自动生成Android应用程序的功能泄漏漏洞

2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW) Pub Date : 2019-04-01 DOI:10.1109/ICSTW.2019.00068

Mingsong Zhou, Fanping Zeng, Yu Zhang, Chengcheng Lv, Zhao Chen, Guozhu Chen

{"title":"自动生成Android应用程序的功能泄漏漏洞","authors":"Mingsong Zhou, Fanping Zeng, Yu Zhang, Chengcheng Lv, Zhao Chen, Guozhu Chen","doi":"10.1109/ICSTW.2019.00068","DOIUrl":null,"url":null,"abstract":"The capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks' exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website https://youtu.be/dXFMNZWxEc0","PeriodicalId":310230,"journal":{"name":"2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Automatic Generation of Capability Leaks' Exploits for Android Applications\",\"authors\":\"Mingsong Zhou, Fanping Zeng, Yu Zhang, Chengcheng Lv, Zhao Chen, Guozhu Chen\",\"doi\":\"10.1109/ICSTW.2019.00068\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks' exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website https://youtu.be/dXFMNZWxEc0\",\"PeriodicalId\":310230,\"journal\":{\"name\":\"2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)\",\"volume\":\"38 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-04-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICSTW.2019.00068\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSTW.2019.00068","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

Android应用程序的性能泄漏是一种严重的安全漏洞。它导致其他应用程序利用它的功能来实现他们的非法目标。本文提出了一种基于路径敏感符号执行的静态分析和测试工具，可以自动生成Android应用程序的能力泄漏漏洞。它可以帮助减少漏洞分析的误报，并帮助工程师发现漏洞。我们利用控制流图(CFG)缩减和调用图(CG)搜索优化来优化符号执行，使我们的工具适用于实际应用。通过对豌豆荚(国内著名的应用市场)2017年的439个热门应用进行分析，我们发现了16种权限的2239个能力漏洞。每个应用程序的平均分析时间为4分钟。演示视频可在网站https://youtu.be/dXFMNZWxEc0上找到

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Automatic Generation of Capability Leaks' Exploits for Android Applications

The capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks' exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website https://youtu.be/dXFMNZWxEc0

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)

自引率

0.00%

发文量