Semester thesis at EPFL in spring 2025, conducted in the HexHive group under Philipp Mao and Prof. Mathias Payer. A really cool research group with really nice people - always nice to bump into them again at CTFs in Lausanne, or at the parties afterwards ;)
Android system services talk to each other through Binder IPC, with their interfaces formally specified in AIDL. Google’s existing fuzzing setup for these services is the binder-parcel fuzzer, which treats every transaction as an opaque byte stream and lets the fuzzer rediscover method codes, argument layouts and parcelable boundaries by chance. The result: 40-80 % of inputs die at parsing or validation before ever reaching service logic. The thesis project, AID(L)ing the Fuzzer, plugs into the upstream AIDL compiler with a new “fuzz-harness” backend that emits C++ libFuzzer harnesses with type-safe argument packing, custom mutators, and deterministic handling of Binder objects and file descriptors. Across six AOSP services the autogenerated harnesses hit 85 % - and often 99 % - successful transactions, reaching service logic almost immediately.
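To make the "opaque bytes vs. type-aware packing" argument concrete, here is an added toy model in C++ (my own illustration, not the thesis code or Android's Binder library): a minimal Parcel-like buffer, a two-method service, and the two harness strategies fed from the same deterministic byte stream. The Parcel layout, the method codes and the xorshift-based input generator are all invented for this model.

```cpp
// Toy model of why typed packing reaches service logic more often than raw bytes.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

enum Outcome { PARSE_ERROR, BAD_CODE, REACHED_LOGIC };

// Minimal Parcel-like buffer: int32 values and length-prefixed strings (constructed format).
struct Parcel {
    std::vector<uint8_t> buf; size_t pos = 0;
    void writeInt32(int32_t v) { uint8_t b[4]; std::memcpy(b, &v, 4); buf.insert(buf.end(), b, b + 4); }
    void writeString(const std::string& s) { writeInt32((int32_t)s.size()); buf.insert(buf.end(), s.begin(), s.end()); }
    bool readInt32(int32_t& v) { if (buf.size() - pos < 4) return false; std::memcpy(&v, &buf[pos], 4); pos += 4; return true; }
    bool readString(std::string& s) {
        int32_t n; if (!readInt32(n) || n < 0 || (size_t)n > buf.size() - pos) return false;
        s.assign(buf.begin() + pos, buf.begin() + pos + n); pos += n; return true;
    }
};

// Toy service with two AIDL-style methods: code 1 = setName(String), code 2 = setLevel(int, int).
Outcome onTransact(uint32_t code, Parcel& data) {
    if (code == 1) { std::string s; return data.readString(s) ? REACHED_LOGIC : PARSE_ERROR; }
    if (code == 2) { int32_t a, b; return (data.readInt32(a) && data.readInt32(b)) ? REACHED_LOGIC : PARSE_ERROR; }
    return BAD_CODE;
}

// Opaque strategy: first byte picks a code, the rest is handed over as the raw parcel.
Outcome fuzzOpaque(const std::vector<uint8_t>& in) {
    if (in.empty()) return PARSE_ERROR;
    Parcel p; p.buf.assign(in.begin() + 1, in.end());
    return onTransact(in[0] % 4, p);
}

// Type-aware strategy (what a generated harness does): pick a real method, then consume the
// input as typed argument values and pack them with the matching writers.
Outcome fuzzTyped(const std::vector<uint8_t>& in) {
    if (in.empty()) return PARSE_ERROR;
    Parcel p; uint32_t code = 1 + in[0] % 2;
    if (code == 1) p.writeString(std::string(in.begin() + 1, in.end()));
    else { p.writeInt32(in.size() > 1 ? in[1] : 0); p.writeInt32(in.size() > 2 ? in[2] : 0); }
    return onTransact(code, p);
}

struct Stats { int opaque = 0, typed = 0, total = 0; };

// Feed n pseudo-random inputs (xorshift64, fixed seed) to both strategies and count successes.
Stats runCampaign(int n, uint64_t seed) {
    Stats s; uint64_t x = seed ? seed : 1;
    auto next = [&]() { x ^= x << 13; x ^= x >> 7; x ^= x << 17; return x; };
    for (int i = 0; i < n; ++i) {
        std::vector<uint8_t> in(1 + next() % 16);
        for (auto& b : in) b = (uint8_t)next();
        s.total++;
        if (fuzzOpaque(in) == REACHED_LOGIC) s.opaque++;
        if (fuzzTyped(in) == REACHED_LOGIC) s.typed++;
    }
    return s;
}
```

In this model every typed input reaches the service logic, while most opaque inputs die on an unknown code or a string length that does not fit the buffer, which is the effect the thesis measures on real services.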
I was honored to be offered an internship to keep building this out, but unfortunately wasn’t able to take it due to time constraints. Maybe next time.

