WO2023029325A1 - Android privilege escalation attack discovery method based on dynamic permission set - Google Patents

Android privilege escalation attack discovery method based on dynamic permission set

Info

Publication number
WO2023029325A1
Authority
WO
WIPO (PCT)
Prior art keywords
permission
communication
decision
android
privilege escalation
Application number
PCT/CN2021/142968
Other languages
French (fr)
Chinese (zh)
Inventor
徐潜
章庆
贺伟
马颂华
Original Assignee
天翼电子商务有限公司
Application filed by 天翼电子商务有限公司
Priority application: JP2023519839A (published as JP2023543605A)
Publication: WO2023029325A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • The invention relates to the field of system security and privacy protection in Android security, mobile Internet and industrial Internet environments, in particular to a method for discovering Android privilege escalation attacks based on a dynamic permission set.
  • The Android system has become the mainstream operating system on mobile platforms, and its security issues attract more and more attention.
  • Android uses a permission mechanism, an isolation mechanism, application signatures and other means to ensure platform security, but there are serious defects: 1) authorization of applications is entrusted to users who lack security vigilance; 2) privilege escalation attacks exist.
  • Work on Android security mainly includes permission analysis, runtime detection with data tracking, static analysis, etc.
  • These mechanisms have no effective defense against privilege escalation attacks, especially runtime multi-application collusion attacks.
  • Many access control strategies introduce directed graphs into the Android security model, but they suffer from high time complexity and dependence on the communication direction between apps. Aiming at these problems, the present invention builds a strongly connected aggregation graph on the basis of the directed graph of process communication, replaces single application permissions with a dynamic permission set, and tracks the permission set through union-find and the privilege escalation path, realizing a linear-time decision algorithm in the amortized sense.
  • The technical problem to be solved by the present invention is to overcome the defects of the prior art and provide a method for discovering Android privilege escalation attacks based on dynamic permission sets.
  • The permission distribution characteristics of strongly connected branches are first analyzed and a dynamic permission set division is constructed; on the basis of the coupling of information flow and permission set, the privilege escalation path is abstracted; finally, a linear-time access control algorithm is proposed, and fine-grained decision control is realized by dynamically tracking the permission set; the proposed security model resists privilege escalation attacks well and reduces time complexity.
  • The present invention provides the following technical solutions:
  • The present invention provides a method for discovering Android privilege escalation attacks based on a dynamic permission set, characterized in that a malicious APP privilege escalation attack detection method is designed using the property that the permission sets of applications within a strongly connected branch of the communication state graph are equal. System applications are partitioned into equivalence classes by dynamic permission sets, an application group "group" is constructed to simplify the search space, and a permission-set-based "privilege escalation path" replaces the permission chain formed by the application processes themselves, specifically including the following steps:
  • System View is responsible for storing the communication state graph of the computing system;
  • Decision Checker is a component responsible for judging current communication requests, including ICC calls, socket communication and file IO operations, according to the communication state graph and the system's dangerous permission set (provided here by the MAC Policy component);
  • SELinux sits at the kernel layer and is mainly responsible for controlling covert channels, which here mainly means IO operations, socket operations, etc.;
  • New program installation: when a new application is installed, native Android extracts the permissions from the Manifest file and stores them in the Permission library. Here, node creation in the System View is added, and the node's P_SET_STATIC attribute is assigned from the Manifest permissions; likewise, when a program is uninstalled, its entry is deleted from the Permission database, its node is deleted from the System View, and Algorithm 3 is run to update the P_SET sets of the whole graph;
  • ICC call: as in native Android, the call is processed by the reference monitor. It is first judged against the Permission library; if the native Android permission requirements are not met, the communication is rejected outright. Otherwise the Decision Checker is called: it first queries the Decision database to see whether the current system state graph and the requester are already recorded, and if so returns the previously computed result directly; otherwise the request is sent to the System View, the Graph Maker computes the strongly connected aggregation of the communication state graph, and the System View compares the P_SET sets according to Algorithm 3 (with the MAC Policy providing the dangerous permission set). If the communication is allowed, the result is returned to the Decision Checker, and the decision together with the current communication state graph is stored in the Decision database so that it can be reused directly in the next judgment to improve efficiency;
  • Algorithm 3: here the MAC Policy provides the dangerous permission set;
  • File operations and socket operations involve access control at the kernel layer and are judged in the same way as ICC, except that the communication requests intercepted by the reference monitor in the ICC case are intercepted here by SELinux; the subsequent process is the same as for ICC, with SELinux sending the communication request to the Decision Checker for a decision.
  • The scheme of the present invention addresses the privilege escalation attack problem of malicious Android APPs: it abstracts the privilege escalation path with the strongly connected aggregation graph and realizes fine-grained detection of malicious attack paths by dynamically tracking permission sets.
  • The attack example model shows that the proposed Android privilege escalation attack discovery method has good performance and security in terms of time complexity, space complexity and the ability to resist privilege escalation attacks, and has a positive effect on application security and privacy protection under Android.
  • Fig. 1 is the overall architecture diagram of the security model of the present invention;
  • Fig. 2 is a flow chart of V1 initiating a communication connection request to V2;
  • Fig. 3 is a flow chart of V1 initiating a communication disconnection request to V2;
  • Fig. 4 is a schematic diagram of an example attack model;
  • Fig. 5 is a schematic diagram of a privilege escalation attack;
  • Fig. 6 is a schematic diagram of a Soundcomber attack instance.
  • The present invention is shown in Figures 1-6.
  • The present invention provides a dynamic-permission-set-based Android privilege escalation attack discovery method, which uses the property that the permission sets of applications within a strongly connected branch of the communication state graph are equal to design a mandatory access control model.
  • The model DP_ManDroid partitions system applications into equivalence classes by dynamic permission sets, builds an application group "group" to simplify the search space, and uses a permission-set-based "privilege escalation path" to replace the permission chain formed by the application processes themselves, including the following steps:
  • System View is responsible for storing the communication state graph of the computing system.
  • Decision Checker is a component responsible for judging current communication requests, including ICC calls, socket communication and file IO operations, according to the communication state graph and the system's dangerous permission set (provided here by the MAC Policy component).
  • SELinux sits at the kernel layer and is mainly responsible for controlling covert channels, which here mainly means IO operations, socket operations, etc.;
  • New program installation: when a new application is installed, native Android extracts the permissions from the Manifest file and stores them in the Permission library. Here, node creation in the System View is added, and the node's P_SET_STATIC attribute is assigned from the Manifest permissions. Likewise, when a program is uninstalled, its entry is deleted from the Permission database, its node is deleted from the System View, and Algorithm 3 is run to update the P_SET sets of the whole graph.
  • ICC call: as in native Android, the call is processed by the reference monitor. It is first judged against the Permission library; if the native Android permission requirements are not met, the communication is rejected outright. Otherwise the Decision Checker is called: it first queries the Decision database to see whether the current system state graph and the requester are already recorded, and if so returns the previously computed result directly; otherwise the request is sent to the System View, the Graph Maker computes the strongly connected aggregation of the communication state graph, and the System View compares the P_SET sets according to Algorithm 3 (with the MAC Policy providing the dangerous permission set). If the communication is allowed, the result is returned to the Decision Checker, and the decision together with the current communication state graph is stored in the Decision database so that it can be reused directly in the next judgment to improve efficiency.
  • Algorithm 3: here the MAC Policy provides the dangerous permission set.
  • File operations and socket operations involve access control at the kernel layer and are judged in the same way as ICC, except that the communication requests intercepted by the reference monitor in the ICC case are intercepted here by SELinux; the subsequent process is the same as for ICC, with SELinux sending the communication request to the Decision Checker for a decision.
  • Before the preliminary theorem, the definition of the system communication state graph is first given.
  • The dynamics of the permission set come from two aspects: 1) if the permission set of V_i changes by ΔP_SET, where i < k, then the permission sets of V_(i+1), V_(i+2), ..., V_k also change by ΔP_SET; 2)
  • The strongly connected aggregation graph of the system changes as the communication situation changes, that is, the strongly connected branches and their corresponding permission sets also change.
  • The privilege escalation path then degenerates into a permission chain, so the permission chain is a special case of the privilege escalation path.
  • The access control rules of the model are defined by Rules 1.1 to 2.2, and the establishment and the disconnection of communication connections are considered separately.
  • tw(v1, v2) is the event that v1 initiates a two-way communication connection to v2;
  • sw(v1, v2) is the event that v1 initiates a one-way communication connection to v2;
  • v1 and v2 belong to
  • V.P_SET = V1.P_SET ∪ V2.P_SET; at the same time the node permission sets on the privilege escalation path starting from V are updated, and the communication connection is allowed to be established only when none of the updated P_SETs match the dangerous permission set.
  • The communication connection is allowed to be established only if none of the updated P_SETs match the dangerous permission set.
  • The permission sets of all nodes on the cycle are updated and become equal to each other, maintaining the permission distribution property of strongly connected branches.
  • Input: node x; parent pointer p.
  • Output: the strongly connected branch to which x belongs.
  • The time complexity of the FIND algorithm is O(α(n)), where α(n) is an extremely slowly growing function (the inverse Ackermann function); usually α(n) ≤ 4, so the FIND algorithm can be regarded as completing in constant time O(1).
  • Input: the root nodes x and y of the two union-find sets to be merged; Boolean variable ch.
  • The worst-case time complexity of the UNION algorithm is O(V_SCC) ≤ O(V).
  • Algorithm DFS_TARJAN computes the strongly connected aggregation graph G_SCC from the original graph G, constructs the tree topology of G_SCC, and updates the neighbors attribute of each node and the global count array.
  • Input: the adjacency-list description of the directed graph G; array dfn, recording the visit time of each vertex; array low, recording the minimum dfn value reachable from the vertex while it is on the stack; and the union-find root node root.
  • Output: the strongly connected aggregation graph G_SCC of the directed graph G.
  • root UNION(u, v, 0)
  • Algorithm BFS_UPDATE updates the privilege escalation path from node u ∈ V_SCC in G_SCC, traverses the vertex permission sets on the directed tree rooted at u by breadth-first search, and judges whether a privilege escalation attack exists.
  • Input: node u to be updated; label set ΔP_SET to be deleted or added; Boolean variable ch; auxiliary queue queue.
  • Algorithm BFS_UPDATE updates in breadth-first order, which avoids repeated updates of multi-branch nodes and improves efficiency, and the acyclicity of G_SCC ensures that the upper bound of the time complexity is O(V_SCC + E_SCC) ≤ O(V + E).
  • Fig. 2 and Fig. 3 respectively describe the flow charts when v1 initiates a communication connection request and a communication disconnection request to v2.
  • The time complexity of a judgment by the security model is O(1) in the best case.
  • In the worst case, when the strongly connected aggregation graph of the system has to be reconstructed, it is only necessary to change the input parameter u of Algorithm BFS_UPDATE to the set of nodes with in-degree 0 in G_SCC.
  • Each node in the BFS_UPDATE algorithm enters and leaves the queue once, so the upper bound of the algorithm's time complexity is still O(V+E), within the linear time bound.
  • Model correctness: the model's decision algorithm can resist collusion attacks from multiple applications and multiple communication directions.
  • Nodes are defined to represent 6 applications; the directed edges between them represent information transmission, and the direction of an edge is opposite to the direction of the information flow.
  • v4 can release data to a third party and is likely to be used for sensitive data transmission;
  • node v0 represents applications that provide content services, such as the phonebook and call voice information, which may contain sensitive data;
  • nodes v1 and v2 are applications that initiate a communication connection request, and the communication direction is v1 → v2 (the direction of the edge shown in the figure is v2 → v1).
  • v1 obtains information from v0;
  • v4 and v3 obtain information from v2;
  • v5 obtains information from v3 and v4.
  • v4 has permission A (A may be INTERNET), v0 has permission B (B may be PROCESS_OUTGOING_CALL, GPS, SMS, etc.), v3 has permission C, and v1, v2 and v5 have arbitrary permissions.
  • v_i has permission X_i, where i ∈ {1, 2, 5}.
  • the longest path of the two simply connected components leads to a privilege
  • The system state graph restores the initial three singly connected branches, and Algorithm 2 is re-run to restore the permission set of each node.
  • Android introduces a permission label mechanism to ensure the security of communication.
  • An application can declare the Permission labels it requires and obtain user authorization, and the system also has many built-in security labels. Through this label matching mechanism, communication can be established or a resource obtained only when the initiator of the communication or the requester of the resource holds the corresponding permission label.
  • Although the permission label mechanism prevents illegitimate applications from directly obtaining resources or sensitive data, it lacks an effective defense against privilege escalation attacks that expand an application's permissions by using services protected by permissions it was never granted.
  • The components of application C may only be accessed by applications holding the required permission. Application A does not hold that permission and therefore cannot access C's components directly, but it can access an application that does hold the permission and can access C, and so obtains C's data illegitimately through it.
  • The essence of a privilege escalation attack is to establish a "permission transfer link" between system applications and finally realize a "dangerous permission set" on one application, such as {INTERNET, FINE_LOCATION}.
  • When an application holds a dangerous permission set, there is a risk of private data leakage.
  • The scheme of the present invention uses the property that the permission sets of applications in the strongly connected branches of the communication state graph are equal, partitions system applications into equivalence classes by dynamic permission set, and reduces the problem to one on a directed acyclic graph (DAG).
  • The Audio Recorder records from the microphone, and the COLLACTION and TRANSMITION modules perform semantic analysis and data transmission respectively.
  • The application Call Process has the permission PROCESS_OUTGOING_CALL and establishes a two-way ICC communication connection with the application Audio Recorder, forming a strongly connected branch.
  • The corresponding dynamic permission set is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}.
  • Malicious application A obtains the data of the Audio Recorder module, so the permission set of A is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}.
  • Application B can establish a one-way communication (a file write operation) with Deliver App; B passes the data to Deliver App, which then sends it to the Internet.
  • With the XmanDroid security model, which enumerates two applications at a time: because the dangerous permission set has three permission labels, the permission label set formed by any two of Call Process, Audio Recorder, Malware A, Malware B and Deliver App can never match the dangerous permission set, and the decision fails.
  • For the security model using the historical permission set, the set is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO};
  • the History attribute of application B is NULL;
  • the algorithm merges application A;
  • the History attribute of B becomes {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}, which does not match the dangerous permission set, so the communication is allowed to be established, and Deliver App is then added to B's adjacency to update the History.
  • Sensitive data is sent to the Internet through A, B and Deliver App, and the decision is invalidated.

Abstract

The present invention relates to the fields of system security and privacy protection under environments of Android security, mobile Internet, and industrial Internet, and provides an Android privilege escalation attack discovery method based on a dynamic permission set. For a privilege escalation attack problem existing in an Android platform, a malicious App privilege escalation attack discovery method based on a dynamic permission set is provided. Permission distribution characteristics of strongly connected branches are first constructed and analyzed, and dynamic permission set division is designed; a permission escalation path is abstracted on the basis of coupling of an information flow and a permission set; and finally, a dynamic permission set updating algorithm of linear time is provided, and the decision control of fine granularity is achieved by tracking the permission set during operation. The provided security detection algorithm well resists privilege escalation attacks and reduces time complexity.

Description

一种基于动态权限集的安卓特权提升攻击发现方法A method for discovering Android privilege escalation attacks based on dynamic permission sets 技术领域technical field
本发明涉及Android安全、移动互联网及工业互联网环境下的系统安全与隐私保护领域,特别涉及一种基于动态权限集的安卓特权提升攻击发现方法。The invention relates to the field of system security and privacy protection under the environment of Android security, mobile Internet and industrial Internet, in particular to a method for discovering Android privilege escalation attacks based on a dynamic permission set.
背景技术Background technique
安卓系统目前已经成为移动平台上主流操作系统,其安全问题也越来越引人关注。安卓采用了权限机制、隔离机制、应用签名等方式保证平台的安全性,但存在严重的缺陷:1)应用程序的授权被委托给缺乏安全保护警觉的用户;2)存在特权提升攻击。The Android system has become the mainstream operating system on the mobile platform, and its security issues are attracting more and more attention. Android uses permission mechanism, isolation mechanism, application signature and other methods to ensure the security of the platform, but there are serious defects: 1) the authorization of the application is entrusted to users who lack security protection vigilance; 2) there are privilege escalation attacks.
目前针对Android安全的工作主要有权限分析,运行时检测与数据追踪,静态分析等。然而这些机制在面对特权提升攻击,特别是运行时多应用合谋攻击时没有有效的抵御方法。很多访问控制策略将有向图引入了Android安全模型中,但是存在时间复杂度过高且依赖App间通信方向的问题。针对这些问题,本发明方案在进程通信有向图的基础上构建强连通聚合图,用动态的权限集取代单个的应用权限,通过并查集与权限提升路径进行权限集追踪,实现平摊意义下的线性时间决策算法。At present, the work on Android security mainly includes permission analysis, runtime detection and data tracking, static analysis, etc. However, these mechanisms have no effective defense against privilege escalation attacks, especially runtime multi-application collusion attacks. Many access control strategies introduce directed graphs into the Android security model, but there are problems of high time complexity and dependence on the communication direction between Apps. Aiming at these problems, the present invention builds a strongly connected aggregation graph on the basis of a directed graph of process communication, replaces a single application permission with a dynamic permission set, and tracks the permission set through the merge search and permission promotion path to realize the shared meaning The linear-time decision-making algorithm under .
发明内容Contents of the invention
本发明要解决的技术问题是克服现有技术的缺陷,提供一种基于动态权限集的安卓特权提升攻击发现方法,首先分析强连通分支的权限分布特性,构建动态的权限集划分;然后在信息流与权限集耦合的基础上,抽象权限提升路径;最后提出线性时间的访问控制算法,通过动态追踪权限集,实现了细粒度的决策控制;所提出的安全模型很好的抵御了特权提升攻击,降低了时间复杂度。The technical problem to be solved by the present invention is to overcome the defects of the prior art and provide a method for discovering Android privilege escalation attacks based on dynamic permission sets. On the basis of the coupling of flow and permission set, the path of privilege escalation is abstracted; finally, a linear time access control algorithm is proposed, and fine-grained decision-making control is realized by dynamically tracking the permission set; the proposed security model is very good against privilege escalation attacks , reducing the time complexity.
为了解决上述技术问题,本发明提供了如下的技术方案:In order to solve the problems of the technologies described above, the present invention provides the following technical solutions:
本发明提供一种基于动态权限集的安卓特权提升攻击发现方法,其特征 在于,利用通信状态图中强连通分支内的应用的权限集相等这一特点,设计了恶意APP特权提升攻击检测方法,用动态权限集对系统应用进行等价划分,构建应用组“group”以简化搜索空间,并利用基于权限集的“权限提升路径”取代应用进程自身构成的权限链,具体包括以下步骤:The present invention provides a method for discovering an Android privilege escalation attack based on a dynamic authority set, which is characterized in that a malicious APP privilege escalation attack detection method is designed by using the characteristic that the application authority sets in the strongly connected branch in the communication state diagram are equal. Equivalently divide system applications with dynamic permission sets, construct an application group "group" to simplify the search space, and use a permission set-based "privilege escalation path" to replace the permission chain formed by the application process itself, specifically including the following steps:
在DP_ManDroid模型的整体架构中,其中,System View负责存储计算系统的通信状态图;Decision Checker是一个组件,负责按照通信状态图以及系统的危险权限集(这里由MAC Policy组件提供)对当前的通信请求,包括ICC调用,套接字通信以及文件IO操作等进行判断;SELinux处于内核层,主要负责对隐蔽信道进行控制,这里主要指IO操作,套接字操作等;In the overall architecture of the DP_ManDroid model, System View is responsible for storing the communication state diagram of the computing system; Decision Checker is a component responsible for checking the current communication according to the communication state diagram and the system's dangerous permission set (here provided by the MAC Policy component) Requests, including ICC calls, socket communication, and file IO operations, etc.; SELinux is at the kernel layer and is mainly responsible for controlling covert channels. Here it mainly refers to IO operations, socket operations, etc.;
下面分别对几个通信操作进行说明:The following describes several communication operations:
1)新程序安装:新的应用程序安装时,原生的安卓系统提取Manifest文件中的权限并存储在Permission权限库,这里增加了在System view中的节点创建工作,并按Manifest的权限赋值节点的P_SET_STATIC属性;同理在程序卸载时,Permission数据库进行删除操作,System view的节点也将删除,运行算法3对全图的P_SET集进行更新;1) New program installation: When a new application is installed, the native Android system extracts the permissions in the Manifest file and stores them in the Permission permission library. Here, the node creation work in the System view is added, and the nodes are assigned according to the permissions of the Manifest P_SET_STATIC attribute; similarly, when the program is uninstalled, the Permission database will be deleted, and the nodes of the System view will also be deleted. Run Algorithm 3 to update the P_SET set of the whole graph;
2)ICC调用:与原生安卓一样,由引用监视器(reference monitor)对调用进行处理,首先是按照Permission权限库进行判断,如果不满足原生的安卓权限要求,通信直接被拒绝,否则的话,调用Decision Checker进行判断,首先查询Decision数据库看系统状态图与通信请求方是否以在数据库中,如果在,则按照之前计算的结果直接返回;否则将通信请求送入System view中,由Graph maker进行通信状态图的强连通聚集计算,再由System view按算法3进行P_SET集比对(这里由MAC Policy提供危险权限集),如果通信被允许,将结果返回给Decision Checker,并将做出的决策以及当前系统通信状态图存储在Decision数据库中,用来在下次的通信判断中直接取用,提高效率;2) ICC call: Same as the native Android, the call is processed by the reference monitor. First, it is judged according to the Permission permission library. If the original Android permission requirements are not met, the communication is directly rejected. Otherwise, the call Decision Checker judges, first query the Decision database to see if the system state diagram and the communication requester are in the database, if so, return directly according to the previous calculation result; otherwise, send the communication request to the System view, and communicate with the Graph maker The strongly connected aggregate calculation of the state diagram, and then the system view performs the P_SET set comparison according to Algorithm 3 (here, the MAC Policy provides the dangerous permission set), and if the communication is allowed, the result is returned to the Decision Checker, and the decision made and The current system communication state diagram is stored in the Decision database, which can be used directly in the next communication judgment to improve efficiency;
3)文件操作以及套接字操作涉及内核层的访问控制,与ICC一样进行判断,只不过ICC中由引用监视器截获的通信请求这里由SELinux截获,之后的过程与ICC一样,SELinux发送通信请求给Decision Checker进行判定。3) File operations and socket operations involve access control at the kernel layer, which is judged the same as ICC, except that the communication requests intercepted by the reference monitor in ICC are intercepted by SELinux here, and the subsequent process is the same as ICC, SELinux sends communication requests Give Decision Checker a decision.
与现有技术相比,本发明的有益效果如下:Compared with the prior art, the beneficial effects of the present invention are as follows:
本发明方案针对安卓恶意APP的特权提升攻击问题,利用强连通聚合图抽象权限提升路径,通过动态追踪权限集的方法实现了细粒度的恶意攻击路径探测。同时,通过攻击实例模型证明了提出的安卓特权提升攻击发现方法在时间复杂度、空间复杂度和抵御特权提升攻击的能力等方面均具有良好的性能和安全性,对安卓系统下的应用安全与隐私保护具有积极作用。The scheme of the present invention aims at the problem of privilege elevation attack of Android malicious APPs, and realizes fine-grained detection of malicious attack paths through the method of dynamically tracking privilege sets by using the abstract privilege elevation path of the strongly connected aggregation graph. At the same time, the attack example model proves that the proposed Android privilege escalation attack detection method has good performance and security in terms of time complexity, space complexity, and the ability to resist privilege escalation attacks. Privacy protection has a positive effect.
Description of the drawings
The accompanying drawings provide a further understanding of the invention and form part of the description; together with the embodiments they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is the overall architecture diagram of the security model of the invention;
Fig. 2 is the flow chart of v_1 initiating a communication connection request to v_2;
Fig. 3 is the flow chart of v_1 initiating a communication disconnection request to v_2;
Fig. 4 is a schematic diagram of an attack model instance;
Fig. 5 is a schematic diagram of a privilege escalation attack;
Fig. 6 is a schematic diagram of a Soundcomber attack instance.
Detailed description
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here are intended only to illustrate and explain the invention, not to limit it.
Embodiment 1
As shown in Figures 1-6, the invention provides an Android privilege escalation attack discovery method based on dynamic permission sets. It exploits the property that the applications within a strongly connected component of the communication state graph have equal permission sets to design a mandatory access control model, DP_ManDroid, which partitions the system's applications into equivalence classes by dynamic permission set, builds application groups ("group") to shrink the search space, and replaces the permission chain formed by the application processes themselves with a permission-set-based "privilege escalation path". The method comprises the following steps:
As shown in Figure 1, in the overall architecture of the DP_ManDroid model the System View stores and computes the system's communication state graph. The Decision Checker is the component that judges the current communication request, whether an ICC call, socket communication or file I/O operation, against the communication state graph and the system's dangerous permission set (supplied here by the MAC Policy component). SELinux sits in the kernel layer and is mainly responsible for controlling covert channels, here chiefly I/O operations and socket operations;
The individual communication operations are described below:
1) New application installation: when a new application is installed, native Android extracts the permissions from its Manifest file and stores them in the Permission store. Here, a node is additionally created in the System View and its P_SET_STATIC attribute is assigned from the Manifest permissions. Likewise, when an application is uninstalled, its entry is deleted from the Permission database, its node is deleted from the System View, and Algorithm 3 is run to update the P_SET sets of the whole graph.
2) ICC call: as in native Android, the call is handled by the reference monitor. It is first checked against the Permission store; if the native Android permission requirements are not met, the communication is rejected outright. Otherwise the Decision Checker is invoked: it first queries the Decision database to see whether the current system state graph and the requesting party are already recorded there, and if so returns the previously computed result directly. Otherwise the request is passed to the System View, where the Graph Maker performs the strongly connected aggregation of the communication state graph and the System View then compares the P_SET sets according to Algorithm 3 (the dangerous permission set is supplied by the MAC Policy). If the communication is allowed, the result is returned to the Decision Checker, and the decision together with the current system communication state graph is stored in the Decision database so that it can be reused directly in later decisions, improving efficiency.
3) File operations and socket operations involve access control at the kernel layer and are judged in the same way as ICC, except that the communication request, which for ICC is intercepted by the reference monitor, is here intercepted by SELinux; the rest of the process is identical, with SELinux forwarding the request to the Decision Checker for a decision.
Preliminaries: the definition of the system communication state graph is given first.
Definition 1. The system communication directed graph is G=(V,E), where the vertex set V represents the communicating subjects and E the communication connections; the direction of an edge in E gives the direction of the information flow. The attribute P_SET of a vertex v is the set of permissions the node holds in the communication connection.
G_SCC=(V_SCC,E_SCC) denotes the strongly connected aggregation graph obtained by collapsing each strongly connected component of G=(V,E) into a single node.
Definition 2. The edge set E of G=(V,E) contains one-way and two-way communication connections, principally ICC calls, file accesses and Internet socket operations.
1) Two-way communication: let v_1,v_2∈V; if there exists an ICC call, a socket call or two-way file read/write access v_1→v_2 (v_2→v_1), then:
Figure PCTCN2021142968-appb-000001
e_2∈E∧e_1=(v_1,v_2)∧e_2=(v_2,v_1).
2) One-way communication: let v_1,v_2∈V; if there exists one-way file read/write access v_1→v_2 (v_2→v_1), then:
Figure PCTCN2021142968-appb-000002
Theorem 1 (permission transfer). Let v_1,v_2∈V and
Figure PCTCN2021142968-appb-000003
e=(v_1,v_2); then:
Figure PCTCN2021142968-appb-000004
Figure PCTCN2021142968-appb-000005
Proof: if e=(v_1,v_2), then by Definition 1 information flows from v_1 to v_2. If v_1 holds permissions that allow it to obtain certain information, v_2 can obtain that information too, which is equivalent to v_1's permissions being transferred to v_2, so that
Figure PCTCN2021142968-appb-000006
Corollary 1 (permission chain). If G=(V,E) contains a single-source directed path p=(v_1,v_2,…,v_k) with v_1,v_2,…,v_k∈V, then v_i→P_SET=v_1→P_SET∪v_2→P_SET∪…∪v_i→P_SET. That is, a node's permission set P_SET propagates along directed paths, in the same direction as the information flow. The path p is then called a "permission chain" with direction v_1→v_k, where v_1 is the start of the chain and v_k its end.
Theorem 2 (dynamic permission set). The permission sets of all nodes within a strongly connected component are equal, namely the union of the P_SETs of those nodes. This union of the vertex permissions within a strongly connected component is called the "dynamic permission set". That is, if
Figure PCTCN2021142968-appb-000007
then the dynamic permission set is V_i→P_SET=v_1→P_SET∪v_2→P_SET∪…∪v_k→P_SET.
Proof: if v_1→P_SET≠v_2→P_SET, then
Figure PCTCN2021142968-appb-000008
Figure PCTCN2021142968-appb-000009
By the definition of strong connectivity, v_1 and v_2 are mutually reachable and can therefore transfer permissions to each other, so Corollary 1 gives:
Figure PCTCN2021142968-appb-000010
a contradiction, which proves the theorem.
Corollary 2 (privilege escalation path). If the strongly connected aggregation graph G_SCC contains a single-source directed path p=(V_1,V_2,…,V_k) with V_1,V_2,…,V_k∈V_SCC, then V_i→P_SET=V_1→P_SET∪V_2→P_SET∪…∪V_i→P_SET. The path p is then called a "privilege escalation path" of the system, i.e. the propagation path of the dynamic permission set. The dynamic nature of the permission set therefore has two sources: 1) if the permission set of V_i changes by Δ, where i≤k, then the permission sets of V_(i+1),V_(i+2),…,V_k also change by Δ; 2) the system's strongly connected aggregation graph changes as the communication situation changes, so the strongly connected components and their permission sets change too. In particular, when every V_i on a privilege escalation path contains a single node v_i, the privilege escalation path degenerates into a permission chain; the permission chain is thus a special case of the privilege escalation path.
Control policy in detail:
The model's access control rules are defined by Rules 1.1 to 2.2 and are considered separately for the establishment and the disconnection of a communication connection.
Define tw(v_1,v_2) as the event that v_1 initiates a two-way communication connection to v_2 and sw(v_1,v_2) as the event that v_1 initiates a one-way communication connection to v_2, where v_1 and v_2 belong to the strongly connected components V_1 and V_2 respectively. If there are k directed edges between V_1 and V_2, then count[V_1][V_2]=k.
1) v_1 and v_2 establish a communication connection.
Rule 1.1. If tw(v_1,v_2)∧V_1=V_2, then by Theorem 2 the P_SETs of v_1 and v_2 are equal, and the connection is allowed directly.
Rule 1.2. If tw(v_1,v_2)∧V_1≠V_2, then merge the dynamic permission sets into V=V_1∪V_2 with V→P_SET=V_1→P_SET∪V_2→P_SET, and update the permission sets of the nodes on the privilege escalation paths starting from V. The connection is allowed only if none of the updated P_SETs matches the dangerous permission set.
Rule 1.3. If sw(v_1,v_2)∧V_1=V_2, the situation is the same as in Rule 1.1 and the connection is allowed directly.
Rule 1.4. If sw(v_1,v_2)∧V_1≠V_2: if count[V_1][V_2]≥1, the connection is allowed directly; if count[V_2][V_1]≥1, establishing the connection merges V_1 and V_2 into a single strongly connected component V=V_1∪V_2, which is judged as in Rule 1.2; if count[V_2][V_1]=0, then V_1 and V_2 form a singly connected component, and the P_SET of every node on the privilege escalation path starting from V_2 is updated as V_i→P_SET=V_i→P_SET∪V_1→P_SET. The connection is allowed only if none of the updated P_SETs matches the dangerous permission set.
Special case: when V_1≠V_2, if
Figure PCTCN2021142968-appb-000011
or
Figure PCTCN2021142968-appb-000012
then V_1,V_i,…,V_2 form a loop. The loop need not be checked explicitly: it suffices to judge normally by Rule 1.2 or Rule 1.4 and update the privilege escalation paths starting from V=V_1∪V_2. Clearly the permission sets of all nodes on the loop are updated and become equal, preserving the permission distribution property of strongly connected components.
2) The communication connection between v_1 and v_2 is disconnected. No dangerous permission set can arise in this case; only the change of the strongly connected aggregation graph G_SCC and the corresponding change of the P_SET sets need to be considered.
Rule 2.1. When V_1≠V_2, if count[V_1][V_2]=1, update the permission set of every node on the directed tree rooted at V_2 as V_i→P_SET=V_i→P_SET\V_1→P_SET, and set count[V_1][V_2]=0.
Rule 2.2. When V_1=V_2, the strongly connected aggregation graph G_SCC must be recomputed and the P_SET of every node updated. Because the graph is a directed acyclic graph, the update algorithm remains bounded by linear time.
To improve decision efficiency, a union-find (disjoint-set) structure is introduced to represent strongly connected components. Algorithm FIND looks up the strongly connected component (the union-find root) to which node x belongs.
Algorithm FIND
Input: node x; parent pointer array p.
Output: the strongly connected component to which x belongs.
1) if p[x]≠x return p[x]=FIND(p[x])
2) return p[x]
The time complexity of FIND is O(α(n)), where α(n) is an extremely slowly growing function with α(n)≤4 in practice, so FIND can be regarded as running in constant time O(1).
Algorithm UNION merges two strongly connected components.
Algorithm UNION
Input: the roots x, y of the two union-find sets to be merged; Boolean variable ch.
1) p[y]=x
2) x→P_SET=x→P_SET+y→P_SET
3) x→neighbors=x→neighbors+y→neighbors
4) if ch=1
5) foreach vertex n in V_SCC do
6) count[x][n]=count[x][n]+count[y][n]
7) count[n][x]=count[n][x]+count[n][y]
The worst-case time complexity of UNION is O(V_SCC)≤O(V).
Algorithm DFS_TARJAN computes the strongly connected aggregation graph G_SCC from the original graph G, builds the tree topology of G_SCC, and updates the neighbors attribute of every node as well as the global count array.
Algorithm 1: DFS_TARJAN
Input: the adjacency-list description of the directed graph G; array dfn, recording the time at which each vertex is visited; array low, recording the smallest dfn value reachable from a vertex on the stack; union-find root root.
Output: the strongly connected aggregation graph G_SCC of the directed graph G.
1) foreach vertex u in G do
2) low[u]=dfn[u]=++index
3) push u to stack
4) foreach (u,v) in E do
5) if v is not visited then DFS_TARJAN(v)
6) low[u]=min(low[u],low[v])
7) else if v is in stack
8) low[u]=min(low[u],dfn[v])
9) if dfn[u]=low[u] then pop the stack from top to u as a V_SCC
10) foreach vertex u,v in V_SCC do
11) root=UNION(u,v,0)
12) add root into G_SCC
13) foreach edge e=(u,v) in G do
14) if FIND(u)≠FIND(v)
15) count[FIND(u)][FIND(v)]++
16) FIND(u)→neighbors[k++]=FIND(v)
17) end
By aggregate analysis, each vertex is pushed onto and popped from the stack exactly once. All UNION operations together execute O(V) times, and since UNION is called with ch=0, their total cost is O(V); the time complexity of DFS_TARJAN is therefore O(V+E).
Algorithm BFS_UPDATE updates the privilege escalation paths in G_SCC starting from a node u∈V_SCC: it traverses the vertex permission sets of the directed tree rooted at u breadth-first and determines whether a privilege escalation attack exists.
Algorithm 2: BFS_UPDATE
Input: node u to be updated; label set Δ→P_SET to be removed or added; Boolean variable ch; auxiliary queue queue.
Output: whether a privilege escalation attack exists.
1) add u into queue
2) while queue is not empty do
3) pop the top element n from queue
4) if ch=1
5) n→P_SET=n→P_SET+Δ→P_SET
6) if P_SET_dangerous=n→P_SET return true
7) if ch=0
8) n→P_SET=n→P_SET-Δ→P_SET
9) foreach v in n→neighbors
10) add v into queue
BFS_UPDATE updates breadth-first, which avoids repeated updates of nodes with several incoming branches and improves efficiency; because G_SCC is acyclic, its time complexity is bounded by O(V_SCC+E_SCC)≤O(V+E).
Figures 2 and 3 show the flow charts for v_1 initiating a communication connection request and a disconnection request to v_2, respectively. In the best case the security model reaches a decision in O(1) time. The worst case is the reconstruction of the system's strongly connected aggregation graph; then the input parameter u of BFS_UPDATE is simply replaced by the set of nodes of G_SCC with in-degree 0, and by aggregate analysis every node enters and leaves the queue once in BFS_UPDATE, so the time complexity remains bounded by O(V+E), within linear time.
Correctness of the scheme:
Theorem 3 (model correctness). The model's decision algorithm resists collusion attacks involving multiple applications and multiple communication directions.
Proof: 1) Control granularity and efficiency: first, the communication state graph G on which the algorithm is based couples the information flow and includes kernel-layer covert channels, giving finer control granularity than existing models; second, the analysis of the individual algorithms shows that the worst-case time complexity of the model's decisions is O(V+E), i.e. within a linear bound, which is better than existing models of the same kind.
2) Theoretical correctness: by the definition of a privilege escalation attack and the permission transfer property, however many applications take part in the attack, it always works by building a permission transfer chain in the system so as to expand the permissions at some point. Detecting multi-application collusion attacks can therefore be reduced to detecting the existence of permission chains in the system. If the establishment of communication between v_1 and v_2 expands the permissions of v, then the permission chain p=(v_1,v_2,…,v) must exist after the communication is established; otherwise, whether p already existed before the communication or still does not exist afterwards, communication between v_1 and v_2 cannot affect the permissions of v. Since the permission chain is a special case of the privilege escalation path, the strongly connected aggregation graph must contain a privilege escalation path p_SCC=(V_1,V_2,…,V) corresponding to p, where V_1, V_2 and V are the strongly connected components containing v_1, v_2 and v respectively.
Based on this analysis, when v_1 and v_2 establish communication it suffices to start from the permission sets V_1, V_2 to which v_1, v_2 belong and check whether a dangerous permission set arises on the privilege escalation path p_SCC starting from V_1, V_2, which is exactly Rule 1.2 (two-way communication) or Rule 1.4 (one-way communication). This proves the correctness of the algorithm.
An abstract attack model instance (based on a phone eavesdropping application) is introduced here to analyse the correctness of the proposed algorithm, as shown in Figure 4.
The figure defines six nodes representing six applications; the directed edges between them represent the transfer of information, with the direction of an edge opposite to the direction of the information flow. Among them, v_4 can publish data to third parties and is likely to be exploited for transmitting sensitive data; node v_0 represents applications that provide content services, such as the phone book or call voice data, which may contain sensitive data; nodes v_1 and v_2 are the applications initiating the communication connection request, with communication direction v_1→v_2 (shown in the figure as an edge v_2→v_1). From Figure 5 it can be seen that before v_1 and v_2 establish communication, v_1 obtains information from v_0, v_4 and v_3 obtain information from v_2, and v_5 obtains information from v_3 and v_4.
Assume that initially v_4 holds permission A (A might be INTERNET), v_0 holds permission B (B might be PROCESS_OUTGOING_CALL, GPS, SMS, etc.), v_3 holds permission C, and the permissions of v_1, v_2 and v_5 are arbitrary, defined as v_i holding permission X_i for i∈{1,2,5}. The system communication state graph then has three singly connected components, {v_1,v_4}, {v_5,v_4,v_2} and {v_5,v_3,v_2}. By Algorithm 2 the permissions of v_0 and v_2 remain their P_SET_STATIC_i, while the permission sets of v_4, v_1, v_3 and v_5 are updated by Algorithm 2 to P_SET_4={A,X_2}, P_SET_1={B,X_1}, P_SET_3={X_2,C}, P_SET_5={A,C,X_2,X_5}. The dangerous permission set is defined as {A,B,C}, which matches none of the P_SET_i.
When v_1 requests a communication connection to v_2 (whether started by the user or started indirectly by another application without the user's knowledge), the singly connected components become {v_5,v_4,v_2,v_1,v_0} and {v_5,v_3,v_2,v_1,v_0}, and by Algorithm 2 the permission sets become P_SET_1={B,X_1}, P_SET_2={B,X_1,X_2}, P_SET_3={B,C,X_1,X_2}, P_SET_4={A,B,X_1,X_2}, P_SET_5={A,B,C,X_1,X_2}. Only P_SET_5 matches the dangerous permission set {A,B,C}, so the communication request is rejected. The longest paths of the two singly connected components lead to a privilege escalation attack.
When the communication between v_1 and v_2 is disconnected, the system state graph reverts to the initial three singly connected components; Algorithm 2 is run again to restore the permission sets of the nodes.
Practicality:
Android introduces a permission label mechanism to secure communication. An application declares the Permissions labels it requires and obtains the user's authorization, and the system also ships many built-in security labels. Through this label matching mechanism, communication can be established or a resource obtained only when the initiator of the communication or the requester of the resource holds the corresponding permission label. Although the permission label mechanism effectively prevents illegitimate applications from obtaining resources or sensitive data directly, it lacks an effective defence against privilege escalation attacks that expand permissions through services not protected by a permission. As shown in Figure 5, the components of application C may only be accessed by applications holding the corresponding permission, so the components of application A, which lack that permission, cannot access C directly; A does, however, hold the permission to access an intermediate application, which in turn holds the permission to access C, so A can obtain C's data illegitimately through that intermediary. The essence of a privilege escalation attack is to build a "permission transfer link" between system applications so that some application ends up holding a "dangerous permission set" such as {INTERNET, FINE_LOCATION}; once an application holds a dangerous permission set, there is a risk of private data leaking. Traditional access control methods such as access control lists cannot solve the privilege escalation problem. The scheme uses the property that applications in the same strongly connected component of the communication state graph have equal permission sets to partition the system's applications into equivalence classes by dynamic permission set, building a directed acyclic graph (DAG) that simplifies the problem. It replaces the permission chain formed by the applications themselves with a permission-set-based "privilege escalation path", abstracting escalation paths and tracking permission changes on the basis of the coupled information flow and dynamic permission sets, so that the model can make decisions at run time; at the same time, the privilege escalation paths let the model resist collusion attacks across multiple applications and communication directions. Moreover, because kernel-layer covert channels such as file and socket operations are taken into account, collusion attacks over kernel covert channels can be resisted; the dynamic permission partition built on strongly connected components shrinks the search space, and the union-find structure together with the properties of privilege escalation paths keeps the algorithms within a linear time bound. The scheme is therefore highly practical.
Consider the Soundcomber eavesdropping example. As shown in Figure 6, applications A, B, C and Audio Recorder collude through a covert channel to steal the user's private conversation data.
Define the dangerous permission set as {PROCESS_OUTGOING_CALL, INTERNET, RECORDER_AUDIO}.
Audio Recorder records from the microphone, and the COLLACTION and TRANSMITION modules perform semantic analysis and data transmission respectively. The application Call Process holds the permission PROCESS_OUTGOING_CALL and establishes a two-way ICC connection with Audio Recorder, so the two form one strongly connected component whose dynamic permission set is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}.
Malicious application A obtains data from the Audio Recorder module, so A's permission set is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}. Application B can establish one-way communication (a file write operation) with Deliver App; B passes the data to Deliver App, which then sends it to the Internet.
If A initiates a one-way communication connection request to B (writing to B's common file):
1) Using the XmanDroid security model: two applications are enumerated at a time. Since the dangerous permission set contains three permission labels, the permission label set of any two of Call Process, Audio Recorder, Malware A, Malware B and Deliver App cannot match the dangerous permission set, and the decision fails.
2) Using a security model based on historical permission sets: the History attribute of application A is {PROCESS_OUTGOING_CALL, RECORDER_AUDIO} and the History attribute of application B is NULL. The algorithm merges the History attributes of A and B into {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}, which does not match the dangerous permission set, so the communication is allowed to be established; the History of B's neighbour Deliver App is then updated. At this point sensitive data is sent to the Internet via A, B and Deliver App, and the decision fails.
3) Using the decision algorithm proposed by the present invention: since this is a one-way communication request, rule 1.4 applies and the linear-time algorithm BFS_UPDATE is run to update the permission sets along the privilege escalation path {, A, B, Deliver App}. The permission set of the Deliver App program is found to be {PROCESS_OUTGOING_CALL, RECORDER_AUDIO, INTERNET}, which matches the dangerous permission set, so the communication connection is rejected.
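The three-way comparison above, and the P_SET comparison that the Decision Checker performs in the claim's ICC step, can be reproduced on the Soundcomber graph. The Python below is an added worked example, not code from the patent or its inventors. The app names, static permissions and dangerous set are taken from the text (labels kept as the text spells them); the edge list is constructed from its description (the two-way ICC link as two directed edges, a file write as one); and the dynamic permission set is computed as the union of permissions over an app's own strongly connected component and every component that can reach it in the condensation DAG, which is this example's reading of P_SET rather than the patent's own BFS_UPDATE. The `pairwise_check` function is likewise this example's reading of the two-at-a-time enumeration described for XmanDroid in step 1).

```python
from collections import defaultdict
from itertools import combinations

# Constructed from the Soundcomber description in the text. Apps with no
# static permission hold an empty set and gain permissions only through
# communication with apps that hold them.
STATIC_PERMS = {
    "Call Process": {"PROCESS_OUTGOING_CALL"},
    "Audio Recorder": {"RECORDER_AUDIO"},
    "Malware A": set(),
    "Malware B": set(),
    "Deliver App": {"INTERNET"},
}
DANGEROUS = frozenset({"PROCESS_OUTGOING_CALL", "INTERNET", "RECORDER_AUDIO"})

# Existing communication edges; data flows from source to destination.
EDGES = [
    ("Call Process", "Audio Recorder"), ("Audio Recorder", "Call Process"),  # two-way ICC
    ("Audio Recorder", "Malware A"),   # A reads the recorder's data
    ("Malware B", "Deliver App"),      # B writes a file that Deliver App reads
]


def tarjan_scc(nodes, adj):
    """Tarjan's algorithm. Returns the SCCs (as frozensets) in reverse
    topological order of the condensation DAG, i.e. sink components first."""
    index, low, on_stack, stack, sccs, counter = {}, {}, set(), [], [], [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            strongconnect(v)
    return sccs


def dynamic_permission_sets(static_perms, edges):
    """P_SET of every app: the union of the static permissions of its own SCC
    and of every SCC that can reach it. Apps in one SCC share one set (the
    property the patent builds on), and each component is visited once in
    topological order, so the pass is linear in the condensation DAG."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    sccs = tarjan_scc(list(static_perms), adj)
    comp_of = {v: i for i, comp in enumerate(sccs) for v in comp}
    p_set = [set().union(*(static_perms[v] for v in comp)) for comp in sccs]
    preds = defaultdict(set)            # predecessor components in the DAG
    for src, dst in edges:
        if comp_of[src] != comp_of[dst]:
            preds[comp_of[dst]].add(comp_of[src])
    for c in reversed(range(len(sccs))):  # sources first; preds already final
        for p in preds[c]:
            p_set[c] |= p_set[p]
    return {v: frozenset(p_set[comp_of[v]]) for v in static_perms}


def decide(static_perms, edges, request, dangerous):
    """Decision for a one-way request (src, dst): tentatively add the edge,
    recompute the dynamic sets along the escalation path and deny if any app
    would then hold the whole dangerous set. Returns (verdict, offenders)."""
    trial = dynamic_permission_sets(static_perms, edges + [request])
    offenders = sorted(v for v, s in trial.items() if dangerous <= s)
    return ("DENY" if offenders else "ALLOW"), offenders


def pairwise_check(static_perms, dangerous):
    """Two-apps-at-a-time comparison of static sets, as described for
    XmanDroid in the text; a three-label set spread over three apps never
    matches, so the request is allowed."""
    for a, b in combinations(static_perms, 2):
        if dangerous <= static_perms[a] | static_perms[b]:
            return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    before = dynamic_permission_sets(STATIC_PERMS, EDGES)
    print("Malware A before request:", sorted(before["Malware A"]))
    print("pairwise check:", pairwise_check(STATIC_PERMS, DANGEROUS))
    print("A -> B file write:", decide(STATIC_PERMS, EDGES, ("Malware A", "Malware B"), DANGEROUS))
```

Running the module shows the same outcome as the text: before the request A already carries {PROCESS_OUTGOING_CALL, RECORDER_AUDIO}, the pairwise check allows the write, and the path-based decision denies it because Deliver App would end up holding all three dangerous labels.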
Finally, it should be noted that the above is only a preferred embodiment of the present invention and is not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions recorded in those embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (1)

  1. A method for discovering Android privilege escalation attacks based on dynamic permission sets, characterized in that it exploits the property that the permission sets of applications within a strongly connected component of the communication state graph are equal: a method for detecting privilege escalation attacks by malicious apps is designed that partitions the system's applications into equivalence classes by their dynamic permission sets, builds application groups ("group") to reduce the search space, and replaces the permission chain formed by the application processes themselves with a permission-set-based "privilege escalation path"; the method specifically comprises the following steps:
    In the overall architecture of the DP_ManDroid model, System View stores the communication state graph of the computing system; Decision Checker is the component that judges the current communication request, including ICC calls, socket communication and file I/O operations, against the communication state graph and the system's dangerous permission set (supplied here by the MAC Policy component); SELinux sits at the kernel layer and is mainly responsible for controlling covert channels, here chiefly I/O operations and socket operations;
    The several communication operations are described separately below:
    1) Installation of a new program: when a new application is installed, native Android extracts the permissions from the Manifest file and stores them in the Permission database. Here the creation of a node in System View is added, and the node's P_SET_STATIC attribute is assigned from the Manifest permissions; likewise, when a program is uninstalled, its entry is deleted from the Permission database, its System View node is deleted as well, and Algorithm 3 is run to update the P_SET sets of the whole graph;
    2) ICC call: as in native Android, the call is handled by the reference monitor. It is first judged against the Permission database; if the native Android permission requirements are not met, the communication is rejected outright. Otherwise Decision Checker is invoked: it first queries the Decision database to see whether the system state graph and the communication requester are already recorded there and, if so, returns the previously computed result directly; otherwise the communication request is passed to System View, where Graph Maker performs the strongly-connected-component aggregation of the communication state graph and System View then compares the P_SET sets according to Algorithm 3 (with the dangerous permission set supplied by MAC Policy). If the communication is allowed, the result is returned to Decision Checker, and the decision together with the current system communication state graph is stored in the Decision database for direct reuse in the next communication judgment, improving efficiency;
    3) File operations and socket operations involve access control at the kernel layer and are judged in the same way as ICC, except that the communication request intercepted by the reference monitor in the ICC case is intercepted here by SELinux; the subsequent process is the same as for ICC, with SELinux forwarding the communication request to Decision Checker for a decision.
PCT/CN2021/142968 2021-09-06 2021-12-30 Android privilege escalation attack discovery method based on dynamic permission set WO2023029325A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023519839A JP2023543605A (en) 2021-09-06 2021-12-30 Android Privilege Escalation Attack Detection Method Based on Dynamic Privilege Set

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111040109.4 2021-09-06
CN202111040109.4A CN113923663A (en) 2021-09-06 2021-09-06 Android privilege elevation attack discovery method based on dynamic permission set

Publications (1)

Publication Number Publication Date
WO2023029325A1 true WO2023029325A1 (en) 2023-03-09

Family

ID=79234166

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/142968 WO2023029325A1 (en) 2021-09-06 2021-12-30 Android privilege escalation attack discovery method based on dynamic permission set

Country Status (3)

Country Link
JP (1) JP2023543605A (en)
CN (1) CN113923663A (en)
WO (1) WO2023029325A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104834862A (en) * 2015-03-25 2015-08-12 南京大学 Overall static analysis system for Android authority-escalated attack
US20190108330A1 (en) * 2017-10-10 2019-04-11 The Florida International University Board Of Trustees Context-aware intrusion detection method for smart devices with sensors

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
FIFI_0617: "Selinux Permission Description and Problem Solving", BLOG CSDN, CSDN, CN, CN, pages 1 - 3, XP009544196, Retrieved from the Internet <URL:https://blog.csdn.net/zyfzhangyafei/article/details/107953965> *
KANG, YUCHENG: "Android Attack Methods and Security Analysis", BLOG CSDN, CSDN, CN, CN, pages 1 - 5, XP009544243, Retrieved from the Internet <URL:https://blog.csdn.net/kangyucheng/article/details/78823997> *

Also Published As

Publication number Publication date
CN113923663A (en) 2022-01-11
JP2023543605A (en) 2023-10-17

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2023519839

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21955853

Country of ref document: EP

Kind code of ref document: A1