FANS: Fuzzing Android Native System Services

FANS is a tool for fuzzing Android native system services. It consists of four components: the interface collector, the interface model extractor, the dependency inferer, and the fuzzer engine.

For more details, please refer to our USENIX Security'20 paper.

You can follow the steps below to set up FANS. In the following, we use a Pixel 2 XL to illustrate the instructions.

Prepare Host

Please prepare a server with

  • at least 1 TB of disk (preferably SSD), for the following reasons:
    • the AOSP trees with and without ASan enabled must be kept separately;
    • the fuzzing logs have to be stored;
    • etc.
  • as many cores as possible, since compiling AOSP is time-consuming. The more cores, the better.

We suggest using FANS on Ubuntu. We tested it on Ubuntu 18.04.

Prepare Android Environment

Please refer to the AOSP documentation for

  • how to download the AOSP source code
  • how to compile AOSP for the target phone with the target version (e.g., Android 9.0.0_r46 for Pixel 2 XL)
  • how to compile AOSP with ASan enabled
  • how to flash devices

Suppose we have

  • downloaded the AOSP source code to /path/to/aosp
  • checked out the target version, e.g., Android 9.0.0_r46
  • downloaded the proprietary binaries of the target phone to /path/to/aosp according to the following URLs
    • https://source.android.com/setup/start/build-numbers#source-code-tags-and-builds
    • https://developers.google.com/android/drivers

Before building, it is better to modify some options in the following files to make fuzzing more convenient.

/path/to/aosp/build/core/main.mk

  • ro.adb.secure=0, which disables adb authentication. Otherwise, every time we reflash the phone, we need to tap the screen manually to trust the host. Disabling adb authentication lets us reflash the phone automatically, since we reflash it through adb. Note that any host with USB access to the device then gets an adb shell without a prompt, so keep the device attached only to the isolated fuzzing host.

  • persist.sys.disable_rescue=1, which disables Rescue Party. For more details, please see https://source.android.com/devices/tech/debug/rescue-party. Otherwise, the repeated system_server crashes that fuzzing provokes trigger Rescue Party's escalating recovery actions (up to a factory reset); disabling it improves fuzzing efficiency.

Both properties are added to the block that sets the default properties for user builds; the original conditional that forces ro.adb.secure=1 is commented out so the two settings do not conflict.

```makefile
# line 273
## before modifying
ifneq (,$(user_variant))
  # Target is secure in user builds.
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

  ifeq ($(user_variant),user)
    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
  endif

## after modifying
ifneq (,$(user_variant))
  # Target is secure in user builds.
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

  ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
  ADDITIONAL_DEFAULT_PROPERTIES += persist.sys.disable_rescue=1

  #ifeq ($(user_variant),user)
  #  ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
  #endif
```

/path/to/aosp/build/make/target/product/core_minimal.mk

  • tombstoned.max_tombstone_count=99999, which raises the maximum number of tombstones kept by tombstoned from 50 to 99999, so crash reports from long fuzzing runs are not rotated away before they can be collected.

```makefile
# line 170
## before modifying
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
    tombstoned.max_tombstone_count=50
endif
## after modifying
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
    tombstoned.max_tombstone_count=99999
endif
```


Note that when flashing the image, you should use the adb and fastboot versions corresponding to the Android version. So please install the Android SDK matching the version of the target phone. For instance, we are testing Android 9.0.0_r46, so we install the Android SDK for Android 9.0. After installing the SDK, create the following symbolic links:

```bash
sudo ln -s /path/to/sdk/platform-tools/fastboot /usr/bin/fastboot
sudo ln -s /path/to/sdk/platform-tools/adb /usr/bin/adb
```

Here are some helpful instructions for flashing a device with ASan enabled.

```bash
############################# Flash factory image       #############################
# Before flashing the manually built image,
# you should flash the mobile phone with the corresponding factory image.
# Please refer to the official website for flashing the factory image.

############################# Flash AOSP image without ASan #############################
# we need to compile AOSP in a bash environment
bash
cd /path/to/aosp
# prepare the environment
source build/envsetup.sh
# select the target; 50 corresponds to aosp_taimen-userdebug.
# You can run `lunch` without arguments to see the allowed choices.
lunch 50
# compile AOSP and save the compile commands.
# showcommands prints every build command to stdout; with this redirection
# order stdout goes to cmd.txt while build errors still appear on the terminal.
# Replace [N_PROCS] with the number of parallel jobs you want,
# e.g., make -j15 showcommands 2>&1 >cmd.txt
make -j [N_PROCS] showcommands 2>&1 >cmd.txt
# here, you should run your commands to flash the image.

############################# Flash AOSP image with ASan #############################
cd ..
# copy the entire project to another place.
cp -r /path/to/aosp /path/to/aosp_asan
cd /path/to/aosp_asan
source build/envsetup.sh
lunch 50
# compile the entire AOSP with ASan enabled.
# Replace [N_PROCS] with the number of parallel jobs you want,
# e.g., SANITIZE_TARGET=address make -j15
SANITIZE_TARGET=address make -j [N_PROCS]
# here, you should run your commands to flash the image with ASan enabled.
```
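After flashing, it is worth confirming that the image actually carries the property changes made in main.mk and core_minimal.mk above (and, implicitly, that adb works without an authorization prompt). The following check script is an added example and is not part of the FANS repository. It assumes that `adb shell getprop` prints properties as `[name]: [value]` lines and that a single device is attached unless a serial is given; the two sample outputs at the bottom are constructed for offline testing, not captured from a real device.

```shell
#!/bin/sh
# Added example (not FANS code): verify that a flashed test device carries the
# properties set in the main.mk / core_minimal.mk edits. The "[name]: [value]"
# line format of `adb shell getprop` is an assumption; check_props reads that
# text from stdin so the logic can be exercised without a device.

# Expected name=value pairs, taken from the build file edits above.
FANS_EXPECTED_PROPS='ro.adb.secure=0
persist.sys.disable_rescue=1
tombstoned.max_tombstone_count=99999'

# get_prop NAME < getprop-output : print the value of NAME, or nothing if unset.
get_prop() {
    # escape the dots in the property name so sed matches them literally
    re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^\[$re]: \[\(.*\)]\$/\1/p"
}

# check_props < getprop-output : return 0 if every expected property matches,
# otherwise report each mismatch on stderr and return 1.
check_props() {
    input=$(cat)
    status=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        got=$(printf '%s\n' "$input" | get_prop "$name")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want [%s], got [%s]\n' \
                "$name" "$want" "${got:-<unset>}" >&2
            status=1
        fi
    done <<EOF
$FANS_EXPECTED_PROPS
EOF
    return "$status"
}

# check_device [SERIAL] : run the check against a connected device.
# A mismatch usually means the unmodified build files were used, or the
# factory image is still installed.
check_device() {
    if [ -n "${1:-}" ]; then
        adb -s "$1" shell getprop | tr -d '\r' | check_props
    else
        adb shell getprop | tr -d '\r' | check_props
    fi
}

# Constructed sample outputs (not from a real device) for offline use.
SAMPLE_GOOD='[persist.sys.disable_rescue]: [1]
[ro.adb.secure]: [0]
[ro.build.version.release]: [9]
[tombstoned.max_tombstone_count]: [99999]'

SAMPLE_BAD='[ro.adb.secure]: [1]
[ro.build.version.release]: [9]
[tombstoned.max_tombstone_count]: [50]'

# Usage after flashing: `. ./check_props.sh; check_device` (or
# `check_device <serial>`); it returns 0 only when all three properties match.
```

The check deliberately reads the whole property dump once rather than running `adb shell getprop <name>` per property, so it behaves the same against a saved dump as against a live device.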

Config FANS

Then we need to create a config file fans.cfg for FANS. You can use the template fans.template.cfg to set up your config. In detail, we need to configure the following options of FANS.

  • fans_dir, the FANS directory.
  • aosp_dir, the AOSP directory.
  • aosp_sanitizer_dir, the directory of the AOSP tree built with ASan enabled.
  • aosp_compilation_cmd_file, the location of the AOSP compilation cmd file, i.e., the cmd.txt saved by make showcommands above.
  • lunch_command, the lunch command, e.g., lunch 50 for aosp_taimen-userdebug.
  • aosp_clang_location, the location of the clang used to compile AOSP, relative to aosp_dir, e.g., prebuilts/clang/host/linux-x86/clang-4691093/bin/clang++.real for Android 9.0.0_r46.
  • manually_build_clang_location, the location of the manually built clang. For details, please refer to [pre-process](interface-model-extractor/pre-process/readme.md) of the interface model extractor.
  • clang_plugin_option, the additional options appended to the compilation cmd to load the clang plugin.
  • service_related_file_collector_workdir, the work dir of the service-related file collector. Keep as default.
  • service_related_file_path_storage_location, stores the files related to services. Keep as default.
  • misc_parcel_related_function_storage_location, stores misc functions that have a parcel parameter, e.g., setSchedPolicy(data). Keep as default.
  • special_parcelable_function_storage_location, stores special functions of special parcelable structures. Keep as default.
  • aosp_compilation_cc1_cmd_file, stores the cc1 cmd. Keep as default.
  • already_preprocessed_files_storage_location, stores already preprocessed files. Keep as default.
  • rough_interface_related_data_dir, stores the data extracted during pre-processing. This directory is located in the root dir of aosp and is named data.
  • already_parsed_interfaces_storage_location, stores interfaces already parsed during post-processing. Keep as default.
  • interface_model_extractor_tmp_dir, the tmp dir used by the interface model extractor. Keep as default.
  • interface_model_extractor_dir, the interface model extractor work dir. Keep as default.
  • interface_dependency_dir, the interface dependency dir. Keep as default.

Collect Interface and Related Files

Please see Service Related File Collector.

Extract Interface Model

Please see Interface Model Extractor.

Infer Dependency

Please see Dependency Inferer.

Start Fuzzing

Please see Fuzzer Engine.

Results

workdir contains the following results:

  • service-related file information, located in workdir/service-related-file
  • the interface model, located in workdir/interface-model-extractor/model
  • the simplified interface dependency, located in workdir/interface-dependency

For details, you can refer to workdir.

As for the fuzzing results, you can refer to Fuzzer Manager.

If you find bugs by running FANS, please let us know by sending a PR.

TODO

See TODO.

Disclaimer

I am not sure what will happen to your device when using FANS. So good luck!

Contact

Baozheng Liu ([email protected])
