Binder is the IPC mechanism in Android. It is used for communication not only between processes with the same privilege level but also between low-privileged apps and high-privileged system services. System services are a juicy attack surface for privilege escalation because the parameters passed to them through Binder calls lack sanitization, yet until now few vulnerabilities of this type have been disclosed.
In this presentation, I will first introduce this attack surface and then demonstrate the first fuzzing tool for finding this kind of vulnerability. The tool takes the Binder interfaces exported by system services as its attack targets. The tool is simple but effective: with it I have found 8 vulnerabilities that were assigned CVE IDs by the Android Security Team, as well as dozens of system service crashes. Finally, I will detail how to exploit this type of vulnerability to obtain system_server privileges, using a previously unpublished vulnerability.
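To make the attack surface concrete, here is a minimal Binder transaction fuzzer written as an added example for this page; it is not the speaker's tool and does not reproduce any of the vulnerabilities mentioned above. It runs inside an ordinary, unprivileged app process, looks up a system service by its registered name (for example "activity" or "package"), and sends transactions with random transaction codes and random Parcel contents to the service's exported interface. It assumes that the hidden android.os.ServiceManager class is reachable via reflection (newer Android releases restrict hidden APIs, so this may need adjusting), and the service names, iteration counts and seed are illustrative choices, not values from the talk.

```java
// Added example: a minimal Binder transaction fuzzer illustrating the attack
// surface described above. Illustrative code written for this page, not the
// speaker's tool. Runs in an unprivileged app process on Android and assumes
// android.os.ServiceManager.getService(String) is reachable via reflection
// (a hidden API that newer Android releases may restrict).
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.util.Log;

import java.lang.reflect.Method;
import java.util.Random;

public final class BinderFuzzer {
    private static final String TAG = "BinderFuzzer";

    // Resolve a system service by its registered name through the hidden
    // ServiceManager API. Returns null if the lookup fails.
    static IBinder lookupService(String name) {
        try {
            Class<?> sm = Class.forName("android.os.ServiceManager");
            Method getService = sm.getMethod("getService", String.class);
            return (IBinder) getService.invoke(null, name);
        } catch (ReflectiveOperationException e) {
            Log.e(TAG, "ServiceManager lookup failed for " + name, e);
            return null;
        }
    }

    // Write the interface token the target's onTransact() checks first, then a
    // random mix of primitives, strings (including null) and byte blobs so that
    // the service's argument parsing is exercised with unexpected values.
    static void fillRandomArgs(Parcel data, String descriptor, Random rng) {
        data.writeInterfaceToken(descriptor);
        int fields = rng.nextInt(8);
        for (int i = 0; i < fields; i++) {
            switch (rng.nextInt(4)) {
                case 0: data.writeInt(rng.nextInt()); break;
                case 1: data.writeLong(rng.nextLong()); break;
                case 2: data.writeString(rng.nextBoolean() ? null : Long.toHexString(rng.nextLong())); break;
                default:
                    byte[] blob = new byte[rng.nextInt(64)];
                    rng.nextBytes(blob);
                    data.writeByteArray(blob);
            }
        }
    }

    // Send `iterations` random transactions to one service, using transaction
    // codes in [FIRST_CALL_TRANSACTION, FIRST_CALL_TRANSACTION + maxCode).
    // Returns the number of transactions that raised an exception, or -1 if
    // the service could not be reached. A DeadObjectException (a subclass of
    // RemoteException) means the remote process died; the seed and iteration
    // in the log line are enough to replay the exact transaction sequence.
    static int fuzzService(String name, int maxCode, int iterations, long seed) {
        IBinder binder = lookupService(name);
        if (binder == null) return -1;
        String descriptor;
        try {
            descriptor = binder.getInterfaceDescriptor();
        } catch (RemoteException e) {
            Log.e(TAG, "cannot read interface descriptor of " + name, e);
            return -1;
        }
        Random rng = new Random(seed);
        int exceptions = 0;
        for (int i = 0; i < iterations; i++) {
            int code = IBinder.FIRST_CALL_TRANSACTION + rng.nextInt(maxCode);
            Parcel data = Parcel.obtain();
            Parcel reply = Parcel.obtain();
            try {
                fillRandomArgs(data, descriptor, rng);
                binder.transact(code, data, reply, 0);
                // Rethrows any exception the service wrote into the reply,
                // e.g. a SecurityException from a permission check.
                reply.readException();
            } catch (Exception e) {
                exceptions++;
                Log.w(TAG, name + " code=" + code + " seed=" + seed + " iter=" + i + ": " + e);
            } finally {
                data.recycle();
                reply.recycle();
            }
        }
        return exceptions;
    }

    // Usage from an app component, e.g. fuzzService("activity", 200, 10000, 1L).
}
```

Two practical notes: a crash of system_server restarts the whole framework and kills the fuzzing app with it, so the seed and iteration counter should be persisted before each transaction (not only logged) and the crash itself recovered afterwards from logcat and the tombstone; and SecurityException results surfaced by readException() are the uninteresting cases where a permission check ran first, while uncaught runtime exceptions and native crashes in the service are the ones worth triaging.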