Ruian Duan (Georgia Institute of Technology), Ashish Bijlani (Georgia Institute of Technology), Yang Ji (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Yiyuan Xiong (Peking University), Moses Ike (Georgia Institute of Technology), Brendan Saltaformaggio (Georgia Institute of Technology), Wenke Lee (Georgia Institute of Technology)

Mobile application developers rely heavily on open-source software (OSS)
to offload common functionalities such as the implementation of
protocols and media format playback. Over the past years, several
vulnerabilities have been found in popular open-source libraries like
OpenSSL and FFmpeg. Mobile applications that include such libraries
inherit these flaws, which make them vulnerable. Fortunately, the
open-source community is responsive and patches are made available
within days. However, mobile application developers are often left
unaware of these flaws. The App Security Improvement Program (ASIP) is
a commendable effort by Google to notify application developers of these
flaws, but recent work has shown that many developers do not act on this

Our work addresses vulnerable mobile applications through automatic
binary patching from source patches provided by the OSS maintainers and
without involving the developers. We propose novel techniques to
overcome difficult challenges like patching feasibility analysis,
source-code-to-binary-code matching, and in-memory patching. Our
technique uses a novel variability-aware approach, which we implement as
OSSPatcher. We evaluated OSSPatcher with 39 OSS and a collection of
1,000 Android applications using their vulnerable versions. OSSPatcher
generated 675 function-level patches that fixed the affected mobile
applications without breaking their binary code. Further, we evaluated
10 vulnerabilities in popular apps such as Chrome with public exploits,
which OSSPatcher was able to mitigate and thwart their exploitation.

View More Papers

Distinguishing Attacks from Legitimate Authentication Traffic at Scale

Cormac Herley (Microsoft), Stuart Schechter (Unaffiliated)

Read More

DroidCap: OS Support for Capability-based Permissions in Android

Abdallah Dawoud (CISPA Helmholtz Center i.G.), Sven Bugiel (CISPA Helmholtz Center i.G.)

Read More

ConcurORAM: High-Throughput Stateless Parallel Multi-Client ORAM

Anrin Chakraborti (Stony Brook University), Radu Sion (Stony Brook University)

Read More

Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation

Victor Le Pochat (imec-DistriNet, KU Leuven), Tom Van Goethem (imec-DistriNet, KU Leuven), Samaneh Tajalizadehkhoob (Delft University of Technology), Maciej Korczyński (Grenoble Alps University), Wouter Joosen (imec-DistriNet, KU Leuven)

Read More