SPECIFIC ISSUE ENCOUNTERED
During the dynamic scan of our Android app, we identified a vulnerability: Not Using Built-in Binary Protection (ASLR/PIC), which exposes app components to memory corruption attacks.
We would like to know which version of the app has ASLR and PIC enabled.
For reference:
PIC stands for Position Independent Code.
ASLR stands for Address Space Layout Randomization.
VERSIONS USED
ARCore SDK for Android: 1.33.0
STEPS TO REPRODUCE THE ISSUE
This test examines the individual components of the application to see if they were compiled using Position Independent Code (PIC) wherever applicable.
Business Impact (IF ANY)
Some components in this application do not protect against a specific type of attack that can allow an attacker to perform custom actions such as executing custom code or easily extracting interesting memory areas of the application.
These could potentially give them access to sensitive information from the app or the device.
ADDITIONAL COMMENTS
Not Using Built-in Binary Protection (ASLR/PIC) Exposes App Components to Memory Corruption Attacks.
PIC protection is not implemented for certain components of the application (libarcore_sdk_jni.so).
PIC (Position Independent Code) is required to ensure ASLR (Address Space Layout Randomization), which is a security feature that protects binaries when they are loaded and maintained in memory by randomizing the address space used in the application.
ASLR forces an attacker to guess memory addresses making it difficult to execute malicious code without first causing the application to crash.
ASLR also complicates the process of dumping specific application memory areas that the attacker might be interested in.
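The finding above can be reproduced locally before filing or triaging it. The script below is an added example (not the scanner's logic, and not part of the ARCore SDK) that reads an ELF shared object such as lib/arm64-v8a/libarcore_sdk_jni.so from an unpacked APK and reports the two things a PIC/ASLR check looks at: whether the image is ET_DYN (the only ELF type the loader can place at a randomized base) and whether it carries text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), which indicate code that was not compiled with -fPIC. The `build_sample_elf64` helper and the three sample images it produces are constructed test data, not real libraries.

```python
import struct
import sys

# ELF constants used below (values from the ELF specification).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def check_pic(data):
    """Return a dict describing whether the ELF image in `data` is position-independent.

    Two signals are checked:
      * e_type == ET_DYN: only ET_DYN images (shared objects and PIE executables)
        can be loaded at a randomized base, which is what ASLR needs.
      * no text relocations: DT_TEXTREL, or DF_TEXTREL in DT_FLAGS, means some
        code was not compiled with -fPIC and the loader must patch it in place.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    if is64:
        e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
            struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
        ph_fmt, dyn_fmt = endian + "IIQQQQQQ", endian + "qQ"
        idx_off, idx_filesz = 2, 5   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
    else:
        e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
            struct.unpack_from(endian + "HHIIIIIHHH", data, 16)
        ph_fmt, dyn_fmt = endian + "IIIIIIII", endian + "iI"
        idx_off, idx_filesz = 1, 4   # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, ...
    dyn_size = struct.calcsize(dyn_fmt)

    textrel = False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        start, end = ph[idx_off], ph[idx_off] + ph[idx_filesz]
        for off in range(start, end, dyn_size):   # walk the dynamic table to DT_NULL
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
    et_dyn = e_type == ET_DYN
    return {"class": 64 if is64 else 32, "et_dyn": et_dyn,
            "textrel": textrel, "pic_ok": et_dyn and not textrel}


def build_sample_elf64(e_type, dyn_entries):
    """Constructed test data: a minimal ELF64 image with one PT_DYNAMIC segment.
    It is not loadable and is not a real library; it only exercises check_pic()."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr_size, phdr_size = 64, 56
    dyn_off = ehdr_size + phdr_size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, ELF v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 183, 1, 0, ehdr_size,
                               0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)   # 183 = EM_AARCH64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:                       # e.g. python3 check_pic.py lib/arm64-v8a/*.so
        for p in paths:
            with open(p, "rb") as f:
                print(p, check_pic(f.read()))
    else:                           # no arguments: run against the constructed samples
        print("pic .so    ", check_pic(build_sample_elf64(ET_DYN, [(DT_FLAGS, 0)])))
        print("textrel .so", check_pic(build_sample_elf64(ET_DYN, [(DT_TEXTREL, 0)])))
        print("non-PIE exe", check_pic(build_sample_elf64(ET_EXEC, [])))
```

The same two signals can be read with binutils: `readelf -h lib.so` shows `Type: DYN (Shared object file)`, and `readelf -d lib.so` lists a `(TEXTREL)` entry or `TEXTREL` in `(FLAGS)` when text relocations are present. Since every `.so` is ET_DYN by construction, the actionable signal for a JNI library is the text-relocation flag; Android's dynamic linker refuses to load libraries with text relocations for apps targeting API 23 or higher, so a library that loads on current Android without such a warning has already passed that part of the check.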
Regulatory:
CWE: https://cwe.mitre.org/data/definitions/119.html