Philipp Mao, Marcel Busch, and Mathias Payer, EPFL
Compromised or malicious apps remain a primary security concern for Android. As Android tightens its app sandbox and further reduces the kernel's attack surface, native Android system services emerge as a promising target for privilege escalation.
Bugs in these native system services, triggerable from the app sandbox via RPC (Remote Procedure Calls), may facilitate privilege escalation. We identify the attack surface exposed by proprietary native system services and propose NASS, an approach to effectively fuzz proprietary real-world RPC servers to detect bugs triggerable via RPC. NASS addresses the challenge of extracting coverage from complex, intertwined real-world RPC servers. Furthermore, NASS leverages our novel technique, deserialization-guided interface extraction, to recover the RPC interface definition from proprietary RPC servers. NASS' techniques all build on common RPC design principles, which broadly apply to RPC frameworks.
We implement NASS for Android's Binder RPC framework. NASS outperforms prior work regarding interface extraction, target exploration and bug-finding capabilities, even without access to source code. NASS has identified 12 unique bugs in up-to-date Google, Samsung, Xiaomi, and OnePlus devices, with five CVEs assigned so far.
author = {Philipp Mao and Marcel Busch and Mathias Payer},
title = {{NASS}: Fuzzing All Native Android System Services with Interface Awareness and Coverage},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {4225--4243},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/mao},
publisher = {USENIX Association},
month = aug
}


