Abstract
The development of a new application virtual machine (VM), like the creation of any complex piece of software, is a bug-prone process. In version 5.0, the widely-used Android operating system has changed from the Dalvik VM to the newly-developed ART VM to execute Android applications. As new iterations of this VM are released, how can the developers aim to reduce the number of potentially security-threatening bugs that make it into the final product? In this paper we combine domain-aware binary fuzzing and differential testing to produce DexFuzz, a tool that exploits the presence of multiple modes of execution within a VM to test for defects. These modes of execution include the interpreter and a runtime that executes ahead-of-time compiled code. We find and present a number of bugs in the in-development version of ART in the Android Open Source Project. We also assess DexFuzz's ability to highlight defects in the experimental version of ART released in the previous version of Android, 4.4, finding 189 crashing programs and 15 divergent programs that indicate defects after only 5,000 attempts.
- american-fuzzy-lop on Google Code. https://code.google.com/p/american-fuzzy-lop/. Accessed: 2014-11-12.Google Scholar
- Alien Dalvik. http://www.myriadgroup.com/products/device-solutions/mobile-software/alien-dalvik/. Accessed: 2014-11-25.Google Scholar
- BlueStacks AppPlayer. http://www.bluestacks.com/app-player.html. Accessed: 2014-11-25.Google Scholar
- HITB2014AMS - Day 1 - State of the ART: Exploring the new Android KitKat Runtime. https://www.corelan.be/index.php/2014/05/29/hitb2014ams-day-1-state-of-the-art-exploring-the-new-android-kitkat-runtime/. Accessed: 2014-11-20.Google Scholar
- Peachfuzzer. http://peachfuzzer.com/. Accessed: 2014-11-20.Google Scholar
- smali - an assembler/disassembler for android's dex format on Google Code. https://code.google.com/p/smali/. Accessed: 2014-11-19.Google Scholar
- K. Claessen and J. Hughes. Quickcheck: A lightweight tool for random testing of haskell programs. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming, ICFP '00, pages 268--279, New York, NY, USA, 2000. ACM. ISBN 1-58113-202-6. 10.1145/351240.351266. URL http://doi.acm.org/10.1145/351240.351266. Google Scholar
Digital Library
- K. Dewey, J. Roesch, and B. Hardekopf. Language fuzzing using constraint logic programming. In Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE '14, pages 725--730, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-3013-8. 10.1145/2642937.2642963. URL http://doi.acm.org/10.1145/2642937.2642963. Google Scholar
Digital Library
- C. Holler, K. Herzig, and A. Zeller. Fuzzing with code fragments. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, pages 38--38, Berkeley, CA, USA, 2012. USENIX Association. URL http://dl.acm.org/citation.cfm?id=2362793.2362831. Google Scholar
Digital Library
- K. Jayaraman, D. Harvison, V. Ganesh, and A. Kiezun. jfuzz: A concolic whitebox fuzzer for java. In NASA Formal Methods, pages 121--125, 2009.Google Scholar
- A. Lanzi, L. Martignoni, M. Monga, and R. Paleari. A smart fuzzer for x86 executables. In Proceedings of the Third International Workshop on Software Engineering for Secure Systems, SESS '07, pages 7--, Washington, DC, USA, 2007. IEEE Computer Society. ISBN 0-7695-2952-6. 10.1109/SESS.2007.1. URL http://dx.doi.org/10.1109/SESS.2007.1. Google Scholar
Digital Library
- V. Le, M. Afshari, and Z. Su. Compiler validation via equivalence modulo inputs. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, pages 216--226, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2784-8. 10.1145/2594291.2594334. URL http://doi.acm.org/10.1145/2594291.2594334. Google Scholar
Digital Library
- B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33 (12): 32--44, Dec. 1990. ISSN 0001-0782. 10.1145/96267.96279. URL http://doi.acm.org/10.1145/96267.96279. Google Scholar
Digital Library
- P. Purdom. A sentence generator for testing parsers. BIT Numerical Mathematics, 12 (3): 366--375, 1972. ISSN 0006-3835. 10.1007/BF01932308. URL http://dx.doi.org/10.1007/BF01932308.Google Scholar
Digital Library
- G. Wen, Y. Zhang, Q. Liu, and D. Yang. Fuzzing the actionscript virtual machine. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS '13, pages 457--468, New York, NY, USA, 2013. ACM. ISBN 978-1-4503-1767-2. 10.1145/2484313.2484372. URL http://doi.acm.org/10.1145/2484313.2484372. Google Scholar
Digital Library
- X. Yang, Y. Chen, E. Eide, and J. Regehr. Finding and understanding bugs in c compilers. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '11, pages 283--294, New York, NY, USA, 2011. ACM. ISBN 978-1-4503-0663-8. 10.1145/1993498.1993532. URL http://doi.acm.org/10.1145/1993498.1993532. Google Scholar
Digital Library
Index Terms
Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing
Recommendations
Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing
VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution EnvironmentsThe development of a new application virtual machine (VM), like the creation of any complex piece of software, is a bug-prone process. In version 5.0, the widely-used Android operating system has changed from the Dalvik VM to the newly-developed ART VM ...
Android: Changing the Mobile Landscape
The mobile phone landscape changed last year with the introduction of smart phones running Android, a platform marketed by Google. Android phones are the first credible threat to the iPhone market. Not only did Google target the same consumers as iPhone,...
Testing android apps through symbolic execution
There is a growing need for automated testing techniques aimed at Android apps. A critical challenge is the systematic generation of test cases. One method of systematically generating test cases for Java programs is symbolic execution. But applying ...







Comments