
Static taint analysis and symbolic execution-based Android application vulnerability discovery method

A taint analysis and symbolic execution technology, applied in computer security devices, instruments, computing, etc. It addresses the problems of existing static taint analysis (large memory and time consumption, false positives in the analysis results, and a complex analysis process), and it addresses the path-insensitivity problem, increases operating efficiency, and produces accurate analysis results.

Active Publication Date: 2017-05-24
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

A program usually has several times more data flows than control flows, and because of language characteristics the data flow analysis process is also quite complicated, so redundant data flow analysis directly causes huge memory and time consumption in static taint analysis.

[0012] 3. Because static taint analysis has the theoretical characteristic of "one-time comprehensive analysis", its analysis process is "path-insensitive": when a conditional branch statement is encountered during analysis, the direction the program will take cannot be identified, and only a full-path analysis can be performed. If no new technique is introduced for optimization, this may lead to false positives in the final analysis results. For example, a taint path may be reported even though, when the program executes, that path is completely unreachable because of the controlling conditional statements.



Embodiment Construction

[0047] In today's society, the number of users of mobile smart devices has far exceeded the number of host-terminal users, and Android mobile phone users account for the vast majority of end users. The open-source nature of the Android system framework means that Android mobile phone applications are always vulnerable, which has seriously affected personal information security and social security.

[0048] Under current technical conditions, vulnerability mining for Android mobile phone applications relies mainly on dynamic analysis. Although its accuracy is high, it requires program analysts to have rich experience in security analysis, and manual dynamic analysis consumes a lot of human resources and time. Therefore, how to discover vulnerabilities in Android applications more efficiently and automatically has become an urgent problem in the field of information security.

[0049] The present invention is based on the theory of program static taint analysis, on...


Abstract

The invention discloses a static taint analysis and symbolic execution-based Android application vulnerability discovery method. It mainly aims to solve the problems of a fixed analysis range, huge memory consumption and false positives in the analysis results that arise when vulnerabilities are discovered with the existing static taint analysis method. The method is realized through the following steps: 1) configuring an analysis target and decompiling the program source code; 2) carrying out control flow analysis on the decompilation result; 3) having the user select a source function according to the control flow analysis result, so as to narrow the analysis target; 4) carrying out data flow analysis according to the control flow analysis result, so as to generate vulnerability paths; and 5) filtering the data flow analysis result with a static symbolic execution technique, taking the parts that remain after filtering as the discovered vulnerabilities, warning the user and printing the vulnerability path. Compared with the existing static taint analysis technology, the disclosed method extends the vulnerability discovery range, decreases the memory consumption of vulnerability discovery and improves the accuracy of the vulnerability discovery results, and it can be applied to the discovery and study of Android application vulnerabilities.
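The following added example (not code from the patent or its authors) illustrates steps 4) and 5) and the path-insensitivity false positive described in [0012]: a path-insensitive walk reports every source-to-sink path, then a feasibility filter drops the path whose branch condition can never hold. The CFG, the statement format and the function names are assumptions, and the filter is a deliberately small stand-in for symbolic execution (constant values are tracked, unknown values are treated as unconstrained symbols).

```python
# Constructed toy CFG (not from the patent): node -> (statement, [(successor, branch condition)]).
# Statements: ("const", var, int) | ("source", var) | ("copy", dst, src) | ("sink", var) | ("nop",)
CFG = {
    "n0": (("const", "debug", 0), [("n1", None)]),
    "n1": (("source", "imei"), [("n2", None)]),
    "n2": (("copy", "msg", "imei"), [("n3", None)]),
    "n3": (("nop",), [("n4", ("debug", "==", 1)), ("n5", ("debug", "!=", 1))]),
    "n4": (("sink", "msg"), []),   # sink guarded by debug == 1, but debug is always 0
    "n5": (("nop",), [("n6", None)]),
    "n6": (("sink", "msg"), []),   # sink on the branch that is actually taken
}

def taint_paths(cfg, entry):
    """Step 4 (path-insensitive): every CFG path on which tainted data reaches a sink."""
    found, stack = [], [(entry, [entry], frozenset())]
    while stack:
        node, path, tainted = stack.pop()
        stmt, succs = cfg[node]
        if stmt[0] == "source":
            tainted = tainted | {stmt[1]}
        elif stmt[0] == "copy":
            tainted = tainted | {stmt[1]} if stmt[2] in tainted else tainted - {stmt[1]}
        elif stmt[0] == "const":
            tainted = tainted - {stmt[1]}
        elif stmt[0] == "sink" and stmt[1] in tainted:
            found.append(path)
        for succ, _cond in succs:      # branch conditions are ignored here
            if succ not in path:       # skip back-edges so the walk terminates
                stack.append((succ, path + [succ], tainted))
    return found

def feasible(cfg, path):
    """Step 5 (simplified): replay the path and reject it if a branch contradicts a known constant."""
    env = {}
    for node, nxt in zip(path, path[1:] + [None]):
        stmt, succs = cfg[node]
        if stmt[0] == "const":
            env[stmt[1]] = stmt[2]
        elif stmt[0] in ("source", "copy"):
            env.pop(stmt[1], None)     # value unknown: unconstrained symbol
        for succ, cond in succs:
            if succ == nxt and cond and cond[0] in env:
                var, op, val = cond
                if (env[var] == val) != (op == "=="):
                    return False
    return True

def report(cfg, entry):
    return [p for p in taint_paths(cfg, entry) if feasible(cfg, p)]
```

On this input the path-insensitive pass reports both sinks, while `report` keeps only the path ending at `n6`.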

Description

Technical field

[0001] The invention belongs to the field of network and system security, and specifically relates to a method for mining Android application vulnerabilities, which can be used for the analysis and study of Android program vulnerabilities caused by external injection.

Background technique

[0002] Taint propagation analysis is a technique for analyzing programs based on data dependencies. It is often used to detect data-related vulnerabilities in binary programs, such as privacy disclosure vulnerabilities and component hijacking vulnerabilities. Depending on whether the target program must be run, taint propagation analysis can be divided into two types: static and dynamic.

[0003] The static taint analysis method, compared with dynamic taint analysis based on multiple executions, only needs to be executed once to obtain the overall analysis result, which has the advantages of a more comprehensive analysis path and higher efficiency. The analysis process main...


Application Information

IPC(8): G06F21/57
CPC: G06F21/577
Inventor: 付胧玉, 杨超, 杨力, 马建峰, 罗丹, 卢璐
Owner: XIDIAN UNIV