Abstract
Despite extensive security research on various Android components, such as kernel or runtime, little attention has been paid to the proprietary vendor blobs within Android firmware. In this paper, we conduct a large-scale empirical study to understand the update patterns and assess the security implications of vendor blobs. We specifically focus on GPU blobs because they are loaded into every process for displaying graphics user interfaces and can affect the entire system's security. We examine over 13,000 Android firmware releases between January 2018 and April 2024. Our results reveal that device manufacturers often neglect vendor blob updates. About 82% of firmware releases contain outdated GPU blobs (up to 1,281 days). A significant number of blobs also rely on obsolete LLVM core libraries released more than 15 years ago. To analyze their security implications, we develop a performant fuzzer that requires no physical access to mobile devices. We discover 289 security and behavioral bugs within the blobs. We also present a case study demonstrating how these vulnerabilities can be exploited via WebGL. This work underscores the critical security concerns associated with vulnerable vendor blobs and emphasizes the urgent need for timely updates from device manufacturers.
Original language | English |
---|---|
Title of host publication | Proceedings - 2024 IEEE 30th International Conference on Parallel and Distributed Systems, ICPADS 2024 |
Publisher | IEEE Computer Society |
Pages | 116-125 |
Number of pages | 10 |
ISBN (Electronic) | 9798331515966 |
DOIs | |
Publication status | Published - Oct 2024 |
Event | 30th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2024 - Belgrade, Serbia Duration: 10 Oct 2024 → 14 Oct 2024 |
Publication series
Name | Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS |
---|---|
ISSN (Print) | 1521-9097 |
Conference
Conference | 30th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2024 |
---|---|
Country/Territory | Serbia |
City | Belgrade |
Period | 10/10/24 → 14/10/24 |
Bibliographical note
Publisher Copyright:© 2024 IEEE.