- 2015
Design and Implementation of a Tool for Mining Capability Leak Vulnerabilities in Android Application Software
Abstract: Capability leak vulnerabilities on the Android platform can lead to serious harm such as privilege escalation and privacy leakage, and are often exploited by malware to bypass security mechanisms. To address this problem, this paper proposes CLDroid, a static-analysis-based tool for mining capability leak vulnerabilities. CLDroid uses a program slicing algorithm over the reverse control flow to extract program logic from source code, and uses a customizable security rule library to detect violations. Experimental results show that CLDroid can effectively discover capability leak vulnerabilities in Android source code and has good extensibility.
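As an added illustration (not CLDroid's code), the following Python sketch applies the idea in the abstract to a constructed, simplified component: each statement carries its data and control dependencies, a backward slice is computed from a sensitive call, and a rule flags that call as a capability leak when the component is exported and no caller-permission check appears in its slice. The statement model, the sink name, the sample handlers and the rule are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Stmt:
    sid: int
    text: str
    defs: frozenset = frozenset()   # variables written by this statement
    uses: frozenset = frozenset()   # variables read by this statement
    ctrl: int = 0                   # sid of the branch guarding this stmt (0 = none)
    check: bool = False             # True for a caller-permission test

def backward_slice(stmts, sink_id):
    """Statements the sink depends on via data flow or control flow."""
    by_id = {s.sid: s for s in stmts}
    sliced, work = set(), [sink_id]
    while work:
        sid = work.pop()
        if sid in sliced:
            continue
        sliced.add(sid)
        cur = by_id[sid]
        if cur.ctrl:                       # control dependence on the guarding branch
            work.append(cur.ctrl)
        for var in cur.uses:               # data dependence: last reaching definition
            for prev in reversed(stmts[:stmts.index(cur)]):
                if var in prev.defs:
                    work.append(prev.sid)
                    break
    return sliced

def find_capability_leaks(stmts, exported, sinks):
    # Rule: a sink in an exported component whose slice holds no permission check.
    if not exported:
        return []
    by_id = {s.sid: s for s in stmts}
    return [s.sid for s in stmts if s.text in sinks
            and not any(by_id[i].check for i in backward_slice(stmts, s.sid))]

# Constructed sample: an exported receiver forwarding intent data to SMS.
LEAKY = [
    Stmt(1, "num = intent.getStringExtra('num')", {"num"}, {"intent"}),
    Stmt(2, "body = intent.getStringExtra('body')", {"body"}, {"intent"}),
    Stmt(3, "sendTextMessage(num, body)", uses={"num", "body"}),
]
# Same logic, but the sink is guarded by a caller-permission check.
GUARDED = LEAKY[:2] + [
    Stmt(3, "checkCallingPermission(SEND_SMS) == GRANTED", check=True),
    Stmt(4, "sendTextMessage(num, body)", uses={"num", "body"}, ctrl=3),
]
SINKS = {"sendTextMessage(num, body)"}
```

Running `find_capability_leaks(LEAKY, True, SINKS)` reports statement 3, while the guarded variant and any non-exported component report nothing.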