Computer Engineering and Applications ›› 2018, Vol. 54 ›› Issue (4): 110-116. DOI: 10.3778/j.issn.1002-8331.1609-0195

• Network, Communication and Security •

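ParaIntentFuzz: A Parallel Fuzzing Method for Android Application Vulnerabilities

LI Chuan1, LIU Baoxu2

  1. School of Mathematics and Computer Science, Fuzhou University, Fuzhou 350000
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
  • Publication date: 2018-02-15 Release date: 2018-03-07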

ParaIntentFuzz:Android applications parallel fuzzing system

LI Chuan1, LIU Baoxu2   

  1. School of Mathematics and Computer Science, Fuzhou University, Fuzhou 350000, China
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  • Online: 2018-02-15 Published: 2018-03-07

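Abstract: Permission leakage is a fairly common class of vulnerability in Android applications and can cause serious security problems, such as "collusion privilege escalation". Using Intent fuzzing to discover exposed components is an effective way to find permission leakage vulnerabilities. However, existing Intent fuzzing techniques run only on a single machine and are inefficient. This paper proposes ParaIntentFuzz, a parallel fuzzing method based on dynamic task allocation. The method extracts the extra information of an Android application through static analysis and constructs Intent commands, sends the commands to the target application with the Drozer tool, implements independent fuzzing, and is deployed on 4 machines. It was used to analyze 10 064 Android applications, and 7 367 of them were found to have permission leakage problems.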

Keywords: permission leakage, vulnerability mining, parallel, Android

Abstract: Permission leakage is a common kind of vulnerability among Android applications, and it can lead to serious security problems. Fuzzing Intents to discover exposed components, and then finding permission leakage in those exposed components, is an efficient way to mine permission leakage vulnerabilities. However, existing work that uses Intent fuzzing to test for this kind of vulnerability runs only on a single machine, which leads to low availability. A parallel fuzzing system based on dynamic task distribution, named ParaIntentFuzz, is implemented. It first extracts extra information from the application by static analysis and then constructs Intent commands. By sending these commands to the target application via Drozer, ParaIntentFuzz can effectively fuzz the target application. The system is deployed on four computers. ParaIntentFuzz was used to analyze 10 064 Android applications and found that 7 367 of them have permission leakage problems.

Key words: permission leakage, vulnerability mining, parallel, Android