SAUSAGE: Security Analysis of Unix domain Socket Usage in Android

TL;DR

This paper introduces SAUSAGE, a static analysis framework that examines Unix domain socket security in Android, revealing widespread access control issues and insecure authentication in vendor-specific system daemons.

Contribution

SAUSAGE is the first comprehensive static analysis tool specifically designed to analyze Unix domain socket security in Android system daemons at scale.

Findings

Identified permission bypass in Qualcomm system daemons

Discovered unprotected sockets allowing untrusted apps to influence system processes

Found that all vendors except AOSP have access control issues in socket configurations

Abstract

The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-Process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. While Android-specific IPC mechanisms have been studied extensively, Unix domain sockets have not been examined comprehensively, despite playing a crucial role in the IPC of highly privileged system daemons. In this paper, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model, as well as authentication checks implemented by the daemon binaries. It is a fully static analysis framework, specifically designed to analyze Unix domain socket usage in Android system daemons, at scale. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system, despite the implementation of mandatory SELinux policies. Ultimately, the results of our analysis are worrisome; all vendors except the Android Open Source Project (AOSP) have access control issues, allowing an untrusted app to communicate to highly privileged daemons through Unix domain sockets introduced by hardware manufacturer or vendor customization.