Speaker
Description
THIS WORK HAS BEEN ACCEPTED AND PRESENTED AT IEEE SECDEV 2023
Android is an operating system widely deployed
especially on devices such as smartphones. In this paper, we study
the evolution of OpenJDK Java Class Library (JCL) versions
used as the basis of the Dalvik Virtual Machine (DVM) and
the Android Runtime (ART). We also identify vulnerabilities
impacting OpenJDK JCL versions and analyze their impact on
Android. Our results indicate that the complexity of the Android
JCL code imported from OpenJDK increases because: (1) there is
an increase in the number of classes imported from OpenJDK,
(2) there is an increase in the fragmentation of the JCL code
in Android as code is increasingly imported from multiple
OpenJDK versions at the same time, and (3) there is an increase
in the distance between the JCL code in Android and OpenJDK
as, for instance, Android developer introduce customizations
to the imported code. We also observe that most OpenJDK
vulnerabilities (80%) are not impacting Android because the
vulnerable classes are not imported in Android. Nevertheless,
Android does import vulnerable code and little is done to patch
this vulnerable code which is only ”patched” when a newer
version of the vulnerable code is imported. This means that the
code can stay vulnerable in Android for years. Most of the vul-
nerabilities impacting Android (77%) have a security impact on
the availability of the system. By developing a proof-of-concept,
we show that OpenJDK vulnerabilities imported in Android do
have a security impact. We suggest to seriously take into account
public information available about OpenJDK vulnerabilities to
increase the security of the Android development pipeline.
| Length | 15 minutes |
|---|
