{"title":"Precise Command Injection Analysis in Android Applications","authors":"A. Maalouf, Lunjin Lu","doi":"10.1145/3459012.3459013","DOIUrl":null,"url":null,"abstract":"Android mobile applications are vulnerable to code injection attacks. We use taint analysis to approximate the parameters of a sensitive instruction that may originate from user input. We combine it with a string analysis based on automatons to over-approximate the values of the string variables in the program. Using information derived from these two analyses, we detect when untrusted input may be used to inject malicious code into the program, and when the attack patterns were removed using a sanitizer operation. The proposed approach was implemented on top of FlowDroid. Experimental results show that the resulting analyzer, , is very efficient at detecting command injection vulnerabilities.","PeriodicalId":397312,"journal":{"name":"Proceedings of the 5th International Conference on Management Engineering, Software Engineering and Service Sciences","volume":"55 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-01-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 5th International Conference on Management Engineering, Software Engineering and Service Sciences","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3459012.3459013","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
Abstract
Android mobile applications are vulnerable to code injection attacks. We use taint analysis to approximate the parameters of a sensitive instruction that may originate from user input. We combine it with a string analysis based on automatons to over-approximate the values of the string variables in the program. Using information derived from these two analyses, we detect when untrusted input may be used to inject malicious code into the program, and when the attack patterns were removed using a sanitizer operation. The proposed approach was implemented on top of FlowDroid. Experimental results show that the resulting analyzer, , is very efficient at detecting command injection vulnerabilities.