http://dx.doi.org/10.13089/JKIISC.2020.30.6.1023

Automatic Detection and Analysis of Desktop Bus'(D-Bus) Privilege Bypass in Tizen  

Kim, Dongsung (Sungkyunkwan University)
Choi, Hyoung-Kee (Sungkyunkwan University)
Abstract
Wearable devices, such as smart watches and wrist bands, store their owners' private information, so a high level of security is required. Applications developed by third parties in Tizen request access to designated services through the desktop bus (D-Bus). The D-Bus verifies an application's privileges before granting the access request. We developed a fuzzing tool, called DAN (the D-bus ANalyzer), to detect errors in the implementation of privilege verification and access control within Tizen's system services. DAN found a number of vulnerable services that granted access to unauthorized applications. We built a proof-of-concept application based on those findings to demonstrate a bypass of the privilege check.
Keywords
Tizen; Wearable; Privilege; Desktop Bus; Access Control; D-Bus; Vulnerability;