Jiang Haitao, Guo Yajuan, Chen Hao, et al. Unauthorized access vulnerability detection method based on finite state machines for mobile applications [J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2017, 41(04): 434. [doi:10.14177/j.cnki.32-1397n.2017.41.04.006]

Unauthorized access vulnerability detection method based on finite state machines for mobile applications

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN:1005-9830/CN:32-1397/N]

Volume:
41
Issue:
2017, No. 4
Pages:
434
Publication date:
2017-08-31

Article information

Title:
Unauthorized access vulnerability detection method based on finite state machines for mobile applications
Article number:
1005-9830(2017)04-0434-08
Authors:
Jiang Haitao (姜海涛)1, Guo Yajuan (郭雅娟)1, Chen Hao (陈昊)1, Guo Jing (郭静)1, Zhou Chao (周超)1, Xu Jian (徐建)2
1. State Grid Jiangsu Electric Power Company Research Institute, Nanjing 211103, China; 2. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
Keywords:
mobile applications; finite state machines; unauthorized access; vulnerability detection; dynamic reconstruction
CLC classification number:
TP309.2
DOI:
10.14177/j.cnki.32-1397n.2017.41.04.006
Abstract:
Mobile application backends that omit permission verification expose unauthorized (privilege-crossing) access paths. To address this, the paper studies a detection method for unauthorized access vulnerabilities based on finite state machines. A separate finite state machine is built for each user role, and these are synthesized into the complete state machine of the mobile application. Every request in the complete state machine is then dynamically reconstructed and executed, and the execution results are analyzed, which yields an efficient and complete test for unauthorized access vulnerabilities. Experiments on internal enterprise mobile applications show that the method finds all hidden unauthorized access vulnerabilities, so it can be used to identify such vulnerabilities accurately.
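The following is an added illustration of the approach the abstract describes, not the authors' implementation: one state machine per role is recorded from the requests that role issues, the machines are merged into a complete state machine, and each request is then "dynamically reconstructed" by re-issuing it under every other role's session so the backend's actual authorization decision can be observed. The backend, roles, session tokens and endpoint paths are constructed for the example, and reading "dynamic reconstruction" as session substitution is this example's own assumption.

```python
# Added example (not the paper's code): role-FSM synthesis and cross-role replay
# to find backend endpoints that skip permission verification. Everything
# below (backend, tokens, endpoints, recorded transitions) is constructed.
from dataclasses import dataclass, field

# Session token -> role, as the real backend would resolve it. Constructed.
SESSIONS = {"tok-admin": "admin", "tok-user": "user", "tok-guest": "guest"}

# Business rule per endpoint plus whether the server actually enforces it.
# The unenforced delete endpoint models the flaw the method is meant to find:
# a backend that never checks the caller's role.
ENDPOINTS = {
    ("GET", "/api/orders/mine"): {"allowed": {"admin", "user"}, "enforced": True},
    ("GET", "/api/admin/users"): {"allowed": {"admin"}, "enforced": True},
    ("POST", "/api/admin/users/delete"): {"allowed": {"admin"}, "enforced": False},
    ("GET", "/api/public/notice"): {"allowed": {"admin", "user", "guest"}, "enforced": True},
}


def backend(method, path, token):
    """Stand-in server: returns an HTTP status code for one request."""
    role = SESSIONS.get(token)
    if role is None:
        return 401
    spec = ENDPOINTS.get((method, path))
    if spec is None:
        return 404
    if spec["enforced"] and role not in spec["allowed"]:
        return 403
    return 200


@dataclass(frozen=True)
class Transition:
    """One state change in a role's FSM, driven by one HTTP request."""
    src: str
    dst: str
    method: str
    path: str


@dataclass
class RoleFSM:
    role: str
    token: str
    transitions: list = field(default_factory=list)


def synthesize(fsms):
    """Complete state machine: every request seen in any role's FSM together
    with the set of roles that legitimately issue it. Those sets are the
    oracle for the replay step."""
    complete = {}
    for fsm in fsms:
        for t in fsm.transitions:
            complete.setdefault((t.method, t.path), set()).add(fsm.role)
    return complete


def detect(fsms, send):
    """Replay each request of the complete FSM under every role's session.
    A 2xx answer for a role whose own FSM never contains that request means
    the backend accepted it without a permission check."""
    complete = synthesize(fsms)
    tokens = {f.role: f.token for f in fsms}
    findings = []
    for (method, path), legit_roles in sorted(complete.items()):
        for role, token in tokens.items():
            if role in legit_roles:
                continue  # expected to succeed; nothing to test here
            if 200 <= send(method, path, token) < 300:
                findings.append((role, method, path))
    return findings


def build_fsms():
    """Constructed per-role FSMs, as they would be recorded by walking the app
    once with each role's credentials."""
    admin = RoleFSM("admin", "tok-admin", [
        Transition("login", "home", "GET", "/api/public/notice"),
        Transition("home", "orders", "GET", "/api/orders/mine"),
        Transition("home", "users", "GET", "/api/admin/users"),
        Transition("users", "users", "POST", "/api/admin/users/delete"),
    ])
    user = RoleFSM("user", "tok-user", [
        Transition("login", "home", "GET", "/api/public/notice"),
        Transition("home", "orders", "GET", "/api/orders/mine"),
    ])
    guest = RoleFSM("guest", "tok-guest", [
        Transition("start", "home", "GET", "/api/public/notice"),
    ])
    return [admin, user, guest]


def run_example():
    """Returns the list of (role, method, path) unauthorized-access findings."""
    return detect(build_fsms(), backend)


if __name__ == "__main__":
    for role, method, path in run_example():
        print(f"UNAUTHORIZED ACCESS: role={role} {method} {path}")
```

Two caveats a practitioner would add before using this against a real backend: success must be judged from more than the status code, since many mobile APIs answer 200 with an error body, so the replayed response should be diffed against the legitimate role's response; and the role sets inferred from the recorded FSMs are the only oracle, so an incomplete walk of one role turns its missing transitions into false positives.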

References:

[1] Qing Sihan. Research progress on Android security [J]. Journal of Software, 2016, 27(1): 45-71. (in Chinese)
[2] Zhang Yuqing, Fang Zhejun, Wang Kai, et al. Survey of Android OS security [J]. Journal of Computer Research and Development, 2015, 52(10): 2167-2177. (in Chinese)
[3] Chin E, Felt A P, Greenwood K, et al. Analyzing inter-application communication in Android [C]// Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services. New York, USA: Association for Computing Machinery, 2011: 239-252.
[4] Chan P P F, Hui L C K, Yiu S M. DroidChecker: analyzing Android applications for capability leak [C]// Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks. New York, USA: Association for Computing Machinery, 2012: 125-136.
[5] Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Heidelberg, Germany: Springer, 2012: 291-307.
[6] Enck W, Gilbert P, Han S, et al. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones [J]. ACM Transactions on Computer Systems, 2014, 32(2): 393-407.
[7] Wang Kai, Liu Qixu, Zhang Yuqing. Android inter-application communication vulnerability mining technique based on fuzzing [J]. Journal of University of Chinese Academy of Sciences, 2014, 31(6): 827-835. (in Chinese)
[8] Wolfe B, Elish K, Yao D F. High precision screening for Android malware with dimensionality reduction [C]// Proceedings of the 13th International Conference on Machine Learning and Applications. Detroit, USA: IEEE, 2014: 21-28.
[9] Huang Wei, Chen Hao, Guo Yajuan, et al. Mobile malware detection approach using ensemble classification [J]. Journal of Nanjing University of Science and Technology, 2016, 40(1): 35-40. (in Chinese)
[10] Li Yuxiang, Lin Baigang. Repackaging Android applications for enforcing security policy [J]. Information Network Security, 2014(1): 43-47. (in Chinese)
[11] Hu Yangbo, Wang Chenxian, Yuan Jie. Design and realization of a mobile application system for electric distribution network rush repair [J]. Jiangsu Electrical Engineering, 2014, 33(3): 49-52. (in Chinese)
[12] Li Yunpeng, Ji Chenyu, Fan Guoxiang. Designing of mobile marketing system based on the internet of things technique [J]. Jiangsu Electrical Engineering, 2015, 34(5): 80-84. (in Chinese)

Memo:
Received: 2017-01-14; revised: 2017-03-07. Funding: Science and Technology Project of State Grid Jiangsu Electric Power Company (J2016022).
About the authors: Jiang Haitao (b. 1985), male, Ph.D., engineer; main research interest: power system network and information security; E-mail: jianghaitaoxin@163.com. Corresponding author: Xu Jian (b. 1979), male, Ph.D., associate professor; main research interest: information security; E-mail: dolphin.xu@njust.edu.cn.
Citation format: Jiang Haitao, Guo Yajuan, Chen Hao, et al. Unauthorized access vulnerability detection method based on finite state machines for mobile applications [J]. Journal of Nanjing University of Science and Technology, 2017, 41(4): 434-441.
Submission site: http://zrxuebao.njust.edu.cn
Last update: 2017-08-31