Journal of Tsinghua University (Science and Technology)  2016, Vol. 56 Issue (5): 461-467    DOI: 10.16511/j.cnki.qhdxxb.2016.25.002
Information Security
Android application security vulnerability analysis framework based on feature matching
DONG Guowei, WANG Meilin, SHAO Shuai, ZHU Longhua
China Information Technology Security Evaluation Center, Beijing 100085, China
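Abstract (Chinese version): The number of applications on the Android platform is growing rapidly, and the accompanying security problems are increasing as well. However, most existing analysis tools only perform simple scans of applications and rarely involve deep data flow analysis, so some vulnerabilities cannot be found effectively. Based on a summary of the characteristics of known Android application vulnerabilities, this paper proposes a static analysis framework for Android application vulnerabilities. Seven classes of mainstream security vulnerability patterns are summarized at three levels: Manifest file scanning, dangerous-function analysis of Smali code, and data flow analysis. Vulnerability detection rules are built from these patterns and combined with static analysis techniques to analyze applications and find the security vulnerabilities in them. Experimental analysis of 323 Android applications shows that the framework's effective detection rate is above 70% and its false positive rate is below 30%. The framework can therefore effectively find common security vulnerabilities in Android applications and improve user security.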
Abstract: The number of Android applications is growing rapidly, bringing more and more security vulnerabilities. However, most existing tools only perform simple API scanning and rarely use data flow analysis, so some vulnerabilities cannot be found. This paper presents a static analysis framework for Android applications based on common vulnerability patterns. The analysis can detect 7 kinds of vulnerability patterns in Android apps using detection rules. Tests on 323 Android applications show that the framework can detect more than 70% of the vulnerabilities with less than 30% false positives, which shows that it can effectively detect common security vulnerabilities in Android apps.
Key words: Android app; security vulnerability; feature matching; static analysis
Received: 2016-01-15      Published: 2016-05-15
Chinese Library Classification (ZTFLH): TP393
Cite this article:
DONG Guowei, WANG Meilin, SHAO Shuai, ZHU Longhua. Android application security vulnerability analysis framework based on feature matching. Journal of Tsinghua University (Science and Technology), 2016, 56(5): 461-467.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.25.002  or  http://jst.tsinghuajournals.com/CN/Y2016/V56/I5/461
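  Fig. 1 Permission leak vulnerability in Android applications
  Fig. 2 Service declaration in an application's Manifest.xml file
  Fig. 3 Android application analysis framework based on feature matching
  Fig. 4 APK static analysis workflow
  Fig. 5 Data flow analysis workflow for Android applications
  Fig. 6 Common vulnerabilities in Android applications
  Table 1 Test results for flawed applications
  Table 2 Detection results for market applications
  Fig. 7 Application size versus analysis time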