JNI Global References Are Still Vulnerable: Attacks and Defenses
Yi He, Yuan Zhou, Yacong Gu, Purui Su, Qi Li, Yajin Zhou, Yong Jiang

TL;DR
This paper reveals that JNI global references in Android remain vulnerable to DoS attacks despite security measures, introduces a detection tool, and proposes a new defense mechanism to prevent resource exhaustion.
Contribution
It uncovers persistent JNI global reference vulnerabilities in Android, develops JGREAnalyzer for systematic detection, and proposes a resource-based mitigation strategy.
Findings
Identified 21 vulnerabilities in Android 10 system services
Discovered 9 vulnerabilities exploitable without permissions
Developed JGREAnalyzer tool for vulnerability detection
Abstract
System services and resources in Android are accessed through IPC-based mechanisms. Previous research has demonstrated that they are vulnerable to denial-of-service (DoS) attacks. For instance, the JNI global reference (JGR), which is widely used by system services, can be exhausted to cause the system to reboot (hence the name JGRE attack). Even though the Android team tries to fix the problem by enforcing security checks, we find that it is still possible to construct a JGR exhaustion DoS attack in the latest Android system. In this paper, we propose a new JGR exhaustion DoS attack, which is effective in different Android versions, including the latest one (i.e., Android 10). Specifically, we developed JGREAnalyzer, a tool that can systematically detect JGR-vulnerable service APIs via a call graph analysis and a forwarding reachability analysis. We applied this tool to…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Information and Cyber Security
