基于安卓系统的手机恶意软件提权漏洞研究

随着互联网技术的发展,手机在人们日常生活中扮演着越来越重要的角色,安卓系统手机软件也越来越多,但手机应用软件漏洞也越来越严重。部分不法分子利用软件漏洞从事非法行为,对用户造成了较大影响。笔者主要研究了基于安卓系统的手机恶意软件提权漏洞发现和防护,通过分析安卓系统常见的可利用漏洞类型,分析安卓系统手机软件提权漏洞,提出了手机用户的防护应对措施。     

基于分布式信息流控制的无障碍辅助性服务安全加固

随着安卓系统的广泛使用,系统提供的功能也越来越多,其中一个重要特性是1.6版本中引入并在4.0及以上版本中优化的无障碍辅助性服务.通过无障碍辅助功能,应用不仅可以获得输入框输入文本等窗口元素信息,还可以与应用窗口自动地进行双向交互（如获得按钮信息点击按钮）.然而,这些特性一旦被滥用将会给用户带来巨大的安全威胁.本文对安卓系统中的无障碍辅助性服务进行深入研究,分析其可能被滥用的途径,并找出安全缺陷及产生原因.然后提出了基于分布式信息流的控制机制标记并跟踪无障碍辅助性服务和无障碍事件以进行安全加固.我们实现了一个名为的Tassel安全系统以防止无障碍辅助性服务滥用.经过测试,该系统可以在不影响系统其他功能正常使用的前提下,保证服务的使用安全,且系统整体的性能影响很小.     

基于安卓系统的手机恶意软件提权漏洞研究

研究基于安卓系统的手机恶意软件提权漏洞发现和防护,通过分析安卓系统常见的可利用漏洞类型,并结合案例剖析了利用漏洞实施恶意行为的恶意软件,提出了手机用户的防护应对措施.     

iOS与Android安全隐患不容忽视

在赛门铁克7月5日公布的《移动设备安全初探:针对苹果iOS和谷歌Android(安卓)平台安全应用的检测》白皮书中,安全专家提示:智能移动终端的OS仍存在安全隐患。这份白皮书对目前两款主流移动设备操作系统一苹果iOS系统和谷歌Android(安卓)系统进行了深入的技术评估,从而帮助企业了解在公司内部使用含有该操作平台的移动设备所面临的安全隐患。     

安卓操作系统的安全性研究

针对当前智能手机的快速普及,安卓操作系统进入到国计民生的各个领域,但由于安卓系统的开源性使得其软件漏洞层出不穷,其安全性也必须得到重视.文章主要研究了如何增强安卓系统的安全性,通过运用上下文的精细化处理,提高安全框架的完整性,提高对手机终端用户,安卓系统开发工程师和手机应用实际人员的安全机制,防范系统漏洞和手机病毒对于安卓系统和APP的攻击.     

基于OVAL的安卓漏洞检测评估系统

传统漏洞检测工具检测时间长,占用大量系统资源,需要对系统进行模拟攻击,难以应对越来越复杂的安卓漏洞威胁。提出了一种“C/S”架构的、基于开放漏洞评估语言(OVAL)的安卓漏洞检测评估系统。这种架构将大部分评估工作放在控制台端执行,减少了对安卓系统性能的影响,其以OVAL作为漏洞评估标准,在保证评估高精度的同时也具有更好的开放性和可扩展性。     

基于能量优化的Windows模糊测试系统

为解决模糊测试在Windows平台执行过程缓慢、漏洞识别误报率与漏报率均较高的问题,提出一种基于动态能量优化的模糊测试系统。利用静态污点分析在敏感位置进行风险判定与标记;依据不同属性标准将输入文件划分为3种状态进行样本能量的动态优化;设计一种有效性度量机制针对低效输入截断。通过对4类应用进行实验,验证了在覆盖率和漏洞检测方面相较目前先进的模糊测试引擎最高提升67.6%与50.8%,并发现了5个未公开漏洞,其中两个获得CNVD编号,一个获得CVE编号,验证了系统的有效性。     

多维度的安卓应用相似度分析

基于安卓的智能设备的普及和移动互联网的发展带来了安卓应用的繁荣,但同时也带来了移动应用的开发、维护、安全等方面的问题。采取了多种技术,提取了安卓应用的功能描述、权限声明及源代码,并基于这些信息对1173个安卓应用进行了统计分析、相似度计算、聚类以及交叉对比;利用多个维度的安卓应用特征相似度分析,初步得到了安卓应用多个维度的相关规律,其可辅助不同的安卓应用的开发和管理任务,如权限过度声明检测、重打包检测、应用描述完善、领域内的公共类库的发现和提取等,从而帮助改善安卓市场的生态并提高安卓应用的开发效率。     

基于自动代码生成的Android服务层测试框架

Android是应用广泛的移动操作系统,正面临着非法提权、资源耗尽攻击等威胁。许多攻击都利用了Android系统服务中的漏洞,如JNI全局引用耗尽攻击(JGRE)、Android重击漏洞(ASV)和权限泄漏,这些漏洞会导致系统冻结、重新启动和未经授权的权限升级。本文中提出了一个Android服务层自动测试框架,扫描Android服务中存在的漏洞,并命名为Android服务自动测试工具。Android服务自动测试工具可以根据系统服务接口(Service API)自动生成测试代码来自动验证漏洞,大幅度减少人工验证的工作量。将Android服务自动测试工具应用于Android 9上,自动生成了720套测试代码,在137个系统服务中,总共发现了33个漏洞,其中的19个系统服务有28个JGRE漏洞,其中3个系统服务有5个权限提升漏洞。     

一种基于污点分析的文件型软件漏洞发现方法

基于黑盒测试思想的Fuzzing是漏洞分析的主要方法,但效率较低且不能分析未知格式.基于污点分析,提出一种针对文件型软件的漏洞发现新方法.利用污点分析寻找输入中能导致执行流到达脆弱点的字节,再改变这些字节产生新输入;同时根据污点信息产生特征码.利用插桩工具实现了原型系统,对三个真实漏洞进行了测试.实验结果表明该方法能有效发现漏洞,生成的测试用例远小于Fuzzing,且不依赖输入格式;特征码的误报率漏报率均较低.     

A static technique for detecting input validation vulnerabilities in Android apps

Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.     

SSPFA: effective stack smashing protection for Android OS

In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack buffer overflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Android devices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA, the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows without changing the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is not intrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over the proposed solution.

     

Objective Risk Evaluation for Automated Security Management

Network security depends on a number of factors. And a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure and traffic. These factors can be divided into two broad categories. Network risk and service risk. As the name implies, the former one corresponds to risk associated with the network policy whereas the later one depends on the services and software running on the system. Therefore, evaluating security from both the service and policy perspective can allow the management system to make decisions regarding how a system should be changed to enhance security as par the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and to systematically modify security configurations to improve security. As there may be real time changes to the network threat, this evaluation must be done dynamically to handle such changes. In this paper, we provide a security metric framework that quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerabilities of the remotely accessible services, prediction of potential vulnerabilities for these services and their estimated severity, unused address space and finally propagation of an attack within the network. These factors cover both the service aspect and the network aspect of risk toward a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management of services and policies in a system using risk measurement and mitigation. We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from National Vulnerability Database (NVD) and show comparison with two existing risk measurement tools.     

Android应用安全缺陷的静态分析技术研究

随着移动互联网的快速发展,智能手机特别是Android智能手机的用户日益增多,Android应用的安全缺陷层出不穷。将Android应用安全缺陷分为漏洞缺陷、组件缺陷和配置缺陷等三方面,针对这些安全缺陷,对字节码文件进行静态分析,将解析的Android字节码作为检查载体,采用访问者模式为每一种脆弱性检测设计检测器。最后给出了部分代码实现,实践证明能够满足Android应用安全缺陷的静态检测需求。     

Assessment Of Vulnerability Scanners

Securing information over the Internet can be facilitated by a multitude of security technologies. Technologies such as intrusion detection systems, anti-virus software, firewalls and crypto devices have all contributed significantly to the security of information. This article focuses on vulnerability scanners (VSs). A VS has a vulnerability database containing hundreds of known vulnerabilities, which it scans for. VSs do not scan for the same type of vulnerabilities since the vulnerability databases for each VS differ extensively. In addition, there is an overlap of vulnerabilities between the vulnerability databases of various VSs. The concept of harmonised vulnerability categories is introduced in this paper. Harmonised vulnerability categories consider the entire scope of known vulnerabilities across various VSs in a bid to act as a mediator in assessing the vulnerabilities that VSs scan for. Harmonised vulnerability categories, thus, are used to do an objective assessment of the vulnerability database of a VS.     

VAnDroid: A framework for vulnerability analysis of Android applications using a model-driven reverse engineering technique

Android is extensively used worldwide by mobile application developers. Android provides applications with a message passing system to communicate within and between them. Due to the risks associated with this system, it is vital to detect its unsafe operations and potential vulnerabilities. To achieve this goal, a new framework, called VAnDroid, based on Model Driven Reverse Engineering (MDRE), is presented that identifies security risks and vulnerabilities related to the Android application communication model. In the proposed framework, some security-related information included in an Android app is automatically extracted and represented as a domain-specific model. Then, it is used for analyzing security configurations and identifying vulnerabilities in the corresponding application. The proposed framework is implemented as an Eclipse-based tool, which automatically identifies the Intent Spoofing and Unauthorized Intent Receipt as two attacks related to the Android application communication model. To evaluate the tool, it has been applied to several real-world Android applications, including 20 apps from Google Play and 110 apps from the F-Droid repository. VAnDroid is also compared with several existing analysis tools, and it is shown that it has a number of key advantages over those tools specifically regarding its high correctness, scalability, and usability in discovering vulnerabilities. The results well indicate the effectiveness and capacity of the VAnDroid as a promising approach in the field of Android security.     

软件漏洞静态检测模型及检测框架

软件漏洞静态分析是信息安全领域的重点研究方向,如何描述漏洞及判别漏洞是漏洞静态分析的核心问题。提出了一种用于描述和判别漏洞的漏洞静态检测模型。首先对软件漏洞的属性特征进行形式化定义,并对多种软件漏洞和其判定规则进行形式化描述;其次,针对传统的路径分析存在的状态空间爆炸问题,提出了一个新的程序中间表示——漏洞可执行路径集,以压缩程序状态空间。在该模型的基础上,设计了一个基于漏洞可执行路径集的软件漏洞静态检测框架,利用定义的漏洞语法规则求解漏洞可执行路径集上的漏洞相关节点集,利用漏洞判定规则对漏洞相关节点集进行判别得出漏洞报告。实验分析验证了该漏洞检测模型的正确性和可行性。     

基于机器学习的第三方SDK漏洞检测技术研究

随着智能手机的普及,手机应用市场的发展也变得如火如荼。开发人员在新应用的开发中,会用到一些第三方提供的SDK,但是其经常存在安全漏洞,对用户的隐私造成威胁。本文基于机器学习的方法设计了针对Android第三方SDK的漏洞检测系统,同时利用设计出的检测系统对常见的50款第三方SDK进行了漏洞测试,发现50个样本中有31个存在漏洞,漏洞类型主要包括恶意索取敏感权限、滥用HTTP协议、API误用以及本地服务器漏洞。     

Android系统服务信息分层获取方法

获取Android系统服务关键信息有利于实现对Android系统的漏洞挖掘和安全评估。为解决当前系统服务关键信息获取方法存在系统源码依赖度高、兼容性差导致的信息获取不全面的问题,提出一种Android系统服务信息分层获取方法。该方法通过在Android系统的应用层、框架层和内核层分别建立完整的Binder通信行为监控视图,解析服务依赖关系、服务进程信息与接口参数规范,在不依赖源码的前提下实现系统服务关键信息的自动化获取。在多个Android设备中进行系统服务关键信息获取实验,结果表明该方法能全面地获取多项系统服务关键信息,具备更强的实用性。