Introduction: Unveiling the Android Runtime’s Core
The Android Runtime (ART) is the backbone of modern Android’s application execution environment. Replacing Dalvik in Android 5.0, ART compiles application bytecode (DEX) into native machine code, offering performance improvements and a more robust runtime. However, its sophisticated object management, garbage collection, and Just-In-Time (JIT) compilation mechanisms also present a rich attack surface for security researchers and adversaries alike. This article delves into the intricate process of exploiting vulnerabilities within ART to gain highly coveted arbitrary read/write primitives, a fundamental step towards full system compromise within the Android sandbox.
Achieving arbitrary read/write means an attacker can read data from any memory address and write data to any memory address within the process’s address space. This capability bypasses many security safeguards, allowing for the manipulation of critical internal structures, privilege escalation, and ultimately, code execution.
Understanding ART’s Object Model
To manipulate ART internals, we must first understand its foundational object model. Every object in ART is ultimately derived from mirror::Object. Key fields include:
- klass_: A pointer to the object’s mirror::Class, which describes its type, methods, and fields.
- Object Header: Contains flags and metadata for garbage collection.
The mirror::Class object itself is a treasure trove of pointers, including those to the class’s methods (ArtMethod objects), static fields, and the dex_cache_, which holds resolved types, methods, and fields from the application’s DEX file. Manipulating these pointers is central to runtime exploitation.
Example: A Simplified mirror::Object Structure
#include <cstdint>

namespace art {
namespace mirror {

class Object {
 protected:
  // The lowest bit of klass_ is used for the lock word on 64-bit to indicate a thin lock.
  // 64-bit: klass_ pointer (8 bytes)
  // 32-bit: klass_ pointer (4 bytes)
  uintptr_t klass_;
  // ... other internal fields like monitor, hash code, etc.

 public:
  // Methods to access klass_, etc.
};

}  // namespace mirror
}  // namespace art
The Path to Arbitrary Read/Write: Leveraging Type Confusion
The most common path to arbitrary read/write in ART involves exploiting a vulnerability that leads to type confusion or controlled memory corruption. This allows an attacker to make the runtime interpret an object of one type as an object of another, or to control the contents of an existing object’s critical pointers.
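To make the object model and the type-confusion idea concrete, the following is an added toy model written for this article, not ART's own code: a simplified array-shaped mirror::Object whose klass_ decides how its payload is read, an unchecked read showing what a confused klass_ yields, and a hardened read that validates klass_ against the class table before trusting it (ART does not implement the check in this form). The Class layouts, the sample payload and the 0x41414000 klass_ value are constructed for the example.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstring>
namespace toy_art {
// Stand-ins for mirror::Class and an array-shaped mirror::Object (constructed for this example).
struct Class { const char* descriptor; std::size_t element_size; };
struct ArrayObject {
  uintptr_t klass_;   // pointer to the object's Class; decides how `data` is interpreted
  uint32_t length;    // element count
  uint8_t data[16];   // int32 values if klass_ says int[], heap references if it says Object[]
};
// The runtime's "class table": the only Class objects legitimately created.
static const Class kIntArrayClass{"[I", sizeof(int32_t)};
static const Class kObjectArrayClass{"[Ljava/lang/Object;", sizeof(uintptr_t)};
static const std::array<const Class*, 2> kKnownClasses{{&kIntArrayClass, &kObjectArrayClass}};
// Unchecked read: trusts the caller's belief that obj is an Object[]; under type confusion an int[] element comes back as if it were a heap address.
static uintptr_t read_reference_unchecked(const ArrayObject* obj, std::size_t idx) {
  uintptr_t v = 0;
  std::memcpy(&v, obj->data + idx * sizeof(uintptr_t), sizeof(uintptr_t));
  return v;
}
// Hardened read: klass_ must point into the class table AND be exactly the Object[] class.
static bool read_reference_checked(const ArrayObject* obj, std::size_t idx, uintptr_t* out) {
  const Class* k = reinterpret_cast<const Class*>(obj->klass_);
  if (std::find(kKnownClasses.begin(), kKnownClasses.end(), k) == kKnownClasses.end()) return false;
  if (k != &kObjectArrayClass) return false;                                          // wrong type
  if (idx >= obj->length || (idx + 1) * sizeof(uintptr_t) > sizeof(obj->data)) return false;
  *out = read_reference_unchecked(obj, idx);
  return true;
}
// Bitmask of outcomes: bit0 unchecked read on int[] yields an "address"; bit1 checked read rejects int[];
// bit2 checked read accepts Object[] and returns the stored reference; bit3 checked read rejects a forged klass_.
static unsigned run_scenarios() {
  ArrayObject ints{reinterpret_cast<uintptr_t>(&kIntArrayClass), 4, {}};
  const int32_t payload[4] = {0x41414141, 0x42424242, 0, 0};  // constructed sample contents
  std::memcpy(ints.data, payload, sizeof(payload));
  ArrayObject refs{reinterpret_cast<uintptr_t>(&kObjectArrayClass), 2, {}};
  const uintptr_t target = reinterpret_cast<uintptr_t>(&ints);  // a genuine reference
  std::memcpy(refs.data, &target, sizeof(target));
  ArrayObject forged = ints;
  forged.klass_ = 0x41414000u;  // placeholder for a klass_ overwritten by memory corruption
  uintptr_t out = 0; unsigned bits = 0;
  bits |= (read_reference_unchecked(&ints, 0) != 0) << 0;
  bits |= (!read_reference_checked(&ints, 0, &out)) << 1;
  bits |= (read_reference_checked(&refs, 0, &out) && out == target) << 2;
  bits |= (!read_reference_checked(&forged, 0, &out)) << 3;
  return bits;
}
}  // namespace toy_art
```

The same klass_ bytes are read two ways: the unchecked path hands an int[] payload back as a reference, while the checked path refuses both the wrong-type object and the object whose klass_ no longer points at any class the runtime created.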
Phase 1: Achieving an Addrof Primitive
An