Featured Research

from universities, journals, and other organizations

Android security weaknesses caused by performance design identified

Date:
June 19, 2014
Source:
Georgia Institute of Technology
Summary:
Researchers have identified a weakness in one of Android’s security features. The research identifies an Android performance feature that weakens a software protection called Address Space Layout Randomization (ASLR), leaving software components vulnerable to attacks that bypass the protection.

Georgia Tech researchers have identified a weakness in one of Android's security features and will present their work at Black Hat USA 2014, which will be held August 6-7 in Las Vegas.

Related Articles


The research, titled Abusing Performance Optimization Weaknesses to Bypass ASLR, identifies an Android performance feature that weakens a software protection called Address Space Layout Randomization (ASLR), leaving software components vulnerable to attacks that bypass the protection. The work is aimed at helping security practitioners identify and understand the future direction of such attacks.

The work was conducted at the Georgia Tech Information Security Center (GTISC) by Ph.D. students Byoungyoung Lee and Yeongjin Jang and research scientist Tielei Wang, and reveals that the introduction of performance optimization features can inadvertently harm the security guarantees of an otherwise vetted system. In addition to describing how vulnerabilities originate from such designs, they demonstrate real attacks that exploit them.

"To optimize object tracking for some programming languages, interpreters for the languages may leak address information," said Lee, lead researcher for the effort. "As a concrete example, we'll demonstrate how address information can be leaked in the Safari web browser by simply running some JavaScript."

Bypassing ASLR using hash table leaks was previously believed to be obsolete due to its complexity. By exhaustively investigating various language implementations and presenting concrete attacks, the research aims to show that the concern is still valid.

"As part of our talk, we'll present an analysis of the Android Zygote process creation model," Lee said. "The results show that Zygote weakens ASLR as all applications are created with largely identical memory layouts. To highlight the issue, we'll show two different ASLR bypass attacks using real applications -- Google Chrome and VLC Media Player."

The Black Hat Briefings were created approximately 16 years ago to provide computer security professionals a place to learn the very latest in information security risks, research and trends. Presented by the brightest in the industry, the briefings cover everything from critical information infrastructure to widely used enterprise computer systems to the latest InfoSec research and development. These briefings are vendor-neutral, allowing the presenters to speak candidly about the real problems and potential solutions across both the public and private sectors.


Story Source:

The above story is based on materials provided by Georgia Institute of Technology. Note: Materials may be edited for content and length.


Cite This Page:

Georgia Institute of Technology. "Android security weaknesses caused by performance design identified." ScienceDaily. ScienceDaily, 19 June 2014. <www.sciencedaily.com/releases/2014/06/140619144618.htm>.
Georgia Institute of Technology. (2014, June 19). Android security weaknesses caused by performance design identified. ScienceDaily. Retrieved November 24, 2014 from www.sciencedaily.com/releases/2014/06/140619144618.htm
Georgia Institute of Technology. "Android security weaknesses caused by performance design identified." ScienceDaily. www.sciencedaily.com/releases/2014/06/140619144618.htm (accessed November 24, 2014).

Share This


More From ScienceDaily



More Science & Society News

Monday, November 24, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Symantec Uncovers Sophisticated Spying Malware Regin

Symantec Uncovers Sophisticated Spying Malware Regin

Newsy (Nov. 24, 2014) A Symantec white paper reveals details about Regin, a spying malware of unusual complexity which is believed to be state-sponsored. Video provided by Newsy
Powered by NewsLook.com
Hackers Target Business Travellers

Hackers Target Business Travellers

Reuters - Business Video Online (Nov. 24, 2014) A newly detected malware, dubbed Darkhotel, infects hotel networks with spying software to steal sensitive data from the computers of high profile business executives, warns a leading computer security firm. Ciara Lee reports. Video provided by Reuters
Powered by NewsLook.com
NY Gov. on Flood Prep: 'prepared for the Worst'

NY Gov. on Flood Prep: 'prepared for the Worst'

AP (Nov. 23, 2014) First came the big storm. Now comes the big melt for residents of flood-prone areas around Buffalo. New York's governor says officials are preparing for the worst as the temperature is expected to rise and potentially melt several feet of snow. (Nov. 23) Video provided by AP
Powered by NewsLook.com
Indians Muck in for Cleaner Communities

Indians Muck in for Cleaner Communities

AFP (Nov. 22, 2014) India's government is urging all citizens to come together in a mass movement to clean the nation -- but will people heed the call? Duration: 02:39 Video provided by AFP
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Science & Society

Business & Industry

Education & Learning

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins