A static technique for detecting input validation vulnerabilities in Android apps基于静态分析的Android应用软件输入验证漏洞挖掘技术

被引:0
作者
Zhejun Fang
Qixu Liu
Yuqing Zhang
Kai Wang
Zhiqiang Wang
Qianru Wu
机构
[1] University of Chinese Academy of Sciences,National Computer Network Intrusion Protection Center
[2] National Computer Network Emergency Response Technical Team/Coordination Center of China,State Key Laboratory of Information Security, Institute of Information Engineering
[3] Beijing Electronic Science and Technology Institute,undefined
[4] Chinese Academy of Sciences,undefined
来源
Science China Information Sciences | 2017年 / 60卷
关键词
input validation; static analysis; program slicing; vulnerability detection; Android security; 052111; 输入验证; 静态分析; 程序切片; 漏洞挖掘; Android安全;
D O I
暂无
中图分类号
学科分类号
摘要
Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.
引用
收藏
相关论文
共 11 条
  • [1] Mustafa T(2012)Understanding the implemented access control policy of Android system services with slicing and extended static checking Int J Inf Secur 14 347-366
  • [2] Sohr K(2014)Static detection of logic vulnerabilities in Java web applications Secur Commun Netw 7 519-531
  • [3] Fang Z J(2009)Understanding Android security IEEE Secur Priv 7 50-57
  • [4] Zhang Y Q(2014)XAS: Cross-API scripting attacks in social ecosystems Sci China Inf Sci 58 012101-undefined
  • [5] Kong Y(undefined)undefined undefined undefined undefined-undefined
  • [6] Enck W(undefined)undefined undefined undefined undefined-undefined
  • [7] Ongtang M M(undefined)undefined undefined undefined undefined-undefined
  • [8] Daniel P(undefined)undefined undefined undefined undefined-undefined
  • [9] Zhang Y Q(undefined)undefined undefined undefined undefined-undefined
  • [10] Liu Q X(undefined)undefined undefined undefined undefined-undefined
12