application’s execution.

Understanding ART Internals: The ArtMethod Structure

At the heart of ART method execution lies the `ArtMethod` C++ structure. This internal representation holds critical information about each Java method, including its declaring class, access flags, DEX file offset, method index, and most importantly, its entry points for interpreted and compiled code. Directly manipulating an `ArtMethod` instance is the key to achieving our hooking goal.

While the exact layout of `ArtMethod` can vary slightly across Android versions, its fundamental purpose remains consistent. Key fields typically include:
- declaring_class_: Pointer to the `ArtClass` that declares this method.
- access_flags_: Bitmask representing method modifiers (public, static, native, etc.).
- dex_code_item_offset_: Offset to the method’s code in the DEX file.
- dex_method_index_: Index of the method within its declaring class’s DEX file.
- ptr_sized_fields_: A union that often contains the pointers to the method’s entry points, such as entry_point_from_quick_code_ (for AOT/JIT compiled code) and entry_point_from_interpreter_.
Our primary target for hooking compiled methods will be the entry_point_from_quick_code_ field, which points to the actual executable machine code for the method.

Leveraging JNI for Native Interaction

JNI serves as the crucial bridge between Java and native C/C++ code. It allows Java applications to load native libraries and invoke functions implemented in C/C++. For ART hooking, JNI’s capabilities are indispensable:
1. Loading our native hooking library into the target process.
2. Obtaining a JNIEnv* and JavaVM* pointer, which are essential for interacting with the JVM.
3. Locating Java classes and methods using JNI functions like FindClass and GetMethodID/GetStaticMethodID.
4. Converting JNI jmethodIDs into raw ArtMethod* pointers.
The standard entry point for native libraries is JNI_OnLoad, which is called when the library is loaded by System.loadLibrary().
```
#include <jni.h> #include <string> #include <android/log.h> #define TAG "ART_HOOK" #define LOGI(...) __android_log_print(ANDROID_LOG_INFO, TAG, __VA_ARGS__) // Forward declarations of our hook function and trampoline function void* hooked_function_addr = nullptr; void* original_function_addr = nullptr; // A placeholder for the actual ArtMethod structure, specific to ART version // For simplicity, we'll assume a basic structure. In reality, you'd #include <libart/art/runtime/art_method.h> // or use offsets based on target ART version. struct ArtMethod {     uint32_t declaring_class_;     uint32_t access_flags_;     uint32_t dex_code_item_offset_;     uint32_t dex_method_index_;     // This union layout is simplified. Actual ArtMethod is complex.     struct PtrSizedFields {         void* entry_point_from_quick_code_;         void* entry_point_from_interpreter_;         // More fields...     } ptr_sized_fields_;     // Other fields... }; // Our custom hook function void MyHookedLogI(JNIEnv* env, jclass clazz, jstring tag, jstring msg, jthrowable tr) {     const char* c_tag = env->GetStringUTFChars(tag, 0);     const char* c_msg = env->GetStringUTFChars(msg, 0);     LOGI("HOOKED LOG: [%s] %s", c_tag, c_msg);     env->ReleaseStringUTFChars(tag, c_tag);     env->ReleaseStringUTFChars(msg, c_msg);     // Call the original method (trampoline) if needed     // We need to carefully cast and call the original function pointer.     // This part is highly dependent on the target method's signature and calling convention.     // For Log.i, it's a static method.     typedef void (*OriginalLogIFunc)(JNIEnv*, jclass, jstring, jstring, jthrowable);     if (original_function_addr) {         ((OriginalLogIFunc)original_function_addr)(env, clazz, tag, msg, tr);     } } extern "C" JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {     JNIEnv* env;     if (vm->GetEnv(reinterpret_cast<void**>(&env), JNI_VERSION_1_6) != JNI_OK) {         return JNI_ERR;     }     LOGI("JNI_OnLoad successful!");     // Step 1: Find the target Java class and method     jclass logClass = env->FindClass("android/util/Log");     if (!logClass) {         LOGI("Failed to find android/util/Log class!");         return JNI_ERR;     }     jmethodID logIMethodID = env->GetStaticMethodID(logClass, "i", "(Ljava/lang/String;Ljava/lang/String;)I");     if (!logIMethodID) {         LOGI("Failed to find Log.i method!");         return JNI_ERR;     }     LOGI("Found Log.i methodID: %p", logIMethodID);     // Step 2: Obtain the ArtMethod* pointer from jmethodID     // On many ART versions, jmethodID *is* a pointer to ArtMethod.     ArtMethod* targetArtMethod = reinterpret_cast<ArtMethod*>(logIMethodID);     // Step 3: Backup the original entry point     original_function_addr = targetArtMethod->ptr_sized_fields_.entry_point_from_quick_code_;     LOGI("Original entry point: %p", original_function_addr);     // Step 4: Overwrite the entry point with our hook function     // For a static method, the first two arguments are JNIEnv* and jclass.     // The actual C++ function signature must match the ArtMethod's expected entry point.     // This example uses a simplified signature for demonstration.     hooked_function_addr = reinterpret_cast<void*>(&MyHookedLogI);     targetArtMethod->ptr_sized_fields_.entry_point_from_quick_code_ = hooked_function_addr;     LOGI("Hooked entry point: %p", hooked_function_addr);     return JNI_VERSION_1_6; } 
```
Note on ArtMethod Structure: The `ArtMethod` structure presented above is highly simplified. In a real-world scenario, you would either include the official `libart` headers (if building against AOSP) or derive the exact offsets for fields like `entry_point_from_quick_code_` through reverse engineering or `dlsym` on `libart.so` for specific Android versions. The size and offsets of `ArtMethod` members vary significantly between ART versions (e.g., Android 7 vs. Android 10 vs. Android 13). For instance, `ptr_sized_fields_` might be `data_` or other internal fields depending on the ART version.

Compilation Steps (Example for Android NDK)

To compile this native library, you would typically use the Android NDK. Create an `Android.mk` and `Application.mk` or use `CMakeLists.txt`:
```
# Android.mk LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := artenabler LOCAL_SRC_FILES := main.cpp LOCAL_LDLIBS := -llog include $(BUILD_SHARED_LIBRARY) 
```
```
# Application.mk APP_ABI := arm64-v8a armeabi-v7a 
```
Then build using `ndk-build`.

The Hooking Mechanism: Swapping Entry Points

The core of ART method hooking involves two primary steps:
1. Obtaining the ArtMethod*: As shown in the code, a `jmethodID` obtained from JNI often directly corresponds to an `ArtMethod*` in ART. This provides us with a direct pointer to the method’s internal structure.
2. Overwriting the Entry Point: We then modify the `targetArtMethod->ptr_sized_fields_.entry_point_from_quick_code_` to point to our custom native C++ function. This effectively redirects any future calls to that Java method from compiled code to our native hook.
For the `Log.i` example:
- When `Log.i` is called from Java, ART’s execution engine checks the method’s entry point.
- After our hook, `entry_point_from_quick_code_` points to `MyHookedLogI`.
- Our `MyHookedLogI` function executes, logs its custom message, and then optionally calls the original `Log.i` using the `original_function_addr` (which we backed up).
The ability to call the original method via a ‘trampoline’ is crucial for maintaining functionality or for implementing ‘proxy’ hooks where you want to inspect or modify arguments/return values without disrupting the original logic.

Challenges and Considerations

ART hooking, while powerful, comes with significant challenges:
- ART Version Incompatibility: The `ArtMethod` structure is an internal detail of ART and is not part of the public NDK API. Its layout changes across Android versions (and sometimes even minor updates), leading to ABI incompatibility. Code compiled for one ART version might crash on another if field offsets or sizes differ.
- JIT Compilation and Inlining: ART’s JIT compiler can optimize code heavily, including inlining methods. If a target method is inlined into its caller, directly hooking its `ArtMethod` entry point might not affect already compiled code paths. New compilations (e.g., after an app restart or a specific JIT trigger) might pick up the hook.
- Memory Permissions (PROT_EXEC): Modifying executable memory pages requires appropriate permissions. While in many cases, the `ArtMethod` structures reside in writable memory segments, directly writing to code pages (if you were to modify the actual instructions) would require changing memory protections using `mprotect`.
- Thread Safety and Concurrency: Modifying `ArtMethod` structures while the application is running, especially in a multi-threaded environment, can lead to race conditions or crashes. It’s best to apply hooks as early as possible (e.g., during `JNI_OnLoad`) or ensure proper synchronization.
- Native Method Resolution: If you’re hooking a native Java method (declared with `native`), its `entry_point_from_quick_code_` already points to a JNI-registered native function. Hooking this might be slightly different, requiring manipulation of JNI function pointers.
- Security Enhancements: Newer Android versions introduce stricter security measures like SELinux, Control Flow Integrity (CFI), and stronger memory protections, which can complicate or prevent direct memory manipulation.
Conclusion

Hooking ART methods via JNI provides an unparalleled level of control over Android application execution. By understanding and manipulating the internal `ArtMethod` structures, developers and security researchers can dynamically alter the behavior of Java methods, opening doors for advanced instrumentation, security analysis, and runtime patching. While powerful, this technique demands a deep understanding of ART internals, careful attention to ABI compatibility, and robust error handling to navigate the complexities and security measures of the Android ecosystem.
May 29, 2026
SELinux Bypass Masterclass: Practical Techniques for Android Privilege Escalation
Introduction to SELinux on Android

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system that provides a robust layer of security on Android devices, operating beyond traditional Discretionary Access Control (DAC). Implemented since Android 4.3, SELinux ensures process isolation, enforces granular permissions for file access, network operations, and inter-process communication (IPC), and significantly strengthens the sandboxing model. While DAC relies on user/group IDs, SELinux assigns security contexts to every file, process, and system resource, then uses a policy database to determine access. Successfully compromising an Android device often requires bypassing these SELinux restrictions, making an understanding of its mechanisms and common bypass techniques crucial for security researchers and exploit developers.

Understanding SELinux Fundamentals

Security Contexts and Types

At the core of SELinux are security contexts, which are labels assigned to every subject (process) and object (file, socket, IPC, etc.). A context typically takes the form user:role:type:sensitivity, with type being the most significant component for policy enforcement. For processes, the type is often referred to as a ‘domain’. For files, it’s a ‘file context’.

For example:
- u:object_r:app_data_file:s0: Data file belonging to an application.
- u:r:untrusted_app:s0: An untrusted application process domain.
- u:object_r:system_file:s0: A system binary or library.
SELinux policy rules dictate what actions a process in a specific domain (source type) can perform on an object with a given type (target type), for a specific class (e.g., file, process, socket), and with specific permissions (e.g., read, write, execute, bind).

Access Vector Cache (AVC) Denials

When an SELinux-enabled kernel blocks an action, it logs an Access Vector Cache (AVC) denial. These denials are invaluable for understanding policy enforcement and identifying potential bypasses or misconfigurations. AVC denials are typically visible in the kernel log buffer, accessible via dmesg or logcat -b kernel.

A typical AVC denial looks like this:
```
avc: denied { read } for pid=1234 comm="my_app" name="secret_file" dev="dm-0" ino=5678 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
```
This log indicates that the process my_app (with source context untrusted_app) was denied read access to secret_file (with target context app_data_file). Analyzing these denials systematically helps in mapping out the restrictions and identifying where a policy might be overly permissive or exploitable.

Practical SELinux Bypass Techniques

1. Type Transition Exploitation

Type transitions allow a process to change its security context when it executes a specific program. This is a legitimate mechanism for processes to gain necessary privileges, for example, when init transitions to zygote. However, misconfigured policies can allow a less privileged process to transition into a more powerful domain. The key is to find an executable that, when run by a low-privileged domain, is allowed to transition to a higher-privileged domain.

Consider a policy rule like:
```
allow untrusted_app system_file:file { execute_no_trans };
```
This allows untrusted_app to execute a system_file but *without* changing its domain. If instead, you find:
```
type_transition untrusted_app su_exec:process su;
```
and a corresponding rule:
```
allow untrusted_app su_exec:file { execute };
```
This means if untrusted_app executes a file labeled su_exec, the new process will transition into the su domain, which is typically highly privileged. An attacker could place a malicious binary with the su_exec context (if writable paths with such contexts exist or can be manipulated) and trigger a privilege escalation.

2. File Context Manipulation and Misconfigurations

SELinux enforces access based on file contexts. If an attacker can control the context of a file, or if a sensitive file is given an overly permissive context, it can lead to bypasses.
- Writable Sensitive Contexts: Discovering directories writable by a low-privileged process (e.g., untrusted_app) that are labeled with a context typically associated with higher privileges (e.g., system_file_type, vendor_file_type). If an attacker can write a malicious script to such a location, and a privileged process later executes it, escalation is possible.
- Arbitrary File Context Changing: In rare cases, vulnerabilities might allow a low-privileged process to relabel files. If an attacker can relabel their own malicious binary to a context like init_exec or system_server_exec, and then cause a privileged process to execute it (e.g., through a path traversal vulnerability or by exploiting a vulnerable service), they could achieve arbitrary code execution in a privileged domain.
Example using restorecon (requires root/special capabilities):
```
# Assume malicious_exploit.sh is written to /data/local/tmp/malicious_exploit.sh (untrusted_app_data_file) # If a policy misconfiguration allowed: allow untrusted_app system_file_type:file { setattr }; # Malicious app could change context: chcon u:object_r:system_file:s0 /data/local/tmp/malicious_exploit.sh
```
This is generally highly restricted, but specific vulnerabilities in tools or services that handle file contexts could be leveraged.

3. Service Manager Interaction Abuses

Android’s Binder IPC mechanism relies heavily on SELinux to control which processes can interact with specific services. The servicemanager acts as a registry. SELinux rules govern who can add, find, or call services.

An attacker looks for:
- Overly Permissive binder_call rules: If an untrusted_app is allowed to call a method on a highly privileged service (e.g., system_server, hwservice_manager) that it typically shouldn’t, and that method has a vulnerability, it can lead to escalation.
- Service Registration Abuse: If a low-privileged app can register a service under a privileged name, it could trick legitimate components into communicating with a malicious service.
Example policy snippet to look for (if some_privileged_service is exploitable and untrusted_app can call it):
```
allow untrusted_app some_privileged_service:binder { call };
```
This allows an untrusted app to invoke methods on some_privileged_service. If a method within some_privileged_service performs a sensitive operation without proper checks, a bypass could occur.

4. Exploiting Policy Inadequacies and Bugs

The complexity of SELinux policies, especially those found in custom Android ROMs or vendor implementations, can introduce subtle bugs or inadequacies. These can manifest as:
- Broad allow Rules: General permissions granted to a broad type, e.g., allow untrusted_app *:{ file folder } *; (highly unlikely, but illustrative). More subtle: allow untrusted_app some_device:chr_file { ioctl read write }; if some_device controls a sensitive hardware component that an untrusted app shouldn’t access.
- Unintended Object Access: A policy might correctly restrict direct file access, but inadvertently allow a side-channel attack through a different object type, like accessing device nodes that manage hardware.
- dontaudit Rules Hiding Issues: While necessary for reducing log spam, dontaudit rules can hide legitimate policy issues or potential attack paths. Removing or selectively disabling dontaudit rules during security audits can reveal hidden denials.
5. Leveraging Capabilities Beyond SELinux

Linux capabilities provide fine-grained control over root privileges, allowing a process to perform specific privileged operations without having full root access. While SELinux is designed to work in conjunction with capabilities, an oversight in either system can create an exploit chain.

For instance, if a process running in a specific SELinux domain is granted a powerful capability like CAP_DAC_OVERRIDE (bypass file read/write/execute permissions) or CAP_SYS_ADMIN (perform a range of system administration operations), and SELinux doesn’t sufficiently constrain how these capabilities can be used, it might lead to a bypass.

Analyzing capabilities for a process:
```
cat /proc/PID/status | grep Cap
```
If an attacker gains control of a process with certain capabilities, they can leverage them to bypass SELinux if the policy for that domain doesn’t specifically block the sensitive actions permitted by those capabilities.

Methodology for Finding Bypass Opportunities

Identifying SELinux bypasses is an iterative process:
1. Policy Analysis: Obtain the device’s sepolicy files (often found in /sys/fs/selinux/policy or unpacked from boot.img). Use tools like sepolicy-analyze, sesearch, and AOSP’s audit2allow (with caution) to understand the policy structure and permissions.
2. Denial Monitoring: Continuously monitor dmesg and logcat -b kernel for AVC denials while interacting with the target application or system components. This highlights exactly where SELinux is enforcing restrictions.
3. Fuzzing and Input Manipulation: Actively try to trigger different code paths and input types in target services or applications, observing how SELinux reacts.
4. Code Review: Examine the source code of privileged services and applications for logical flaws in their interaction with the file system, IPC, or system calls, which might be exploited even under strong SELinux policies.
Conclusion

SELinux on Android is a formidable security barrier, but it is not impenetrable. By understanding its core mechanisms – security contexts, types, and AVC denials – and by systematically exploring common weaknesses such as type transition vulnerabilities, file context misconfigurations, Binder interaction abuses, and subtle policy bugs, security researchers can identify pathways for privilege escalation. A comprehensive approach combining policy analysis, denial monitoring, and targeted fuzzing is essential for uncovering these sophisticated bypasses and ultimately strengthening Android’s security posture.
May 29, 2026
Debugging ART Exploits: Advanced Runtime Analysis with GDB and Frida
Introduction: Navigating the Android Runtime Frontier

The Android Runtime (ART) is the heart of modern Android, responsible for compiling and executing app code. Its Ahead-Of-Time (AOT) and Just-In-Time (JIT) compilation, coupled with sophisticated garbage collection (GC), present a formidable barrier to attackers. However, understanding and exploiting vulnerabilities within ART can yield powerful primitives, offering deep control over a device. Debugging these intricate exploits, often involving type confusion, arbitrary read/write, or method table manipulation, requires a specialized toolkit. This guide delves into advanced runtime analysis techniques using GDB and Frida, equipping you with the expertise to dissect and understand ART exploits.

Understanding ART’s Architecture for Exploitation

Before diving into debugging, it’s crucial to grasp key ART concepts that impact exploitation:
- AOT/JIT Compilation: ART compiles DEX bytecode into native machine code. AOT compilation happens at install time, while JIT dynamically compiles frequently used code at runtime. Exploits often target vulnerabilities in either the compiler itself or the runtime’s handling of compiled code.
- Garbage Collection (GC): ART employs various GC strategies (e.g., Concurrent Mark Sweep, Generational GC) to manage memory. Heap-based vulnerabilities, like use-after-free or heap overflow, are heavily influenced by how ART’s GC operates, including object allocation, movement, and deallocation.
- Object Model and VTables: Every Java object in ART is ultimately a C++ object in memory, with a specific layout and a pointer to its class (art::mirror::Class). Native methods and virtual methods rely on virtual method tables (VTables). Overwriting VTable pointers or entries is a common exploitation primitive for achieving arbitrary code execution.
- Thread Management: ART manages various threads, including main thread, JIT threads, GC threads, and runtime threads. Understanding thread interactions is vital for race condition exploits.
Setting Up Your Advanced Debugging Environment

To effectively debug ART exploits, you’ll need a robust setup:
- Rooted Android Device/Emulator: Essential for `adb root`, installing Frida-server, and accessing `/proc` filesystems.
- ADB (Android Debug Bridge): For shell access, pushing files, and port forwarding.
- GDB Server & Client: `gdbserver` on the device, and a multi-architecture GDB client (e.g., `aarch64-linux-android-gdb`) on your host machine. These are usually part of the Android NDK.
- Frida Server & Client: `frida-server` matching your device’s architecture (ARM64 usually) running on the device, and `frida-tools` on your host.
Preparing GDB on Device and Host

First, push `gdbserver` to your device and ensure `libart.so` symbols are available (often requires a debug build of ART or symbol packages).
```
adb rootadb push /path/to/ndk/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/gdbserver /data/local/tmp/gdbserveradb shell chmod +x /data/local/tmp/gdbserveradb forward tcp:5039 tcp:5039
```
Phase 1: Initial Triage with GDB

GDB provides a low-level view, excellent for analyzing crashes, inspecting memory, and setting hardware breakpoints. When an ART exploit triggers, GDB helps pinpoint the exact instruction causing the issue.

Attaching to an ART Process

Identify the target process ID (PID) using `adb shell ps` or `pidof`.
```
# On device shell/data/local/tmp/gdbserver --attach 5039 <PID_OF_TARGET_APP># On host machine, in a new terminal/path/to/ndk/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-gdbtarget remote :5039set solib-search-path /path/to/your/android/symbols/platform/lib64btinfo registersx/20i $pc
```
Key GDB commands for ART exploitation:
- `info proc mappings`: To find `libart.so` base address.
- `b *<address>`: Set a breakpoint at a specific address (e.g., `b *0x… + <offset_of_art_function>`).
- `b art::mirror::Object::SetField`: Break on object field writes, crucial for understanding type confusion or data corruption.
- `b art::Class::SetComponentSize`: Monitor array size modifications.
- `x/<n>x <address>`: Examine memory in hex.
- `p/x <register>`: Print register value in hex.
Example: Breaking on Object Manipulation

Let’s say you suspect an exploit modifies object fields incorrectly. You can set a breakpoint on `art::mirror::Object::SetField` and observe the arguments:
```
# After attaching with GDBb art::mirror::Object::SetField# Continue execution until breakpoint is hitc# When hit, examine arguments (dependent on calling convention)info args# Or inspect registers (e.g., x0 for 'this', x1 for field_offset, x2 for new_value)info registersx/2x $x0 # Examine the 'this' pointer (the object being modified)
```
Phase 2: Dynamic Analysis with Frida

Frida provides unparalleled dynamic instrumentation capabilities, allowing you to hook arbitrary functions (Java and native), inspect objects, and modify runtime behavior without restarting the process. This is invaluable for tracing execution flows and understanding exploit primitives.

Frida Setup

Push `frida-server` to your device, make it executable, and run it.
```
adb push /path/to/frida-server-<version>-android-arm64 /data/local/tmp/frida-serveradb shell chmod +x /data/local/tmp/frida-serveradb shell /data/local/tmp/frida-server &adb forward tcp:27042 tcp:27042
```
Hooking ART Internals with Frida

Frida allows precise hooking of native ART functions. You’ll need the `libart.so` base address and the offset of the target function, which can be found via symbol tables or GDB.
```
// frida_art_hook.jsJava.perform(function() {    var libart = Module.findBaseAddress('libart.so');    if (libart) {        console.log('libart.so base address: ' + libart);        // Example: Hooking art::mirror::Object::SetField        // Offset might vary with ART version, find it with GDB or `nm -D libart.so | grep SetField`        var setFieldOffset = 0x123456; // Placeholder, replace with actual offset        var SetField = libart.add(setFieldOffset);        Interceptor.attach(SetField, {            onEnter: function(args) {                console.log('[ART] art::mirror::Object::SetField called:');                console.log('  this (object ptr): ' + args[0]);                console.log('  field_offset: ' + args[1].toInt32());                console.log('  new_value_ptr: ' + args[2]);                // Optionally read memory at args[0] and args[2]                // console.log('  Object data: ' + Memory.readHexDump(args[0], 32));            },            onLeave: function(retval) {                // console.log('[ART] art::mirror::Object::SetField returned.');            }        });        console.log('Hooked art::mirror::Object::SetField');    } else {        console.log('libart.so not found!');    }});
```
```
frida -U -l frida_art_hook.js -f <PACKAGE_NAME> --no-pause
```
Beyond native functions, Frida can also hook Java methods, providing a higher-level view:
```
// frida_java_hook.jsJava.perform(function() {    var Class = Java.use('java.lang.Class');    Class.newInstance.implementation = function () {        console.log('[JAVA] java.lang.Class.newInstance called for: ' + this.getName());        return this.newInstance();    };    console.log('Hooked java.lang.Class.newInstance');});
```
Combining GDB and Frida for Deeper Insight

The true power lies in using GDB and Frida together. GDB excels at precise low-level analysis of a specific state (e.g., post-crash analysis), while Frida is unmatched for dynamic, continuous monitoring and runtime manipulation.

Scenario: Triggering an Exploit and Analyzing the Crash
1. Frida for Triggering: Use a Frida script to call a vulnerable method or trigger the exploit primitive. This could involve crafting specific objects or arguments.
2. GDB for Catching: Have GDB attached and ready to catch the crash. Set breakpoints on critical native functions (e.g., `abort`, `__stack_chk_fail`, or the suspected exploited function).
3. Post-Crash Analysis: When GDB hits a crash, use `bt` (backtrace) to see the call stack, `info registers` to check register values, and `x/` to examine memory around the crash point. Use `info proc mappings` to identify memory regions and potential code caves.
4. Frida for Context: During a GDB session, you can still use Frida to introspect other parts of the process, dump heap memory, or trace other threads to understand the events leading up to the crash.
Example: Heap Spray Analysis

Suppose you’re dealing with a heap-based exploit. You could:
- Frida: Instrument object allocation (e.g., `art::mirror::ObjectFactory::Allocate`), track object sizes, and spray the heap with specially crafted objects to achieve a predictable layout.
- GDB: Once the heap spray is complete and the exploit is triggered, use GDB to inspect the heap (`find /proc/<pid>/maps` to find heap regions, then `dump memory`). Search for your sprayed patterns, analyze pointers, and verify memory corruption.
Conclusion: Mastering ART Exploit Debugging

Debugging ART exploits is a complex but rewarding endeavor. By mastering GDB for its precise, low-level inspection and Frida for its dynamic, flexible instrumentation, you gain an unparalleled ability to analyze, understand, and ultimately mitigate or develop powerful Android vulnerabilities. The combination of these tools allows you to observe the ART’s intricate dance of compilation, garbage collection, and object manipulation, turning opaque runtime behavior into transparent, debuggable insights. Continuous practice and a deep dive into ART’s source code will further enhance your capabilities in this fascinating field.
May 29, 2026
Post-Exploitation ART: Injecting Native Code & Modifying App Behavior at Runtime
Introduction: Unveiling ART’s Post-Exploitation Potential

The Android Runtime (ART) is the heart of modern Android’s application execution environment. Replacing the older Dalvik VM, ART brings significant performance improvements through Ahead-Of-Time (AOT) and Just-In-Time (JIT) compilation. For security researchers and penetration testers, understanding and manipulating ART at runtime presents a powerful avenue for post-exploitation activities. This article delves into expert-level techniques for injecting native code and dynamically altering application behavior within a compromised Android device, focusing on the underlying mechanisms of ART.

The Android Runtime (ART): A Brief Overview

ART translates Dalvik Executable (DEX) bytecode, which is the compiled form of Java/Kotlin code, into native machine code. Initially, ART primarily used AOT compilation, converting entire apps to native OAT (Optimized Android Runtime) files during installation. Later versions introduced JIT compilation to optimize performance further and reduce installation times. This hybrid approach means that while much of an app’s code might be AOT-compiled, dynamic loading and runtime optimizations still occur. For an attacker, this execution model creates opportunities to interject code or modify existing logic.

Prerequisites for ART Post-Exploitation

Root Access

Most advanced ART exploitation techniques require root privileges. This is because modifying core system processes, injecting into arbitrary applications, or directly manipulating memory pages typically demands elevated permissions. While some techniques might work in a non-rooted context if an app is highly vulnerable, root access provides the broadest attack surface.

Understanding of ELF, DEX, and ART Internals

A solid grasp of the Executable and Linkable Format (ELF) for native binaries, the DEX format for Android bytecode, and ART’s internal data structures (like ArtMethod, DexFile, ClassLinker) is crucial. Tools like IDA Pro, Ghidra, Frida, and Xposed Framework’s internals are invaluable for reverse engineering and understanding runtime behavior.

Technique 1: Native Code Injection via LD_PRELOAD (or dlopen)

Native code injection allows us to load an arbitrary shared library into a target process’s address space. Once loaded, our library can execute code, hook functions, and manipulate the process’s memory. A common method for this is leveraging the LD_PRELOAD environment variable, though its direct use is often restricted by SELinux policies for non-debuggerd spawned processes. Alternatively, an existing native library within the target application might be coerced to dlopen our malicious library.

Crafting the Injectable Native Library

We’ll create a simple C/C++ shared library that executes code upon loading. The __attribute__((constructor)) function is executed before main() (or any other application code) in the process.
```
// injector.cpp
#include <jni.h>
#include <android/log.h>
#include <string>
#include <fstream>

#define TAG "ART_INJECTOR"

extern "C" __attribute__((constructor)) void my_init(void) {
    __android_log_print(ANDROID_LOG_INFO, TAG, "[+] Native injector library loaded!");

    // Example: Create a file in a writable path (e.g., /data/local/tmp)
    std::ofstream outfile("/data/local/tmp/injected_output.txt");
    if (outfile.is_open()) {
        outfile << "Hello from injected native code!" << std::endl;
        outfile.close();
        __android_log_print(ANDROID_LOG_INFO, TAG, "[+] Wrote output to /data/local/tmp/injected_output.txt");
    } else {
        __android_log_print(ANDROID_LOG_ERROR, TAG, "[-] Failed to write to file!");
    }

    // In a real scenario, this is where you'd perform hooks, modify memory, etc.
}

// Minimal JNI_OnLoad, not strictly necessary for constructor-based injection but good practice
extern "C" JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
    __android_log_print(ANDROID_LOG_INFO, TAG, "[+] JNI_OnLoad called.");
    return JNI_VERSION_1_6;
}
```
Compile this using the Android NDK:
```
$ <NDK_ROOT>/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-clang++ -shared -fPIC injector.cpp -o libinjector.so -llog
```
Injecting into a Target Process

Once compiled, push the library to the device:
```
$ adb push libinjector.so /data/local/tmp/
```
Now, to use LD_PRELOAD. This requires the target process to be launched with specific permissions or from a context that respects LD_PRELOAD. If you’re targeting a debuggable app or have root on a less restrictive setup (e.g., older Android version, custom ROM, or a process spawned via su):
```
# adb shell
# export LD_PRELOAD=/data/local/tmp/libinjector.so
# am start -n com.target.package/.MainActivity
```
Or, if you have root, you can often spawn a new process under `su` with your environment variable set:
```
# adb shell
# su -c "LD_PRELOAD=/data/local/tmp/libinjector.so /system/bin/app_process32 /system/bin com.target.package.MainActivity"
```
After execution, check logcat and the output file:
```
$ adb logcat | grep ART_INJECTOR
$ adb shell cat /data/local/tmp/injected_output.txt
```
For processes where LD_PRELOAD is restricted (common in modern Android), more advanced techniques involve attaching a debugger (like `debuggerd`), or finding an existing native library in the target application that can be hooked to execute `dlopen()` on our malicious library.

Technique 2: Runtime Method Redefinition and Hooking

This technique directly manipulates ART’s internal structures to change the target of a Java method call. Instead of the original method, our
May 29, 2026
From Stock to Custom: Flashing GSI ROMs on Android 10+ Dynamic Partition Devices Explained
Introduction

For years, Android enthusiasts have enjoyed the freedom of custom ROMs, breathing new life into older devices and enhancing newer ones. General System Images (GSIs) have democratized this process, offering a generic, project Treble-compliant system image that can theoretically run on any device. However, with Android 10 and beyond, Google introduced a significant architectural change: Dynamic Partitions. This innovation, while beneficial for device manufacturers and seamless updates, threw a wrench into traditional GSI flashing methods. This guide delves into the intricacies of dynamic partitions and provides a comprehensive, expert-level tutorial on successfully flashing a GSI ROM on your Android 10+ device.

What are GSI ROMs?

A GSI (General System Image) is a pure Android implementation built from the Android Open Source Project (AOSP) code. It adheres to Project Treble, an initiative by Google to separate the Android OS framework from the device’s vendor implementation. This separation allows a single GSI to be compatible with a multitude of Android devices, provided they are Treble-compliant. GSIs enable users to experience various Android versions or flavors (like LineageOS, Pixel Experience, etc.) without waiting for device-specific custom ROMs.

The Challenge: Android 10+ and Dynamic Partitions

Prior to Android 10, devices used static partitions (e.g., system, vendor, product, userdata) with fixed sizes. Flashing a custom image simply meant overwriting the corresponding partition. Dynamic Partitions, however, consolidate multiple logical partitions (like system, vendor, product, and sometimes odm) into a single, large ‘super’ partition. The sizes of these logical partitions are no longer fixed but can be dynamically allocated and resized by the device during updates or flashing processes. This shift complicates manual flashing, as directly writing to ‘system’ might not work as expected or could lead to partition corruption if not handled correctly.

Understanding Dynamic Partitions and Project Treble

Project Treble’s goal was to make Android updates easier and faster. Dynamic Partitions are an evolution of this, allowing manufacturers more flexibility in how they manage storage. Instead of fixed partition tables, the ‘super’ partition acts as a container.

The "super" Partition Explained

The super partition is a physical partition that houses multiple logical partitions. These logical partitions (system, vendor, product, odm, system_ext) are essentially filesystems that reside within super. Android uses a mapping system to manage these logical partitions, dynamically allocating space as needed. This architecture simplifies A/B (seamless) updates, as it allows for smaller download sizes and more efficient utilization of storage.

Implications for Flashing Custom ROMs

When flashing a GSI, you’re primarily concerned with replacing the system logical partition. With dynamic partitions, directly using fastboot flash system system.img usually works, as the fastboot utility has been updated to understand and manage logical partitions within super. However, issues arise if the GSI’s system image size significantly differs from the stock one, or if there are metadata inconsistencies within the super partition. For A/B devices, the logical partitions exist in two slots (e.g., system_a and system_b). The flashing process typically targets the active slot.

Pre-Flashing Checklist

Before you begin, ensure you have the following:
- Unlocked Bootloader: This is a prerequisite for flashing any custom image. Unlocking usually voids warranty and wipes all device data.
- ADB and Fastboot Tools: Ensure you have the latest platform-tools installed on your computer and added to your system’s PATH.
- Device Drivers: Proper USB drivers for your Android device installed on your PC.
- GSI Image: Download a suitable GSI for your device’s architecture (ARM64, A/B vs. A-only, and VNDK version if specified). GSI filenames often indicate these details (e.g., system-arm64-ab-gapps.img).
- Stock vbmeta.img: Crucial for disabling Android Verified Boot (AVB). You can usually extract this from your device’s stock firmware package. If you can’t find one, some GSI developers provide a generic one.
- Backup Your Device: Always perform a full backup of all important data. While a custom recovery might not be available or compatible for full backups on dynamic partitions, you can still back up personal files.
- Sufficient Battery: At least 60% charge to prevent unexpected shutdowns.
Step-by-Step Guide: Flashing Your GSI

1. Unlock Your Bootloader

If your bootloader is not already unlocked, you must do so now. This process is device-specific, but typically involves enabling "OEM Unlocking" in Developer Options, then executing the command:
```
adb reboot bootloaderfastboot flashing unlock
```
Confirm the unlock on your device screen. This will factory reset your device.

2. Enter Fastboot Mode

After unlocking or if already unlocked, boot your device into Fastboot mode:
```
adb reboot bootloader
```
Verify your device is recognized:
```
fastboot devices
```
You should see your device’s serial number listed.

3. Download Your GSI Image and Required Files

Place your downloaded GSI .img file (e.g., system-arm64-ab-gapps.img) and your vbmeta.img in the same directory as your ADB/Fastboot executables for easier access.

4. Clear and Prepare Partitions

This is the most critical step for dynamic partition devices. You need to ensure a clean slate and disable Android Verified Boot (AVB). First, factory reset your device through Fastboot. This wipes your user data and helps reset the logical partition metadata within super.
```
fastboot -w
```
Next, flash your GSI image to the system partition. The fastboot tool will handle the dynamic allocation within super.
```
fastboot flash system path/to/your/gsi-image.img
```
Replace path/to/your/gsi-image.img with the actual name of your GSI file.

5. Handle Android Verified Boot (AVB) with vbmeta

Android Verified Boot (AVB) prevents devices from booting with tampered or unsigned partitions. Since your GSI is not signed by your device’s manufacturer, you must disable AVB. This is done by flashing a modified or stock vbmeta.img with verification disabled.
```
fastboot --disable-verity --disable-verification flash vbmeta path/to/your/vbmeta.img
```
If you have an A/B device and flashing directly to vbmeta doesn’t resolve boot issues, you might need to flash to both slots explicitly:
```
fastboot --disable-verity --disable-verification flash vbmeta_a path/to/your/vbmeta.imgfastboot --disable-verity --disable-verification flash vbmeta_b path/to/your/vbmeta.img
```
Always use the vbmeta.img from your *stock* firmware if possible, or one provided by the GSI developer, as it’s tailored to your device’s specifics.

6. Reboot Your Device

Once all images are flashed successfully, reboot your device:
```
fastboot reboot
```
The first boot into a GSI ROM can take significantly longer than usual (5-15 minutes). Be patient. If it takes longer than 20-30 minutes, or you encounter a boot loop, proceed to the troubleshooting section.

Troubleshooting Common Issues

Boot Loops and Soft Bricks
- Double-check vbmeta: Most boot loops after flashing a GSI are due to AVB not being properly disabled. Re-flash your vbmeta.img with the correct flags.
- Incorrect GSI: Ensure you downloaded the correct GSI (ARM64, A/B or A-only, correct VNDK level).
- Wipe Everything: If desperate, re-flash stock firmware using your manufacturer’s tool (if available), then retry the GSI flashing process from scratch.
Missing Features (Wi-Fi, Bluetooth, Sensors)

GSIs rely on your device’s existing vendor partition for hardware drivers. If Wi-Fi, Bluetooth, camera, or sensors are not working, it usually indicates an incompatibility with the GSI’s VNDK version or missing vendor blobs. Some GSIs are more compatible than others. You might need to try a different GSI variant or a custom kernel if available for your device.

Slow Performance or UI Glitches

While a GSI aims for broad compatibility, it might not be perfectly optimized for every device’s hardware. Performance issues can sometimes be mitigated by flashing a custom kernel (if one exists for your device and GSI combination) or by trying a GSI from a different developer.

Conclusion

Flashing a GSI on Android 10+ devices with dynamic partitions requires a deeper understanding of Android’s architecture but is entirely achievable with the right steps. By meticulously following this guide, understanding the role of the super partition, and properly handling Android Verified Boot, you can successfully transition from your stock ROM to a world of custom Android experiences. Remember, patience and careful adherence to instructions are your best tools in this process. Enjoy your newly customized Android device!
May 29, 2026
Exploiting ART Memory Corruption: Use-After-Free & Type Confusion on Android
Introduction: The Android Runtime (ART) as an Attack Surface

The Android Runtime (ART) is the managed runtime used by the Android operating system. It executes DEX bytecode, compiling it into native machine code during installation or the first run (Ahead-of-Time, AOT, or Just-in-Time, JIT, on newer versions). As the core component executing application logic, any memory corruption vulnerabilities within ART itself represent a critical attack surface, potentially leading to arbitrary code execution, privilege escalation, or sandbox escapes.

This article delves into two prevalent classes of memory corruption vulnerabilities – Use-After-Free (UAF) and Type Confusion – specifically within the context of ART. We will explore their mechanisms, how they can be triggered, and conceptual approaches to their exploitation, highlighting the unique challenges and opportunities presented by ART’s garbage-collected environment and object model.

Understanding ART’s Object Model and Memory Management

Before diving into exploits, it’s crucial to grasp how ART manages memory and objects. ART uses a sophisticated garbage collector (GC) to manage its heap. Objects allocated on the ART heap have a specific layout:
- Object Header: Contains metadata like the object’s class pointer (indicating its type) and GC flags.
- Instance Data: The actual fields of the object.
The GC periodically reclaims memory occupied by objects that are no longer reachable. This interaction between application logic, native code (via JNI), and the GC is a fertile ground for memory corruption.

Example: Simplified ART Object Layout (Conceptual)
```
struct ArtObject {  ArtClass* klass_;  // Pointer to the object's Class  uint32_t monitor_; // Lock/GC status flags  // ... other header fields  // Instance data follows...};
```
Use-After-Free (UAF) in ART

A Use-After-Free vulnerability occurs when a program continues to use a pointer to memory that has been deallocated. In ART, this often manifests when native code (e.g., JNI methods) holds a raw pointer to an ART-managed object or its internal data, and that object is subsequently garbage collected before the native code finishes using the pointer.

Triggering a UAF Vulnerability

Consider a scenario where a native JNI function retrieves a direct pointer to the internal array data of a Java byte array. If the Java object becomes unreachable and the GC runs, the underlying memory might be freed. If the native function then attempts to write to or read from this freed pointer, a UAF occurs.

Conceptual UAF Scenario (JNI C++)
```
// In Java:public class MyNativeObject {    private long nativeHandle;    public native void init();    public native void updateData(byte[] data);    public native void close();}public class UafTrigger {    public static void main(String[] args) {        MyNativeObject obj = new MyNativeObject();        obj.init();        // --- Potential GC point here ---        // If MyNativeObject.nativeHandle holds a direct pointer to internal data        // of a Java object that gets GC'd, subsequent use is UAF.        System.gc(); // Explicitly trigger GC for demonstration        // Assume updateData internally uses a pointer that was freed        obj.updateData(new byte[]{1, 2, 3});    }}// In native C++ (JNI):JNIEXPORT void JNICALL Java_com_example_MyNativeObject_init(JNIEnv* env, jobject thiz) {    // Create a Java byte array    jbyteArray array = env->NewByteArray(1024);    // Get a direct pointer to the array's data (DANGEROUS for long-term storage!)    jbyte* buffer = env->GetByteArrayElements(array, NULL);    // Store buffer in a native structure or JNI 'long' field (e.g., nativeHandle)    // This is where the vulnerability lies if 'array' can be GC'd independently    // without 'buffer' being released by env->ReleaseByteArrayElements(array, buffer, 0);    jfieldID handleField = env->GetFieldID(env->GetObjectClass(thiz),
```
May 29, 2026
ART Deep Dive: Exploiting Android Runtime’s JIT/AOT Compiler Internals Introduction: Understanding Android Runtime (ART) and its Compilers The Android Runtime (ART) is the managed runtime used by the Android operating system, succeeding Dalvik in Android 5.0 Lollipop. ART compiles applications into native machine code, providing significant performance improvements, enhanced security, and better battery life compared to its predecessor’s Just-In-Time (JIT) approach for every execution. While ART primarily relies on Ahead-Of-Time (AOT) compilation during app installation or system updates, it also incorporates a JIT compiler to further optimize frequently executed code paths at runtime. This hybrid compilation strategy, designed for efficiency, inadvertently introduces complex attack surfaces within the compiler’s intricate internals, making ART a prime target for sophisticated Android security exploits. Understanding how ART processes Dalvik bytecode and transforms it into native machine code is crucial for identifying potential vulnerabilities. Exploiting these vulnerabilities can lead to powerful primitives like arbitrary code execution, often escaping traditional sandboxing mechanisms. This article will delve into the ART compilation pipeline, explore common exploitation concepts targeting compilers, and illustrate a hypothetical scenario. ART’s Compilation Pipeline: A Closer Look ART utilizes two primary compilation methods: Ahead-Of-Time (AOT) Compilation: Performed by the dex2oat tool when an app is installed or updated. It translates an app’s Dalvik bytecode (DEX files) into a platform-dependent ELF file containing native machine code. This eliminates the need for compilation at every launch, speeding up subsequent app startups. Just-In-Time (JIT) Compilation: Enabled from Android 7.0 (Nougat) onwards, the JIT compiler dynamically optimizes hot code paths during an app’s execution. It identifies frequently run methods, compiles them into highly optimized native code, and caches the results for future use. This complements AOT by providing runtime adaptation and further performance gains. Both AOT and JIT compilers share common internal components, including frontend bytecode parsers, Intermediate Representation (IR) generators, various optimization passes, and backend code generators for different architectures (ARM, ARM64, x86, x86_64). Vulnerabilities can arise at any stage: Intermediate Representation (IR) and Optimization Phases The compiler first converts Dalvik bytecode into a low-level, machine-independent IR. This IR undergoes numerous optimization passes—such as constant folding, common subexpression elimination, and loop optimizations—before being translated into architecture-specific machine code. Flaws in these optimization passes, particularly incorrect assumptions about program semantics or data types, are fertile ground for exploitation. Exploitation Concepts: Attacking the Compiler Exploiting compiler internals often involves crafting specific bytecode sequences that, when processed by the JIT or AOT compiler, trigger a bug leading to memory corruption or control flow hijacking. 1. Type Confusion Type confusion occurs when the compiler misinterprets the type of a variable or object, leading it to generate code that accesses memory incorrectly. For example, if the compiler believes a pointer is an integer, or an object of type A is actually type B, it might generate code that reads or writes data outside expected boundaries. In ART’s JIT, dynamic type checks can sometimes be optimized away if the compiler makes incorrect assumptions, creating windows for exploitation. 2. Integer Overflows/Underflows Arithmetic operations within the compiler itself, especially during calculations involving array indices, object sizes, or memory offsets, can be vulnerable to integer overflows or underflows. If an attacker can manipulate input (e.g., array dimensions in bytecode) to cause such an overflow, the compiler might allocate an incorrect buffer size or generate incorrect memory access instructions, leading to out-of-bounds reads/writes. 3. Code Generation Logic Flaws The final phase where IR is translated into machine code can contain bugs. Specific bytecode patterns might be incorrectly translated into native instructions, leading to unexpected behavior or exploitable gadgets. This could involve incorrect handling of specific instruction sets, register allocation errors, or flaws in branch prediction logic generated by the compiler. Hypothetical Exploitation Scenario: JIT Type Confusion via Array Optimization Consider a hypothetical scenario where ART’s JIT compiler has a subtle bug related to array optimizations. Let’s assume a Java method that performs operations on an array of a specific object type, say CustomObject[]. If an attacker can craft bytecode that, under certain JIT optimization conditions, convinces the compiler that a CustomObject[] is actually an int[] (or vice versa) after a series of type-unsafe operations, it could lead to arbitrary memory access. Imagine a scenario where the JIT compiler, trying to optimize a loop accessing elements of an object array, removes a necessary type check if it deems the types constant within the loop. If an adversary can then *modify* the underlying array elements to contain disguised pointers (e.g., by using reflection or JNI to write raw bytes), the JIT-compiled code might later access these ‘integers’ as if they were valid object references, leading to type confusion and potentially arbitrary read/write or code execution. Illustrative Java Code (Triggering Pattern) public class ExploitTarget { private Object[] data; public ExploitTarget(int size) { data = new Object[size]; for (int i = 0; i < size; i++) { data[i] = new Object(); } } public void triggerJitBug(int index, long value) { // Complex operations that might confuse JIT data[index] = value; // JIT might optimize this incorrectly, assuming Object[] always holds Objects // If 'value' is actually a long (primitive) disguised as an Object by reflection/JNI // and JIT removes type checks, subsequent access could be problematic } public Object readValue(int index) { return data[index]; // After JIT bug, this might read raw memory if index points to confused data } public static void main(String[] args) { ExploitTarget target = new ExploitTarget(10); // Run multiple times to trigger JIT for (int i = 0; i < 100000; i++) { target.triggerJitBug(0, 0xdeadbeefL); } // In a real exploit, 'value' would be a manipulated address or fake object. // We'd then try to read back or execute from the confused state. } } To analyze such a bug, one would typically compile the app with `dex2oat` debug flags or use an `adb` command to force compilation and inspect the generated native code: # Force AOT compilation for a package adb shell cmd package compile -m speed com.example.app # Enable JIT debugging and view JIT compiled code via simpleperf (advanced) adb shell setprop debug.art.use_jit true adb shell setprop debug.art.jit.dump_cfi true # Then capture simpleperf data during execution and analyze with `app_profiler.py` Analyzing the generated assembly code (e.g., from /data/dalvik-cache/.../base.vdex or JIT dumps) for incorrect memory access patterns or missing type checks would be the next step to confirm the exploit. Mitigation and Defense Strategies Android’s security model incorporates several layers of defense against such exploits: ASLR (Address Space Layout Randomization): Makes it harder for attackers to predict memory addresses. DEP (Data Execution Prevention/NX bit): Prevents execution of code from data segments. CFI (Control Flow Integrity): Aims to prevent arbitrary control flow transfers, making ROP/JOP attacks more difficult. Sandboxing: Apps run in isolated environments with limited permissions. Compiler Hardening: ART’s compilers undergo rigorous security audits, and new features like bounds check elimination safety, stricter type inference, and more robust IR verification are continuously implemented. Regular Security Updates: Patching known vulnerabilities in ART and its compilers is paramount. Despite these robust defenses, the complexity of a JIT/AOT compiler means that subtle bugs will occasionally emerge, underscoring the ongoing cat-and-mouse game between security researchers and platform developers. May 29, 2026
Reverse Engineering ART Dumps: Post-Exploitation Analysis of Android Memory Introduction: Unveiling Android Runtime’s Secrets The Android Runtime (ART) is the managed runtime used by Android and its core role is executing applications. Unlike its predecessor Dalvik, ART uses Ahead-Of-Time (AOT) compilation, which compiles applications into native machine code upon installation. This significantly improves performance but also introduces new facets for security analysis. Post-exploitation scenarios often involve gaining access to a compromised device’s memory. Analyzing memory dumps, specifically focusing on ART’s structures, can yield invaluable intelligence about an application’s state, sensitive data, and even exploit artifacts. This article delves into the methodologies for reverse engineering ART-related data within memory dumps. We’ll explore how to identify critical Java objects, class metadata, method pointers, and other runtime structures that can expose application logic, cryptographic keys, user data, or residual exploit payloads. Understanding ART Memory Structures When an Android application runs, ART manages its entire lifecycle, from object allocation on the Java heap to method execution and garbage collection. A memory dump of an active process managed by ART will contain a wealth of information, including: Java Heap Objects: Instances of Java classes, holding application data, configuration, and state. This is often the primary target for extracting sensitive information. Class Metadata: ART stores detailed metadata about each loaded Java class, including its fields, methods, interfaces, and superclass hierarchy. This structural information is crucial for understanding the layout of Java objects. Method Pointers: References to the compiled native code for Java methods. For AOT-compiled methods, these point directly into the `.oat` or `.vdex` files mapped into memory. For JIT-compiled or interpreted methods, they might point to internal ART stubs. String Literals: Often embedded within class structures or objects, these can reveal API keys, URLs, error messages, or other hardcoded values. Native References: Pointers to native libraries (`.so` files) used by the application, often bridging Java and C/C++ code via JNI. The challenge lies in sifting through raw memory bytes to reconstruct these high-level ART constructs. Obtaining a Process Memory Dump Before analysis, we need a memory dump of the target Android process. Assuming root access or a privileged exploit, tools like adb can facilitate this. Note that a full process memory dump can be very large. # Connect to device via adb shell $ adb shell # Find the PID of the target application (e.g., com.example.vulnerableapp) $ ps -A | grep com.example.vulnerableapp u0_a123 12345 2345 456780 87654 ffffff00 00000000 S com.example.vulnerableapp # Replace 12345 with your target PID $ su -c 'cat /proc/12345/mem > /data/local/tmp/app_memory.dump' # Pull the dump to your host machine $ adb pull /data/local/tmp/app_memory.dump . # Clean up on device $ rm /data/local/tmp/app_memory.dump Alternatively, memory forensic frameworks like Volatility, when used with an Android memory image, offer more sophisticated dumping capabilities and built-in ART parsing modules. Initial Analysis: Strings and Patterns Once you have the memory dump, an initial sweep using tools like strings can quickly reveal hardcoded strings, URLs, or potential method names. $ strings app_memory.dump | grep -i "password" "Your password is: secret123" "EncryptedPasswordStorage" $ strings app_memory.dump | grep -E "(http|https)://[a-zA-Z0-9./?=_-]*" "https://api.example.com/v1/user/" "http://debug.internal.corp/logs" This is a crude but effective first step. For more structured analysis, we need to understand how ART organizes data. Deep Dive: Identifying ART Objects and Classes ART objects are typically aligned and have a header containing metadata, including a pointer to their class (java.lang.Class) object. Identifying these headers is key. While there isn’t a universally available, single tool like ‘art_dump_viewer’ for raw memory dumps (like there is for specific runtime dumps from Android Studio/debugger), the principle involves: Locating Class Objects: Look for pointers that consistently resolve to structures resembling java.lang.Class instances. These objects contain information about the class’s name, superclass, interfaces, fields, and methods. Scanning for Object Instances: Once class structures are identified, you can deduce the typical memory layout of instances of those classes. ART objects generally start with a `monitor_` word and a `klass_` (pointer to class metadata) word. Field Offsets: Within a class object’s metadata, you’ll find information about the fields (member variables) and their offsets from the beginning of the object instance. This allows you to reconstruct an object’s state. Consider a simple Java class: public class UserSession { private String username; private String authToken; private long expiryTime; public UserSession(String username, String authToken, long expiryTime) { this.username = username; this.authToken = authToken; this.expiryTime = expiryTime; } } In memory, an instance of UserSession would look something like: +-----------------------+ | Object Header (Monitor)| +-----------------------+ | Class Pointer (to UserSession.class)| +-----------------------+ | String Object (username)| +-----------------------+ | String Object (authToken)| +-----------------------+ | long (expiryTime) | +-----------------------+ To find such an object, an analyst would typically search for patterns: Identify the string May 29, 2026
JIT Spraying ART: Crafting ROP Chains for Android Runtime Exploitation Introduction to JIT Spraying and Android Runtime (ART) Exploitation Android’s security model is robust, relying on sandboxing, permissions, and low-level mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP/NX). However, advanced exploitation techniques continue to emerge. One such technique, JIT spraying, leverages the Just-In-Time (JIT) compilation capabilities of runtimes to bypass NX and inject executable code. When combined with Return-Oriented Programming (ROP) chains, JIT spraying becomes a formidable tool for achieving arbitrary code execution within the complex environment of the Android Runtime (ART). Understanding Android Runtime (ART) and JIT Compilation ART is the managed runtime used by Android, responsible for executing Dalvik bytecode. Unlike its predecessor, Dalvik (which primarily used JIT for hot paths), ART compiles applications into native machine code either ahead-of-time (AOT) during installation or just-in-time (JIT) during runtime. The JIT compiler in ART dynamically translates frequently executed Dalvik bytecode into native instructions, optimizing performance. This dynamic compilation process creates an interesting attack surface for exploit developers. How ART’s JIT Works Bytecode Input: The JIT compiler receives Dalvik bytecode from running applications. Optimization Passes: It performs various optimizations, such as inlining, loop unrolling, and dead code elimination. Native Code Generation: The optimized bytecode is then translated into native ARM, ARM64, or x86 instructions. Executable Memory: This native code is placed in dynamically allocated, executable memory regions. The crucial aspect for exploitation is the ability to influence the generated native code by controlling the input bytecode, effectively “spraying” the heap with attacker-controlled executable instructions. Fundamentals of JIT Spraying for ART JIT spraying involves manipulating the input to a JIT compiler such as that in ART, causing it to generate predictable sequences of native instructions in memory. The goal is to fill a large enough region of memory with these crafted instruction sequences (often NOP sleds followed by shellcode or ROP gadgets) such that a subsequent control flow hijack (e.g., through a use-after-free or type confusion vulnerability) lands within this sprayed region. For ART, this means writing Java/Kotlin code (which compiles to Dalvik bytecode) that, when JIT-compiled, produces the desired native instruction patterns. Since direct arbitrary code injection is typically blocked by NX, the common approach is to spray ROP gadgets. Generating ROP Gadgets via JIT Spraying Return-Oriented Programming (ROP) allows an attacker to execute arbitrary code in the presence of NX by chaining together small snippets of existing code, called “gadgets,” which end with a return instruction. JIT spraying enhances ROP by creating a large pool of predictable, attacker-controlled gadgets. This can simplify ROP chain construction by eliminating the need to scour existing binaries for suitable gadgets or, more powerfully, by allowing the generation of specific gadgets not otherwise available. Consider a simple Dalvik instruction like add-int v0, v1, v2. Depending on the architecture and compiler optimizations, this might translate into an ARM instruction sequence. By carefully crafting a series of simple arithmetic operations, memory accesses, or method calls, one can influence the JIT compiler to emit specific native instructions that serve as ROP gadgets (e.g., pop {r0, r1, r2, pc}, mov r0, r1). Crafting the JIT Spray Payload for ROP Chains The challenge lies in translating high-level Java/Kotlin constructs into low-level native instructions suitable for ROP. This requires deep knowledge of the ART JIT compiler’s behavior and the target architecture’s instruction set. The strategy often involves: Selecting Gadget Primitives: Identify common ROP gadget patterns (e.g., loading registers, performing arithmetic, branching). Designing Dalvik Bytecode: Write Java/Kotlin code that, when compiled, is likely to produce these gadget primitives. This often involves using simple operations, specific data types, and method calls. Analysis and Testing: Compile and disassemble the generated native code to verify that the desired gadgets are indeed produced. This often involves instrumentation and dynamic analysis tools. Example (Conceptual) Let’s consider a simplified ARMv7 example. We want to generate a pop {r0, r1, pc} gadget. While direct generation is difficult, we might look for sequences that push registers onto the stack and then return. A sequence of local variable assignments followed by a function return could potentially produce useful instruction sequences. For example, if we want to write a specific value to a register, then return: public class GadgetGenerator { public int createGadget(int val1, int val2) { int temp1 = val1; int temp2 = val2; // The JIT might optimize this. We need to force operations. // A common pattern is to use function calls or operations that // involve stack manipulation or register movement. // For example, calling an empty function or using complex arithmetic // to force specific register usage. return temp1 + temp2; // Simple arithmetic, might compile to ADD and RET } public void anotherGadget() { // More complex patterns might involve arrays or object manipulation // to influence heap/stack operations. int[] arr = new int[2]; arr[0] = 0xDEADBEEF; arr[1] = 0xC0FFEE; // The native code for accessing arr[0] and arr[1] could contain // useful load/store instructions. } } Disassembling the JIT-compiled output of such methods is crucial. Tools like perf or custom ART instrumentation can help observe the generated native code. An attacker would then look for instruction sequences ending in a RET or BX LR (Branch and Exchange Link Register) on ARM, which serve as ROP gadget endings. For instance, a sequence like ldr r0, [sp, #4] ; ldr r1, [sp, #8] ; add sp, #12 ; pop {pc} could be formed by specific stack operations. # Conceptual command for observing JIT-compiled code # This requires a debugger or custom ART build with logging. adb shell am start -n com.example.app/.GadgetGeneratorActivity adb shell debugfs -w -R "dmesg" | grep "JIT-compiled method" # Or using GDB/IDA with a running process to dump memory and analyze. Triggering and Redirecting Execution Once the memory has been “sprayed” with ROP gadgets, the next step is to redirect the program’s control flow into this sprayed region. This typically requires an existing memory corruption vulnerability, such as a use-after-free, buffer overflow, or type confusion, that allows an attacker to overwrite a function pointer, a return address on the stack, or a virtual table pointer (vtable). When the vulnerable code attempts to execute the overwritten pointer, control is transferred to the sprayed memory. Because the JIT spray often includes NOP sleds (sequences of no-operation instructions), the exact landing address doesn’t need to be precise. The execution will slide down the NOPs until it hits the beginning of the attacker’s ROP chain, initiating the execution of the crafted gadgets. Exploitation Steps (High-Level) Identify Vulnerability: Find a memory corruption vulnerability in an Android application or system service. JIT Spraying: Trigger the JIT compiler to generate desired ROP gadgets by repeatedly executing crafted Dalvik bytecode. This fills large portions of memory with these gadgets. Heap Grooming: Manipulate the heap layout to ensure the sprayed memory is at a predictable or exploitable location relative to the vulnerability. Control Flow Hijack: Exploit the vulnerability to overwrite a control flow mechanism (e.g., return address, function pointer) with an address pointing into the JIT-sprayed region. ROP Chain Execution: The redirected execution lands on the ROP chain, which then performs malicious actions (e.g., calling mmap with PROT_EXEC, loading a library, changing permissions). Mitigations and Defenses Android and ART implement several security measures against such attacks: ASLR: Address Space Layout Randomization makes it difficult to predict the location of JIT-sprayed code or essential ROP gadgets. However, large sprays can partially mitigate this. NX (DEP): Non-Executable memory prevents direct shellcode injection. JIT spraying combined with ROP bypasses this by executing existing (though attacker-controlled) instruction sequences. SELinux: Android’s SELinux policy confines processes, limiting the capabilities of even exploited processes. Pointer Authentication Codes (PAC): On ARMv8.3-A and later, PACs can protect return addresses and other pointers, making ROP attacks significantly harder. Hardening of JIT compilers: Modern JIT compilers often employ techniques to reduce the predictability of generated code, making JIT spraying more challenging. Conclusion JIT spraying in ART, especially when coupled with ROP chains, represents an advanced and highly technical exploitation vector. It allows attackers to transform controlled bytecode into executable native code, bypassing fundamental memory protections like NX. While challenging due to ART’s optimizations, ASLR, and other mitigations, understanding this technique is vital for both offensive and defensive security professionals. As Android’s security continues to evolve, so too will the sophistication of exploitation techniques, making ongoing research into areas like JIT spraying critical for maintaining a robust security posture. May 29, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
568
569
570
571
572
…
705
			Next Page→

Author: admin

Introduction to Android SELinux and its Role

Understanding Android SELinux Policy Structure

Extracting the SELinux Policy from an Android Device

1. From a Running Device (Root Required)

2. From the Boot Image

Analyzing the SELinux Policy for Flaws

1. Using sepolicy-analyze (from AOSP/SETools)

2. Using apol (SETools)

Identifying Common Policy Flaws for Exploitation

1. Overly Permissive allow Rules

2. Type Confusion and Mislabeling

3. Improper Domain Transitions and Privileged Executables

A Practical Scenario: Exploiting a Permissive `execmem`

Scenario Setup

Policy Discovery

Exploitation Steps (Conceptual)

Mitigation and Best Practices

Conclusion

Introduction to Android Runtime (ART) Hooking

Understanding ART Internals: The ArtMethod Structure

Leveraging JNI for Native Interaction

Compilation Steps (Example for Android NDK)

The Hooking Mechanism: Swapping Entry Points

Challenges and Considerations

Conclusion

Introduction to SELinux on Android

Understanding SELinux Fundamentals

Security Contexts and Types

Access Vector Cache (AVC) Denials

Practical SELinux Bypass Techniques

1. Type Transition Exploitation

2. File Context Manipulation and Misconfigurations

3. Service Manager Interaction Abuses

4. Exploiting Policy Inadequacies and Bugs

5. Leveraging Capabilities Beyond SELinux

Methodology for Finding Bypass Opportunities

Conclusion

Introduction: Navigating the Android Runtime Frontier

Understanding ART’s Architecture for Exploitation

Setting Up Your Advanced Debugging Environment

Preparing GDB on Device and Host

Phase 1: Initial Triage with GDB

Attaching to an ART Process

Example: Breaking on Object Manipulation

Phase 2: Dynamic Analysis with Frida

Frida Setup

Hooking ART Internals with Frida

Combining GDB and Frida for Deeper Insight

Scenario: Triggering an Exploit and Analyzing the Crash

Example: Heap Spray Analysis

Conclusion: Mastering ART Exploit Debugging

Introduction: Unveiling ART’s Post-Exploitation Potential

The Android Runtime (ART): A Brief Overview

Prerequisites for ART Post-Exploitation

Root Access

Understanding of ELF, DEX, and ART Internals

Technique 1: Native Code Injection via LD_PRELOAD (or dlopen)

Crafting the Injectable Native Library

Injecting into a Target Process

Technique 2: Runtime Method Redefinition and Hooking

Introduction

What are GSI ROMs?

The Challenge: Android 10+ and Dynamic Partitions

Understanding Dynamic Partitions and Project Treble

The "super" Partition Explained

Implications for Flashing Custom ROMs

Pre-Flashing Checklist

Step-by-Step Guide: Flashing Your GSI

1. Unlock Your Bootloader

2. Enter Fastboot Mode

3. Download Your GSI Image and Required Files

4. Clear and Prepare Partitions

5. Handle Android Verified Boot (AVB) with vbmeta

6. Reboot Your Device

Troubleshooting Common Issues

Boot Loops and Soft Bricks

Missing Features (Wi-Fi, Bluetooth, Sensors)

Slow Performance or UI Glitches

Conclusion

1. Using `sepolicy-analyze` (from AOSP/SETools)

2. Using `apol` (SETools)

1. Overly Permissive `allow` Rules