SSPFA: effective stack smashing protection for Android OS

Hector Marco-Gisbert, Ismael Ripoll-Ripoll

Research output: Contribution to journal › Article

Abstract

In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack buffer overflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Android devices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA, the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows without changing the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is not intrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over the proposed solution.
Original language: English
Pages (from-to): 519-532
Number of pages: 14
Journal: International Journal of Information Security
Volume: 18
Issue number: 4
Early online date: 22 Jan 2019
DOI: 10.1007/s10207-018-00425-8
Publication status: E-pub ahead of print - 22 Jan 2019

Keywords

  • Android
  • Buffer overflow
  • Defenses
  • Mobile devices
  • Security
  • Stack smashing protector

Cite this

@article{18d4e2891d134a2fad4c7e6b4fdbfee5,
title = "SSPFA: effective stack smashing protection for Android OS",
keywords = "Android, Buffer overflow, Defenses, Mobile devices, Security, Stack smashing protector",
author = "Hector Marco-Gisbert and Ismael Ripoll-Ripoll",
year = "2019",
month = "1",
day = "22",
doi = "10.1007/s10207-018-00425-8",
language = "English",
volume = "18",
pages = "519--532",
journal = "International Journal of Information Security",
issn = "1615-5262",
publisher = "Springer Nature",
number = "4",

}

SSPFA: effective stack smashing protection for Android OS. / Marco-Gisbert, Hector; Ripoll-Ripoll, Ismael.

In: International Journal of Information Security, Vol. 18, No. 4, 31.08.2019, p. 519-532.
