CN111859380A - Zero false alarm detection method for Android App vulnerability - Google Patents


Info

Publication number
CN111859380A
Authority
CN
China
Prior art keywords
vulnerability
app
target
function
android
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910338043.3A
Other languages
Chinese (zh)
Inventor
梁洪亮
杨天琪
姜琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiuzhou Zhengan Technology Co Ltd
Original Assignee
Beijing Jiuzhou Zhengan Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-04-25
Filing date
2019-04-25
Publication date
2020-10-30
2019-04-25: Application filed by Beijing Jiuzhou Zhengan Technology Co Ltd
2019-04-25: Priority to CN201910338043.3A
2020-10-30: Publication of CN111859380A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A zero false alarm detection method for Android App vulnerabilities comprises the following steps: step 1) analyzing empirical knowledge of Android App vulnerabilities (such as vulnerability attack paths, CVE reports and the like) and summarizing a comprehensive description of how each vulnerability is detected and triggered; step 2) extracting App features, statically searching for vulnerability attributes and for the field values needed to construct test cases and triggers; step 3) using symbolic execution to explore path constraints and filter out invalid field values from step 2); step 4) dynamically generating test cases and triggers, and triggering the target App; step 5) performing dynamic binary instrumentation on the entry function and the target function of the target App; and step 6) judging that the vulnerability exists if the behavior of the target function matches the vulnerability behavior. The invention summarizes the information needed to detect and trigger a vulnerability by analyzing empirical knowledge of the vulnerability, and detects and verifies the vulnerability by combining static analysis, symbolic execution and dynamic binary instrumentation, thereby achieving zero false alarms in detection.

Description

Zero false alarm detection method for Android App vulnerability
Technical Field
The invention relates to a zero false alarm detection method for Android App vulnerabilities, which is mainly applied to the development of vulnerability detection systems for Android Apps.
Background
Static analysis technique: static analysis, or static detection for short, is a white-box testing technique. It does not require the system to be running; instead, only the source code of the application is subjected to lexical analysis, syntactic analysis, data flow analysis and other operations, and from the results it is determined whether the source code of the target application conforms to standards, whether the application has security threats, whether its reliability and maintainability meet certain standards, and so on. Common static code analysis techniques include lexical and syntactic analysis, control flow analysis and data flow analysis. One advantage of static code analysis is that it does not require the application to be run: detection is possible as long as the program source code is available. However, without running the program, relying on simple code analysis may produce a higher false alarm rate, because the analysis cannot prove that a bug really exists, which ultimately affects the accuracy of bug detection.
Dynamic analysis technique: a vulnerability detection technique that automatically tests a target application that is already running, without changing the source code, or even without the source code being visible. It works mainly by changing the execution environment of the application: the target system is debugged and run while illegal input data, or user input constructed with an attack purpose, is supplied, and whether the tested system has a security vulnerability is judged from the run result. Dynamic analysis has higher accuracy but lower operating efficiency: it can only perform individual scan tests on each functional module of an application, rather than scanning it uniformly as a whole system.
Symbolic execution technique: symbolic execution is a technique for precisely computing program variables. It replaces program variables with abstract symbols and simulates program execution; at the end, every program variable is an expression over those symbols, which is then solved by a constraint-solving engine to obtain deep semantic information. Symbolic execution can find the essential constraint relations among variables in complex data dependencies, with higher precision than taint propagation analysis, and this precise data flow analysis helps in understanding the internal logic of a program; while simulating the program run, symbolic execution also records all constraint conditions on the execution path exactly, which improves the accuracy with which path reachability is determined in control flow analysis. Its disadvantages are: the execution path space explosion problem is difficult to solve; a powerful symbolic computation system is required, placing high demands on hardware computing capacity; loops and recursion are hard to handle, because the value of the termination condition often cannot be determined exactly; and symbolic execution is efficient for basic data types but has difficulty with complex structured data types (such as arrays).
Dynamic binary instrumentation technique: dynamic binary instrumentation appends instructions at specific locations in a running program. It does not modify the binary itself, but rather the memory image mapped into the process address space at run time. Its advantage is that no preparation (such as recompilation or re-linking) is needed for the target program; static instrumentation also has difficulty distinguishing code from data in a binary, whereas dynamic instrumentation handles this easily. Its drawbacks are: the instrumentation overhead is incurred while the program is running, making execution very slow; and dynamic instrumentation is harder to implement, since rewriting executable code at run time is not easy and interference with the program's own execution must be avoided while instructions are added.
Most existing Android App vulnerability detection tools use static analysis and dynamic analysis: static analysis tools cannot verify vulnerabilities in the running state and have a high false alarm rate, while dynamic analysis tools can verify vulnerabilities but generate test cases blindly and operate inefficiently.
Disclosure of Invention
In view of the above, the main object of the present invention is to provide a zero false alarm detection method for Android App vulnerabilities. The method generates effective test cases and triggers for specific vulnerability types, and verifies whether a vulnerability exists by dynamically triggering the target App, so that zero false reports and efficient vulnerability detection are achieved.
In order to achieve this purpose, the invention adopts the following technical scheme: an Android App vulnerability detection method combining static analysis, symbolic execution and dynamic binary instrumentation, the method comprising the steps of:
step 1) analyzing empirical knowledge of Android App vulnerabilities (such as vulnerability attack paths, CVE reports and the like), and summarizing a comprehensive description of how the vulnerability is detected and triggered;
step 2) extracting App features, statically searching for vulnerability attributes and for the field values needed to construct test cases and triggers;
step 3) using symbolic execution to explore path constraints and filter out invalid field values from step 2);
step 4) dynamically generating test cases and triggers, and triggering the target App;
step 5) instrumenting the entry function and the target function of the target App;
and step 6) judging that the vulnerability exists if the behavior of the target function matches the vulnerability behavior.
Compared with the prior art, the invention has the following advantages: it combines static and dynamic analysis, performing vulnerability verification on top of vulnerability detection, which improves the accuracy of vulnerability detection and solves the high false alarm rate of existing vulnerability detection methods. In addition, the invention uses symbolic execution to guide test case generation, which reduces the number of invalid test cases and improves the efficiency of vulnerability detection.
Drawings
FIG. 1 is a flow chart of the method of the present invention
FIG. 2 is an architecture diagram of the symbolic execution module of the present invention
FIG. 3 is an architecture diagram of the dynamic binary instrumentation module of the present invention
Detailed Description
As shown in FIG. 1, the implementation steps of the present invention are as follows:
1. Analyze the empirical knowledge of the Android App vulnerability and summarize a comprehensive description of how the vulnerability is detected and triggered
By analyzing the attack paths of the vulnerability, CVE reports, Android development documentation and other empirical knowledge, the method summarizes a comprehensive description of how the vulnerability is detected and triggered and describes the vulnerability type comprehensively. The summarized information includes: (1) the component, i.e. the object in the Android App that carries the vulnerability; (2) the attributes, i.e. the conditions required for the vulnerability to arise; (3) the entry functions, i.e. the set of functions of the component in (1) that a developer can override and that accept external input; (4) the target functions, i.e. the set of functions that can trigger the vulnerability; they are typically system functions that perform security-sensitive operations, such as accessing local or remote resources; (5) the related functions, i.e. the set of functions that have a data flow relation with the target function; (6) the test case template, i.e. the form of the parameters passed to the entry function of the target App; and (7) the trigger template, i.e. the code logic that sends a test case to the target App and calls the entry function of the target App.
2. App feature extraction, static search for vulnerability attributes and for the field values needed to construct test cases and triggers
The method first decompiles the target App to obtain its AndroidManifest.xml file and smali code. It then searches the decompiled files for the vulnerability attribute; if the attribute exists, the target App is treated as a potentially vulnerable App and queued for subsequent dynamic verification. Guided by the test case template and the trigger template, the method statically searches for the field values that will be needed, such as the package name and component names in the AndroidManifest. At the same time, a control flow graph and a function call graph are constructed for use in the subsequent steps.
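As an added example (not the patent's own code), the following Python shows how the static search of step 2 could be carried out on a decompiled AndroidManifest.xml: it looks for the vulnerability attribute and collects the package name, component names, actions and data schemes that later fill the test case template. The manifest, the package and component names, and the choice of "exported component" as the vulnerability attribute are all constructed for illustration; the patent does not specify which attribute is searched for.

```python
"""Step 2, as an added example: static search of a decompiled
AndroidManifest.xml for the vulnerability attribute (here assumed to be an
exported component) and for the field values a test-case template needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified attribute key for android:<name>, as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest standing in for the one obtained by decompiling.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".OpenActivity">
      <intent-filter>
        <action android:name="com.example.OPEN"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="file"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.INTERNAL"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.app.SyncService" android:exported="true"/>
    <receiver android:name=".PrivateReceiver"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def qualify(package, name):
    """Expand a shorthand component name ('.Foo' or 'Foo') to its full class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def is_exported(elem):
    """Assumed vulnerability attribute: the component is reachable from other
    apps. An explicit android:exported wins; otherwise a component that
    declares an intent-filter is treated as exported, which is the default
    Android applied before API level 31 made the attribute mandatory."""
    exported = elem.get(android_attr("exported"))
    if exported is not None:
        return exported == "true"
    return elem.find("intent-filter") is not None


def find_candidates(manifest_xml):
    """Return one record per exported component with the field values
    (package, component, actions, data schemes) used to fill templates."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    candidates = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        candidates.append({
            "package": package,
            "component": qualify(package, elem.get(android_attr("name"))),
            "kind": elem.tag,
            "actions": [a.get(android_attr("name")) for a in elem.iter("action")],
            "schemes": [d.get(android_attr("scheme"))
                        for d in elem.iter("data") if d.get(android_attr("scheme"))],
        })
    return candidates


if __name__ == "__main__":
    for c in find_candidates(MANIFEST_XML):
        print(c["kind"], c["component"], c["actions"], c["schemes"])
```

On the constructed manifest the search yields two candidates, OpenActivity (exported implicitly through its intent-filter) and SyncService (exported explicitly); the activity marked exported="false" and the receiver without an intent-filter are not candidates and need no dynamic verification.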
3. Use symbolic execution to explore path constraints and filter the invalid field values from step 2)
The present invention generates a function call graph and a control flow graph for each pair of entry function and target function, and then explores paths with symbolic execution. The object of symbolic execution is the smali code; path exploration and constraint collection from the entry function of the vulnerability to the target function are realized by simulating the relevant Android APIs and smali instructions. The symbolic execution module comprises four components: a state saver, a state searcher, a simulator and a solver. The state saver holds all execution states of the execution process, where a state, i.e. an execution path of a smali method, contains execution information such as symbolic values, path constraints, the program counter register and other variables. The state searcher is responsible for scheduling states and selecting the state to execute. For a selected state, the simulator simulates the execution of its instructions. The solver is used to check whether the constraints of a state are solvable; if they are, the corresponding path is reachable, and the simulator copies a new state and adds it to the state saver. After exploring the paths between the entry function and the target function, the module returns the path constraints and their solutions. Using the constraints and solutions, the invention filters out the field values of invalid test cases, reducing the number of invalid test cases and improving the effectiveness of the test cases.
4. Dynamically generate test cases and triggers, and trigger the target App
The invention enumerates each field value of the test case, fills in the test case template using permutation and combination, and generates a group of related test cases for each entry function and target function pair. Similarly, the invention instantiates a trigger for each class of vulnerability by populating the trigger template with the test cases. By running the trigger dynamically, the test cases are sent to the target App, and the entry function in the target App is thereby triggered.
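The symbolic execution module of step 3, the template filling of step 4, and the symbolic execution technique summarized in the Background can be illustrated together. The following Python is an added example, not code from the patent: it runs a toy state saver, state searcher, simulator and solver over a constructed entry method written in a miniature instruction set standing in for smali, solves the constraints of the path that reaches the target function against the field values of step 2, and fills a test case template only with the values that survive. The method body, the field values, the template and the enumeration-based solver are all assumptions of the example; a real implementation simulates smali instructions and Android APIs and calls an SMT solver.

```python
"""Steps 3 and 4, as an added example: toy symbolic exploration from an entry
function to a target function, solving the collected path constraints against
the field values gathered statically, and instantiating test cases from a
template with the surviving values only."""
import itertools
from dataclasses import dataclass, field

# Constructed entry method in a toy instruction set standing in for smali.
#   ("if", var, op, const, label)  branch to label when  var op const  holds
#   ("label", name)  ("goto", label)  ("invoke", method)  ("return",)
ENTRY_METHOD = [
    ("if", "action", "==", "com.example.OPEN", "L_open"),
    ("return",),
    ("label", "L_open"),
    ("if", "scheme", "!=", "file", "L_reject"),
    ("invoke", "loadFile"),          # the target (security-sensitive) function
    ("return",),
    ("label", "L_reject"),
    ("return",),
]

# Candidate field values found in step 2 (constructed).
DOMAINS = {
    "action": ["com.example.OPEN", "android.intent.action.VIEW"],
    "scheme": ["file", "content", "http"],
}

# Test-case template: None marks the fields to be filled (constructed).
TEST_CASE_TEMPLATE = {
    "package": "com.example.app",
    "component": "com.example.app.OpenActivity",
    "action": None,
    "scheme": None,
}


@dataclass
class State:
    """One execution path: program counter plus collected path constraints."""
    pc: int
    constraints: list = field(default_factory=list)


def holds(value, op, const):
    return value == const if op == "==" else value != const


def solve(constraints, domains):
    """Toy solver: enumerate the finite candidate domains and return every
    assignment satisfying all constraints (a real system uses an SMT solver)."""
    names = sorted(domains)
    solutions = []
    for combo in itertools.product(*(domains[n] for n in names)):
        env = dict(zip(names, combo))
        if all(holds(env[v], op, c) for v, op, c in constraints):
            solutions.append(env)
    return solutions


def explore(method, target, domains):
    """Return the path constraints of every feasible path reaching `target`."""
    labels = {ins[1]: i for i, ins in enumerate(method) if ins[0] == "label"}
    saver = [State(0)]           # state saver: all pending execution states
    reaching = []
    while saver:
        st = saver.pop()         # state searcher: depth-first scheduling
        ins = method[st.pc]
        if ins[0] == "return":
            continue
        if ins[0] == "label":
            saver.append(State(st.pc + 1, st.constraints))
        elif ins[0] == "goto":
            saver.append(State(labels[ins[1]], st.constraints))
        elif ins[0] == "invoke":
            if ins[1] == target:
                reaching.append(st.constraints)
            else:
                saver.append(State(st.pc + 1, st.constraints))
        else:                    # simulator: fork on a conditional branch
            _, var, op, const, label = ins
            negated = "!=" if op == "==" else "=="
            taken = State(labels[label], st.constraints + [(var, op, const)])
            fallthrough = State(st.pc + 1, st.constraints + [(var, negated, const)])
            for s in (taken, fallthrough):
                if solve(s.constraints, domains):   # solver: keep reachable only
                    saver.append(s)
    return reaching


def filter_field_values(paths, domains):
    """Keep only field values that appear in some solution of some path."""
    valid = {name: [] for name in domains}
    for constraints in paths:
        for env in solve(constraints, domains):
            for name, value in env.items():
                if value not in valid[name]:
                    valid[name].append(value)
    return valid


def generate_test_cases(template, values):
    """Fill the template with every combination of the given field values."""
    names = [k for k, v in template.items() if v is None]
    cases = []
    for combo in itertools.product(*(values[n] for n in names)):
        case = dict(template)
        case.update(zip(names, combo))
        cases.append(case)
    return cases


if __name__ == "__main__":
    paths = explore(ENTRY_METHOD, "loadFile", DOMAINS)
    valid = filter_field_values(paths, DOMAINS)
    print("unfiltered:", len(generate_test_cases(TEST_CASE_TEMPLATE, DOMAINS)))
    print("after symbolic filtering:", generate_test_cases(TEST_CASE_TEMPLATE, valid))
```

Without filtering, two actions and three schemes give six test cases; after solving the path constraints only the one combination that reaches loadFile remains, which is the reduction of invalid test cases the step describes. States whose constraints have no solution are dropped before they are scheduled, which is where a full implementation would also bound the path explosion discussed in the Background.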
5. Dynamic binary instrumentation of the entry function and target function of the target App
The invention uses an instrumenter for dynamic binary instrumentation. The instrumenter has two main parts: an instrumenter client and an instrumenter server. In the client, instrumentation policies for the entry function and the target function are established. First a package name and class name must be provided to locate the method. In addition, because methods may be overloaded, the method establishes a parameter-based policy to distinguish overloads. Finally, the invention implements the instrumentation logic that modifies the parameters of the entry function and obtains behavior information from the target function. The client provides the instrumentation policy to the server. In the server, an inline hook mechanism is used in the native layer and a Java reflection hook mechanism in the Java layer. Based on the instrumentation policy, the server deploys probes: instrumentation of the entry function replaces the incoming parameters with the test case, and instrumentation of the target function dynamically traces the function's behavior. After the behavior of the target function is obtained, the server transmits it to the client.
6. Determine vulnerabilities and generate reports
In order to verify the vulnerability, a vulnerability decision rule is customized for each vulnerability. On the one hand, if the target application satisfies the vulnerability attribute, it is considered a candidate with the vulnerability. On the other hand, the target function behaviors obtained through dynamic binary instrumentation comprise the call stack, the received parameters and the return value; if the function behavior matches the vulnerability behavior, the vulnerability verification succeeds, the vulnerability is proven to really exist, and a vulnerability report is generated.
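Steps 5 and 6, as an added Python example that is not the patent's code: the instrumentation policy the client hands to the server (package, class, method and parameter types, so that overloads are told apart), the behavior record a target probe returns (call stack, received parameters, return value), and a decision rule that confirms the vulnerability only for a static candidate whose traced behavior matches. Class, method and file names and the traces are constructed; the three predicates forming the rule are one plausible instantiation of the "behavior matches the vulnerability behavior" check, which the patent says is customized per vulnerability.

```python
"""Steps 5 and 6, as an added example: instrumentation policy, behaviour
record returned by a target probe, and the per-vulnerability decision rule
that confirms a vulnerability only when a traced behaviour matches."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HookPolicy:
    """Locates one method to instrument. Package and class name find the
    class; the parameter type list tells overloads apart. role is "entry"
    (rewrite incoming parameters with the test case) or "target" (trace)."""
    package: str
    clazz: str
    method: str
    param_types: tuple
    role: str

    def matches(self, clazz, method, param_types):
        return (clazz == self.clazz and method == self.method
                and tuple(param_types) == self.param_types)


@dataclass(frozen=True)
class Behavior:
    """What the target-function probe reports back to the client."""
    clazz: str
    method: str
    param_types: tuple
    call_stack: tuple
    args: dict
    ret: object


# Constructed policies for one vulnerability class (hypothetical names).
ENTRY = HookPolicy("com.example.app", "com.example.app.OpenActivity",
                   "onCreate", ("android.os.Bundle",), "entry")
TARGET = HookPolicy("com.example.app", "com.example.app.FileLoader",
                    "loadFile", ("java.lang.String",), "target")


# Vulnerability behaviour rule: every predicate must hold for a behaviour.
def reached_from_entry(b, test_case):
    """The target was called on a path that passed through the entry function."""
    return (ENTRY.clazz + "." + ENTRY.method) in b.call_stack


def consumed_test_input(b, test_case):
    """The value the trigger supplied reached the target's parameters unchanged."""
    return test_case["path"] in b.args.values()


def operation_succeeded(b, test_case):
    """The sensitive operation did not fail, so the input was not rejected."""
    return b.ret is True


RULE = (reached_from_entry, consumed_test_input, operation_succeeded)


def decide(candidate, behaviors, rule, test_case):
    """Step 6: confirm the vulnerability only for a static candidate whose
    traced target behaviour matches every predicate of the rule.
    Returns (confirmed, matching behaviour or None)."""
    if not candidate:
        return False, None
    for b in behaviors:
        if not TARGET.matches(b.clazz, b.method, b.param_types):
            continue
        if all(pred(b, test_case) for pred in rule):
            return True, b
    return False, None


def report(confirmed, behavior, test_case):
    """Vulnerability report built from the confirming behaviour."""
    if not confirmed:
        return {"vulnerable": False}
    return {"vulnerable": True, "test_case": test_case,
            "target": TARGET.clazz + "." + TARGET.method,
            "call_stack": list(behavior.call_stack), "args": behavior.args}


# Constructed test case and traces, as the instrumenter server would return them.
TEST_CASE = {"action": "com.example.OPEN", "path": "/sdcard/Download/input.txt"}
TRACES = [
    # internal use of the target, not caused by the test case: must not match
    Behavior("com.example.app.FileLoader", "loadFile", ("java.lang.String",),
             ("com.example.app.SyncService.onStartCommand",
              "com.example.app.FileLoader.loadFile"),
             {"path": "/data/data/com.example.app/files/cache.bin"}, True),
    # the entry function forwarded the test-case value to the target: matches
    Behavior("com.example.app.FileLoader", "loadFile", ("java.lang.String",),
             ("com.example.app.OpenActivity.onCreate",
              "com.example.app.FileLoader.loadFile"),
             {"path": "/sdcard/Download/input.txt"}, True),
]

if __name__ == "__main__":
    print(report(*decide(True, TRACES, RULE, TEST_CASE), TEST_CASE))
```

The first trace shows why the call stack belongs in the behavior record: the target function is also used legitimately inside the app, and a rule that looked only at the target's parameters would report it. Both the static attribute and a matching trace are required, so an app that merely has the attribute, or a trace where the operation was rejected, produces no report.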

Claims (7)

1. A zero false alarm detection method for Android App vulnerabilities, characterized by comprising the following steps:
step 1) analyzing empirical knowledge of Android App vulnerabilities (such as vulnerability attack paths, CVE reports and the like), and summarizing a comprehensive description of how the vulnerability is detected and triggered;
step 2) extracting App features, statically searching for vulnerability attributes and for the field values needed to construct test cases and triggers;
step 3) using symbolic execution to explore path constraints and filter out invalid field values from step 2);
step 4) dynamically generating test cases and triggers, and triggering the target App;
step 5) instrumenting the entry function and the target function of the target App;
and step 6) judging that the vulnerability exists if the behavior of the target function matches the vulnerability behavior.
2. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that in step 1) the empirical knowledge of Android App vulnerabilities (such as vulnerability attack paths, CVE reports, etc.) is analyzed and a comprehensive description of how the vulnerability is detected and triggered is summarized; by comprehensively analyzing the attack paths and the like of the Android App vulnerability, the components, attributes, entry functions, target functions, related functions, test case templates and trigger templates (vulnerability-triggering App templates) are summarized, and the conditions under which the vulnerability arises and its trigger conditions are formally described.
3. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that step 2) comprises App feature extraction and static search for vulnerability attributes and for the field values needed to construct test cases and triggers; the target App is decompiled to obtain its AndroidManifest.xml file and smali code; the decompiled files are checked for vulnerability attributes, and if present, the field values needed by the test cases and triggers are searched for; at the same time, a control flow graph and a function call graph are constructed for use in the subsequent steps.
4. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that step 3) uses symbolic execution to explore path constraints and filters out the invalid field values from step 2); by symbolically executing the smali code, the relevant Android APIs and smali instructions are simulated, path exploration and constraint collection from the entry function to the target function are achieved, invalid test case field values are filtered out, the number of invalid test cases is reduced, and the effectiveness of the test cases is improved.
5. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that step 4) dynamically generates test cases and triggers, and triggers the target App; a group of related test cases is generated for each entry function and target function pair, and a trigger is generated for each type of vulnerability; by running the trigger dynamically, the test cases are sent to the target App, and the entry function in the target App is thereby triggered.
6. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that step 5) instruments the entry function and the target function of the target App; the entry function and the target function of the target App are instrumented using dynamic binary instrumentation, the instrumented entry function replaces the incoming parameters with the test case, and the instrumented target function dynamically traces the function behavior.
7. The zero false alarm detection method for Android App vulnerabilities according to claim 1, characterized in that in step 6) the vulnerability is determined to exist if the behavior of the target function matches the vulnerability behavior; according to the decision rule summarized for the vulnerability, if the function behavior traced by the instrumentation matches the vulnerability behavior, the vulnerability verification succeeds and the vulnerability is proven to really exist, achieving vulnerability detection with zero false alarms.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910338043.3A CN111859380A (en) 2019-04-25 2019-04-25 Zero false alarm detection method for Android App vulnerability


Publications (1)

Publication Number Publication Date
CN111859380A true CN111859380A (en) 2020-10-30

Family

ID=72951299

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910338043.3A Pending CN111859380A (en) 2019-04-25 2019-04-25 Zero false alarm detection method for Android App vulnerability

Country Status (1)

Country Link
CN (1) CN111859380A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112819336A (en) * 2021-02-03 2021-05-18 国家电网有限公司 Power monitoring system network threat-based quantification method and system
CN112819336B (en) * 2021-02-03 2023-12-15 国家电网有限公司 Quantification method and system based on network threat of power monitoring system
CN113157590A (en) * 2021-05-20 2021-07-23 中国工商银行股份有限公司 Test case generation method and device
CN115277069A (en) * 2022-06-17 2022-11-01 江苏通付盾信息安全技术有限公司 Application software network security detection platform and method
CN114968826A (en) * 2022-07-28 2022-08-30 深圳开源互联网安全技术有限公司 Application program bug repair verification method and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination