InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs on Android

Abstract

Hot-patches, easier to develop and faster to deploy than permanent patches, are used to timely (and temporarily) block exploits of newly discovered vulnerabilities while permanent patches are being developed and tested. Researchers recently proposed to apply hot-patching techniques to system programs on Android as a quick mitigation against critical vulnerabilities. However, existing hot-patching techniques, though widely used in conventional computers, are rarely adopted by Android OS or device vendors in reality. Our study uncovers a major hurdle that prevents existing hot-patching methods from being effective on mobile devices: after being developed, hot-patches for mobile devices have to go through lengthy compatibility tests that Android device partners impose on all system code updates. This testing and release process can take months, and therefore, erase the key benefit of hot-patches (i.e., quickly deployable). We propose InstaGuard, a new approach to hot-patch for mobile devices that allows for instant deployment of patches (i.e., “carrier-passthrough”) and fast patch development for device vendors. Unlike existing hot-patching techniques, InstaGuard avoids injecting new code to programs being patched. Instead, it enforces instantly updatable rules that contain no code (i.e., no carrier test is needed) to block exploits of unpatched vulnerabilities in a timely fashion. When designing InstaGuard, we overcame two major challenges that previous hot-patching methods did not face. First, since no code addition is allowed, InstaGuard needs a rule language that is expressive enough to mitigate various kinds of vulnerabilities and efficient to be enforced on mobile devices. Second, rule generation cannot require special skills or much efforts from human users. We designed a new language for hot-patches and an enforcement mechanism based on the basic debugging primitives supported by ARM CPUs. We also built RuleMaker, a tool for automatically generating rules for InstaGuard based on high-level, easy-to-write vulnerability descriptions. We have implemented InstaGuard on Google Nexus 5X phones. To demonstrate the coverage of InstaGuard, we show that InstaGuard can handle all critical CVEs from Android Security Bulletins reported in 2016. We also conduct unit tests using critical vulnerabilities from 4 different categories. On average, InstaGuard increases program memory footprint by 1.69% and slows down program execution by 2.70%, which are unnoticeable to device users in practice.