计算机科学 ›› 2016, Vol. 43 ›› Issue (9): 192-196.doi: 10.11896/j.issn.1002-137X.2016.09.038
王允超,魏强,武泽慧
WANG Yun-chao, WEI Qiang and WU Ze-hui
摘要: 针对Android应用程序组件间通信过程中的消息载体Intent有可能被攻击者构造进而引发组件被恶意注入的安全风险问题,提出了一种基于静态污点分析的检测方法。在构建Android应用的函数调用图和控制流图的基础上,通过跟踪应用组件内和组件间不可信Intent消息的污点传播过程,检测应用中潜在的Intent注入漏洞。用该方法对4类标准测试应用和50款第三方应用进行测试,实验结果表明了该方法的可行性和有效性。
| [1] Maji A K,Arshad F,Bagchi S,et al.An empirical study of the robustness of inter-component communication in Android[C]∥2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).IEEE,2012:1-12 [2] Sasnauskas R,Regehr J.Intent fuzzer:crafting intents of death[C]∥Proceedings of the 2014 Joint International Workshop on Dynamic Analysis (WODA) and Software and System Perfor-mance Testing,Debugging,and Analytics (PERTEA).ACM,2014:1-5 [3] Chin E,Felt A P,Greenwood K,et al.Analyzing inter-application communication in Android[C]∥Proceedings of the 9th International Conference on Mobile Systems,Applications,and Services.ACM,2011:239-252 [4] Lu L,Li Z,Wu Z,et al.Chex:statically vetting android apps for component hijacking vulnerabilities[C]∥Proceedings of the 2012 ACM Conference on Computer and Communications Securi-ty.ACM,2012:229-240 [5] Octeau D,McDaniel P,Jha S,et al.Effective inter-component communication mapping in android with epicc:An essential step towards holistic security analysis[C]∥USENIX Security 2013.2013:543-558 [6] Sagiv M,Reps T,Horwitz S.Precise interprocedural data flow analysis with applications to constant propagation[J].Theoretical Computer Science,1996,167(1):131-170 [7] Gallingani D,Gjomemo R,Venkatakrishnan V N,et al.Static detection and automatic exploitation of intent message vulnerabilities in Android applications.http://www.ieee-security.org/TC/spw2015/Most/papers/s3p1.pdf [8] Enck W,Octeau D,McDaniel P,et al.A Study of Android Application Security.http://www.usenix.org/legacy/events/secll/tech/full_papers/Enck.pdf [9] Takeshi Terada/Mitsui Bussan Secure Directions,Inc.Attacking Android browsers via intent scheme URLs.http://www.mbsd.jp/whitepaper/InterScheme.pdf [10] Wang R,Xing L,Wang X F,et al.Unauthorized origin crossing on mobile platforms:Threats and mitigation[C]∥Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security.ACM,2013:635-646 [11] Lam P,Bodden E,Lhoták O,et al.The Soot framework for Java program analysis:a retrospective[C]∥Cetus Users and Compi-ler Infastructure Workshop (CETUS 2011).2011 [12] Bartel A,Klein J,Le Traon Y,et al.Dexpler:converting android dalvikbytecode to jimple for static analysis with soot[C]∥Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis.ACM,2012:27-38 [13] Luo T,Hao H,Du W,et al.Attacks on WebView in the Android system[C]∥Proceedings of the 27th Annual Computer Security Applications Conference.ACM,2011:343-352 |
| No related articles found! |
|
||
首页