How ServiceFuzzer Enhances Android Native Service Security with libFuzzer

Introduction

Android native services provide essential low‑level functionality and have been the source of several CVE vulnerabilities (e.g., CVE‑2018‑9424, CVE‑2021‑0318). Maintaining their security is crucial for the Android ecosystem.

Fuzz testing injects malformed or unexpected inputs to uncover software defects, and libFuzzer is one of the primary fuzzing tools supported by AOSP.

Fuzzing Basics and libFuzzer

Fuzzing (or fuzz testing) automatically generates random data to feed a program, monitoring for crashes or assertion failures. libFuzzer is a coverage‑guided, in‑process evolutionary fuzzing engine that uses code‑coverage (cov) and execution path (ft) feedback to improve input generation.

Coverage monitoring relies on Sanitizer‑Coverage instrumentation, which inserts counters at each conditional branch to track execution frequency.

Challenges with Native Service Fuzzing

Android native services use a client‑server (C/S) model with Binder IPC for cross‑process communication. Because libFuzzer runs in the client process, obtaining coverage for server‑side native code is difficult.

Traditional approaches call service‑side functions directly, requiring custom adapters for each service, which is time‑consuming.

ServiceFuzzer Framework

In August 2022, AOSP introduced service_fuzzer_defaults , forming the ServiceFuzzer framework. It provides a generic template that uses the service’s Bn side transact entry point, reducing per‑service adaptation.

The framework creates a Binder pool and file descriptor pool, disables Parcel checks via setEnforceNoDataAvail and setServiceFuzzing, and fills Parcels with fuzzed data from libFuzzer.

Case Study: media_player_service_fuzzer

The media_player_service_fuzzer implementation contains only three lines in LLVMFuzzerTestOneInput, yet it exercises all exposed service interfaces.

Key steps:

Instantiate MediaPlayerService via createForFuzzTesting and pass it to fuzzService.

Wrap the raw fuzzed buffer in FuzzedDataProvider (fdp) to extract typed values.

First‑layer fuzzService stores the service object in a vector and forwards it with fdp.

Second‑layer prepares options (Binder and file pools), clears calling identity, and extracts an optional UID from fdp.

Generate code (interface number) and flags for the transact call.

Disable Parcel validation and enable service fuzzing to bypass checks.

Select a Binder from the pool as the target; if the service returns additional Binders or file descriptors, they are added back to the pools for subsequent loops.

Fill the request Parcel using fillRandomParcel, which may directly copy data or randomly insert Binders, file descriptors, or raw bytes.

Invoke transact on the service, capture the reply Parcel, and extract any returned Binders or file descriptors.

Ensure single‑threaded execution to keep coverage data accurate.

This loop repeats, increasing code coverage while exercising diverse service interfaces.

Analysis and Improvements

ServiceFuzzer’s strengths lie in its generic template, Binder and file pools, and the ability to bypass Parcel checks, which speeds up fuzzing. Its weaknesses include random parameter values that may fall outside valid ranges and the unordered Binder pool, which cannot guarantee ordered multi‑stage calls (e.g., media streaming flows).

To improve efficiency, the article adds a preprocessing step that enumerates all valid interface codes by sending a Parcel with a dummy integer to each possible code (0x1‑0xffffff). Responses not returning UNKNOWN_TRANSACTION are stored as valid codes.

A new ServiceFuzzingBase class holds the valid code list and provides a member fuzzService that randomly selects a code from this list, improving the relevance of generated inputs.

Conclusion

The ServiceFuzzer framework, combined with libFuzzer, offers a powerful method for fuzzing Android native services, leveraging Binder and file descriptor pools and disabling Parcel validation to boost coverage. While it simplifies fuzzer development, further enhancements—such as ordered interface calls and smarter input generation—are needed to maximize efficiency.

Reference links: Fuzzing wiki, libFuzzer documentation, ServiceFuzzer source code.