Computer Science, 2020, Vol. 47, Issue (11A): 303-309. doi: 10.11896/jsjkx.200100122
赵赛1, 刘昊1, 王雨峰1, 苏航1, 燕季薇2,3
ZHAO Sai1, LIU Hao1, WANG Yu-feng1, SU Hang1, YAN Ji-wei2,3
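Abstract: The Android operating system provides rich mechanisms for passing messages between applications, among which intent-based communication is an important mechanism for communication between Android application components. This mechanism promotes collaboration between applications and reduces the burden on developers by increasing component reuse. However, this message-passing mechanism can be abused; for example, an application may send an erroneous message to a target application and cause the target application to crash. To address this problem, a fuzzing-based robustness testing method is proposed, and an intent fuzzing tool, ICCDroidFuzzer, is implemented. The method uses static analysis to obtain component-related information and construct a test suite, sends the test suite to the target components, and monitors the Android system log to determine whether runtime crashes occur. ICCDroidFuzzer was used to test 420 real-world commercial applications, and analysis of the experimental results revealed 19 kinds of exceptions that cause application crashes. The tool tests application robustness automatically and is suitable for testing large numbers of Android applications without human intervention.
CLC number: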
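The three stages named in the abstract (static extraction of component information, test-suite construction, log monitoring) in miniature, as an added example that is not ICCDroidFuzzer's code. The manifest, the package names and the logcat lines are constructed, and the choice of test intents (no action, then each declared action without data) is an assumption rather than the paper's generation strategy.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Constructed inputs for a hypothetical app (not from the paper): manifest, then logcat.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes"><application>
  <activity android:name=".ShareActivity"><intent-filter>
    <action android:name="android.intent.action.SEND"/></intent-filter></activity>
  <activity android:name=".SettingsActivity" android:exported="false"/>
  <service android:name=".SyncService" android:exported="true"/>
</application></manifest>"""
LOGCAT = """\
01-02 10:00:01.100  4321  4321 E AndroidRuntime: FATAL EXCEPTION: main
01-02 10:00:01.100  4321  4321 E AndroidRuntime: Process: com.example.notes, PID: 4321
01-02 10:00:01.101  4321  4321 E AndroidRuntime: java.lang.NullPointerException: constructed message
01-02 10:00:03.500  5000  5000 E AndroidRuntime: Process: com.example.other, PID: 5000
01-02 10:00:03.501  5000  5000 E AndroidRuntime: java.lang.IllegalStateException: constructed message"""
AM_VERB = {"activity": "start", "service": "startservice", "receiver": "broadcast"}
PROC = re.compile(r"AndroidRuntime: Process: ([\w.]+), PID: \d+")
EXC = re.compile(r"AndroidRuntime: ([\w.$]+(?:Exception|Error))\b")

def exported_components(manifest_xml):
    """Static step: list components that other apps can address."""
    root = ET.fromstring(manifest_xml)
    found = []
    for kind in AM_VERB:
        for node in root.iter(kind):
            actions = [a.get(NS + "name") for a in node.iter("action")]
            flag = node.get(NS + "exported")
            # No explicit flag: an intent filter exports it (default before Android 12).
            if flag == "true" or (flag is None and actions):
                found.append((kind, root.get("package") + "/" + node.get(NS + "name"), actions))
    return found

def build_test_suite(components):
    """Assumed strategy: an intent with no action, then each declared action without data."""
    return [["adb", "shell", "am", AM_VERB[kind], "-n", name] + (["-a", act] if act else [])
            for kind, name, actions in components for act in [None] + actions]

def crashes(logcat_text, package):
    """Monitoring step: top-level exception of every crash report for the package."""
    found, armed = [], False
    for line in logcat_text.splitlines():
        proc, exc = PROC.search(line), EXC.search(line)
        if proc:
            armed = proc.group(1) == package
        elif armed and exc:
            found.append(exc.group(1))
            armed = False  # keep only the first exception line of each report
    return found
```

Each entry returned by `build_test_suite` is an argument list suitable for `subprocess.run` against a test device or emulator; `crashes` is then run over the logcat output captured during that command.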