Starting from Android 4.3, Android employs SEAndroid (SELinux in Android) to enforce mandatory access control (MAC) over all processes, and is thus able to enhance Android security by confining privileged processes. However, the effectiveness of SEAndroid enforcement depends on the policies that are deployed.
Unfortunately, policy development is error prone and requires lengthy refinement using audit logs from deployed systems. So, in practice, policy engineers always craft over-permissive rules, which significantly increase the attack surface and even lead to real-world privilege escalation attacks.
In this talk, we present a new policy analysis tool, VSPMiner, to detect vulnerable SEAndroid policies in the wild through supervised machine learning. In particular, we construct the training set via differential analysis and optimize the classification of VSPMiner by combining several basic classifiers, i.e., GBDT, XGBoost and random forests. Cross validation performed on the training set shows that VSPMiner is very promising, e.g., the mean F1-score and AUC are above 0.98 and 0.99 respectively.
We evaluate VSPMiner on the policy rules belonging to more than 2000 images with different tuple information (brand, model, Android version), covering the 22 most popular vendors. As a result, we find as many as 132,702 "vulnerable" policy rules, among which 2,832 problematic access patterns (object, permission) are revealed for the first time. In addition to revealing new attack surfaces, we also demonstrate how to abuse the vulnerable policy rules to facilitate Android rooting.
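The differential-analysis step mentioned above can be illustrated with an added example that is not VSPMiner's own code: it expands SEAndroid `allow` statements into (subject, object, class, permission) tuples and reports the access patterns a vendor policy grants beyond a baseline policy, which is the kind of candidate set a policy reviewer or a classifier would then label. The two policy snippets and the type names `vendor_daemon` and `block_device` are constructed for this example, not taken from any real image.

```python
import re
from collections import defaultdict

# Constructed sample policies (not from the talk): a trimmed baseline and a
# hypothetical vendor policy that adds rules on top of it.
BASELINE_POLICY = """
allow untrusted_app app_data_file:file { read write open getattr };
allow system_server system_data_file:dir { search read };
allow init device:chr_file { read write };
"""

VENDOR_POLICY = """
allow untrusted_app app_data_file:file { read write open getattr };
allow system_server system_data_file:dir { search read };
allow init device:chr_file { read write };
allow untrusted_app sysfs:file { read write open };
allow vendor_daemon block_device:blk_file { read write ioctl };
"""

# Matches 'allow <subject> <object>:<class> <perm | { perms }>;' on one line.
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_allow_rules(policy_text):
    """Expand each 'allow' statement into (subject, object, class, permission) tuples."""
    tuples = set()
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # skip type declarations, comments and anything else
        subject, obj, cls, perms = m.groups()
        for perm in perms.strip("{}").split():
            tuples.add((subject, obj, cls, perm))
    return tuples


def differential_patterns(baseline_text, vendor_text):
    """Return (object, class, permission) patterns present only in the vendor policy, by subject."""
    added = parse_allow_rules(vendor_text) - parse_allow_rules(baseline_text)
    by_subject = defaultdict(set)
    for subject, obj, cls, perm in added:
        by_subject[subject].add((obj, cls, perm))
    return dict(by_subject)


if __name__ == "__main__":
    for subject, patterns in sorted(differential_patterns(BASELINE_POLICY, VENDOR_POLICY).items()):
        print(subject, sorted(patterns))
```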