Computer Engineering and Applications ›› 2018, Vol. 54 ›› Issue (6): 86-94.DOI: 10.3778/j.issn.1002-8331.1611-0187

Previous Articles     Next Articles

Dynamic event sequence guidance for Android application vulnerability verification technology

SUN Xiaoyong1,2, WANG Wei1, HUO Wei1,2, ZHOU Jianhua1   

  1. 1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100195, China
    2.School of Cyber Security, University of Chinese Academy of Sciences(UCAS), Beijing 100190, China
  • Online:2018-03-15 Published:2018-04-03

动态事件序列制导的Android应用漏洞验证技术

孙骁永1,2,王  伟1,霍  玮1,2,周建华1   

  1. 1.中国科学院 信息工程研究所,北京 100195
    2.中国科学院大学 网络空间安全学院,北京 100190

Abstract: At present, Android application vulnerability detection methods have static analysis and dynamic analysis. The static analysis has high rate of false positive. Although dynamic analysis reduces the rate of false positive, its operating efficiency and coverage are low. In order to solve the problem of dynamic analysis, this paper proposes the dynamic event sequence guidance for Android application vulnerability verification technology. This technology generates the activity jump graph by using the method of automated UI trigger. Then precisely guiding the suspicious path of vulnerability. Finally, verifying the suspicious path of vulnerability is whether executing. Automatically analyzing 10, 122 applications, the recall rate is 96.12% and false positive rate is 2.66%. The results show that the dynamic event sequence guidance for Android application vulnerability verification technology has good effective on automatically analyzing application.

Key words: dynamic event sequence, automated UI trigger, guidance verification, Android

摘要: 目前Android应用漏洞检测方法分为静态分析和动态分析。其中,静态分析存在误报率较高的问题,动态分析降低了误报率,但是存在运行效率和覆盖率较低的问题。针对动态分析存在的问题,首次提出了动态事件序列制导的Android应用漏洞验证技术,该技术使用自动化UI触发的方法生成Activity跳转关系图,然后对漏洞嫌疑路径进行精确制导,最后对漏洞触发嫌疑路径是否执行进行验证。经过对10 122个应用进行自动化漏洞分析,结果为召回率96.12%,误报率2.66%。实验结果表明,动态事件序列制导的Android应用漏洞验证技术对于自动化分析应用漏洞有很好的效果。

关键词: 动态事件序列, 自动化UI触发, 制导验证, Android