System services and resources in Android are accessed through IPC-based mechanisms. Previous research has demonstrated that they are vulnerable to denial-of-service (DoS) attacks. For instance, the JNI global reference (JGR), which is widely used by system services, can be exhausted to force a system reboot (hence the name JGRE attack). Even though the Android team has tried to fix the problem by enforcing security checks, we find that it is still possible to construct a JGR exhaustion DoS attack in the latest Android system. In this paper, we propose a new JGR exhaustion DoS attack that is effective across different Android versions, including the latest one (i.e., Android 10). Specifically, we developed JGREAnalyzer, a tool that systematically detects JGR-vulnerable system service APIs via a call graph analysis and a forward reachability analysis. We applied this tool to different Android versions and found multiple vulnerabilities. In particular, among the 148 system services in Android 10, 12 of them have 21 vulnerabilities, and 9 of those can be successfully exploited without any permissions. We further analyze the root cause of the vulnerabilities and propose a new defense that mitigates the JGRE attack by restricting resource consumption via global reference counting.
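The defense sketched in the last sentence, counting global references and refusing further allocations once a budget is spent, can be illustrated with a small accounting model. The following C program is an added example written for this page; it is not JGREAnalyzer, not the paper's defense code, and not ART's reference table. The ledger, the `jgr_*` functions, the per-UID quota of 512 and the caller UIDs are hypothetical; the table capacity of 51200 is the ART global reference table limit I assume here. The point it shows is that attributing each global reference to the IPC caller's UID turns one greedy caller's exhaustion of a shared table into a refusal that affects only that caller.

```c
/* Added illustration: a per-caller quota on JNI global references.
 * Hypothetical design, not the paper's defense implementation.
 * A system service that creates a global reference on behalf of an IPC
 * caller charges it to that caller's UID; once the caller's budget is spent,
 * further requests are refused instead of draining the shared table. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define GLOBAL_CAPACITY 51200 /* assumed: ART's global reference table limit */
#define PER_CALLER_QUOTA 512  /* hypothetical per-UID budget */
#define MAX_CALLERS 64        /* hypothetical: distinct UIDs tracked */

typedef struct {
    int uid;
    size_t held;
} caller_slot;

typedef struct {
    size_t total_held; /* references currently live in the shared table */
    size_t nslots;
    caller_slot slots[MAX_CALLERS];
} jgr_ledger;

static caller_slot *find_slot(jgr_ledger *l, int uid, bool create) {
    for (size_t i = 0; i < l->nslots; i++)
        if (l->slots[i].uid == uid) return &l->slots[i];
    if (!create || l->nslots == MAX_CALLERS) return NULL;
    l->slots[l->nslots].uid = uid;
    l->slots[l->nslots].held = 0;
    return &l->slots[l->nslots++];
}

/* Charge one global reference to `uid`. Returns false, and records nothing,
 * when the caller's quota or the table capacity would be exceeded. */
bool jgr_acquire(jgr_ledger *l, int uid) {
    if (l->total_held >= GLOBAL_CAPACITY) return false;
    caller_slot *s = find_slot(l, uid, true);
    if (s == NULL || s->held >= PER_CALLER_QUOTA) return false;
    s->held++;
    l->total_held++;
    return true;
}

/* Release one reference held on behalf of `uid`. */
void jgr_release(jgr_ledger *l, int uid) {
    caller_slot *s = find_slot(l, uid, false);
    if (s == NULL || s->held == 0) return;
    s->held--;
    l->total_held--;
}

/* Drop everything a caller holds, e.g. when its process dies. */
void jgr_release_all(jgr_ledger *l, int uid) {
    caller_slot *s = find_slot(l, uid, false);
    if (s == NULL) return;
    l->total_held -= s->held;
    s->held = 0;
}

size_t jgr_held_by(jgr_ledger *l, int uid) {
    caller_slot *s = find_slot(l, uid, false);
    return s ? s->held : 0;
}

/* Simulation: one caller keeps requesting references until it is cut off.
 * Returns how many of its requests were granted. */
size_t jgr_simulate_greedy_caller(jgr_ledger *l, int greedy_uid, size_t attempts) {
    size_t granted = 0;
    for (size_t i = 0; i < attempts; i++)
        if (jgr_acquire(l, greedy_uid)) granted++;
    return granted;
}

int main(void) {
    jgr_ledger ledger = {0};
    size_t got = jgr_simulate_greedy_caller(&ledger, 10001, 2000);
    printf("greedy caller granted %zu of 2000 requests (quota %d)\n", got, PER_CALLER_QUOTA);
    printf("another caller can still acquire: %s\n",
           jgr_acquire(&ledger, 10002) ? "yes" : "no");
    jgr_release_all(&ledger, 10001);
    printf("after cleanup the table holds %zu references\n", ledger.total_held);
    return 0;
}
```

The quota check happens before any reference is created, so the refusal is cheap and leaves the shared table untouched; `jgr_release_all` is what a service would call from its binder death notification so a crashed or killed client cannot leave its budget pinned.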