Method and device for detecting misuse of android cryptography based on graph structure code slicing
By performing reverse engineering and graph slicing on Android applications and utilizing neural network models to detect cryptographic misuse, this approach addresses the security issues in Android applications caused by developers' lack of knowledge, thereby improving the accuracy and efficiency of detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN
- Filing Date
- 2023-01-31
- Publication Date
- 2026-06-05
AI Technical Summary
In Android application development, the lack of cryptographic knowledge among developers leads to misuse of cryptography, affecting application security. Existing rule-based detection methods have unavoidable errors, affecting the accuracy of detection results.
By reverse engineering an Android application, the program dependency graph of the source code is obtained and the graph structure is sliced. A neural network model is used to detect candidate cryptographic misuses in the structured code slices. The model includes a reverse analysis module, a graph structure slicing module, a graph information representation module, and a model training module, and outputs the results of cryptographic misuses.
It enables timely detection of encryption misuse in Android applications, identifies potential threats, and improves the accuracy and efficiency of detection.
Smart Images

Figure CN116204423B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to a method and apparatus for detecting cryptographic misuse in Android based on graph structure code slicing, belonging to the field of cryptographic misuse detection technology. Background Technology
[0002] With the development of smartphones and internet technology, various mobile applications based on the Android system have emerged, profoundly impacting modern lifestyles. Due to its open-source and open-source characteristics, Android has become the operating system with the highest global market share for smart mobile devices.
[0003] During Android application development, due to developers' lack of cryptographic knowledge, errors often occur when implementing these cryptographic algorithms in the code, resulting in security vulnerabilities in the application. Attackers can exploit these cryptographic vulnerabilities to obtain sensitive user information, threatening citizens' personal information and property security.
[0004] Currently, the detection of password misuse on Android mainly adopts rule-based detection methods. However, because such methods rely on manual definition, they inevitably produce errors and inaccuracies, thus affecting the accuracy of the final detection results. Summary of the Invention
[0005] To address the aforementioned issues, this invention proposes a method and apparatus for detecting cryptographic misuse in Android applications based on graph structure code slicing, which can detect potential threats of encryption misuse in Android applications.
[0006] The technical solution adopted by this invention to solve its technical problem is as follows:
[0007] In a first aspect, the present invention provides a method for detecting Android cryptographic misuse based on graph structure code slicing, comprising the following steps:
[0008] The source code of the Android application to be tested is obtained through reverse engineering.
[0009] Obtain the source code dependency graph of the Android application and perform graph structure slicing to obtain the encrypted misuse candidate graph structured code slice;
[0010] Represent cryptographic misuse by constructing structured code slices of candidate graphs and using their graph information as a dataset for neural network model learning.
[0011] Training neural network models using datasets;
[0012] Utilize a trained neural network model to detect Android applications and output results of cryptographic misuse.
[0013] As one possible implementation of this embodiment, the reverse engineering of the Android application to be detected to obtain the source code includes:
[0014] The Zhuoying application to be tested is reverse engineered, and the program code in the compiled Zhuoying application APK file is reverse-engineered back into Java source code.
[0015] As one possible implementation of this embodiment, the step of obtaining the source code program dependency graph of the Android application and performing graph structure slicing includes:
[0016] Analyze the control flow and data flow of the program source code to obtain a program dependency graph based on functions in the source code;
[0017] If the code statements corresponding to the nodes in the program dependency graph conform to the syntax features of cryptographic algorithms, they are identified as candidate encryption misuse nodes.
[0018] The program slicing technique is used to separate candidate encryption misuse nodes from the program dependency graph, and based on the candidate encryption misuse nodes, nodes and corresponding edges that have data dependency or control dependency relationships with the candidate nodes are extracted from the program dependency graph to form a structured code slice of the encryption misuse candidate graph;
[0019] If a node in the structured code slice of the candidate cryptographic misuse graph contains a cryptographic misuse, the slice to which the node belongs is marked as a code slice with cryptographic misuse.
[0020] As one possible implementation of this embodiment, the analysis of the control flow and data flow of the program source code to obtain a program dependency graph based on functions in the source code includes:
[0021] Construct the control flow graph of the source code:
[0022] G = (N, E, entry, exit) | E = { <n i ,n j >|n i ,n j ∈N}
[0023] Where G represents the control flow graph, N is the set of nodes, equivalent to relatively independent modules in the program; E represents the set of edges in the control flow graph, E = { <n i ,n j >|n i ,n j ∈N}, where <n i ,n j > indicates a directed edge from any node to another node, representing a possible control transfer between the two nodes; entry and exit are the program's entry and exit nodes, respectively.
[0024] Analyze control dependencies: If node n i The execution status determines node n j Whether it is executed, and node n j Not node n i If a node is a necessary next node, then it starts from node n. j to node n i There exists an executable path P, and for any node on path P except node n... i and node n j Other nodes n k For example, node n j All of these are its necessary subsequent nodes, that is, representing n j Control depends on n i , represented as CD(n) j ,n i );
[0025] Analyze data dependencies: If there exists a variable v, node n i A variable v is defined, and node n j If variable v is used, then from node n i to node n j There exists an executable path, which represents node n. j The data regarding variable v depends on node n. i , represented as DD(n) j ,n i If at node n i to node n j If variable v is not redefined on the executable path between nodes n, then node n is n. j The data regarding variable v directly depends on node n. i ;
[0026] Based on the control flow graph, remove the control flow edges, add data and new control flow edges, and obtain the program dependency graph:
[0027] PDG=(V',E')|E'={ i ,s j >|s i ,s j ∈V'}
[0028] Where PDG represents the program dependency graph, V' represents the set of nodes in the program dependency graph, E' represents the set of edges in the program dependency graph, and s i s j Represent two nodes in the node set of the program dependency graph; any node s i Or s j The statement or control predicate expression represents the edge set E', which represents the dependencies between program components, including control dependencies and data dependencies.
[0029] As one possible implementation of this embodiment, the cryptographic algorithm syntax features include, but are not limited to, cryptographic API code, key initialization code, cryptographic algorithm initialization code, start vector initialization code, and initialization assignment code for all parameters used in the cryptographic algorithm.
[0030] As one possible implementation of this embodiment, the program slicing refers to: identifying instruction sets that affect or are affected by program variables, including forward and backward program slicing techniques.
[0031] As one possible implementation of this embodiment, the slicing criteria of the program slicing technology are: one program slice corresponds to one specific slicing criterion, denoted as...<V,n> Here, n refers to a point of interest in the program, usually a statement, while V refers to the set of variables defined or used in n.
[0032] As one possible implementation of this embodiment, the representation of cryptographic misuse candidate graph structured code slices, which represents their graph information as a dataset for neural network model learning, includes:
[0033] We performed word segmentation on the code lines in the candidate graph structure slices of cryptographic misuse in the experimental data, divided the code lines into symbol sets, and constructed a corpus from all the symbols.
[0034] Convert the code symbol set into a vector, which serves as the dataset.
[0035] As one possible implementation of this embodiment, the step of training the neural network model using the dataset includes:
[0036] Create a neural network model consisting of three graph convolution-pooling modules;
[0037] The graph-structured code slices are used as input to the neural network model. After multiple convolutions, pooling, and ReadOut loops, a trained neural network model is obtained.
[0038] Secondly, an embodiment of the present invention provides an apparatus for detecting Android cryptographic misuse based on graph structure code slicing, comprising:
[0039] The reverse engineering module is used to perform reverse engineering on the Android application to be tested and obtain its source code.
[0040] The graph structure slicing module is used to obtain the source code program dependency graph of an Android application and perform graph structure slicing to obtain candidate graph structured code slices for encryption misuse.
[0041] The graph information representation module is used to represent the structured code slices of candidate graphs for cryptographic misuse, and to represent their graph information as a dataset for neural network model learning.
[0042] The model training module is used to train neural network models using datasets.
[0043] The misuse detection module is used to detect cryptographic misuse in Android applications using a trained neural network model and output the results.
[0044] Thirdly, an embodiment of the present invention provides a computer device including a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the computer device is running, the processor communicates with the memory via the bus, and the processor executes the machine-readable instructions to perform the steps of any of the methods described above for detecting Android cryptographic misuse based on graph structure code slicing.
[0045] Fourthly, embodiments of the present invention provide a storage medium storing a computer program, which, when run by a processor, executes the steps of any of the methods described above for detecting Android cryptographic misuse based on graph structure code slicing.
[0046] The technical solutions of the embodiments of the present invention can have the following beneficial effects:
[0047] This invention first performs reverse engineering on the Android application to be detected to obtain its source code. Second, it obtains the application's source code dependency graph and performs graph structure slicing to obtain structured code slices as candidate cryptographic misuse graphs. Third, it characterizes these structured code slices, using their graph information as a dataset for a neural network model. Then, it trains the neural network model using this dataset. Finally, it uses the trained neural network model to detect the Android application and outputs the cryptographic misuse results. This invention extracts graph structure source code slices based on cryptographic misuse features from the source code dependency graph, then characterizes the graph structure slice information and uses a graph neural network model to detect cryptographic misuse, thereby enabling the detection of cryptographic misuse in Android applications and timely discovery of potential threats. Attached Figure Description
[0048] Figure 1 This is a flowchart illustrating a method for detecting Android cryptographic misuse based on graph structure code slicing, according to an exemplary embodiment.
[0049] Figure 2 This is a schematic diagram of an apparatus for detecting Android cryptographic misuse based on graph structure code slicing, according to an exemplary embodiment.
[0050] Figure 3 This is a flowchart illustrating a specific implementation of the method for detecting Android cryptographic misuse using the apparatus described in this invention based on graph structure code slicing, according to an exemplary embodiment. Detailed Implementation
[0051] The present invention will be further described below with reference to the accompanying drawings and embodiments:
[0052] To clearly illustrate the technical features of this solution, the invention will be described in detail below through specific embodiments and in conjunction with the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure of the invention, components and arrangements of specific examples are described below. Furthermore, reference numerals and / or letters may be repeated in different examples. This repetition is for simplification and clarity and does not in itself indicate a relationship between the various embodiments and / or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques, and processes are omitted in this invention to avoid unnecessarily limiting the invention.
[0053] like Figure 1 As shown in the figure, an embodiment of the present invention provides a method for detecting Android cryptographic misuse based on graph structure code slicing, which includes the following steps:
[0054] The source code of the Android application to be tested is obtained through reverse engineering.
[0055] Obtain the source code dependency graph of the Android application and perform graph structure slicing to obtain the encrypted misuse candidate graph structured code slice;
[0056] Represent cryptographic misuse by constructing structured code slices of candidate graphs and using their graph information as a dataset for neural network model learning.
[0057] Training neural network models using datasets;
[0058] Utilize a trained neural network model to detect Android applications and output results of cryptographic misuse.
[0059] As one possible implementation of this embodiment, the reverse engineering of the Android application to be detected to obtain the source code includes:
[0060] Existing Android application reverse engineering techniques are used to reverse engineer the Zhuoying application to be tested, converting the program code in the compiled Zhuoying application APK file back into Java source code.
[0061] As one possible implementation of this embodiment, the step of obtaining the source code program dependency graph of the Android application and performing graph structure slicing includes:
[0062] Analyze the control flow and data flow of the program source code to obtain the program dependency graph (PDG) based on the functions in the source code;
[0063] If the code statements corresponding to the nodes in the program dependency graph conform to the syntax features of cryptographic algorithms, they are identified as candidate encryption misuse nodes.
[0064] The program slicing technique is used to separate candidate encryption misuse nodes from the program dependency graph, and based on the candidate encryption misuse nodes, nodes and corresponding edges that have data dependency or control dependency relationships with the candidate nodes are extracted from the program dependency graph to form a structured code slice of the encryption misuse candidate graph;
[0065] If a node in the structured code slice of the candidate cryptographic misuse graph contains a cryptographic misuse, the slice to which the node belongs is marked as a code slice with cryptographic misuse.
[0066] As one possible implementation of this embodiment, the analysis of the control flow and data flow of the program source code to obtain a program dependency graph based on functions in the source code includes:
[0067] Construct the control flow graph of the source code:
[0068] G = (N, E, entry, exit) | E = { <n i ,n j >|n i ,n j ∈N}
[0069] Where G represents the control flow graph, N is the set of nodes, equivalent to relatively independent modules in the program; E represents the set of edges in the control flow graph, E = { <n i ,n j >|n i ,n j ∈N}, where <n i ,n j > indicates a directed edge from any node to another node, representing a possible control transfer between the two nodes; entry and exit are the program's entry and exit nodes, respectively.
[0070] Analyze control dependencies: If node n i The execution status determines node n j Whether it is executed, and node n j Not node n i If a node is a necessary next node, then it starts from node n. j to node n i There exists an executable path P, and for any node on path P except node n... iand node n j Other nodes n k For example, node n j All of these are its necessary subsequent nodes, that is, representing n j Control depends on n i , represented as CD(n) j ,n i );
[0071] Analyze data dependencies: If there exists a variable v, node n i A variable v is defined, and node n j If variable v is used, then from node n i to node n j There exists an executable path, which represents node n. j The data regarding variable v depends on node n. i , represented as DD(n) j ,n i If at node n i to node n j If variable v is not redefined on the executable path between nodes n, then node n is n. j The data regarding variable v directly depends on node n. i ;
[0072] Based on the control flow graph, remove the control flow edges, add data and new control flow edges, and obtain the program dependency graph:
[0073] PDG=(V',E')|E'={ i ,s j >|s i ,s j ∈V'}
[0074] Where PDG represents the program dependency graph, V' represents the set of nodes in the program dependency graph, E' represents the set of edges in the program dependency graph, and s i and s j Represent two nodes in the node set of the program dependency graph; any node s i Or s j The statement or control predicate expression represents the edge set E', which represents the dependencies between program components, including control dependencies and data dependencies.
[0075] As one possible implementation of this embodiment, the cryptographic algorithm syntax features include, but are not limited to, cryptographic API code, key initialization code, cryptographic algorithm initialization code, start vector initialization code, and initialization assignment code for all parameters used in the cryptographic algorithm.
[0076] As one possible implementation of this embodiment, the program slicing refers to: identifying instruction sets that affect or are affected by program variables, including forward and backward program slicing techniques. This invention identifies nodes that use cryptography from the obtained Program Dependency Graph (PDG). That is, if the code statements corresponding to a node conform to the syntax features of a cryptographic algorithm, they are identified as candidate encryption misuse nodes. Program slicing techniques are used to extract these candidate encryption misuse nodes from the PDG. Based on the candidate encryption misuse nodes, nodes and corresponding edges that have data or control dependencies with the candidate nodes are extracted from the PDG to form structured code slices of the encryption misuse candidate graph.
[0077] As one possible implementation of this embodiment, the slicing criteria of the program slicing technology are: one program slice corresponds to one specific slicing criterion, denoted as...<V,n> Here, n refers to a point of interest in the program, usually a statement, while V refers to the set of variables defined or used in n.
[0078] As one possible implementation of this embodiment, the representation of cryptographic misuse candidate graph structured code slices, which represents their graph information as a dataset for neural network model learning, includes:
[0079] We performed word segmentation on the code lines in the candidate graph structure slices of cryptographic misuse in the experimental data, divided the code lines into symbol sets, and constructed a corpus from all the symbols.
[0080] Convert the code symbol set into a vector, which serves as the dataset.
[0081] As one possible implementation of this embodiment, the step of training the neural network model using the dataset includes:
[0082] Create a neural network model consisting of three graph convolution-pooling modules;
[0083] The graph-structured code slices are used as input to the neural network model. After multiple convolutions, pooling, and ReadOut loops, a trained neural network model is obtained.
[0084] This invention adopts the idea of combining global pooling and hierarchical pooling to create a model consisting of three "graph convolution-pooling" modules. The node features after pooling in each module are aggregated by the ReadOut layer and finally connected in the linear layer (MLP) for graph classification.
[0085] Secondly, an embodiment of the present invention provides an apparatus for detecting Android cryptographic misuse based on graph structure code slicing, comprising:
[0086] The reverse engineering module is used to perform reverse engineering on the Android application to be tested and obtain its source code.
[0087] The graph structure slicing module is used to obtain the source code program dependency graph of an Android application and perform graph structure slicing to obtain candidate graph structured code slices for encryption misuse.
[0088] The graph information representation module is used to represent the structured code slices of candidate graphs for cryptographic misuse, and to represent their graph information as a dataset for neural network model learning.
[0089] The model training module is used to train neural network models using datasets.
[0090] The misuse detection module is used to detect cryptographic misuse in Android applications using a trained neural network model and output the results.
[0091] like Figure 3 As shown, the specific process of detecting Android cryptographic misuse using the device described in this invention is as follows.
[0092] The first step is to perform reverse engineering on the application to be tested to obtain its source code.
[0093] Decompilation tools (Apktool, dex2jar, jd-gui) are used to reverse engineer the application to be tested, converting the program code in the compiled Android application APK file back into Java code.
[0094] The second step is to obtain the dependency graph of the Android application source code and perform graph structure slicing.
[0095] 2.1 Construct the control flow graph of the source code.
[0096] A control flow graph (CFG) is an abstract representation of a process or program. It's an abstract data structure used in compilers, maintained internally, and represents all paths a program will traverse during execution. It uses a graph to represent the possible flow of execution for all basic blocks within a process, and can also reflect the real-time execution process of a process.
[0097] A control flow graph G is a directed graph consisting of a finite number of nodes with a unique entry and a unique exit. Each node represents a relatively independent basic module, which is a set of continuously related basic statements. If one module controls another module, then there is a directed edge between the two modules. Every node in the graph exists on a path formed by a directed edge from the entry to the exit of the control flow graph. It is represented as G = (N, E, entry, exit) | E = { <n i ,n j >|n i ,nj ∈N}, where G represents the control flow graph, N is the set of nodes, equivalent to relatively independent modules in the program; E represents the set of edges in the control flow graph, E={ <n i ,n j >|n i ,n j ∈N}, where <n i ,n j The term ">" indicates a directed edge connecting any two nodes, representing a possible control transfer between them; "entry" and "exit" are the program's entry and exit nodes, respectively. It has a unique starting node (START) and a unique ending node (STOP). Each node in the CFG can have at most two direct successors. For a node v with two direct successors, its outgoing edges have the attribute "T" or "F", and for any node N in the CFG, there exists a path from START through N to STOP.
[0098] Control dependency: In a control flow graph G, the dependencies between modules caused by control flow are called control dependencies. If node n i The execution state determines n j Whether it is executed, and node n j Not node n i If the next necessary node is n, then from n j to n i There exists an executable path P, and for any node on P except n... i and n j node n k For example, node n j All of these are its necessary subsequent nodes, that is, representing n j Control depends on n i , represented as CD(n) j ,n i ).
[0099] Data dependency: In a control flow graph G, the dependencies between variables caused by data flow are called data dependencies. The generation of data flow manifests as the definition and referencing of data. If there exists a variable v, node n i A variable v is defined, and node n j If variable v is used, then from node n i to node n j There exists an executable path, which represents node n. j The data regarding variable v depends on node n. i Represented as DD(n) j ,n i If at node n i to node n jIf variable v is not redefined on the executable path between nodes n, then node n is n. j The data regarding variable v directly depends on node n. i .
[0100] 2.2 Based on the control flow graph, construct the program dependency graph of the source code.
[0101] A program dependency graph (PDG) is a graphical representation of a program; it is a labeled directed multigraph. A PDG can represent the control dependencies and data dependencies of a program. Specifically, it involves: based on the control flow graph, removing the control flow edges, adding data and new control flow edges, resulting in the program dependency graph PDG = (V', E') | E' = { i ,s j >|s i ,s j ∈V'} where PDG represents the program dependency graph, V' represents the set of nodes in the program dependency graph, E' represents the set of edges in the program dependency graph, and s i s j Represent two nodes in the node set of the program dependency graph. Any node s i Or s j The statement or control predicate expression represents the boundary set E', which represents the dependencies between program components, including control dependencies and data dependencies. If the statement s in PDG... i and s j If two points can be related through control flow or data flow, then there is an edge between them. A program dependency graph includes a data dependency graph and a control dependency graph. The data dependency graph defines the constraints between data, while the control dependency graph defines the constraints on statement execution. Therefore, a program dependency graph (PDG) contains both data dependencies and control dependencies between statements in a program.
[0102] 2.3 Identify candidate cryptographic misuse nodes from the Program Dependency Graph (PDG) obtained in the previous step. That is, if the code statement corresponding to the node conforms to the characteristics of cryptographic algorithms (including but not limited to key APIs of Java cryptography libraries, characteristic strings of common cryptographic algorithms, etc.), then the byte is determined to be a candidate cryptographic misuse byte.
[0103] 2.4 This invention extracts nodes and corresponding edges from the PDG (Programmable Graph) that have control or data dependencies on candidate cryptographic misuse nodes to form a relevant cryptographic misuse graph structure slice. For example, if a node contains cryptographic API-related code, this node will be identified as a candidate node. Starting from the located node, nodes with control or data dependencies are searched. The set of nodes related to this node is extracted from the PDG obtained in the previous step, and the edges contained in the node set are also extracted to form a PDG subgraph. This subgraph is one of the candidate slices related to cryptographic misuse.
[0104] 2.5 This invention uses a supervised training method to train the model. During training, the label of each test data point needs to be known, i.e., whether it contains cryptographic misuse or is normal data. In the training data, the label of a subgraph depends on whether there is cryptographic misuse in the line containing the corresponding sensitive point of the program, which requires manual judgment. If a line of code in the original code dataset is marked as having cryptographic misuse, then the slice obtained from that line of code is labeled "1", indicating that misuse exists; otherwise, it is labeled "0", indicating that no misuse exists.
[0105] The third step is to represent cryptographic misuse candidate graph structured code slices, which represent graph information as data that can be learned by neural network models.
[0106] 3.1 For the generated PDG subgraph, the custom function names and variable names in the candidate slices of cryptographic API misuse in the experimental data are first renamed to the form "FUN_" and "VAR_" respectively. The underscore "_" represents a number, and the incrementing number from 0 indicates that each slice depends on a function or variable in the graph. This is to eliminate custom function and variable names to avoid custom functions and vectors affecting the accuracy of mapping code text to vectors.
[0107] 3.2 To ensure that the vector length is consistent after each line of code is converted, the symbol set corresponding to each line of code will be completed or truncated. If the symbol set corresponding to each line of code contains the same number of symbols, the vector length will also be consistent.
[0108] This invention employs the Word2Vec model to convert a set of code symbols into vectors. In this example, the Skip-gram training mode is selected. This mode uses the middle word as input and expects the model output to be the surrounding words. The mathematical formula is as follows:
[0109]
[0110] Among them, w i As the central word, w i-1 To predict surrounding words, u is the context word vector, v is the center word vector, and the numerator is... It is the context word vector within the window. It is calculated by accumulating the center word vector and the surrounding word vectors, given a word sequence w1, w2, w3, ... w T The objective function of the Skip-gram model is to maximize the following expression:
[0111]
[0112] Where θ is the window size and T is the length of the word sequence. logp(w t+j |w t This model takes the middle word as input and outputs the probability of the surrounding words. The goal of this model is to maximize the probability of the surrounding words. It also needs to calculate logp(w) t+j |w t Let v wl The vector representing word w in the first matrix, u wo Let w be the vector representing word w in the second matrix. Thus, given word w as input, the probability corresponding to word w is:
[0113]
[0114] The above process generates the code line vector of the node, v. w and v′ w Let w represent the input vector and output vector of word w, respectively.
[0115] 3.3 In this invention, the word embedding parameter size generated by the word2vec algorithm is set to 256, that is, the size of the basic block initialization vector is 256.
[0116] This embodiment uses the PyTorch deep learning framework for developing and training neural network models. PyG (pytorch_geometric) is a graph neural network framework based on PyTorch, which defines a data type for representing graph structure data. The Data structure is used to store vectorized graph structure code slices, specifically including edge feature vectors of 2×num_edges dimension, node feature vectors of num_nodes×num_node_features dimension, a one-dimensional global label vector, and the position of the corresponding line of code in the source code. Here, num_edges is the number of edges in the slice subgraph, num_nodes is the number of nodes in the slice subgraph (i.e., the number of basic blocks), and num_node_features represents the feature dimension of the code lines of the basic block nodes, which is related to the output of the word2vec algorithm.
[0117] Step 4: Training the neural network model.
[0118] 4.1 This embodiment selects a message-passing graph neural network, where the message-passing paradigm is a paradigm that aggregates neighbor node information to update the central node information. It extends the convolution operator to the domain of irregular data, realizing the link between graphs and neural networks. This paradigm includes three steps: neighbor node information transformation; neighbor node information aggregation to the central node; and aggregated information transformation. The formula is expressed as:
[0119]
[0120] In formula (4) Let e represent the node characteristics of node i in layer (k-1). j,i ∈R D Let f represent the characteristics of the edges from node j to node i, where f is a differentiable function that is permutation invariant (the function's output is independent of the permutation of its input parameters). Functions with permutation invariance include sum functions, mean functions, and maximum functions. γ and φ represent differentiable functions.
[0121]
[0122] During message passing, the read-out phase uses a read-out function R (commonly including mean aggregator, maximum aggregator, and LSTM aggregator) to calculate the feature vector of the entire image G. This represents the feature from the previous iteration. The state of the hidden layer nodes can be updated, and the key part lies in the multiple information propagation and state updates in between. The readout function R aggregates all node states into the predicted label value output, as shown in Equation (2).
[0123] This invention is implemented using a convolutional neural network. The mathematical definition of a graph convolutional neural network is:
[0124]
[0125] Representation of adjacent nodes First, the transformation is performed by multiplying with the weight matrix Θ, then normalization is performed according to the degree of the endpoints deg(i) and deg(j), and finally the summation is performed. This formula can be divided into the following steps: (1) Add self-loop edges to the adjacency matrix; (2) Linearly transform the node feature matrix; (3) Calculate the normalization coefficients; (4) Normalize the node features in j; (5) Add the features of adjacent nodes.
[0126] 4.2 The graph neural network structure proposed in this invention uses three sets of graph convolutional and pooling layers as basic units to complete the classification learning problem at the graph level and employs a self-attention mechanism. Specifically, in each set of graph convolutional and pooling layers, the feature vector of each node in each graph sample is transformed into a representation with a fixed number of dimensions by using the graph convolutional layer, and the representation of the entire graph is obtained by pooling the representation vectors of all nodes in the graph. Multiple sets of basic units are used to extract features of each node in the graph structure at different levels. Multiple sets of basic units can be directly concatenated or connected through residual methods. The formula for the residual method is:
[0127]
[0128] In formula (7), x l For input, M(x) l The output is M, which typically includes operations such as convolution and activation. Finally, a multilayer perceptron (MLP) and a softmax layer are applied to obtain the final graph label prediction.
[0129] 4.3 The network parameters set in this invention include the number of input and output channels of the intermediate layer graph convolutional hidden layer, all of which are 128. This invention selects Adam as the optimizer for model training, sets the learning rate to 0.001, and selects cross-entropy as the loss function.
[0130] Step 5: Detection of cryptographic misuse.
[0131] After the Android application to be identified is processed in the first, second, and third steps, it is input into the neural network model trained in the fourth step. The trained neural network model outputs the cryptographic misuse prediction result for the input Android application.
[0132] An embodiment of the present invention provides a computer device including a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the device is running, the processor communicates with the memory via the bus, and the processor executes the machine-readable instructions to perform the steps of any of the above-described methods for detecting Android cryptographic misuse based on graph structure code slicing.
[0133] Specifically, the aforementioned memory and processor can be general-purpose memory and processor, without any specific limitations. When the processor runs the computer program stored in the memory, it can execute the aforementioned method for detecting Android cryptographic misuse based on graph structure code slicing.
[0134] Those skilled in the art will understand that the structure of the computer device does not constitute a limitation on the computer device, and may include more or fewer components than shown in the figure, or combine some components, or split some components, or have different component arrangements.
[0135] In some embodiments, the computer device may further include a touchscreen for displaying a graphical user interface (e.g., an application launch screen) and receiving user actions on the graphical user interface (e.g., launching an application). Specifically, the touchscreen may include a display panel and a touch panel. The display panel may be configured as an LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or similar type. The touch panel can collect user touch or non-touch operations on or near it and generate pre-set operation instructions, such as user actions using fingers, styluses, or any suitable object or accessory on or near the touch panel. Additionally, the touch panel may include a touch detection device and a touch controller. The touch detection device detects the user's touch orientation and posture, and detects the signals generated by the touch operation, transmitting the signals to the touch controller. The touch controller receives touch information from the touch detection device, converts it into information that the processor can process, sends it to the processor, and can also receive and execute commands from the processor. Furthermore, touch panels can be implemented using various types of sensors, including resistive, capacitive, infrared, and surface acoustic wave sensors, as well as any future technologies. Moreover, the touch panel can cover the display panel. Users can operate on or near the touch panel, which is covered by the graphical user interface displayed on the display panel. After detecting the operation on or near the touch panel, the touch panel transmits it to the processor to determine the user input. The processor then responds to the user input by providing corresponding visual output on the display panel. Additionally, the touch panel and display panel can be implemented as two separate components or integrated together.
[0136] Corresponding to the above application launch method, this embodiment of the invention also provides a storage medium storing a computer program, which is executed by a processor to perform the steps of the above-described method for detecting Android cryptographic misuse based on graph structure code slicing.
[0137] The application launch device provided in this application embodiment can be specific hardware on the device or software or firmware installed on the device. The device provided in this application embodiment has the same implementation principle and technical effects as the foregoing method embodiments. For the sake of brevity, any parts not mentioned in the device embodiment can be referred to the corresponding content in the foregoing method embodiments. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can all be referred to the corresponding processes in the above method embodiments, and will not be repeated here.
[0138] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0139] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division of modules is only a logical functional division, and there may be other division methods in actual implementation. Furthermore, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the coupling or direct coupling or communication connection shown or discussed may be through some communication interface; the indirect coupling or communication connection between apparatuses or modules may be electrical, mechanical, or other forms.
[0140] The modules described as separate components may or may not be physically separate. Similarly, the components shown as modules may or may not be physical modules; they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment, depending on actual needs.
[0141] In addition, the functional modules in the embodiments provided in this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module.
[0142] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0143] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0144] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0145] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.
Claims
1. A method for detecting cryptographic misuse in Android based on graph structure code slicing, characterized in that, Includes the following steps: The source code of the Android application to be tested is obtained through reverse engineering. Obtain the source code dependency graph of the Android application and perform graph structure slicing to obtain the encrypted misuse candidate graph structured code slice; Represent cryptographic misuse by constructing structured code slices of candidate graphs and using their graph information as a dataset for neural network model learning. Training neural network models using datasets; Detect Android applications using a trained neural network model and output results of cryptographic misuse. The process of obtaining the source code dependency graph of an Android application and performing graph structure slicing includes: Analyze the control flow and data flow of the program source code to obtain a program dependency graph based on functions in the source code. Specifically, first construct the source code control flow graph, then analyze the control dependency relationship and data dependency relationship between nodes respectively. Based on the control flow graph, remove the original control flow edges and add data dependency edges and new control flow edges to obtain a program dependency graph based on functions. If the code statements corresponding to the nodes in the program dependency graph conform to the syntax features of cryptographic algorithms, they are identified as candidate encryption misuse nodes. The program slicing technique is used to separate candidate encryption misuse nodes from the program dependency graph, and based on the candidate encryption misuse nodes, nodes and corresponding edges that have data dependency or control dependency relationships with the candidate nodes are extracted from the program dependency graph to form a structured code slice of the encryption misuse candidate graph; If a node in the structured code slice of the candidate cryptographic misuse graph contains a cryptographic misuse, the slice to which the node belongs is marked as a code slice with cryptographic misuse.
2. The method for detecting Android cryptographic misuse based on graph structure code slicing according to claim 1, characterized in that, The reverse engineering of the Android application to be tested yields the source code, including: The Zhuoying application to be tested is reverse engineered, and the program code in the compiled Zhuoying application APK file is reverse-engineered back into Java source code.
3. The method for detecting Android cryptographic misuse based on graph structure code slicing according to claim 1, characterized in that, The analysis program analyzes the control flow and data flow of its source code to obtain a program dependency graph based on functions within the source code, specifically including: Construct the control flow graph of the source code: Where G represents the control flow graph, N is the set of nodes, which are equivalent to relatively independent modules in the program; E represents the set of edges in the control flow graph. ,in A directed edge is formed from any node to another node, indicating a possible control transfer between the two nodes; entry and exit are the program's entry and exit nodes, respectively. Analyze control dependencies: if nodes The execution status determines the node Whether it is executed, and the node Not a node If a node is a necessary next node, then it starts from node 1. To the node There is an executable path between them. And for the path any node above and nodes Other nodes In other words, nodes All of these are its necessary subsequent nodes, that is to say Control depends , represented as ; Analyze data dependencies: If there is a variable ,node Defined variables And nodes Used variables Then from node To the node There exists an executable path, which represents the node. Regarding variables Data depends on nodes , represented as If at node To the node On the executable path between, variables If not redefined, it represents a node. Regarding variables Data directly depends on nodes ; Based on the control flow graph, remove the control flow edges, add data and new control flow edges, and obtain the program dependency graph: Wherein, PDG represents the program dependency graph. The set of nodes representing the program dependency graph. Represents the edge set of the program dependency graph. , Represents two nodes in the node set of a program dependency graph; any node or Represents a statement or control predicate expression, edge set It represents the dependencies between program components, including control dependencies and data dependencies.
4. The method for detecting Android cryptographic misuse based on graph structure code slicing according to claim 1, characterized in that, The cryptographic algorithm syntax features include, but are not limited to, cryptographic API code, key initialization code, cryptographic algorithm initialization code, start vector initialization code, and initialization assignment code for all parameters used in the cryptographic algorithm.
5. The method for detecting Android cryptographic misuse based on graph structure code slicing according to any one of claims 1-4, characterized in that, The structured code slices representing candidate graphs for cryptographic misuse, which represent their graph information as a dataset for neural network model learning, include: We performed word segmentation on the code lines in the candidate graph structure slices of cryptographic misuse in the experimental data, divided the code lines into symbol sets, and constructed a corpus from all the symbols. Convert the code symbol set into a vector, which serves as the dataset.
6. The method for detecting Android cryptographic misuse based on graph structure code slicing according to any one of claims 1-4, characterized in that, The training of neural network models using datasets includes: Create a graph convolution with 3 layers A neural network model composed of "pooling" modules; The graph-structured code slices are used as input to the neural network model. After multiple convolutions, pooling, and ReadOut loops, a trained neural network model is obtained.
7. A device for detecting Android cryptographic misuse based on graph structure code slicing, characterized in that, include: The reverse engineering module is used to perform reverse engineering on the Android application to be tested and obtain its source code. The graph structure slicing module is used to obtain the source code program dependency graph of an Android application and perform graph structure slicing to obtain candidate graph structured code slices for encryption misuse. The graph information representation module is used to represent the structured code slices of candidate graphs for cryptographic misuse, and to represent their graph information as a dataset for neural network model learning. The model training module is used to train neural network models using datasets. The misuse detection module is used to detect Android applications using a trained neural network model and output cryptographic misuse results. The process by which the graph structure slicing module obtains the source code program dependency graph of the Android application and performs graph structure slicing is as follows: Analyze the control flow and data flow of the program source code to obtain a program dependency graph based on functions in the source code. Specifically, first construct the source code control flow graph, then analyze the control dependency relationship and data dependency relationship between nodes respectively. Based on the control flow graph, remove the original control flow edges and add data dependency edges and new control flow edges to obtain a program dependency graph based on functions. If the code statements corresponding to the nodes in the program dependency graph conform to the syntax features of cryptographic algorithms, they are identified as candidate encryption misuse nodes. The program slicing technique is used to separate candidate encryption misuse nodes from the program dependency graph, and based on the candidate encryption misuse nodes, nodes and corresponding edges that have data dependency or control dependency relationships with the candidate nodes are extracted from the program dependency graph to form a structured code slice of the encryption misuse candidate graph; If a node in the structured code slice of the candidate cryptographic misuse graph contains a cryptographic misuse, the slice to which the node belongs is marked as a code slice with cryptographic misuse.
8. A computer device, characterized in that, The device includes a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the computer device is running, the processor communicates with the memory via the bus, and the processor executes the machine-readable instructions to perform the steps of the method for detecting Android cryptographic misuse based on graph structure code slicing as described in any one of claims 1-6.
9. A storage medium, characterized in that, The storage medium stores a computer program that, when executed by a processor, performs the steps of the method for detecting Android cryptographic misuse based on graph structure code slicing as described in any one of claims 1-6.