CN107341403B - File conversion method and device - Google Patents


Info

Publication number
CN107341403B
Authority
CN
China
Prior art keywords
file
angr
dex
android application
framework
Prior art date
Legal status
Active
Application number
CN201710607870.9A
Other languages
Chinese (zh)
Other versions
CN107341403A (en)
Inventor
胡昌振
马锐
王夏菁
王赫晨
赵小林
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT
Priority to CN201710607870.9A
Publication of CN107341403A
Application granted
Publication of CN107341403B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/12 Use of codes for handling textual entities
    • G06F40/151 Transformation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention discloses a file conversion method and device applied to the binary file analysis framework angr. The method comprises the following steps: acquiring the dex file of the Android application to be detected; converting the dex file into a first file in a binary format supported by the angr framework; and loading the first file into the angr framework, performing symbolic execution analysis on it, and using the result of that analysis to assist in judging whether the Android application under test has a vulnerability. With this scheme, the executable file of an Android application is converted so that it can be loaded into the angr framework, and symbolic-execution-based vulnerability detection is performed on the Android application with angr. This provides a new approach to Android application vulnerability detection and helps secure Android applications.

Description

File conversion method and device
Technical Field
The invention relates to the technical field of information security, in particular to a file conversion method and device.
Background
With the development of Internet and mobile terminal technology, the security problems and hidden dangers of mobile terminals are becoming more and more serious. Mobile terminals running the Android system are a particular concern: because the Android source code is open, the risks of applications developed on it attract attention. The Android system has a well-designed security architecture, but an attacker can still bypass some of its protection mechanisms by exploiting vulnerabilities.
Because of this, large numbers of malicious programs and security incidents are built around security vulnerabilities. Security vulnerabilities are therefore a key factor affecting the security of the Android system, and how to mine them effectively is a technical problem that practitioners urgently need to solve.
Disclosure of Invention
The invention provides a file conversion method and a file conversion device for mining security vulnerabilities of the Android system, enhancing the security of mobile terminals running the Android system, and protecting user privacy data from being stolen by attackers.
According to one aspect of the present invention, there is provided a file conversion method applied in the binary file analysis framework angr, comprising:
acquiring a dex file of an Android application to be detected;
converting the dex file into a first file in a binary format supported by the angr framework;
and loading the first file into the angr framework, performing symbolic execution analysis on the first file, and assisting in judging whether the Android application has a vulnerability according to the result of the symbolic execution analysis.
According to another aspect of the present invention, there is provided a file conversion apparatus applied in the binary file analysis framework angr, comprising:
a file acquisition module for acquiring a dex file of the Android application to be detected;
a file conversion module for converting the dex file into a first file in a binary format supported by the angr framework;
and a detection determining module for loading the first file into the angr framework, performing symbolic execution analysis on the first file, and assisting in judging whether the Android application has a vulnerability according to the result of the symbolic execution analysis.
The beneficial effects of the invention are as follows. The file conversion method and device of the embodiments are applied to the binary file analysis framework angr: the dex file of the Android application to be detected is obtained, converted into a first file in a binary format supported by angr, and loaded into angr for symbolic execution analysis, and the result of that analysis assists in judging whether the application has a vulnerability. This solves the problem that the existing angr framework, which does not support the bytecode file of Android applications, cannot perform symbolic execution analysis on them. It also provides a new approach to Android application vulnerability detection, enhances the security of mobile terminals running Android, protects user privacy data from theft and leakage, and improves the user experience of the mobile terminal.
Drawings
FIG. 1 is a flowchart illustrating a file conversion method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a file acquisition flow according to an embodiment of the invention;
FIG. 3 is a flow diagram of APK file conversion;
FIG. 4 is a schematic diagram illustrating a conversion flow of a dex file;
FIG. 5 is a block diagram of a file conversion apparatus according to an embodiment of the present invention.
Detailed Description
The design concept of the invention is as follows. The angr framework can perform symbolic execution analysis on different types of binary files: its loader can load many kinds of binaries and automatically identifies and matches the appropriate back-end loader according to the type of the binary. However, Android bytecode is special: it runs in the Dalvik virtual machine, unlike Java bytecode, which runs in the JVM. As a result, the angr loader does not recognise the executable file of an Android application, i.e. the application's dex file cannot be loaded by angr. For this reason the angr framework cannot perform symbolic execution analysis on Android applications and so cannot detect whether an Android application has a vulnerability.
The embodiment of the invention processes the executable file of the Android application so that it can be loaded into the angr framework. angr thus becomes applicable to the Android system of a mobile terminal, the Android system can be subjected to symbolic-execution-based vulnerability detection, and the security of the Android system is improved.
For ease of understanding, a few terms used in the embodiments of the present invention are briefly described.
angr framework: angr is an automated binary analysis framework that integrates several binary analysis techniques and has both dynamic symbolic execution and static analysis capabilities for binary programs. angr was originally used to find backdoors in programs and is now applied to vulnerability analysis. angr is implemented in Python, has good compatibility, supports multiple platforms and architectures, and can currently analyse many kinds of binary files.
Symbolic execution: symbolic execution is a technique for traversing the execution space of a program and has important applications in software security, malicious code analysis, program debugging and similar fields. Symbolic execution replaces program variables with abstract symbols; on each path, a symbolic computation engine performs semantic operations on those symbols according to the semantics of the program, simulating the program's execution. Symbolic execution can be divided into intra-procedural and inter-procedural analysis and, according to whether the program is actually executed, into static and dynamic symbolic execution.
Symbolic execution in the angr framework consists of four parts: a loader that can load almost any binary file; a translator that converts the binary into an intermediate language; a symbolic execution engine that runs on the intermediate language; and a constraint solver.
Android application: Android is a free and open-source Linux-based operating system used mainly on mobile devices such as smartphones and tablets. An Android application is a program running on the Android operating system; this includes both system applications and ordinary applications.
FIG. 1 is a schematic flow diagram of a file conversion method according to an embodiment of the present invention. Referring to FIG. 1, the file conversion method of this embodiment is applied to the binary file analysis framework angr and comprises:
Step S101, acquiring a dex file of an Android application to be detected.
dex is short for Dalvik VM executable. It is the executable file format of the Android platform (the Dalvik virtual machine), comparable to an exe file on the Windows platform. Every APK (Android Package) installation package contains a dex file, all of the application's code is contained in it, and the corresponding Java source code can be recovered with a decompilation tool.
Step S102, converting the dex file into a first file in a binary format supported by the angr framework.
Step S103, loading the first file into the angr framework, performing symbolic execution analysis on the first file, and assisting in judging whether the Android application has a vulnerability according to the result of the symbolic execution analysis.
As shown in FIG. 1, the file conversion method of this embodiment obtains the dex file of an Android application, converts it into a first file in a binary format supported by the angr framework, loads the first file into angr, performs symbolic execution analysis on it, and uses the result to assist in determining whether the Android application under test has a vulnerability. This solves the problem that the existing angr framework cannot recognise the executable files of Android applications and therefore cannot perform symbolic execution analysis on them; it provides a new approach to Android application vulnerability detection, helps improve the security of Android applications, prevents user privacy data on Android mobile terminals from being stolen by attackers, and improves the user experience of Android mobile terminals.
The file conversion method of the embodiment is described below with reference to FIG. 2 to FIG. 4.
Given that the existing angr framework cannot load the executable file of an Android application, this embodiment provides a method of converting that executable file according to the characteristics of Android code; that is, the executable file of the Android application undergoes format conversion.
Specifically, referring to FIG. 2, first, the Android application to be detected is obtained;
then, file conversion is performed on the Android application to generate an exe executable file.
Because the exe executable is in a binary file format supported by the angr framework, the exe file corresponding to the Android application can be loaded into angr.
Finally, symbolic execution analysis is performed on the exe executable in the angr framework, which in turn assists in judging whether the Android application to be detected has a vulnerability.
The file conversion is the focus of this embodiment and is described in detail below.
Referring to FIG. 3, first, the APK file of the Android application is obtained; in the Android system the APK file is the Android installation package.
Second, the APK file is decompressed with an APK tool to obtain the complete Android project. Note that decompressing the APK file with an APK tool is only an example; the invention is not limited to it, and any tool capable of decompressing the APK file may be used in practice.
Referring to FIG. 3, the Android project obtained after decompression mainly includes a META-INF file, a res file, an XML file, a dex file and an arsc file.
The META-INF file holds the APK signature and is used to ensure the integrity of the APK package and the security of the system.
The res file stores the various resource files of the Android project, with different kinds of resource files in different directories. The res directory has sub-directories, for example a layout directory that mainly holds layout files, a menu directory that mainly holds menu files, and a values directory that mainly holds the application's default resource files.
The XML file is mainly the Android manifest.
The arsc file stores the compiled binary resource file and records the mapping between resource files and resource IDs.
The dex file is the compiled Dalvik bytecode file; it runs only on the Dalvik virtual machine, which is not compatible with the Java virtual machine.
Finally, the dex file is extracted from the Android project obtained above.
That is, in this embodiment the executable file, the dex file, is extracted from the Android project for subsequent conversion.
After the dex file is obtained, FIG. 4 illustrates the conversion from the dex file to a Windows exe file: the dex file is decompiled into a Java jar file, and the jar file is then converted into a Windows exe file.
The file conversion shown in FIG. 4 can be subdivided into two steps: decompilation and recompilation.
Decompilation decompiles the Android executable dex file into an initial Java package, i.e. converts the classes in the dex file into a jar file.
The tool used for this part is dex2jar, a decompilation tool for dex files of the Android platform. Although the jar file obtained by decompilation is not a standard Java code file, it can be compiled into an exe file in the next step, recompilation.
In the recompilation step, the jar file obtained in the previous step is compiled and converted into a Windows executable exe file.
The tool used for this part is jar2exe. jar2exe works by starting a Java virtual machine through the JNI interface and providing further high-level functions on top of it; it can generate three types of executable: a console program, a Windows window program and a Windows NT service program. The recompilation step uses the console program type to convert the jar file into an exe executable.
The Windows exe executable can be loaded directly into the angr framework, and the subsequent symbolic execution analysis is carried out there.
The following briefly describes the symbolic execution analysis process on the angr framework.
The angr framework integrates several existing vulnerability analysis techniques, with different modules implementing different functions, so that existing analysis techniques can easily be compared and their respective advantages combined.
The overall processing is as follows: first, a binary program (e.g. the exe file shown in FIG. 4) is loaded into the angr framework; then the code of the binary is translated into an intermediate representation (IR); the program is then analysed further, including static analysis or dynamic symbolic execution.
angr mainly comprises the following modules:
a binary program loading module (CLE), which loads the binary program, including exe executables, into the analysis platform;
an intermediate representation module (IR), which translates the binary code into the intermediate language VEX, enabling angr to analyse binaries of different architectures;
a program state module (SimuVEX), which represents the state of a program; SimState in SimuVEX implements a set of state plugins such as registers, abstract memory and symbolic memory, and the plugins' state can be specified by the user;
a data model module (Claripy), which provides an abstract representation of the values stored in the registers or memory of a SimState;
and a complete program analysis module, in which all the modules are combined so that angr can perform complex, complete program analyses.
The binary program loading module (CLE) is the entry point of the angr framework. In this embodiment the CLE module loads the exe executable converted from the Android application's dex bytecode file into the angr framework for subsequent symbolic execution analysis.
Symbolic execution can uncover the essential constraint relations among variables in complex data dependencies, with higher precision than methods such as taint propagation analysis and fuzz testing, and the exact algebraic relations between variables help in understanding a program's internal logic. While simulating the program's execution, symbolic execution also records all constraint conditions on the execution path precisely, which improves the accuracy of deciding path reachability in control flow analysis.
Note that symbolic execution analysis based on the angr framework is prior art; the symbolic execution analysis performed once the exe executable converted from the Android application's dex file has been loaded into angr may therefore follow the prior art and is not described in detail here.
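The following is an added example, not code from the patent or from angr. It walks step S101 of the pipeline above (reading the APK as a zip archive and extracting classes.dex), verifies the dex header, and then sniffs the leading magic bytes the way a loader such as CLE matches a back-end, which makes visible why the dex file is not matched while a PE (exe) or ELF binary is. The APK and dex contents are constructed in memory; the ELF/PE/dex magic table is an assumption for the example, not a copy of CLE's back-end list.

```python
"""Added example: extract classes.dex from an APK, check its header,
and mimic loader back-end selection by magic bytes (constructed data)."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed dex header length
DEX_ENDIAN_TAG = 0x12345678     # value stored in the header's endian_tag field
DEX_VERSIONS = (b"035", b"037", b"038", b"039")

# Leading bytes -> (format, has a loader back-end). ELF and PE are real CLE
# back-ends; dex has none, which is the gap the patent addresses. The table
# itself is assumed for this example, not taken from angr's source.
KNOWN_MAGICS = [
    (b"\x7fELF", "ELF", True),
    (b"MZ", "PE", True),
    (b"dex\n", "DEX", False),
]


def identify_format(blob):
    """Mimic back-end selection by magic: return (format_name, loadable)."""
    for magic, name, loadable in KNOWN_MAGICS:
        if blob.startswith(magic):
            return name, loadable
    return "unknown", False


def build_dex(payload=b""):
    """Construct a minimal dex blob with a self-consistent header (test data only).

    Layout: magic[8] checksum[4] signature[20] file_size header_size
    endian_tag link_size ... (the remaining size/offset fields are left zero).
    """
    file_size = DEX_HEADER_SIZE + len(payload)
    tail = struct.pack("<IIII", file_size, DEX_HEADER_SIZE, DEX_ENDIAN_TAG, 0)
    tail += b"\0" * (DEX_HEADER_SIZE - 48) + payload
    signature = hashlib.sha1(tail).digest()                  # covers bytes after the signature
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF   # covers bytes after the checksum
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail


def verify_dex_header(dex):
    """Parse the dex header and return a dict of integrity checks."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("input shorter than a dex header")
    magic = dex[:8]
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "magic_ok": magic[:4] == b"dex\n" and magic[4:7] in DEX_VERSIONS and magic[7] == 0,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_TAG,
    }


def build_apk(dex):
    """Construct an APK-like zip holding the members FIG. 3 names (placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")      # placeholder, not binary XML
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("res/layout/main.xml", b"")
        z.writestr("resources.arsc", b"\0" * 16)               # placeholder
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def extract_dex_files(apk_bytes):
    """Step S101: read the APK as a zip and return {name: bytes} for every classes*.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        found = {n: z.read(n) for n in z.namelist()
                 if n.startswith("classes") and n.endswith(".dex") and "/" not in n}
    if not found:
        raise ValueError("APK contains no classes.dex")
    return found


if __name__ == "__main__":
    apk = build_apk(build_dex(b"\x00" * 32))
    for name, data in extract_dex_files(apk).items():
        print(name, verify_dex_header(data), identify_format(data))
    print(identify_format(b"MZ\x90\x00"))   # a PE (exe) header is matched by a back-end
```

A real classes.dex has populated string/type/method tables after the header; the checks here cover only the header fields and the two integrity values, which is enough to confirm that what was extracted is an intact dex rather than a truncated or corrupted member.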
FIG. 5 is a block diagram of a file conversion apparatus according to an embodiment of the present invention. Referring to FIG. 5, the file conversion apparatus 500 of this embodiment is applied to the binary file analysis framework angr and comprises:
a file obtaining module 501, configured to obtain a dex file of an Android application to be detected;
a file conversion module 502, configured to convert the dex file into a first file in a binary format supported by the angr framework;
and a detection determining module 503, configured to load the first file into the angr framework, perform symbolic execution analysis on the first file, and assist in determining whether the Android application has a vulnerability according to the result of the symbolic execution analysis.
In an embodiment, the file obtaining module 501 is specifically configured to obtain the installation package APK file of the Android application to be detected, decompress the APK file, and extract the dex file from it.
In an embodiment, the file conversion module 502 is specifically configured to decompile the dex file to obtain a Java archive (jar) file, and to recompile the jar file to obtain an exe file in binary format.
Note that the file conversion apparatus of this embodiment corresponds to the file conversion method of the foregoing embodiment; the operation of the apparatus may therefore be understood from the description of the method embodiment and is not repeated here.
In summary, the file conversion method and apparatus of the embodiments of the present invention perform file conversion on an Android application, converting its bytecode file dex into a Windows executable file exe and loading that exe into the angr framework for subsequent symbolic execution analysis. This solves the problem that the angr framework cannot perform symbolic execution analysis on Android applications because it cannot import and read the Android installation package APK file and executable file dex, thereby assists vulnerability detection, and improves the reliability and security of the Android system.
While the foregoing is directed to embodiments of the present invention, other modifications and variations may be devised by those skilled in the art in light of the above teachings. It should be understood that the foregoing detailed description is for the purpose of illustrating the invention rather than limiting it, and that the scope of the invention is defined by the claims.

Claims (6)

1. A file conversion method applied to a binary file analysis framework (angr), comprising the following steps:
acquiring a dex file of an Android application to be detected;
converting the dex file into a first file in a binary format supported by the angr framework;
loading the first file into the angr framework, performing symbolic execution analysis on the first file, and assisting in judging whether the Android application has a vulnerability according to the result of the symbolic execution analysis;
wherein the first file is an exe executable file.
2. The file conversion method according to claim 1, wherein acquiring the dex file of the Android application to be detected comprises:
obtaining the installation package APK file of the Android application to be detected, decompressing the APK file and extracting the dex file from the APK file.
3. The file conversion method according to claim 2, wherein converting the dex file into the first file in a binary format supported by the angr framework comprises:
decompiling the dex file to obtain a Java archive file (jar file);
and recompiling the jar file to obtain an executable file (exe file) in a binary format.
4. A file conversion apparatus applied to a binary file analysis framework (angr), comprising:
a file acquisition module for acquiring a dex file of an Android application to be detected;
a file conversion module for converting the dex file into a first file in a binary format supported by the angr framework;
a detection determining module for loading the first file into the angr framework, performing symbolic execution analysis on the first file, and assisting in judging whether the Android application has a vulnerability according to the result of the symbolic execution analysis;
wherein the first file is an exe executable file.
5. The file conversion apparatus according to claim 4, wherein
the file acquisition module is specifically configured to obtain the installation package APK file of the Android application to be detected, decompress the APK file and extract the dex file from the APK file.
6. The file conversion apparatus according to claim 5, wherein
the file conversion module is specifically configured to decompile the dex file to obtain a Java archive file (jar file), and to recompile the jar file to obtain an executable file (exe file) in a binary format.
CN201710607870.9A 2017-07-24 2017-07-24 File conversion method and device Active CN107341403B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710607870.9A CN107341403B (en) 2017-07-24 2017-07-24 File conversion method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710607870.9A CN107341403B (en) 2017-07-24 2017-07-24 File conversion method and device

Publications (2)

Publication Number Publication Date
CN107341403A CN107341403A (en) 2017-11-10
CN107341403B (en) 2020-11-27

Family

ID=60216589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710607870.9A Active CN107341403B (en) 2017-07-24 2017-07-24 File conversion method and device

Country Status (1)

Country Link
CN (1) CN107341403B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115454575B (en) * 2022-09-28 2023-08-15 广东保伦电子股份有限公司 jar packet conversion and automatic loading method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484607A (en) * 2014-12-16 2015-04-01 上海交通大学 Universal method and universal system for performing safety testing on Android application programs
CN105279078A (en) * 2014-06-24 2016-01-27 腾讯科技(深圳)有限公司 Method and device for detecting security hole
CN106709356A (en) * 2016-12-07 2017-05-24 西安电子科技大学 Static taint analysis and symbolic execution-based Android application vulnerability discovery method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
颜慧颖 et al., "Symbolic-execution-based control flow graph extraction method for Android native code", 网络与信息安全学报 (Chinese Journal of Network and Information Security), 2017-07-15, vol. 3, no. 7, pp. 00178-1 to 00178-14 *

Also Published As

Publication number Publication date
CN107341403A (en) 2017-11-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant