Guardado en:
Detalles Bibliográficos
Autores principales: Wen, Elliott, Shen, Jiaxing, Wuensche, Burkhard
Formato: Preprint
Publicado: 2024
Materias:
Acceso en línea:https://arxiv.org/abs/2410.11075
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866913547047403520
author Wen, Elliott
Shen, Jiaxing
Wuensche, Burkhard
author_facet Wen, Elliott
Shen, Jiaxing
Wuensche, Burkhard
contents Despite extensive security research on various Android components, such as kernel or runtime, little attention has been paid to the proprietary vendor blobs within Android firmware. In this paper, we conduct a large-scale empirical study to understand the update patterns and assess the security implications of vendor blobs. We specifically focus on GPU blobs because they are loaded into every process for displaying graphics user interfaces and can affect the entire system's security. We examine over 13,000 Android firmware releases between January 2018 and April 2024. Our results reveal that device manufacturers often neglect vendor blob updates. About 82\% of firmware releases contain outdated GPU blobs (up to 1,281 days). A significant number of blobs also rely on obsolete LLVM core libraries released more than 15 years ago. To analyze their security implications, we develop a performant fuzzer that requires no physical access to mobile devices. We discover 289 security and behavioral bugs within the blobs. We also present a case study demonstrating how these vulnerabilities can be exploited via WebGL. This work underscores the critical security concerns associated with vulnerable vendor blobs and emphasizes the urgent need for timely updates from device manufacturers.
format Preprint
id arxiv_https___arxiv_org_abs_2410_11075
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Keep Me Updated: An Empirical Study of Proprietary Vendor Blobs in Android Firmware
Wen, Elliott
Shen, Jiaxing
Wuensche, Burkhard
Software Engineering
Despite extensive security research on various Android components, such as kernel or runtime, little attention has been paid to the proprietary vendor blobs within Android firmware. In this paper, we conduct a large-scale empirical study to understand the update patterns and assess the security implications of vendor blobs. We specifically focus on GPU blobs because they are loaded into every process for displaying graphics user interfaces and can affect the entire system's security. We examine over 13,000 Android firmware releases between January 2018 and April 2024. Our results reveal that device manufacturers often neglect vendor blob updates. About 82\% of firmware releases contain outdated GPU blobs (up to 1,281 days). A significant number of blobs also rely on obsolete LLVM core libraries released more than 15 years ago. To analyze their security implications, we develop a performant fuzzer that requires no physical access to mobile devices. We discover 289 security and behavioral bugs within the blobs. We also present a case study demonstrating how these vulnerabilities can be exploited via WebGL. This work underscores the critical security concerns associated with vulnerable vendor blobs and emphasizes the urgent need for timely updates from device manufacturers.
title Keep Me Updated: An Empirical Study of Proprietary Vendor Blobs in Android Firmware
topic Software Engineering
url https://arxiv.org/abs/2410.11075