CN113139184A - Method for detecting Binder communication overload vulnerability based on static analysis - Google Patents


Info

Publication number: CN113139184A
Authority: CN (China)
Prior art keywords: function, containermap, capacity expansion, binder, binder communication
Legal status: Granted
Application number: CN202110390864.9A
Other languages: Chinese (zh)
Other versions: CN113139184B (en)
Inventors: 刘少聪, 马骏, 陶先平
Current assignee: Nanjing University
Original assignee: Nanjing University
Application filed by Nanjing University; priority to CN202110390864.9A; published as CN113139184A, granted as CN113139184B. Legal status: active.

Classifications

    • G06F21/563 Static detection by source code analysis (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F2221/033 Test or assess software (G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)


Abstract

The invention discloses a method for detecting Binder communication overload vulnerabilities in Android applications based on static analysis. It comprises the following steps: analysing the Android framework source code to build a function call graph, and determining by forward analysis from the transact method which Binder communication interface functions the framework exposes; statically analysing the application code and building a data-containment table (ContainerMap) for each function using a context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis; selecting the functions related to the Binder interface functions to build an application-wide containment summary table; and, based on the expansion-transmission pattern, locating transmitted objects that are expanded (grown) and match the pattern, analysing their expansion statements to decide whether they lie in a loop, and thereby detecting Binder communication overload vulnerabilities that match the loop-expansion-transmission pattern. The method uses static program analysis, identifies the transmitted object by building the data containment relation of the whole application, and so achieves the technical effect of detecting Binder communication overload vulnerabilities.

Description

Method for detecting Binder communication overload vulnerability based on static analysis
Technical Field
The invention relates to the technical field of detecting Binder communication overload vulnerabilities in Android applications, and in particular to a method and a device for detecting such vulnerabilities based on static analysis, an electronic device, and a storage medium.
Background
With the development of information technology, mobile terminals represented by the Android platform have long been an indispensable part of everyday life. More and more phone users send mail, view pictures and watch videos on smartphones; the functionality of mobile applications keeps growing, and with it the memory they occupy at run time.
Android is a service-based system. The services provided by the framework or developed by users expose the most basic and central functions of the system, including the most important ones such as the Location Manager, the Package Manager and the Activity Manager, and all of them rely on the Binder communication framework provided by Android. Compared with traditional inter-process communication mechanisms such as pipes, sockets and shared memory, the Binder framework offers a single data copy, high transfer efficiency and ease of use, and is also highly secure. To balance inter-process communication efficiency against memory usage, Android limits the size of a Binder transaction to 1 MB; if the transmitted data exceeds this limit an exception is thrown, the application crashes and user data is lost, which seriously harms user experience and application ratings.
Existing approaches to the Binder communication overload problem are mainly debugging tools and development tools. A debugging tool such as TooLargeTool hooks some of the open interfaces provided by the Android framework and writes the size of the current transmitted object to the development log, thereby monitoring the size of Binder transactions. A development tool such as Bridge changes how the transmitted object is stored by means of annotations, keeping it in memory instead of in the Binder buffer, and so reduces the transmission size at the expense of efficiency. Both approaches depend on actually running the program and cannot locate the Binder transmitted object in advance.
Inter-component communication is an important part of Binder communication, and many testing tools for it exist, but only a few works address the Binder communication overload problem. The main reason is that Binder overload vulnerabilities are hard to trigger with simple test cases, and test cases are not tailored to this problem.
Disclosure of Invention
To address these shortcomings of the prior art, the invention provides a method, a device, an electronic device and a storage medium for detecting Binder communication overload vulnerabilities in Android applications based on static analysis.
To this end, the invention adopts the following technical scheme:
In a first aspect, an embodiment of the application provides a method for detecting Binder communication overload vulnerabilities in Android applications based on static analysis, comprising the following steps:
S1. Analyse the Android framework source code to build a function call graph, and determine the Binder communication interface functions exposed by the framework by forward analysis from the transact method;
S2. Statically analyse the Android application code, starting from the Binder communication interface functions used by the application, and build a ContainerMap for each function using a context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis, the iteration terminating when the ContainerMap no longer changes; select the functions related to the Binder communication interface functions to build ContainerMap_app;
S3. Based on ContainerMap_app from step S2 and the expansion-transmission pattern, search for transmitted objects that are expanded and match the pattern, analyse their expansion statements to decide whether the loop condition is met, and thereby detect Binder communication overload vulnerabilities matching the loop-expansion-transmission pattern.
Further, in step S1, analysing the Android framework source code to build a function call graph and determining the Binder communication interface functions exposed by the framework by forward analysis from the transact method comprises the following steps:
statically analysing the Android framework code and building a function call graph;
based on the Binder transmission principle, starting from the transact method at the lowest level of the Java-layer Binder transmission path, traversing the call graph with a context-insensitive, flow-insensitive, path-insensitive forward static analysis to obtain every function in the framework source that directly or indirectly calls transact, and taking those exposed to developers as the Binder transmission interface functions provided by the framework.
Further, obtaining every function in the framework source that directly or indirectly calls transact comprises the following steps:
starting from the bottom-level transact method of Java-layer Binder transmission, putting transact into the queue Q of functions to be analysed;
taking a function from Q as the current function m, analysing the inheritance and implementation relations of the class of m to obtain its parent class and adding the parent-class function with the same signature as m to Q, and analysing the call graph to obtain all functions that call m and adding them to Q;
repeating the analysis until Q is empty; all functions analysed by then are the functions that directly or indirectly call transact.
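The worklist traversal of the three steps above, as an added example that is not part of the patent or of any tool it describes: a Python reimplementation over a small constructed slice of the framework call graph. The class names, call edges, parent relation and the public-API allow-list are hypothetical simplifications; a real run would extract the graph from the framework source.

```python
from collections import deque

# Constructed toy slice of the Android framework call graph (caller -> callees).
# The names are hypothetical simplifications, not the real framework source.
CALLS = {
    "BinderProxy.transact": [],
    "IActivityManager$Stub$Proxy.startActivity": ["IBinder.transact"],
    "Instrumentation.execStartActivity": ["IActivityManager$Stub$Proxy.startActivity"],
    "Activity.startActivityForResult": ["Instrumentation.execStartActivity"],
    "Activity.startActivity": ["Activity.startActivityForResult"],
    "Activity.setContentView": ["Window.setContentView"],   # unrelated to Binder
    "Window.setContentView": [],
}
# Inheritance/implementation relation and the methods each type declares (toy).
PARENT = {"BinderProxy": "IBinder"}
METHODS = {"IBinder": {"transact"}, "BinderProxy": {"transact"}}
# Functions the SDK exposes to application developers (toy allow-list).
PUBLIC_API = {"Activity.startActivity", "Activity.startActivityForResult",
              "Activity.setContentView"}


def callers_of(calls):
    """Invert the call graph: callee -> set of direct callers."""
    rev = {}
    for caller, callees in calls.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev


def binder_interface_functions(calls, parent, methods, public_api,
                               root="BinderProxy.transact"):
    """Step S1 worklist: collect every function that directly or indirectly
    reaches transact, following call edges and the same-signature method in
    the parent type (callers invoke transact through the supertype IBinder).
    Returns (exposed interface functions, all functions reaching transact)."""
    rev = callers_of(calls)
    queue, seen = deque([root]), {root}
    while queue:
        m = queue.popleft()                       # current function m
        cls, sig = m.split(".", 1)
        nxt = set(rev.get(m, ()))                 # all functions that call m
        p = parent.get(cls)                       # same signature in the parent type
        if p and sig in methods.get(p, ()):
            nxt.add(f"{p}.{sig}")
        for f in nxt:
            if f not in seen:
                seen.add(f)
                queue.append(f)
    return sorted(seen & public_api), sorted(seen)


if __name__ == "__main__":
    exposed, reach = binder_interface_functions(CALLS, PARENT, METHODS, PUBLIC_API)
    print("Binder interface functions exposed to apps:", exposed)
```

The parent-class step is what makes the traversal reach anything at all here: application code never calls BinderProxy.transact directly, it calls through the IBinder interface, so without following the same-signature method up the hierarchy the queue would empty after the root. Activity.setContentView is in the public API but never reaches transact, so it is correctly excluded.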
Further, in step S2, building the ContainerMap of a single function through the context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis comprises the following steps:
creating an empty ContainerMap and an empty DependencyMap for the current function;
starting from the first statement of the current function, analysing the statements one by one and updating the ContainerMap and the DependencyMap;
the DependencyMap is updated in Def-Use fashion: when an assignment statement is analysed, its left-hand variable is the assigned variable; if the right-hand side is a new object, the definition of the left-hand variable in the DependencyMap is updated to that new object, otherwise it is updated to the definition of the current right-hand object. When an analysed statement uses a variable present in the DependencyMap, the definition of that variable at the statement is obtained.
updating the ContainerMap comprises processing expansion statements and function-call statements, and the analysis is repeated until the ContainerMap of the current function no longer changes;
continuing until a ContainerMap has been generated for every function related to the Binder transmission interface functions, and establishing the mapping from function to ContainerMap, namely ContainerMap_app.
Further, updating the ContainerMap comprises:
for a container expansion statement with a complete definition, adding the container object and the element object to the ContainerMap; a container expansion statement is a call to an operation of a container object that adds an element to it;
for a function-call statement, if the called function m already has ContainerMap_m, using ContainerMap_m to map the containment relation into the caller; if ContainerMap_m does not exist, analysing the called function to generate ContainerMap_m.
Further, both the ContainerMap and the DependencyMap are hash tables of key-value pairs; keys are unique and each key maps to exactly one value;
a key of the ContainerMap represents a container object and its value is the set of element objects the container holds; each time a new expansion operation is analysed, the element object of that operation is added to the element set of the corresponding container object in the current ContainerMap;
a key of the DependencyMap is a data object and its value is the definition set of that object, i.e. the set of possible definitions of the object the key refers to at the statement currently being analysed; the current DependencyMap is updated each time a statement defining the object is analysed.
Further, in step S3, detecting a Binder communication overload vulnerability matching the loop-expansion-transmission pattern comprises the following steps:
starting from a Binder transmission interface function, using the function's ContainerMap and the call graph to filter out the transmitted objects that are expanded;
for every transmitted expanded object, traversing all statements of the current function to find the corresponding expansion statements and recording them, which yields a program path matching the expansion-transmission pattern;
on that program path, deciding by depth-first search whether the expansion statement lies in a loop and whether the transmission statement lies in that loop; if the expansion statement is in a loop that does not contain the transmission statement, a program path matching loop-expansion transmission is obtained.
In a second aspect, an embodiment of the application provides a device for detecting Binder communication overload vulnerabilities in Android applications based on static analysis, the device comprising:
a Binder communication interface function acquisition module for analysing the Android framework source code to build a function call graph and determining the Binder communication interface functions exposed by the framework by forward analysis from the transact method;
a ContainerMap_app building module for statically analysing the application code, starting from the Binder communication interface functions used by the application, building the ContainerMap of each function with a context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis whose iteration terminates when the ContainerMap no longer changes, and selecting the functions related to the Binder communication interface functions to build ContainerMap_app; and
a Binder communication overload vulnerability detection module for searching, based on ContainerMap_app and the expansion-transmission pattern, for expanded transmitted objects that match the pattern, analysing their expansion statements to decide whether the loop condition is met, and thereby detecting Binder communication overload vulnerabilities matching the loop-expansion-transmission pattern.
In a third aspect, an embodiment of the application provides an electronic device, comprising:
one or more processors; and
a storage device storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the detection method described above.
In a fourth aspect, the application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the detection method described above.
In the embodiments of the application, the transmitted object is identified by building the data containment relation of the whole application by means of static program analysis, so that Binder communication overload vulnerabilities can be detected. This solves the technical problems that current methods depend on actually running the program, cannot locate the Binder transmitted object in advance, and can hardly trigger Binder communication overload vulnerabilities with simple test cases.
Drawings
Fig. 1 is a schematic diagram of the framework logic of the method for detecting Binder communication overload vulnerabilities in Android applications based on static analysis according to an embodiment of the invention.
Fig. 2 is a schematic flow chart of the method for detecting Binder communication overload vulnerabilities in Android applications based on static analysis according to an embodiment of the invention.
Fig. 3 is a schematic diagram of the code blocks in LeakCanary according to the first embodiment of the invention.
Detailed Description
The invention is now described in further detail with reference to the accompanying drawings.
It should be noted that terms such as "upper", "lower", "left", "right", "front" and "back" used in the invention serve only clarity of description and are not intended to limit its scope; the relative relationships they denote are not limited by substantive changes to the technical content.
Example one
Fig. 1 is a schematic diagram of the framework logic, and Fig. 2 a schematic flow chart, of the method for detecting Binder communication overload vulnerabilities in Android applications based on static analysis according to an embodiment of the invention. The method may be carried out by a device for detecting Binder communication overload vulnerabilities based on static analysis, implemented in software and/or hardware and integrated into an electronic device such as a server.
Referring to Fig. 1 and Fig. 2, the detection method specifically comprises:
S1. Analyse the Android framework source code to build a function call graph, and determine the Binder communication interface functions exposed by the framework by forward analysis from the transact method.
Specifically, using the function call graph obtained by analysing the framework source code, and based on the observation that every Binder communication goes through the transact method, a context-insensitive, flow-insensitive, path-insensitive forward static analysis is run from transact to obtain the Binder transmission interface functions.
In step S1, the forward static analysis starts from the transact method at the lowest level of Java-layer Binder transmission and puts transact into the queue Q of functions to be analysed. A function is taken from Q as the current function m; the inheritance and implementation relations of the class of m are analysed to obtain its parent class, and the parent-class function with the same signature as m is added to Q; the call graph is analysed to obtain all functions that call m, and they are added to Q. The analysis repeats until Q is empty. All functions analysed by then call transact directly or indirectly, and those among them that are exposed to developers can be called directly by applications: they are the Binder transmission interface functions provided by the Android framework.
S2. Statically analyse the Android application code, starting from the Binder communication interface functions used by the application, and build a ContainerMap for each function using a context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis, the iteration terminating when the ContainerMap no longer changes; then combine the ContainerMaps of the functions related to the Binder communication interface functions into ContainerMap_app.
Specifically, the process comprises the following steps:
2.1. Create an empty ContainerMap and an empty DependencyMap for the current function. The ContainerMap is a hash table of key-value pairs with unique keys, each key mapping to exactly one value; its key represents a container object and its value the set of element objects the container holds. Each time a new expansion operation is analysed, the element object of that operation is added to the element set of the corresponding container object in the current ContainerMap. The DependencyMap is also a hash table: its key is a data object and its value the definition set of that object, i.e. the set of possible definitions of the object the key refers to at the statement currently being analysed; the current DependencyMap is updated each time a statement defining the object is analysed.
2.2. Starting from the first statement of the current function, analyse the statements one by one and update the DependencyMap and the ContainerMap. The DependencyMap is updated in Def-Use fashion; updating the ContainerMap mainly involves expansion statements and function-call statements. (1) Expansion statement: for a container expansion statement whose container object is completely defined (a call to an operation of the container object that adds an element to it), add the container object and the element object to the ContainerMap. (2) Function-call statement: if the called function m has ContainerMap_m, use ContainerMap_m to map the containment relation into the caller; otherwise analyse the called function to generate ContainerMap_m (step 2.1).
2.3. Repeat step 2.2 until the ContainerMap of the current function no longer changes.
2.4. Repeat from step 2.1 until a ContainerMap has been generated for every function related to the Binder transmission interface functions, and establish the mapping from function to ContainerMap as ContainerMap_app.
S3. Based on ContainerMap_app from step S2 and the expansion-transmission pattern, search for transmitted objects that are expanded and match the pattern, analyse their expansion statements to decide whether the loop condition is met, and thereby detect Binder communication overload vulnerabilities matching the loop-expansion-transmission pattern.
Specifically, the process comprises the following steps:
3.1. Starting from the Binder transmission interface function, use the function's ContainerMap and the call graph to filter out the transmitted objects that are expanded.
3.2. For every transmitted expanded object, traverse all statements of the current function to find and record the expansion statements corresponding to it; this yields the program path matching the expansion-transmission pattern.
3.3. On that program path, decide whether the expansion statement lies in a loop unrelated to the transmission statement: determine by depth-first search whether the expansion statement is in a loop and, at the same time, whether the transmission statement is on that loop, to obtain the program path matching loop-expansion transmission.
Example two
In the second embodiment of the invention, a real application from an app market, LeakCanary, is taken as an example and combined with the algorithm flow chart of Fig. 2 to show how a Binder communication overload vulnerability in LeakCanary that has been confirmed and fixed (GitHub issue 1646) is detected by the static-analysis-based detection method, following the steps of the scheme described in the invention.
Fig. 3 shows the program source related to the Binder communication overload vulnerability in LeakCanary, which mainly involves three functions: DisplayLeakActivity.shareLeak, LeakCanary.leakInfo and LeakTrace.toString.
In step 1, the Binder transmission interface functions provided by the Android framework must be determined; analysing the framework source code yields the call chain of such a function, starting from Activity.
In step 2, the application code is analysed to find where the Binder transmission interface function is used, namely the transmission interface function of Activity used in the last line of DisplayLeakActivity.shareLeak.
In DisplayLeakActivity.shareLeak, the chooser object contains the intent and the function's getString object, and the intent object contains Intent.ACTION_SEND, Intent.EXTRA_TEXT, leakInfo and "text/plain". In LeakCanary.leakInfo, the return value info contains "In", packageName, "\n", versionName, versionCode, "\n" and result.
From the ContainerMaps of the three functions above, ContainerMap_app is assembled. The transmitted object of interest is Intent.createChooser(intent, getString(R.string.leak_search_share_with)); besides the local objects of the function itself, ContainerMap_app contains result.leakTrace.toString() in LeakCanary.leakInfo and element.toString(maybeLeakCause) in LeakTrace.toString.
In step 3, using the ContainerMap obtained in step 2, the object transmitted over Binder is first analysed in ContainerMap_app to obtain the transmitted elements (intent, getString(R.string.leak_search_share_with)); they are expanded through StringBuilder.append, so the expansion-transmission pattern is satisfied. The expansion statement is then analysed further and found to lie in a for loop, so the loop-expansion-transmission pattern is satisfied, that is, a Binder communication overload vulnerability as defined is identified.
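Steps S2 and S3 of the method, run on the LeakCanary-shaped case of this example, as an added illustration that is not part of the patent and not LeakCanary's code: a Python sketch of ContainerMap/DependencyMap construction with fixpoint iteration and callee summaries, followed by the loop check that separates a StringBuilder grown inside a for loop and sent afterwards from a loop that sends on every iteration. The three-address IR, its statement encodings and the four-function program are constructed for this example; the function names echo the ones on the page but the bodies are simplified stand-ins.

```python
from collections import defaultdict
from copy import deepcopy

# Toy three-address IR (constructed). A function is (parameter names, statements).
#   ("new", lhs, type)           lhs = new type()
#   ("assign", lhs, rhs)         lhs = rhs
#   ("add", container, element)  expansion statement: container.add(e) / sb.append(e)
#   ("call", callee, args, ret)  ret = callee(args)   (ret may be None)
#   ("return", var)
#   ("send", var)                var handed to a Binder transmission interface function
#   ("loop", body)               a for/while loop around the nested statement list


class Summary:
    def __init__(self):
        self.cmap = defaultdict(set)  # ContainerMap: container def -> {(element def, loop path)}
        self.sends = []               # (transmitted defs, loop path of the send)
        self.ret = set()              # defs the function may return


def analyze(fname, funcs, app):
    """Step S2: ContainerMap of fname by a flow-sensitive, context-insensitive
    analysis iterated until nothing changes; memoised in app (ContainerMap_app).
    Assumes the program has no recursion."""
    if fname in app:
        return app[fname]
    params, body = funcs[fname]
    summ, dep = Summary(), defaultdict(set)      # dep = DependencyMap: var -> defs
    for p in params:
        dep[p] = {p}                              # a parameter is its own symbolic def

    def defs(v):                                  # Use: a variable's defs, or a literal
        return dep[v] if v in dep else {f"lit:{v}"}

    def run(stmts, path):                         # path = indices of enclosing loops
        for i, st in enumerate(stmts):
            kind = st[0]
            if kind == "new":                     # Def: fresh object at this statement
                dep[st[1]] = {f"{fname}:{st[2]}@{path + (i,)}"}
            elif kind == "assign":                # Def: take over the rhs definition
                dep[st[1]] = set(defs(st[2]))
            elif kind == "add":                   # expansion: record element and loop
                for c in dep[st[1]]:
                    summ.cmap[c] |= {(e, (fname,) + path) for e in defs(st[2])}
            elif kind == "call":                  # map the callee's ContainerMap_m in
                _, callee, args, ret = st
                cs = analyze(callee, funcs, app)
                bind = {p: defs(a) for p, a in zip(funcs[callee][0], args)}
                sub = lambda d: bind.get(d, {d})  # formal parameter -> actual defs
                for c, es in cs.cmap.items():
                    for cc in sub(c):
                        summ.cmap[cc] |= {(e, lp) for d, lp in es for e in sub(d)}
                if ret:
                    dep[ret] = {e for d in cs.ret for e in sub(d)}
            elif kind == "return":
                summ.ret |= defs(st[1])
            elif kind == "send":
                summ.sends.append((set(dep[st[1]]), (fname,) + path))
            elif kind == "loop":
                run(st[1], path + (i,))

    while True:                                   # fixpoint: maps no longer change
        before = (deepcopy(summ.cmap), deepcopy(dep))
        summ.sends = []
        run(body, ())
        if (summ.cmap, dep) == before:
            break
    app[fname] = summ
    return summ


def detect(entry, funcs):
    """Step S3: (container, element, loop) triples where a transmitted object is
    grown inside a loop that does not itself contain the transmission."""
    summ, findings = analyze(entry, funcs, {}), []
    for sent, spath in summ.sends:
        reach, work = set(sent), list(sent)       # closure of what the sent object contains
        while work:
            c = work.pop()
            for e, lpath in summ.cmap.get(c, ()):
                if len(lpath) > 1 and spath[:len(lpath)] != lpath:
                    findings.append((c, e, lpath))
                if e not in reach:
                    reach.add(e)
                    work.append(e)
    return findings


# Constructed program mirroring the LeakCanary case above (not LeakCanary's source).
FUNCS = {
    "LeakTrace.toString": ([], [
        ("new", "sb", "StringBuilder"),
        ("loop", [("new", "line", "String"),          # element.toString(maybeLeakCause)
                  ("add", "sb", "line")]),             # sb.append(line): expansion in loop
        ("return", "sb")]),
    "LeakCanary.leakInfo": (["result"], [
        ("new", "info", "String"),
        ("add", "info", "In "),
        ("call", "LeakTrace.toString", [], "trace"),   # result.leakTrace.toString()
        ("add", "info", "trace"),
        ("return", "info")]),
    "DisplayLeakActivity.shareLeak": ([], [
        ("new", "result", "Result"),
        ("call", "LeakCanary.leakInfo", ["result"], "leakInfo"),
        ("new", "intent", "Intent"),
        ("add", "intent", "leakInfo"),                 # putExtra(Intent.EXTRA_TEXT, leakInfo)
        ("send", "intent")]),                          # startActivity(createChooser(intent, ...))
    "Chunked.sendEach": ([], [                         # benign: the send is inside the loop
        ("loop", [("new", "intent", "Intent"), ("new", "chunk", "String"),
                  ("add", "intent", "chunk"), ("send", "intent")])]),
}

if __name__ == "__main__":
    for c, e, loop in detect("DisplayLeakActivity.shareLeak", FUNCS):
        print(f"overload risk: {c} grows by {e} in loop {loop} without a send in it")
```

Two design points carry the page's argument. First, string concatenation is modelled as an expansion of the string object, which is what lets the StringBuilder two calls down the chain become part of what the Intent "contains". Second, the loop check compares the loop path of the expansion with the loop path of the send: in shareLeak the send sits at function level while the append sits in a loop of LeakTrace.toString, so it is flagged; in Chunked.sendEach the send shares the loop with the append, so the transaction is bounded per iteration and nothing is reported.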
Example three
An embodiment of the application provides a device for detecting Binder communication overload vulnerabilities in Android applications based on static analysis, the device comprising:
a Binder communication interface function acquisition module for analysing the Android framework source code to build a function call graph and determining the Binder communication interface functions exposed by the framework by forward analysis from the transact method;
a ContainerMap_app building module for statically analysing the application code, starting from the Binder communication interface functions used by the application, building the ContainerMap with a context-insensitive, flow-sensitive, path-insensitive inter-procedural data-flow analysis whose iteration terminates when the ContainerMap no longer changes, and selecting the functions related to the Binder communication interface functions to build ContainerMap_app; and
a Binder communication overload vulnerability detection module for searching, based on ContainerMap_app and the expansion-transmission pattern, for expanded transmitted objects that match the pattern, analysing their expansion statements to decide whether the loop condition is met, and thereby detecting Binder communication overload vulnerabilities matching the loop-expansion-transmission pattern.
With the detection device of the third embodiment, the transmitted object is identified by building the data containment relation of the whole application, so that Binder communication overload vulnerabilities can be detected. The detection device provided by this embodiment can carry out the Binder communication overload vulnerability detection method of any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example four
The embodiment of the application provides an electronic device, which comprises a processor, a memory, an input device and an output device; in the electronic device, the number of the processors can be one or more; the processor, memory, input devices, and output devices in the electronic device may be connected by a bus or other means.
The memory, which is a computer-readable storage medium, may be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the detection method in the embodiments of the present invention. The processor executes various functional applications and data processing of the electronic device by running the software program, the instructions and the modules stored in the memory, namely, the method for detecting the Binder communication overload vulnerability provided by the embodiment of the invention is realized.
The memory may mainly comprise a program storage area and a data storage area, wherein the program storage area may store an operating system and the application program required by at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory may further include memory located remotely from the processor, and these remote memories may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device may be used to receive input numeric or character information and generate key signal inputs corresponding to user settings and function controls of the electronic device, and may include a keyboard, a mouse, and the like. The output device may include a display device such as a display screen.
Example five
The embodiment of the application provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for detecting a Binder communication overload vulnerability is implemented as described above.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the method for detecting a Binder communication overload vulnerability provided by any embodiment of the present invention.
The above is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above-mentioned embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may be made by those skilled in the art without departing from the principle of the invention.

Claims (10)

1. A method for detecting a Binder communication overload vulnerability based on static analysis is characterized by comprising the following steps:
S1, analyzing the Android framework source code to establish a function call graph, and determining the Binder communication interface functions exposed by the Android framework based on forward analysis from the transfer function;
S2, performing static analysis on the Android application code, starting from the Binder communication interface functions used in the Android application, and establishing the ContainerMap of each single function using a context-insensitive, flow-sensitive and path-insensitive inter-function data flow analysis technique, wherein the iteration termination condition of the data flow analysis is that the data-containing relation table ContainerMap no longer changes; and selecting the functions related to the Binder communication interface functions to establish the application-wide data-containing relation summary table ContainerMap_app;
and S3, based on the ContainerMap_app of step S2 and the capacity expansion transmission pattern, searching for capacity expansion transmission objects that match the pattern, analyzing the capacity expansion statements of those objects to judge whether the loop condition is met, and detecting Binder communication overload vulnerabilities that match the loop capacity expansion transmission pattern.
2. The method for detecting the Binder communication overload vulnerability based on static analysis of claim 1, wherein in step S1 the process of analyzing the Android framework source code to establish the function call graph and determining the Binder communication interface functions exposed by the Android framework based on forward analysis from the transfer function comprises the following steps:
statically analyzing the Android framework code and establishing a function call relation graph;
based on the Binder communication transmission principle, starting from the function transact at the lowest layer of the Binder transmission Java layer, analyzing the function call relation graph by context-insensitive, flow-insensitive and path-insensitive forward static analysis to obtain all functions in the Android framework source code that directly or indirectly call the transfer function transact, and taking those among them that are exposed to developers as the Binder transmission interface functions provided by the Android framework.
3. The method for detecting the Binder communication overload vulnerability based on static analysis as claimed in claim 2, wherein the process of obtaining all functions in the Android framework source code that directly or indirectly call the transfer function transact comprises the following steps:
starting from the bottom-layer function transact of Binder transmission on the Java layer, putting the transact function into a queue Q of functions to be analyzed;
taking a function from Q as the current function m under analysis, analyzing the inheritance and implementation relations of the class where m is located to obtain its parent class, adding the function of the parent class that has the same signature as m into Q, and analyzing the function call relation graph to obtain all functions that call m and adding them into Q;
iterating the analysis until Q is empty, whereupon the analyzed functions are all the functions that directly or indirectly call the transfer function transact.
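The worklist of claim 3, written out as an added Python illustration (not the patent's or the inventors' code) over a constructed reverse call graph. Only IBinder, BinderProxy and transact are real Android names; the stub class, the ActivityManager method edges and the "exposed" list are hypothetical stand-ins for the framework's call graph and public API.

```python
"""Worklist search for every framework function that directly or indirectly
calls the Binder transfer function transact (claim 3).
Added illustration over a constructed call graph; class and method names
other than IBinder/BinderProxy/transact are hypothetical."""
from collections import deque

# Constructed class hierarchy: class -> parent class.
CLASS_HIERARCHY = {
    "BinderProxy": "IBinder",            # BinderProxy implements IBinder
    "IActivityManagerStub": "IBinder",   # hypothetical stub class
}

# Every method known to the toy framework (Class.method).
METHODS = {
    "IBinder.transact", "BinderProxy.transact",
    "IActivityManagerStub.remoteCall",
    "ActivityManager.getRunningTasks", "ActivityManager.getRecentTasks",
    "ActivityManager.isUserRunning",
}

# Reverse call graph: callee -> set of direct callers (hypothetical edges).
CALLERS = {
    "IBinder.transact": {"IActivityManagerStub.remoteCall"},  # called via the interface type
    "IActivityManagerStub.remoteCall": {"ActivityManager.getRunningTasks"},
    "ActivityManager.getRunningTasks": {"ActivityManager.getRecentTasks"},
}

# Methods the toy framework exposes to application developers.
EXPOSED = {
    "ActivityManager.getRunningTasks",
    "ActivityManager.getRecentTasks",
    "ActivityManager.isUserRunning",     # exposed, but never reaches transact
}


def same_signature_in_parent(method):
    """Return Parent.method if the parent class declares the same signature."""
    cls, name = method.split(".", 1)
    parent = CLASS_HIERARCHY.get(cls)
    candidate = f"{parent}.{name}" if parent else None
    return candidate if candidate in METHODS else None


def callers_of_transact(start="BinderProxy.transact"):
    """Claim 3 worklist: start at the Java-layer transact, pull the parent's
    same-signature method and every direct caller into Q until Q is empty."""
    queue, seen = deque([start]), {start}
    while queue:
        m = queue.popleft()
        successors = set(CALLERS.get(m, ()))
        parent_method = same_signature_in_parent(m)
        if parent_method:
            successors.add(parent_method)
        for f in sorted(successors):
            if f not in seen:
                seen.add(f)
                queue.append(f)
    return seen


def binder_interface_functions():
    """Functions that transitively call transact and are exposed to developers."""
    return sorted(f for f in callers_of_transact() if f in EXPOSED)


if __name__ == "__main__":
    print(binder_interface_functions())
```

The parent-class step matters because application code usually calls through the interface type (IBinder.transact), so without it the callers recorded against the interface method would never be reached from the concrete BinderProxy.transact.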
4. The method for detecting the Binder communication overload vulnerability based on static analysis of claim 1, wherein in step S2 the process of establishing the ContainerMap of a single function by the context-insensitive, flow-sensitive and path-insensitive inter-function data flow analysis technique comprises the following steps:
creating an empty ContainerMap and an empty data dependency relation table DependencyMap for the current function;
starting from the first statement of the current function, analyzing the statements one by one and updating the ContainerMap and the DependencyMap;
the DependencyMap is updated in Def-Use fashion: when an assignment statement is analyzed, its left-value variable is the assigned variable; if the right value is a new object, the definition of the left-value variable in the DependencyMap is updated to that new object, otherwise it is updated to the definition of the current right-value object; when the analyzed statement uses a variable recorded in the DependencyMap, the definition of that variable is looked up during the statement analysis;
the updating of the ContainerMap comprises the processing of capacity expansion statements and function call statements, and the analysis is repeated until the ContainerMap of the current function no longer changes;
continuing the analysis until a ContainerMap has been generated for every function related to the Binder transmission interface functions, and establishing the mapping from function to ContainerMap, namely the ContainerMap_app.
5. The method for detecting the Binder communication overload vulnerability based on static analysis of claim 4, wherein the updating of the ContainerMap comprises:
for a completely defined container capacity expansion statement, adding the container object and the element object into the ContainerMap, where a container capacity expansion statement is a call to an operation function of a container object by which elements can be added to that container object;
for a function call statement, if the called function m already has a ContainerMap_m, using ContainerMap_m to map the containing relation into the caller, and if ContainerMap_m does not yet exist, analyzing the called function first to generate ContainerMap_m.
6. The method for detecting the Binder communication overload vulnerability based on static analysis of claim 4, wherein the DependencyMap and the ContainerMap both take the form of hash tables storing key-value pairs, keys are unique, and one key corresponds to exactly one value;
the key of the ContainerMap represents a container object and the value represents the set of element objects contained in that container object; each time a new capacity expansion operation is analyzed, the element object of that operation is added to the element object set of the corresponding container object in the current ContainerMap;
the key of the DependencyMap is a data object and the value is the definition set of that data object, representing the possible definitions of the object referred to by the key at the statement currently being analyzed; the current DependencyMap is updated each time a statement that defines a variable is analyzed.
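Claims 4 to 6 together describe one fixed-point pass per function. The following added Python example (not the patent's or the inventors' implementation) runs that pass over a constructed three-address style IR: a Def-Use DependencyMap mapping variables to definition sets, a ContainerMap mapping container objects to element sets, expansion statements recorded directly, and call statements resolved through the callee's ContainerMap, which is built on demand. All function, variable and object names are hypothetical, and callee parameters are written as "$0", "$1" so a summary can be substituted at any call site.

```python
"""ContainerMap (container object -> element objects) and DependencyMap
(variable -> possible definitions) construction of claims 4 to 6, run over a
constructed three-address style IR.  Added illustration; function, variable
and object names are hypothetical."""

# Constructed IR.  Statement forms:
#   ("new",    var, obj)        var = new obj
#   ("assign", var, src)        var = src
#   ("add",    cont, elem)      cont.add(elem)      -- capacity expansion statement
#   ("call",   callee, args)    callee(args...)
# Inside a callee its own parameters are written "$0", "$1", ...
PROGRAM = {
    "fillAll": [                         # fillAll(list, item)
        ("new", "extra", "Extra#1"),
        ("add", "$0", "$1"),
        ("add", "$0", "extra"),
    ],
    "buildBundle": [
        ("new", "names", "ArrayList#1"),
        ("new", "n", "String#1"),
        ("assign", "alias", "names"),    # alias and names share one definition
        ("call", "fillAll", ["alias", "n"]),
        ("new", "bundle", "Bundle#1"),
        ("add", "bundle", "names"),
    ],
}


def definitions(dmap, var):
    """Def-Use lookup: a parameter placeholder or unknown variable is its own
    symbolic definition, so callee summaries stay reusable at every call site."""
    return dmap.get(var, {var})


def analyze_function(name, program, summaries):
    """Build ContainerMap_name; re-analyse the statements until it stops changing."""
    if name in summaries:                # already built (or in progress, for recursion)
        return summaries[name]
    cmap = summaries[name] = {}
    while True:
        before = {k: set(v) for k, v in cmap.items()}
        dmap = {}                        # fresh DependencyMap per pass (flow sensitive)
        for stmt in program[name]:
            kind = stmt[0]
            if kind == "new":
                dmap[stmt[1]] = {stmt[2]}
            elif kind == "assign":
                dmap[stmt[1]] = set(definitions(dmap, stmt[2]))
            elif kind == "add":          # claim 5: record container -> element
                for cont in definitions(dmap, stmt[1]):
                    cmap.setdefault(cont, set()).update(definitions(dmap, stmt[2]))
            elif kind == "call":         # claim 5: reuse or build the callee summary
                callee_map = analyze_function(stmt[1], program, summaries)
                subst = {f"${i}": definitions(dmap, a) for i, a in enumerate(stmt[2])}
                for cont, elems in callee_map.items():
                    for c in subst.get(cont, {cont}):
                        target = cmap.setdefault(c, set())
                        for e in elems:
                            target.update(subst.get(e, {e}))
        if cmap == before:               # claim 4 termination condition
            break
    return cmap


def build_containermap_app(program, roots):
    """ContainerMap_app: function name -> ContainerMap, for every function
    reachable from the given Binder-related root functions."""
    summaries = {}
    for root in roots:
        analyze_function(root, program, summaries)
    return summaries


def contains_transitively(cmap, container, element):
    """Does `container` hold `element`, possibly through nested containers?"""
    work, seen = [container], set()
    while work:
        cur = work.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if element in cmap.get(cur, ()):
            return True
        work.extend(cmap.get(cur, ()))
    return False
```

Because the ContainerMap only ever grows and the IR is finite, the outer loop terminates; the summary of fillAll is computed once and reused at every call site, which is what keeps the analysis context-insensitive while still recording that the bundle transitively holds the strings added inside the callee.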
7. The method for detecting the Binder communication overload vulnerability based on static analysis of claim 1, wherein in step S3 the process of detecting the Binder communication overload vulnerability according to the loop capacity expansion transmission pattern comprises the following steps:
starting from a Binder transmission interface function, screening out the transmitted capacity expansion objects using the ContainerMap and the function call graph of the function;
for all transmitted capacity expansion objects, traversing all statements in the current function to find the corresponding capacity expansion statements, and recording the capacity expansion statement corresponding to each transmitted capacity expansion object, thereby obtaining the program paths that match the capacity expansion transmission pattern;
based on each program path matching the capacity expansion transmission pattern, judging by a depth-first search algorithm whether the capacity expansion statement is in a loop and whether the transmission statement is in that loop; if the capacity expansion statement is in a loop and the transmission statement is not in the loop, the program path matches the loop capacity expansion transmission pattern.
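The loop check of claim 7 as an added Python illustration (not the patent's or the inventors' code). It takes a constructed control-flow graph, a constructed variable-to-object map and a constructed ContainerMap for one function (in the method these would come from the ContainerMap_app step), screens the transmitted object and everything it transitively contains, and uses depth-first reachability to decide whether an expansion statement lies on a cycle and whether the transmission statement lies on the same cycle. Two CFGs are included: one where the list grows inside a loop and is sent once after it, which the pattern flags, and one where the transmission sits inside the same loop, which it does not.

```python
"""Claim 7 detection: a capacity expansion statement inside a loop while the
transmission statement is outside that loop, found by depth-first
reachability on a constructed control-flow graph.  Added illustration; the
CFGs, variable map and ContainerMap are constructed inputs, not the
patent's own code."""

# Constructed CFG: node -> (statement, successor nodes).
# Statement forms: ("new", var, obj) / ("cond",) / ("add", cont, elem)
#                  / ("transmit", var) / ("ret",)
VULN_CFG = {                       # for (...) { names.add(s); }  transact(bundle)
    "n1": (("new", "names", "ArrayList#1"), ["n2"]),
    "n2": (("cond",), ["n3", "n5"]),                # loop head
    "n3": (("new", "s", "String#1"), ["n4"]),
    "n4": (("add", "names", "s"), ["n2"]),          # expansion inside the loop
    "n5": (("new", "bundle", "Bundle#1"), ["n6"]),
    "n6": (("add", "bundle", "names"), ["n7"]),
    "n7": (("transmit", "bundle"), []),             # transmission after the loop
}
IN_LOOP_CFG = {                    # for (...) { names.add(s); transact(bundle); }
    "n1": (("new", "names", "ArrayList#1"), ["n2"]),
    "n2": (("cond",), ["n3", "n8"]),
    "n3": (("new", "s", "String#1"), ["n4"]),
    "n4": (("add", "names", "s"), ["n5"]),
    "n5": (("new", "bundle", "Bundle#1"), ["n6"]),
    "n6": (("add", "bundle", "names"), ["n7"]),
    "n7": (("transmit", "bundle"), ["n2"]),         # transmission inside the same loop
    "n8": (("ret",), []),
}
# Constructed variable -> object map and ContainerMap for this function.
DEFS = {"names": "ArrayList#1", "s": "String#1", "bundle": "Bundle#1"}
CONTAINERMAP = {"Bundle#1": {"ArrayList#1"}, "ArrayList#1": {"String#1"}}


def reaches(cfg, src, dst):
    """Depth-first search: is there a path of at least one edge from src to dst?
    reaches(cfg, n, n) is therefore 'n lies on a cycle', i.e. inside a loop."""
    stack, seen = list(cfg[src][1]), set()
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(cfg[node][1])
    return False


def transmitted_containers(cfg, cmap, defs):
    """Claim 7 step 1: the transmitted objects plus every object they
    transitively contain according to the ContainerMap."""
    out = set()
    for stmt, _ in cfg.values():
        if stmt[0] != "transmit":
            continue
        work = [defs[stmt[1]]]
        while work:
            obj = work.pop()
            if obj in out:
                continue
            out.add(obj)
            work.extend(cmap.get(obj, ()))
    return out


def expansion_statements(cfg, objs, defs):
    """Claim 7 step 2: nodes whose 'add' targets one of the screened objects."""
    return [n for n, (s, _) in cfg.items() if s[0] == "add" and defs[s[1]] in objs]


def find_loop_expansion_transmissions(cfg, cmap, defs):
    """Claim 7 step 3: (expansion node, transmit node) pairs where the
    expansion is in a loop and the transmission is not in that loop."""
    objs = transmitted_containers(cfg, cmap, defs)
    transmits = [n for n, (s, _) in cfg.items() if s[0] == "transmit"]
    hits = []
    for exp in expansion_statements(cfg, objs, defs):
        if not reaches(cfg, exp, exp):         # expansion is not inside any loop
            continue
        for tx in transmits:
            same_loop = reaches(cfg, exp, tx) and reaches(cfg, tx, exp)
            if not same_loop:
                hits.append((exp, tx))
    return hits


if __name__ == "__main__":
    print(find_loop_expansion_transmissions(VULN_CFG, CONTAINERMAP, DEFS))
```

"Same loop" is approximated here by mutual reachability, which is the strongly connected component containing the expansion statement; a nested-loop-aware version would intersect the natural loops of each back edge instead, but the claim's condition is satisfied by this check on both constructed graphs.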
8. A detection device for the Binder communication overload vulnerability based on static analysis, characterized in that the detection device comprises:
a Binder communication interface function acquisition module, which analyzes the Android framework source code to establish a function call graph and determines the Binder communication interface functions exposed by the Android framework by forward analysis from the transfer function;
a ContainerMap_app building module, which performs static analysis on the Android application code, starting from the Binder communication interface functions used in the Android application, and establishes the ContainerMap using a context-insensitive, flow-sensitive and path-insensitive inter-function data flow analysis technique, wherein the iteration termination condition of the data flow analysis is that the ContainerMap no longer changes; and which selects the functions related to the Binder communication interface functions to establish the ContainerMap_app;
and a Binder communication overload vulnerability detection module, which searches the ContainerMap_app for capacity expansion transmission objects that match the capacity expansion transmission pattern, analyzes the capacity expansion statements of those objects to judge whether the loop condition is met, and detects Binder communication overload vulnerabilities that match the loop capacity expansion transmission pattern.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the detection method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the detection method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110390864.9A CN113139184B (en) 2021-04-12 2021-04-12 Binder communication overload vulnerability detection method based on static analysis

Publications (2)

Publication Number Publication Date
CN113139184A true CN113139184A (en) 2021-07-20
CN113139184B CN113139184B (en) 2024-07-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant