Computer Science, 2023, Vol. 50, Issue (7): 293-301. doi: 10.11896/jsjkx.221100147

• Information Security •

Locating Third-party Library Functions in Obfuscated Applications

YUAN Jiangfeng, LI Haoxiang, YOU Wei, HUANG Jianjun, SHI Wenchang, LIANG Bin

  1. School of Information, Renmin University of China, Beijing 100872, China
  • Received: 2022-11-17 Revised: 2023-03-27 Online: 2023-07-15 Published: 2023-07-05
  • About author: YUAN Jiangfeng, born in 1998, postgraduate, is a member of China Computer Federation. His main research interests include mobile security and program analysis. LIANG Bin, born in 1973, Ph.D, professor, is a member of China Computer Federation. His main research interests include software analysis, AI security and mobile security.
  • Author e-mail: 202225feng@ruc.edu.cn
  • Supported by:
    National Natural Science Foundation of China (U1836209, 62272465, 62002361) and CCF-Huawei Populus Euphratica Innovation Research Funding (CCF-HuaweiSE2021002).

Abstract: Third-party libraries are an important part of Android applications. When performing security enhancement or analysis based on application repackaging, it is often necessary to locate specific functions in a third-party library, which requires mapping functions in the library's source code to their positions in the disassembled code of the target application. In practice, many applications are obfuscated, which makes locating third-party library functions challenging. In the disassembled code of an obfuscated application, most of the features that could be used for location are eliminated, and the code becomes obscure and difficult to analyze. Without such clues, it is very difficult to identify a specific function in the huge code space. Existing studies of obfuscated applications focus only on identifying which third-party libraries an application contains, not on finer-grained, function-level identification. This paper presents a method for locating specific third-party library functions in obfuscated application code. First, the obfuscator and obfuscation parameters used by the target application are identified, so that the source code of the third-party library can be processed into code obfuscated in the same way as the target application; this stage is called obfuscation alignment. On this basis, location fingerprints are introduced into the functions to be located through static instrumentation, and their structural features after obfuscation are extracted to identify the location of those functions in the target application. Experiments show that the proposed method identifies the obfuscation tools and obfuscation parameters used by the target application with high accuracy, and accurately locates the third-party library functions of interest in popular obfuscated closed-source applications.

Key words: Android application, Repackaging, Obfuscation, Third-party library, Location

CLC Number:

  • TP309.2