Mingshen Sun, John C.S. Lui, and Yajin Zhou
The 19th International Symposium on Research in Attacks, Intrusions and Defenses, RAID '16.

blender-1.svg
Overview of Blender Library Randomization Module.
blender-2.svg
Overview of Blender ART Randomization Module.

Availability:

Abstract. In this paper, we first demonstrate that the newly introduced Android RunTime (ART) in latest Android versions (Android 5.0 or above) exposes a new attack surface, namely, the "return-to-art" (ret2art) attack. Unlike traditional return-to-library attacks, the ret2art attack abuses Android framework APIs (e.g., the API to send SMS) as payloads to conveniently perform malicious operations. This new attack surface, along with the weakened ASLR implementation in the Android system, makes the successful exploiting of vulnerable apps much easier. To mitigate this threat and provide self-protection for Android apps, we propose a user-level solution called Blender, which is able to self-randomize address space layout for apps. Specifically, for an app using our system, Blender randomly rearranges loaded libraries and Android runtime executable code in the app's process, achieving much higher memory entropy compared with the vanilla app. Blender requires no changes to the Android framework nor the underlying Linux kernel, thus is a non-invasive and easy-to-deploy solution. Our evaluation shows that Blender only incurs around 6MB memory footprint increase for the app with our system, and does not affect other apps without our system. It increases 0.3 seconds of app starting delay, and imposes negligible CPU and battery overheads.

BibTeX Record:

@inproceedings{sun2016blender,
  author = {Sun, Mingshen and Lui, John C.S. and Zhou, Yajin},
  title = {Blender: Self-randomizing Address Space Layout for Android Apps},
  booktitle = {Proceedings of the 19th International Symposium on Research in Attacks, Intrusions and Defenses},
  series = {RAID '16},
  year = {2016},
}