> From a security pov, is it possible to guess binder reference numbers of
> binder nodes, thus bypassing the service manager to initiate IPC
> 'directly' from one application to another? Is that possible in the
> traditional Binder implementation? If yes, did you regard this in your
> project?

I had thought about this before too. From the implementation point of view,
you need someone to send you either a binder or a handle (like an
invitation) to be able to create a kernel-level reference (numbered
locally), which you can then use to start a transaction with. As the
reference number is created locally, there's no point in guessing or
forging, because if you don't have a local reference, the kernel will
simply reject it. From that perspective, it's probably secure. But
there's nothing (from memory) that would stop you from creating a reference
via a reference from someone else other than the owner. On the other
hand, the service provider (owner) can always enforce verification of the
originator of the request if they want to. What I found might be a security
risk is actually the way the framework handles the cookie.
When a request is received, the cookie is cast into an object
without much checking, which can potentially be misused by some
malicious apps.

The first priority of my project was to implement a version that can
be used as a drop-in replacement, well, as much as possible. So the logic
mentioned above mostly applies to my implementation too, but I'd
certainly consider those security aspects along the way.

Cheers,
Rong

-- 
website: http://groups.google.com/group/android-kernel
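The mechanism Rong describes (references numbered per process, a guessed number rejected, a holder other than the owner able to pass the reference on) as an added illustration. This is not the kernel's code and not the poster's implementation: it is a simplified model with invented names (struct proc, grant_ref, send_reference, transact); the real driver keeps binder_proc/binder_node/binder_ref in rb-trees and fails an unknown target handle with BR_FAILED_REPLY. Handle 0 being the context manager follows the real driver. The scenario and pids are constructed.

```c
/* Added model of per-process Binder reference numbering; not kernel code.
 * Names are invented for this example. */
#include <stdio.h>
#include <string.h>

#define MAX_REFS 16
#define HANDLE_CONTEXT_MGR 0

/* A binder node: an object owned by exactly one process. ptr and cookie are
 * the owner's values; the kernel echoes them back to the owner on delivery. */
struct node {
    int owner_pid;
    unsigned long ptr;
    unsigned long cookie;
};

/* Per-process reference table: handle number -> node. The same node gets a
 * different number in every process that holds a reference to it. */
struct proc {
    int pid;
    struct node *refs[MAX_REFS];  /* index is the handle number */
    int next_handle;
};

static void proc_init(struct proc *p, int pid, struct node *context_mgr) {
    memset(p, 0, sizeof *p);
    p->pid = pid;
    p->refs[HANDLE_CONTEXT_MGR] = context_mgr;  /* everyone starts with handle 0 */
    p->next_handle = 1;
}

/* Lookup done on a transaction: the target handle is resolved in the
 * sender's own table. A number the sender was never sent is simply absent. */
static struct node *lookup_handle(const struct proc *sender, int handle) {
    if (handle < 0 || handle >= MAX_REFS) return NULL;
    return sender->refs[handle];
}

/* When a transaction carries a reference, the kernel creates (or reuses) a
 * ref in the receiver's table and rewrites it to the receiver's local number. */
static int grant_ref(struct proc *receiver, struct node *n) {
    for (int h = 0; h < receiver->next_handle; h++)
        if (receiver->refs[h] == n) return h;
    if (receiver->next_handle >= MAX_REFS) return -1;
    int h = receiver->next_handle++;
    receiver->refs[h] = n;
    return h;
}

/* Forward a reference held by `sender` (any holder, not only the owner) to
 * `receiver`. Fails if the sender does not actually hold that handle. */
static int send_reference(struct proc *sender, int sender_handle, struct proc *receiver) {
    struct node *n = lookup_handle(sender, sender_handle);
    return n ? grant_ref(receiver, n) : -1;
}

/* Transaction attempt: 1 if it would be delivered to the node's owner (with
 * the owner's pid and cookie filled in), 0 if the kernel rejects it. */
static int transact(const struct proc *sender, int handle, int *owner_pid, unsigned long *cookie) {
    struct node *n = lookup_handle(sender, handle);
    if (!n) return 0;
    *owner_pid = n->owner_pid;
    *cookie = n->cookie;
    return 1;
}

struct demo_result {
    int sm_handle;          /* servicemanager's handle for service S */
    int a_handle;           /* client A's handle for the same S, numbered locally */
    int a_delivered;        /* A's transaction reaches S's owner */
    int a_target_pid;
    unsigned long a_cookie; /* the owner's own cookie, as echoed back */
    int b_guess_delivered;  /* B reusing A's or sm's number without a ref */
    int b_handle;           /* B's handle after A (not the owner) forwards S */
    int b_delivered;
};

/* Constructed scenario: servicemanager (pid 1) registers two services, hands
 * S (owned by pid 100) to client A (pid 200); client B (pid 300) guesses the
 * numbers others use, then receives a real reference forwarded by A. */
struct demo_result run_demo(void) {
    struct demo_result r;
    struct node ctx = {1, 0xC0DE, 0};
    struct node other = {50, 0x2000, 0x1111};
    struct node svc = {100, 0x1000, 0xABCD};
    struct proc sm, a, b;
    unsigned long unused;
    int unused_pid;

    memset(&r, 0, sizeof r);
    proc_init(&sm, 1, &ctx);
    proc_init(&a, 200, &ctx);
    proc_init(&b, 300, &ctx);

    grant_ref(&sm, &other);                 /* addService(other): handle 1 in sm */
    r.sm_handle = grant_ref(&sm, &svc);     /* addService(S):     handle 2 in sm */

    /* getService(S) by A: sm's handle 2 arrives in A as A's own handle 1. */
    r.a_handle = send_reference(&sm, r.sm_handle, &a);
    r.a_delivered = transact(&a, r.a_handle, &r.a_target_pid, &r.a_cookie);

    /* B tries the numbers A and sm use: no local ref, nothing is delivered. */
    r.b_guess_delivered = transact(&b, r.a_handle, &unused_pid, &unused)
                        | transact(&b, r.sm_handle, &unused_pid, &unused);

    /* A forwards its reference to B; the owner of S is not consulted. */
    r.b_handle = send_reference(&a, r.a_handle, &b);
    r.b_delivered = transact(&b, r.b_handle, &unused_pid, &unused);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("sm handle %d, A handle %d, A delivered to pid %d (cookie 0x%lx)\n",
           r.sm_handle, r.a_handle, r.a_target_pid, r.a_cookie);
    printf("B guessing: delivered=%d; after A forwards: handle %d delivered=%d\n",
           r.b_guess_delivered, r.b_handle, r.b_delivered);
    return 0;
}
```

The model shows both halves of the argument: the number space is private to each process, so a guessed handle has nothing to resolve against, yet any process that legitimately holds a reference can hand it to a third party without the owner's involvement, which is why the owner still has to check the caller (e.g. its uid/pid) if it cares who is talking to it.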