计算机科学 ›› 2023, Vol. 50 ›› Issue (7): 293-301.doi: 10.11896/jsjkx.221100147
袁江风, 李昊翔, 游伟, 黄建军, 石文昌, 梁彬
YUAN Jiangfeng, LI Haoxiang, YOU Wei, HUANG Jianjun, SHI Wenchang, LIANG Bin
摘要: 第三方库是Android应用程序的重要组成部分。在对应用进行基于重打包技术的安全增强或分析时,往往需要定位第三方库中的一些特定函数,此时需要将第三方库源码中的函数映射到目标应用反汇编代码中,以找到其对应的位置。在实际工作中,很多应用经过了代码混淆,这给定位第三方库函数带来了挑战。在经过混淆处理的应用程序反汇编代码中,大部分可供定位的特征被消除,代码也变得晦涩、难以分析。在缺少线索的情况下,从庞大的代码空间中定位到一个特定的函数十分困难。目前对混淆后应用进行的分析仅仅关注识别应用程序中包含了哪些第三方库,而没有更细粒度的函数级别的识别。文中提出了一种在混淆后的应用代码中定位第三方库中特定函数的方法。首先,对应用所用到的混淆器和混淆参数进行识别,从而将第三方库源码处理成与目标应用相同混淆方式的代码,即混淆对齐;在此基础上,通过静态插桩在待定位的函数中引入查找特征,并抽取其混淆后的结构特征来从目标应用中最终识别出待定位的函数位置。实验结果表明,所提方法能以较高的正确率识别出目标应用所使用的混淆工具及混淆参数,且能准确定位流行的混淆闭源应用中感兴趣的第三方库函数。
中图分类号:
[1]DONG S,LI M,DIAO W,et al.Understanding Android obfuscation techniques:A large-scale investigation in the wild[C]//International Conference on Security and Privacy in Communication Systems.Cham:Springer,2018:172-192. [2]YOU G,KIM G,CHO S,et al.A Comparative Study on Optimization,Obfuscation,and Deobfuscation tools in Android[J].Journal of Internet Services and Information Security,2021,11(1):2-15. [3]AONZO S,GEORGIU G C,VERDERAME L,et al.Obfuscapk:An open-source black-box obfuscation tool for Android apps[J].SoftwareX,2020,11:100403. [4]BALACHANDRAN V,TAN D J J,THING V L L.Controlflow obfuscation for Android applications[J].Computers & Security,2016,61:72-93. [5]KOVACGEVA A.Efficient code obfuscation for Android[C]//International Conference on Advances in Information Technology.Cham:Springer,2013:104-119. [6]GUO R,LIU Q,ZHANG M,et al.A Survey of Obfuscation and Deobfuscation Techniques in Android Code Protection[C]//2022 7th IEEE International Conference on Data Science in Cyberspace(DSC).IEEE,2022:40-47. [7]YOU G,KIM G,PARK J,et al.Reversing obfuscated control flow structures in android apps using redex optimizer[C]//The 9th International Conference on Smart Media and Applications.2020:272-276. [8]YOU G,KIM G,HAN S,et al.Deoptfuscator:Defeating Ad-vanced Control-flow Obfuscation Using Android Runtime(ART)[J].IEEE Access,2022,10:61426-61440. [9]WERMKE D,HUAMAN N,ACAR Y,et al.A large scale investigation of obfuscation use in google play[C]//Proceedings of the 34th Annual Computer Security Applications Conference.2018:222-235. [10]ZHANG X,BREITINGER F,LUECHINGER E,et al.Android application forensics:A survey of obfuscation,obfuscation detection and deobfuscation techniques and their impact on investigations[J].Forensic Science International:Digital Investigation,2021,39:301285. [11]MAIORCA D,ARIU D,CORONA I,et al.Stealth attacks:An extended insight into the obfuscation effects on android malware[J].Computers & Security,2015,51:16-31. [12]WANG Y,ROUNTEV A.Who changed you? Obfuscator identification for Android[C]//2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems(MOBILESoft).IEEE,2017:154-164. [13]BICHSEL B,RAYCHEV V,TSANKOV P,et al.Statistical deobfuscation of android applications[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.2016:343-355. [14]MIRZAEI O,DE FUENTES J M,TAPIADOR J,et al.AndrODet:An adaptive Android obfuscation detector[J].Future Ge-neration Computer Systems,2019,90:240-261. [15]HUANG J,XUE B,JIANG J,et al.Scalably Detecting Third-Party Android Libraries With Two-Stage Bloom Filtering[J].IEEE Transactions on Software Engineering,2023,49(4):2272-2284. [16]ZHANG J,BERESFORD A R,KOLLMANN S A.Libid:reliable identification of obfuscated third-party android libraries[C]//Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis.2019:55-65. [17]WANG Y,WU H,ZHANG H,et al.Orlis:Obfuscation-resilient library detection for Android[C]//2018 IEEE/ACM 5th International Conference on Mobile Software Engineering and Systems(MOBILESoft).IEEE,2018:13-23. [18]ELSERSY W F,FEIZOLLAH A,ANUAR N B.The rise of obfuscated Android malware and impacts on detection methods[J].PeerJ Computer Science,2022,8:e907. [19]GRAUX P,LALANDE J F,TONG V V T.Obfuscated android application development[C]//Proceedings of the Third Central European Cybersecurity Conference.2019:1-6. [20]BAUMANN R,PROTSENKO M,MULLER T.Anti-proguard:Towards automated deobfuscation of android apps[C]//Proceedings of the 4th Workshop on Security in Highly Connected IT Systems.2017:7-12. [21]ZHANG Y,DAI J,ZHANG X,et al.Detecting third-party li-braries in android applications with high precision and recall[C]//2018 IEEE 25th International Conference on Software Analysis,Evolution and Reengineering(SANER).IEEE,2018:141-152. [22]MA Z,WANG H,GUO Y,et al.Libradar:fast and accurate detection of third-party libraries in android apps[C]//Proceedings of the 38th International Conference on Software Engineering Companion.2016:653-656. [23]BACKES M,BUGUEL S,DERR E.Reliable third-party library detection in android and its security applications[C]//Procee-dings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.2016:356-367. [24]JUNG J H,KIM J Y,LEE H C,et al.Repackaging attack on Android banking applications and its countermeasures[J].Wireless Personal Communications,2013,73(4):1421-1437. [25]LEE Y,WOO S,LEE J,et al.Enhanced Android app-repackaging attack on in-vehicle network[J].Wireless Communications and Mobile Computing,2019,2019:1-13. [26]MA H,LI S,GAO D,et al.Active warden attack:On the(in) effectiveness of Android app repackage-proofing[J].IEEE Tran-sactions on Dependable and Secure Computing,2021,19(5):3508-3520. [27]LI Y X,LIN B G.Design of application security policy reinforcement system based on Android repackaging[J].Netinfo Security,2014(1):5. [28]SALEM A,PAULUS F F,PRETSCHNER A.Repackman:A tool for automatic repackaging of android apps[C]//Proceedings of the 1st International Workshop on Advances in Mobile App Analysis.2018:25-28. |
|