CN112733158B - Android system vulnerability detection method, electronic equipment and storage medium - Google Patents

Info

Publication number
CN112733158B
Authority
CN
China
Prior art keywords
function
layer
information
relationship
class
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110365057.1A
Other languages
Chinese (zh)
Other versions
CN112733158A (en)
Inventor
徐国爱
徐国胜
郭燕慧
王浩宇
张钦尧
高宇昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202110365057.1A
Publication of CN112733158A
Application granted
Publication of CN112733158B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/31 Programming languages or programming paradigms
    • G06F8/315 Object-oriented languages

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides an Android system vulnerability detection method, electronic equipment and a storage medium, which can realize vulnerability detection efficiently, conveniently, comprehensively and accurately. The method comprises: acquiring a local system file and a source code file of an Android system, and preprocessing the local system file and the source code file respectively to obtain a byte code file and a key source code file; determining a first-level function call relationship of a Java layer, a second-level function call relationship of a C/C++ layer and an inter-layer function association relationship between the Java layer and the C/C++ layer according to the byte code file and the key source code file respectively, and constructing a global function call graph of the Android system according to the first-level function call relationship and the second-level function call relationship; and selecting a vulnerability to be analyzed, and performing call analysis on the method functions related to the vulnerability to be analyzed by using the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system.

Description

Android system vulnerability detection method, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer system security technologies, and in particular, to a method for detecting Android system vulnerabilities, an electronic device, and a storage medium.
Background
The Android system is widely used because of its openness, compatibility and convenience. Functions and services developed on it, including instant messaging, mobile payment and video sharing, are increasingly rich and diverse and bring convenience to people's life and work. However, the security problems exposed along with this are also increasing.
In the related art, research on Android security is mostly concentrated on vulnerabilities at the application level, covering communication vulnerabilities, permission vulnerabilities, denial-of-service vulnerabilities, privacy-disclosure vulnerabilities and the like in applications. Besides the application layer, the overall framework of the Android system also comprises a Java framework layer, an Android system runtime layer, a hardware abstraction layer and a Linux kernel layer, and there is less vulnerability research at the system level. The few studies aimed at system-level vulnerability detection either perform blind fuzz testing, which gives low path coverage, a cumbersome vulnerability analysis process and low detection efficiency; or perform static analysis only on the Java framework layer, which makes vulnerabilities in other components of the system layer hard to find; or rely on a large amount of manual checking in addition to automated analysis, which is highly complex to carry out.
Disclosure of Invention
In view of the above, an object of the present disclosure is to provide an Android system vulnerability detection method, an electronic device, and a storage medium.
Based on the above purpose, a first aspect of the present disclosure provides an Android system vulnerability detection method, wherein the Android system includes a Java layer and a C/C++ layer; the method comprises the following steps:
acquiring a local system file corresponding to the Java layer and a source code file corresponding to the C/C++ layer;
decompiling the local system file to determine a byte code file;
determining a file directory corresponding to the source code file, and screening out a key source code file from the source code file according to the file directory;
determining a first-level function call relationship of the Java layer according to the byte code file;
determining a second-level function call relationship of the C/C++ layer according to the key source code file;
determining an inter-layer function association relationship between the Java layer and the C/C++ layer according to the byte code file and the key source code file;
constructing a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship and the inter-layer function association relationship;
selecting a vulnerability to be analyzed, and determining at least one related method function according to a system function corresponding to the vulnerability to be analyzed;
and performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system.
In a second aspect of the present disclosure, an electronic device is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the program, the method of the first aspect is implemented.
In a third aspect of the disclosure, a non-transitory computer-readable storage medium is provided, which stores a set of instructions of an electronic device for causing the electronic device to perform the method of the first aspect.
As can be seen from the above, the Android system vulnerability detection method, electronic device and storage medium provided by the present disclosure analyze the bytecode file and the key source code file corresponding to the Java layer and the C/C++ layer respectively, to determine the first-level function call relationship of the Java layer, the second-level function call relationship of the C/C++ layer and the inter-layer function association relationship between the Java layer and the C/C++ layer. The function call relationships are constructed according to the different characteristics of the different levels, and from them a global function call graph that comprehensively covers all levels of the Android system is determined. The function call path of the method function in the Android system is then extracted from the global function call graph for call analysis, to determine whether a system vulnerability exists. That is, for the system as a whole, the per-level function call relationships are first established according to the characteristics of each level, the function association relationship between levels is then determined, and finally the global function call relationship is determined and used for call analysis to decide whether a system vulnerability exists.
Drawings
In order to more clearly illustrate the technical solutions in the present disclosure or related technologies, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of an Android system vulnerability detection method provided in an embodiment of the present disclosure;
Fig. 2 is a schematic diagram illustrating a method for determining a first-level function call relationship in an Android system vulnerability detection method according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram illustrating a method for determining a second-level function call relationship in an Android system vulnerability detection method according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram illustrating a method for determining an inter-layer function association relationship in an Android system vulnerability detection method according to an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of a method for constructing a global function call graph in an Android system vulnerability detection method provided by the embodiment of the present disclosure;
Fig. 6 is a schematic diagram illustrating a method for call analysis of a method function in the Android system vulnerability detection method provided by the embodiment of the present disclosure;
Fig. 7 is a schematic view of an electronic device for Android system vulnerability detection provided in an embodiment of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present disclosure should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the disclosure is not intended to indicate any order, quantity, or importance, but rather to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
The Android system is widely used because of its openness, compatibility and convenience. Functions and services developed on it, including instant messaging, mobile payment and video sharing, are increasingly rich and diverse and bring convenience to people's life and work. However, the security problems exposed along with this are also increasing.
In the related art, research on Android security is mostly concentrated on vulnerabilities at the application level, covering communication vulnerabilities, permission vulnerabilities, denial-of-service vulnerabilities, privacy-disclosure vulnerabilities and the like in applications. Besides the application layer, the overall framework of the Android system also comprises a Java framework layer, an Android system runtime layer, a hardware abstraction layer and a Linux kernel layer, and there is less vulnerability research at the system level. The few studies aimed at system-level vulnerability detection either perform blind fuzz testing, which gives low path coverage, a cumbersome vulnerability analysis process and low detection efficiency; or perform static analysis only on the Java framework layer, which makes vulnerabilities in other components of the system layer hard to find; or rely on a large amount of manual checking in addition to automated analysis, which is highly complex to carry out.
In view of this, the present disclosure performs system vulnerability detection on the overall framework of the Android system: a global function call relationship is constructed across the Java layer and the C/C++ layer of the Android system, and vulnerabilities that may exist in the system are detected based on that call relationship, so that the completeness, accuracy and efficiency of the vulnerability detection scheme can be ensured.
Based on the above idea, the first aspect of the disclosure provides an Android system vulnerability detection method.
In the overall framework of the Android system, the application layer and the Java framework layer can be classed as the Java layer; the code in the Android system runtime layer, the hardware abstraction layer and the Linux kernel layer is mainly written in C/C++, so these three layers can be collectively called the C/C++ layer.
As shown in fig. 1, some optional embodiments of the present disclosure provide an Android system vulnerability detection method, which includes:
S1: Acquiring a local system file corresponding to the Java layer and a source code file corresponding to the C/C++ layer.
S2: Decompiling the local system file to determine a byte code file.
The bytecode file is obtained by compiling the Java-layer source code of the Android system. Files of this type are further compiled and stored on the Android device, so the Java-layer bytecode file can be obtained by pulling the local system file corresponding to the Java layer and decompiling it.
In Android versions before 5.0, the "framework" directory of the framework layer can be exported directly from the system directory of the Android device, and the odex or dex files in it are decompiled to obtain the bytecode file. In Android 5.0 and later, there are no longer dex/odex files in the "framework" directory; instead a new boot.oat file appears in its subdirectory arm or arm64. The oat file is a special ELF file that includes the native machine code translated from the dex file as well as the original dex file content, from which the bytecode file can be obtained.
S3: Determining a file directory corresponding to the source code file, and screening out a key source code file from the source code file according to the file directory.
The method focuses mainly on source code files related to function calls. Based on analysis of the C/C++-layer source code of the Android system and study of its file directories, the following directories are selected: frameworks/base/core/jni, frameworks/base/libs/media, frameworks/native, bionic, libcore, libnativehelper and hardware, and the source code files under these directories are taken as the key source code files. It should be noted that the selection of key source code files depends on the specific content of the C/C++-layer source code in the Android system, and the above list is only an exemplary set of code directories.
S4: Determining a first-level function call relationship of the Java layer according to the byte code file.
The class information of a plurality of classes and the function information of a plurality of functions in the Java layer can be determined from the bytecode file. From these, the relationships between classes, between classes and functions, and between functions are determined, and finally the first-level function call relationship of the Java layer is determined.
S5: Determining a second-level function call relationship of the C/C++ layer according to the key source code file.
The key source code file can be analyzed lexically and syntactically to construct an abstract syntax tree. The function call relationships and the corresponding function call type information of a plurality of functions of the C/C++ layer are determined from the node information and the relationships among the nodes in the abstract syntax tree, and the second-level function call relationship of the C/C++ layer is then determined.
S6: Determining the inter-layer function association relationship between the Java layer and the C/C++ layer according to the byte code file and the key source code file.
Mapping relationships and communication call relationships exist between functions of the Java layer and functions of the C/C++ layer. They can be determined from the bytecode file and the key source code file, and are then combined to construct the inter-layer function association relationship.
S7: Constructing a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship and the inter-layer function association relationship.
S8: Selecting a vulnerability to be analyzed, and determining at least one related method function according to a system function corresponding to the vulnerability to be analyzed.
Vulnerabilities may be selected one by one from a preset vulnerability library as the vulnerability to be analyzed, and the corresponding system function is determined from information such as the formation principle, mechanism and characteristics of the vulnerability to be analyzed, that is, determining which system functions of the Android system may be involved when the vulnerability to be analyzed arises. A system function of the Android system is implemented by calling at least one method function: for example, a single method function is called to implement a corresponding function, or two or more interrelated method functions are called to implement a more complex system function. Thus, at least one method function involved in the system function can be further determined.
For example, the vulnerability to be analyzed may be an Android serialization-inconsistency vulnerability. Android provides its own serialization mechanism through the Parcelable interface: once a class implements the interface, its objects can be serialized and transmitted through Intent or Binder. There are two key methods, "writeToParcel" and "readFromParcel", which call a series of write methods and read methods of the Parcel class respectively to implement serialization and deserialization, as shown below:
public void writeToParcel(Parcel out, int flags) { out.writeInt(mData); }
public void readFromParcel(Parcel in) { mData = in.readInt(); }
If the data types of the write method invoked on serialization and the read method invoked on deserialization are asymmetric, serious security problems result, and an attacker may take advantage of this asymmetry to escalate privileges.
Therefore, for the Android serialization-inconsistency vulnerability, the related method functions comprise the "writeToParcel" method and the "readFromParcel" method.
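The write/read asymmetry described above can be checked mechanically. The following is an added example, not code from the patent: it is a text scan over Java source rather than the call-graph analysis the disclosure claims, it covers only the two method names given above, and the sample classes Good and Bad are constructed for illustration.

```python
import re
from itertools import zip_longest

# Constructed Java source (not from the patent): class Good reads what it
# writes, class Bad writes an int but reads a long at the same position.
SAMPLE_JAVA = """
class Good implements Parcelable {
    public void writeToParcel(Parcel out, int flags) {
        out.writeInt(mData);
        out.writeString(mName);
    }
    public void readFromParcel(Parcel in) {
        mData = in.readInt();
        mName = in.readString();
    }
}
class Bad implements Parcelable {
    public void writeToParcel(Parcel out, int flags) {
        out.writeInt(mData);
        out.writeString(mName);
    }
    public void readFromParcel(Parcel in) {
        mData = in.readLong();
        mName = in.readString();
    }
}
"""

CLASS_RE = re.compile(r"\bclass\s+(\w+)[^{]*\{")
METHOD_RE = re.compile(
    r"\b(writeToParcel|readFromParcel)\s*\(\s*Parcel\s+(\w+)[^)]*\)\s*\{")


def block(src, open_idx):
    """Text between the '{' at open_idx and its matching '}'.
    Braces inside string literals or comments are not handled."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def parcel_ops(class_body):
    """Ordered Parcel type suffixes per method, e.g. ['Int', 'String']."""
    ops = {}
    for m in METHOD_RE.finditer(class_body):
        name, param = m.group(1), m.group(2)
        verb = "write" if name == "writeToParcel" else "read"
        body = block(class_body, m.end() - 1)
        call = r"\b%s\.%s(\w+)\s*\(" % (re.escape(param), verb)
        ops[name] = re.findall(call, body)
    return ops


def find_mismatches(java_src):
    """Return (class, position, written_type, read_type) for every position
    where the write and read sequences differ; None marks a missing call."""
    findings = []
    for m in CLASS_RE.finditer(java_src):
        ops = parcel_ops(block(java_src, m.end() - 1))
        if "writeToParcel" not in ops or "readFromParcel" not in ops:
            continue
        pairs = zip_longest(ops["writeToParcel"], ops["readFromParcel"])
        for pos, (written, read) in enumerate(pairs):
            if written != read:
                findings.append((m.group(1), pos, written, read))
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_JAVA):
        print("mismatch: class=%s position=%d write%s vs read%s" % finding)
```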
S9: Performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system.
Call analysis may be performed by determining the call path of the method function in the global function call graph. When the vulnerability to be analyzed does not exist in the Android system, the call path of the method function corresponding to the vulnerability appears as a normal path; when the vulnerability exists, the call path of the method function is abnormal, for example an unreachable call path, a mismatched call path or a conflicting call path. In the present disclosure, whether the vulnerability to be analyzed exists may therefore be determined by analyzing the call path of the method function.
The Android system vulnerability detection method analyzes the bytecode file and the key source code file corresponding to the Java layer and the C/C++ layer respectively, to determine the first-level function call relationship of the Java layer, the second-level function call relationship of the C/C++ layer and the inter-layer function association relationship between the Java layer and the C/C++ layer. The function call relationships are constructed according to the different characteristics of the different levels, and from them a global function call graph that comprehensively covers all levels of the Android system is determined. The function call path of the method function in the Android system is then extracted from the global function call graph for call analysis, to determine whether a system vulnerability exists. That is, for the system as a whole, the per-level function call relationships are first established according to the characteristics of each level, the function association relationship between levels is then determined, and finally the global function call relationship is determined and used for call analysis to decide whether a system vulnerability exists.
Dynamic detection can hardly trigger all application logic, and the data-flow analysis technique required for privacy-disclosure detection is difficult to implement dynamically on higher versions of the Android system, whereas static data-flow analysis does not affect detection accuracy. The Android system vulnerability detection method of the present disclosure therefore adopts static data-flow analysis, which effectively reduces detection time while guaranteeing the accuracy of the detection result.
As shown in Fig. 2, in the Android system vulnerability detection method provided in some optional embodiments of the present disclosure, step S4 of determining the first-level function call relationship of the Java layer according to the bytecode file further includes:
S201: obtaining class information according to the byte code file, and determining a class association relationship according to the class information;
the class information comprises the class names of a plurality of classes, the corresponding parent class names and an interface list;
the determining a class association relationship according to the class information further includes:
associating the plurality of classes with their corresponding parent classes according to the class names and the parent class names;
and associating the plurality of classes with their corresponding interfaces according to the interface list.
S202: acquiring function definition information according to the byte code file, and determining a class inclusion relationship according to the function definition information, wherein the class inclusion relationship refers to the inclusion relationship between a function and its corresponding class.
S203: acquiring function call information according to the byte code file, and determining a first inter-function call relationship of a plurality of functions of the Java layer according to the function call information.
S204: constructing a function override relationship according to the class association relationship and the class inclusion relationship.
S205: determining the first-level function call relationship according to the class association relationship, the class inclusion relationship, the first inter-function call relationship and the function override relationship.
In some optional embodiments of the present disclosure, the information in the bytecode file may be read using a bytecode manipulation framework (e.g., the ASM framework).
The bytecode file (.class file) can be read with the ClassReader class of the ASM library; its accept method is then called with a specific class visitor (ClassVisitor) object, so that the bytecode file is parsed. Using the class visitor and method visitor of the ASM library, and overriding the class visit method (visit), the method block visit method (visitMethod) and the method call instruction visit method (visitMethodInsn), the class information, the function definition information and the function call information are obtained in order to construct the function call relationship.
In the Android system, the bytecode file of the Java layer is very large, and the function call relationships among the functions of the Java layer are correspondingly complex. The bytecode file includes Android library functions and non-Android library functions, of which the Android library functions need more attention. Therefore, in some optional embodiments of the present disclosure, when function definition information is obtained from the bytecode file, the function definition information of the Android library functions is obtained; and when function call information is obtained from the bytecode file, the function call information of the Android library functions is obtained. The first-level function call relationship is then determined according to the function definition information and the function call information of the Android library functions.
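Steps S201 to S205 can be illustrated as follows. This is an added example, not code from the patent: it assumes the class, definition and call records have already been collected by the visitor callbacks named above, and the class names under demo/ are constructed. It shows why the override relationship matters: a call that names a parent-class method may dispatch to a subclass override, so both edges are recorded.

```python
from collections import defaultdict

# Constructed records shaped like what visit / visitMethod / visitMethodInsn
# report: class name, parent name, interface list, and for each defined
# method the (owner, signature) pairs of the calls it makes.
CLASSES = [
    {"name": "demo/Base", "super": "java/lang/Object", "interfaces": [],
     "methods": {"handle()V": [("demo/Base", "check()Z")], "check()Z": []}},
    {"name": "demo/Foo", "super": "demo/Base", "interfaces": ["demo/IFoo"],
     "methods": {"check()Z": [("demo/Parcel", "readInt()I")],
                 "foo()V": [("demo/Foo", "handle()V")]}},
    {"name": "demo/IFoo", "super": "java/lang/Object", "interfaces": [],
     "methods": {"foo()V": []}},
]


def build_first_level(classes):
    """Return (edges, overrides) for the Java layer.
    Static, private and constructor methods are not special-cased here."""
    # S201 class association: class -> parent class and interfaces
    parents = {c["name"]: [c["super"]] + c["interfaces"] for c in classes}
    # S202 class inclusion: class -> signatures it defines
    defines = {c["name"]: set(c["methods"]) for c in classes}

    def ancestors(cls):
        seen, queue = [], list(parents.get(cls, []))
        while queue:
            p = queue.pop(0)
            if p not in seen:
                seen.append(p)
                queue.extend(parents.get(p, []))
        return seen

    # S204 override relation: (ancestor, sig) -> overriding (subclass, sig)
    overrides = defaultdict(set)
    for cls, sigs in defines.items():
        for anc in ancestors(cls):
            for sig in sigs & defines.get(anc, set()):
                overrides[(anc, sig)].add((cls, sig))

    def resolve(owner, sig):
        """Find the class that actually defines sig, walking up from owner."""
        for cls in [owner] + ancestors(owner):
            if sig in defines.get(cls, ()):
                return (cls, sig)
        return (owner, sig)  # defined outside the analysed set

    # S203 + S205: direct call edges plus edges to possible overrides
    edges = defaultdict(set)
    for c in classes:
        for sig, calls in c["methods"].items():
            caller = (c["name"], sig)
            for owner, callee_sig in calls:
                target = resolve(owner, callee_sig)
                edges[caller].add(target)
                edges[caller] |= overrides.get(target, set())
    return edges, overrides


if __name__ == "__main__":
    graph, _ = build_first_level(CLASSES)
    for caller, callees in sorted(graph.items()):
        print(caller, "->", sorted(callees))
```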
As shown in Fig. 3, in the Android system vulnerability detection method provided in some optional embodiments of the present disclosure, step S5 of determining the second-level function call relationship of the C/C++ layer according to the key source code file further includes:
S301: analyzing the key source code file by using a syntax analysis tool to construct a corresponding abstract syntax tree;
In computer science, syntactic analysis (parsing) is the process of analyzing an input text composed of a sequence of words (e.g., program code) according to a given formal grammar and determining its grammatical structure. The key source code files may be parsed with a parsing tool to determine the syntax structure of the C/C++ layer. Some optional embodiments of the present disclosure may use the ANTLR parsing tool to analyze the key source code file and construct the corresponding abstract syntax tree. The Listener mechanism of the ANTLR parser can be used to traverse the nodes in the abstract syntax tree.
The nodes in the abstract syntax tree comprise definition nodes, variable nodes, function definition nodes and function call nodes.
S302: traversing the nodes in the abstract syntax tree to obtain function definition information and function call information of a plurality of functions of the C/C++ layer, together with definition-domain information and variable information related to the plurality of functions, including:
analyzing the definition nodes to determine the definition-domain information;
analyzing the variable nodes to determine the variable information;
analyzing the function definition nodes to determine the function definition information;
analyzing the function call nodes to determine the function call information;
wherein the definition nodes comprise namespace definition nodes, class definition nodes and struct definition nodes, and the definition-domain information comprises the function definition domain and the field scope.
S303: determining a second inter-function call relationship of a plurality of functions of the C/C++ layer according to the function definition information and the function call information;
S304: determining call type information of a plurality of functions of the C/C++ layer according to the function call information, the definition-domain information and the variable information, wherein the call type information comprises the function call type and the related parameter types;
S305: determining the second-level function call relationship according to the second inter-function call relationship and the call type information.
In this Android system vulnerability detection method, an abstract syntax tree is constructed and its nodes are traversed to obtain the function definition information and function call information of a plurality of functions of the C/C++ layer, together with the definition-domain information and variable information related to those functions. The inter-function call relationship of the functions in the C/C++ layer is first determined from the function definition information and the function call information. On that basis, type tracking is performed on the function call type and the related parameter types according to the function call information, the definition-domain information and the variable information, and the result supplements the inter-function call relationship, so that the second-level function call relationship is finally determined.
Analyzing the global inter-function call relation of the Android system, and besides analyzing the first-level function call relation of the Java layer and the second-level function call relation of the C/C + + layer, further considering the association relation between Java layer functions and C/C + + layer functions, including the mapping relation between functions and the communication call relation between functions. As shown in fig. 4, in the Android system vulnerability detection method according to some optional embodiments of the present disclosure, the determining an inter-layer function association relationship S6 between the Java layer and the C/C + + layer according to the bytecode file and the key source code file further includes:
S401: analyzing the key source code file by using a syntax analysis tool to construct a corresponding abstract syntax tree;
S402: traversing and accessing Java native interface nodes and registration method nodes in the abstract syntax tree to determine the inter-function mapping relationship between Java layer functions and C/C++ layer functions, together with the corresponding Java layer function information and C/C++ layer function information;
A mapping relationship between Java layer functions and C/C++ layer functions is recorded in the Java Native Interface (JNI) of the Android system; specifically, it is recorded in a g_methods variable of the JNI native method (JNINativeMethod) structure type.
In the method, the Java native interface node refers to a JNINativeMethod structure definition node. The JNINativeMethod structure definition nodes may be traversed to extract the content of the g_methods array, and the mapping relationship between Java layer functions and C/C++ layer functions is determined from that content.
On the basis of the mapping relationship between the Java layer function and the C/C++ layer function, the Java layer function information and C/C++ layer function information corresponding to the mapping relationship also need to be acquired.
The Java layer function information comprises class information of the Java layer function. The class information of the Java method is specified when JNI registration is performed, and the JNI registration call is generally located inside a method named "register_<package name>_<class name>". The corresponding information can therefore be obtained by traversing the registration method nodes: the method nodes named "register_<package name>_<class name>" are traversed, the JNI registration function call statements in them are acquired to determine the class information of the Java layer functions, and the class information is concatenated with the function names to obtain the complete Java layer function information.
For example, in some optional embodiments of the present disclosure, when traversing the registration method nodes in the abstract syntax tree, the JNI registration methods that are recognized include "RegisterMethodsOrDie", "JNI register methods", "backup totar", "registerNativeMethods". The second parameter of these methods is the class information of the Java layer function.
Regarding the C/C++ layer function information, the function information of the complete C/C++ layer function to which a Java layer function maps may be determined through function name matching.
S403: determining a Java native interface mapping relationship according to the inter-function mapping relationship, the Java layer function information and the C/C++ layer function information;
The Java layer function information and the C/C++ layer function information are used to complete the inter-function mapping relationship, yielding the Java native interface (JNI) mapping relationship.
S404: acquiring an interface definition file of the Android system, determining a plurality of communication interface classes by parsing the interface definition file, and determining a plurality of proxy classes and a plurality of stub classes that implement the communication interface classes;
S405: associating same-named functions in the proxy class and the stub class to determine a communication function call relationship;
An interface definition file (AIDL) in the Android system defines a communication function interface, and a proxy class (Proxy) associated with the client and a stub class (Stub) associated with the server are automatically generated at compile time.
Accordingly, a plurality of communication interface classes may be determined by parsing the interface definition file, and from them a plurality of proxy classes and a plurality of stub classes. The proxy class and the stub class each comprise a plurality of functions. Every pair of same-named functions in the proxy class and the stub class is connected, with the connection directed from the function in the proxy class to the function in the stub class. The proxy class is thereby associated with the same-named functions in the stub class, and the communication function call relationship is determined.
S406: determining the inter-layer function association relationship according to the Java native interface mapping relationship and the communication function call relationship.
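Steps S401 to S406 can be illustrated with the following added example, which is not code from the patent. It assumes regular expressions in place of the abstract syntax tree traversal, and the source snippets, class names and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from AOSP or from the patent).
CPP_SOURCE = r'''
static jlong demo_Parcel_create(JNIEnv* env, jclass clazz) { return 0; }
static void demo_Parcel_writeInt(JNIEnv* env, jclass clazz, jlong ptr, jint v) {}

static const JNINativeMethod g_methods[] = {
    {"nativeCreate",   "()J",   (void*)demo_Parcel_create},
    {"nativeWriteInt", "(JI)V", (void*)demo_Parcel_writeInt},
};

int register_com_example_DemoParcel(JNIEnv* env) {
    return RegisterMethodsOrDie(env, "com/example/DemoParcel",
                                g_methods, NELEM(g_methods));
}
'''

AIDL_SOURCE = '''
package com.example;
interface IDemoService {
    int getValue(String key);
    oneway void setValue(String key, int value);
}
'''

# A JNINativeMethod array: name, then the brace-enclosed entry list.
ARRAY_RE = re.compile(r'JNINativeMethod\s+(\w+)\s*\[\s*\]\s*=\s*\{(.*?)\}\s*;', re.S)
# One entry: {"javaName", "signature", (void*)nativeFunction}
ENTRY_RE = re.compile(
    r'\{\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*\(\s*void\s*\*\s*\)\s*(\w+)\s*\}')
# Registration call: the second argument is the Java class, the third the array.
REGISTER_RE = re.compile(
    r'\b(?:RegisterMethodsOrDie|jniRegisterNativeMethods|registerNativeMethods)'
    r'\s*\(\s*\w+\s*,\s*"([^"]+)"\s*,\s*(\w+)')
PACKAGE_RE = re.compile(r'package\s+([\w.]+)\s*;')
INTERFACE_RE = re.compile(r'interface\s+(\w+)\s*\{(.*?)\}', re.S)
METHOD_RE = re.compile(r'(\w+)\s*\([^)]*\)\s*;')


def jni_mapping(cpp_source):
    """Return (edges, unresolved): Java-to-native edges from the JNI tables,
    plus the names of tables for which no registration call was found."""
    arrays = {name: ENTRY_RE.findall(body)
              for name, body in ARRAY_RE.findall(cpp_source)}
    edges, registered = [], set()
    for class_path, array_name in REGISTER_RE.findall(cpp_source):
        registered.add(array_name)
        java_class = class_path.replace("/", ".")
        for method, signature, native in arrays.get(array_name, []):
            edges.append((f"{java_class}.{method}{signature}", native))
    # A table without a registration call has no class information, so its
    # edges would be missing from the call graph; report it, do not guess.
    unresolved = sorted(set(arrays) - registered)
    return edges, unresolved


def binder_edges(aidl_source):
    """Connect each proxy function to the same-named stub function."""
    pkg = PACKAGE_RE.search(aidl_source)
    prefix = pkg.group(1) + "." if pkg else ""
    edges = []
    for iface, body in INTERFACE_RE.findall(aidl_source):
        for method in METHOD_RE.findall(body):
            edges.append((f"{prefix}{iface}.Stub.Proxy.{method}",
                          f"{prefix}{iface}.Stub.{method}"))
    return edges


def interlayer_edges(cpp_source, aidl_source):
    """Inter-layer association: JNI mapping edges plus communication edges."""
    jni, unresolved = jni_mapping(cpp_source)
    tagged = [(a, b, "jni") for a, b in jni]
    tagged += [(a, b, "binder") for a, b in binder_edges(aidl_source)]
    return tagged, unresolved


if __name__ == "__main__":
    for edge in interlayer_edges(CPP_SOURCE, AIDL_SOURCE)[0]:
        print(edge)
```

The unresolved list matters for detection quality: a mapping table that is never matched to a registration call silently removes a Java-to-native edge, and every path through it disappears from the later analysis.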
Call analysis is performed on the method functions related to the vulnerability to be analyzed: a global function call graph is first generated according to the global function call relationships of the Android system, then the call path of the method function is determined in the global function call graph, and the call path is analyzed. As shown in fig. 5, in the Android system vulnerability detection method according to some optional embodiments of the present disclosure, step S7, constructing a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship, and the inter-layer function association relationship, further includes:
S501: taking a plurality of functions related to the first-level function call relationship, the second-level function call relationship and the inter-layer function association relationship as function nodes;
S502: adding a directed edge between a calling function node and a called function node among the plurality of function nodes according to the first-level function call relationship, the second-level function call relationship and the communication function call relationship;
S503: adding directed edges between Java layer function nodes and C/C++ function nodes among the plurality of function nodes according to the Java native interface mapping relationship.
In some optional embodiments of the present disclosure, the global function call graph may be built using a network graph analysis tool (e.g., the network graph analysis library "NetworkX"), which provides classes of graph objects, generators for creating standard graphs, IO routines for reading existing datasets, algorithms for analyzing graphs, and some basic drawing tools that a user may use to create, manipulate, and study complex networks.
A global function call graph g of the Android system can be constructed based on the "NetworkX" library;
First, the analysis results of the first-level function call relationship of the Java layer, the second-level function call relationship of the C/C++ layer and the inter-layer function association relationship are read, the function nodes of the caller and the callee are added to the graph g, and a directed edge is added from the function node of the caller to the function node of the callee, so that the call relationships among the functions in the global function call graph g can be displayed visually;
In addition, mapping relationships also exist among the functions in the global function call graph g. The analysis results of the Java native interface mapping relationship can be read, the Java function nodes and the corresponding C/C++ function nodes are added to the graph g, and directed edges are added from the Java function nodes to the corresponding C/C++ function nodes, so that the mapping relationships among the functions in the global function call graph g can be displayed visually.
After the global function call graph is determined, call analysis is performed on the method function corresponding to the vulnerability to be analyzed based on the global function call graph. As shown in fig. 6, in the Android system vulnerability detection method according to some optional embodiments of the present disclosure, step S9, performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system, further includes:
S601: determining a function node corresponding to the method function in the global function call graph;
S602: extracting a corresponding function call path in the global function call graph according to the function node;
The function call path may include a backward function call path, a forward function call path, and a shortest function call path.
Specifically, with the function node as a starting point, a depth-first traversal may be performed on the global function call graph g by using the "dfs_successors" method provided by the "NetworkX" library to extract a backward function call path;
The reverse graph reverse_g of the original global function call graph g is first obtained by using the "reverse_view" method of the "NetworkX" library; then, with the function node as a starting point, a depth-first traversal is performed on the reverse graph reverse_g by using the "dfs_successors" method of the "NetworkX" library to extract a forward function call path;
When the system function corresponding to the vulnerability to be analyzed involves two or more method functions, the function nodes corresponding to these method functions can each be determined in the global function call graph, and a starting point and an end point can be determined among these function nodes according to the functions performed by the method functions. The shortest function call path between the starting point and the end point is then acquired from the global function call graph g by using the "shortest_path" method provided by the "NetworkX" library.
For example, for the "inconsistent Android serialization" vulnerability, the process is to construct the Android system global function call graph and then extract function call paths with the "writeToParcel" method function and the "readFromParcel" method function respectively as starting points.
S603: determining an expected call path according to the system function, comparing the function call path with the expected call path, and determining whether the vulnerability to be analyzed exists according to the comparison result.
The expected call path refers to the correct call path when the system has no vulnerability.
Corresponding qualitative analysis is performed on the function call path of the method function according to the vulnerability to be analyzed, for example path reachability judgment or function call path matching and comparison, to determine whether the vulnerability to be analyzed exists. For example, for the "inconsistent Android serialization" vulnerability, it is determined whether the function call paths in each "writeToParcel" and "readFromParcel" method pair are type-matched; if not, it is determined that the "inconsistent Android serialization" vulnerability exists.
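Steps S501 to S503 and S601 to S603 are illustrated by the added example below, which is not code from the patent. Plain dictionaries stand in for the NetworkX graph so that the block has no third-party dependency, the edge list is constructed, and comparing the ordered lists of Parcel types is an assumed, simplified form of the type-matching check.

```python
from collections import deque

# Constructed edges (caller, callee, relation); not extracted from a real image.
EDGES = [
    ("com.example.Demo.writeToParcel", "com.example.Demo.writeHeader", "java"),
    ("com.example.Demo.writeHeader", "android.os.Parcel.writeInt", "java"),
    ("com.example.Demo.writeToParcel", "android.os.Parcel.writeString", "java"),
    ("com.example.Demo.readFromParcel", "android.os.Parcel.readInt", "java"),
    ("com.example.Demo.readFromParcel", "android.os.Parcel.readLong", "java"),
    ("android.os.Parcel.writeInt", "android.os.Parcel.nativeWriteInt", "java"),
    ("android.os.Parcel.nativeWriteInt", "android_os_Parcel_writeInt", "jni"),
    ("android_os_Parcel_writeInt", "android::Parcel::writeInt32", "native"),
]


def build_graph(edges):
    """S501-S503: every function is a node, every relation a directed edge."""
    graph = {}
    for caller, callee, _relation in edges:
        graph.setdefault(caller, [])
        graph.setdefault(callee, [])
        if callee not in graph[caller]:
            graph[caller].append(callee)
    return graph


def reverse_graph(graph):
    """Same nodes, every edge flipped (the role reverse_view plays on the page)."""
    rev = {node: [] for node in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev[callee].append(caller)
    return rev


def dfs_order(graph, start):
    """Nodes reachable from start in depth-first preorder; cycles are safe."""
    seen, order, stack = {start}, [], [iter(graph.get(start, []))]
    while stack:
        nxt = next(stack[-1], None)
        if nxt is None:
            stack.pop()
        elif nxt not in seen:
            seen.add(nxt)
            order.append(nxt)
            stack.append(iter(graph[nxt]))
    return order


def shortest_path(graph, source, target):
    """Breadth-first shortest call path, or None when target is unreachable."""
    prev, queue = {source: None}, deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in prev:
                prev[callee] = node
                queue.append(callee)
    return None


def parcel_types(graph, method, verb):
    """Types passed to android.os.Parcel.<verb>* below method, in DFS order."""
    prefix = "android.os.Parcel." + verb
    return [n[len(prefix):] for n in dfs_order(graph, method)
            if n.startswith(prefix)]


def check_parcel_pair(graph, cls):
    """S603 for the serialization case: compare written and read types."""
    written = parcel_types(graph, cls + ".writeToParcel", "write")
    read = parcel_types(graph, cls + ".readFromParcel", "read")
    return {"written": written, "read": read, "consistent": written == read}


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(check_parcel_pair(g, "com.example.Demo"))
    print(dfs_order(reverse_graph(g), "android::Parcel::writeInt32"))
```

Edge insertion order stands in for call-site order here; a production check would take the order from the bytecode rather than from the graph.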
It should be noted that the method of the embodiments of the present disclosure may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may only perform one or more steps of the method of the embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above describes some embodiments of the disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to the method of any embodiment, the present disclosure further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor executes the computer program to implement the method for detecting the Android system vulnerability according to any embodiment.
Fig. 7 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute a relevant program to implement the technical solution of the Android system vulnerability detection method provided in the embodiment of the present specification.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the embodiment is used for implementing the corresponding Android system vulnerability detection method in any one of the embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above embodiments, the present disclosure further provides a non-transitory computer-readable storage medium storing a computer instruction, where the computer instruction is used to enable the computer to execute the Android system vulnerability detection method according to any of the above embodiments.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the Android system vulnerability detection method according to any embodiment, and have the beneficial effects of the corresponding method embodiment, which are not described herein again.
It should be noted that the embodiments of the present disclosure can be further described in the following ways:
An Android system vulnerability detection method, wherein the Android system comprises a Java layer and a C/C++ layer; the method comprises the following steps:
acquiring a local system file corresponding to the Java layer and a source code file corresponding to the C/C++ layer;
decompiling the local system file to determine a bytecode file;
determining a file directory corresponding to the source code file, and screening out a key source code file from the source code file according to the file directory;
determining a first-level function call relationship of the Java layer according to the bytecode file;
determining a second-level function call relationship of the C/C++ layer according to the key source code file;
determining an inter-layer function association relationship between the Java layer and the C/C++ layer according to the bytecode file and the key source code file;
constructing a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship and the inter-layer function association relationship;
selecting a vulnerability to be analyzed, and determining at least one related method function according to a system function corresponding to the vulnerability to be analyzed;
and performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system.
Optionally, the determining, according to the bytecode file, a first-level function call relationship of the Java layer further includes:
obtaining class information according to the byte code file, and determining a class association relation according to the class information;
acquiring function definition information according to the byte code file, and determining a class inclusion relationship according to the function definition information, wherein the class inclusion relationship refers to the inclusion relationship between a function and a corresponding class;
acquiring function call information according to the bytecode file, and determining a first inter-function call relationship of a plurality of functions of the Java layer according to the function call information;
constructing a function rewriting relation according to the class association relation and the class inclusion relation;
determining the first-level function call relation according to the class association relation, the class inclusion relation, the first inter-function call relation and the function rewrite relation;
the class information comprises class names of a plurality of classes, corresponding parent class names and an interface list;
the determining a class association relationship according to the class information further includes:
associating a plurality of classes with corresponding parent classes according to the class names and the parent class names;
and associating the plurality of classes with the corresponding interfaces according to the interface list.
Optionally, the bytecode file includes an Android library function;
the acquiring function definition information according to the bytecode file further includes acquiring function definition information of the Android library function;
and the acquiring function call information according to the bytecode file further includes acquiring function call information of the Android library function.
Optionally, the determining, according to the key source code file, a second-level function call relationship of the C/C++ layer further includes:
analyzing the key source code file by using a syntax analysis tool to construct a corresponding abstract syntax tree;
traversing and accessing nodes in the abstract syntax tree to acquire function definition information, function call information, and definition domain information and variable information related to a plurality of functions of the C/C++ layer;
determining a second inter-function call relationship of a plurality of functions of the C/C++ layer according to the function definition information and the function call information;
determining call type information of a plurality of functions of the C/C++ layer according to the function call information, the definition domain information and the variable information;
and determining the second-level function call relationship according to the second inter-function call relationship and the call type information.
Optionally, the nodes in the abstract syntax tree include definition nodes, variable nodes, function definition nodes, and function call nodes;
the traversing and accessing nodes in the abstract syntax tree to acquire function definition information, function call information, and definition domain information and variable information related to a plurality of functions of the C/C++ layer further includes:
analyzing the definitional node to determine the definitional domain information;
analyzing the variable nodes to determine the variable information;
analyzing the function definition node to determine the function definition information;
analyzing the function call node to determine the function call information;
the definition nodes comprise a namespace definition node, a class definition node and a structure definition node, and the definition domain information comprises a function definition domain and a field scope.
Optionally, the determining, according to the bytecode file and the key source code file, an inter-layer function association relationship between the Java layer and the C/C++ layer further includes:
analyzing the key source code file by using a syntax analysis tool to construct a corresponding abstract syntax tree;
traversing and accessing Java native interface nodes and registration method nodes in the abstract syntax tree to determine the inter-function mapping relationship between Java layer functions and C/C++ layer functions, together with the corresponding Java layer function information and C/C++ layer function information;
determining a Java native interface mapping relationship according to the inter-function mapping relationship, the Java layer function information and the C/C++ layer function information;
acquiring an interface definition file of the Android system, determining a plurality of communication interface classes by parsing the interface definition file, and determining a plurality of proxy classes and a plurality of stub classes that implement the communication interface classes;
associating same-named functions in the proxy class and the stub class to determine a communication function call relationship;
and determining the inter-layer function association relationship according to the Java native interface mapping relationship and the communication function call relationship.
Optionally, the constructing a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship, and the inter-layer function association relationship further includes:
taking a plurality of functions related to the first-level function call relation, the second-level function call relation and the inter-layer function incidence relation as function nodes;
adding a directed edge between a calling function node and a called function node in a plurality of function nodes according to the calling relation of the first-level function, the calling relation of the second-level function and the calling relation of the communication function;
and adding directed edges between Java layer function nodes and C/C++ function nodes among the plurality of function nodes according to the Java native interface mapping relationship.
Optionally, the performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system further includes:
determining a function node corresponding to the method function in the global function call graph;
extracting a corresponding function call path in the global function call graph according to the function node;
determining an expected call path according to the system function, comparing and detecting the function call path and the expected call path, and determining whether the vulnerability to be analyzed exists according to a comparison and detection result;
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples. Within the idea of the present disclosure, technical features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the present disclosure, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present disclosure are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalents, improvements, and the like that may be made within the spirit and principles of the embodiments of the disclosure are intended to be included within the scope of the disclosure.

Claims (9)

1. An Android system vulnerability detection method, wherein the Android system comprises a Java layer and a C/C++ layer; the method comprises:
obtaining a local system file corresponding to the Java layer and a source code file corresponding to the C/C++ layer;
decompiling the local system file to determine a bytecode file;
determining the file directory corresponding to the source code file, and filtering out key source code files from the source code file according to the file directory;
determining a first-level function call relationship of the Java layer according to the bytecode file;
determining a second-level function call relationship of the C/C++ layer according to the key source code file;
determining an inter-layer function association relationship between the Java layer and the C/C++ layer according to the bytecode file and the key source code file;
building a global function call graph of the Android system according to the first-level function call relationship, the second-level function call relationship, and the inter-layer function association relationship;
selecting a vulnerability to be analyzed, and determining at least one method function involved according to the system function corresponding to the vulnerability to be analyzed;
performing call analysis on the method function according to the global function call graph to determine whether the vulnerability to be analyzed exists in the Android system;
wherein the determining the second-level function call relationship of the C/C++ layer according to the key source code file further includes:
using a syntax analysis tool to analyze the key source code file to construct a corresponding abstract syntax tree;
traversing and visiting the nodes in the abstract syntax tree to obtain function definition information, function call information, and definition domain information and variable information involved in multiple functions of the C/C++ layer;
determining a second inter-function call relationship of the multiple functions of the C/C++ layer according to the function definition information and the function call information;
determining call type information of the multiple functions of the C/C++ layer according to the function call information, the definition domain information and the variable information;
determining the second-level function call relationship according to the second inter-function call relationship and the call type information.
2. The method according to claim 1, wherein the determining the first-level function call relationship of the Java layer according to the bytecode file further comprises:
obtaining class information according to the bytecode file, and determining a class association relationship according to the class information;
obtaining function definition information according to the bytecode file, and determining a class inclusion relationship according to the function definition information, wherein the class inclusion relationship refers to the inclusion relationship between a function and a corresponding class;
obtaining function call information according to the bytecode file, and determining a first inter-function call relationship of multiple functions of the Java layer according to the function call information;
building a function rewriting relationship according to the class association relationship and the class inclusion relationship;
determining the first-level function call relationship according to the class association relationship, the class inclusion relationship, the first inter-function call relationship, and the function rewriting relationship;
wherein the class information includes class names of multiple classes, corresponding parent class names and interface lists;
the determining the class association relationship according to the class information further includes:
associating a plurality of classes with corresponding parent classes according to the class names and the parent class names;
associating a plurality of classes with corresponding interfaces according to the interface list.
3. The method of claim 2, wherein the bytecode file comprises an Android library function;
the obtaining function definition information according to the bytecode file further includes obtaining the function definition information of the Android library function;
the obtaining function call information according to the bytecode file further includes obtaining the function call information of the Android library function.
4. The method according to claim 1, wherein the nodes in the abstract syntax tree comprise definition nodes, variable nodes, function definition nodes and function call nodes;
the traversing and visiting the nodes in the abstract syntax tree to obtain the function definition information, function call information, and the definition domain information and variable information involved in the multiple functions of the C/C++ layer further includes:
analyzing the definition node to determine the definition domain information;
analyzing the variable node to determine the variable information;
analyzing the function definition node to determine the function definition information;
analyzing the function call node to determine the function call information;
wherein the definition nodes include namespace definition nodes, class definition nodes, and structure definition nodes, and the definition domain information includes function definition domains and field scopes.
5.
The method according to claim 1, wherein the determining the inter-layer function association relationship between the Java layer and the C/C++ layer according to the bytecode file and the key source code file, further comprising: 利用语法分析工具对所述关键源码文件进行分析以构建相应的抽象语法树;Use a syntax analysis tool to analyze the key source code file to construct a corresponding abstract syntax tree; 遍历访问所述抽象语法树中的Java本地接口节点与注册方法节点,以确定所述Java层函数与所述C/C++层函数的函数间映射关系以及相对应的Java层函数信息与C/C++层函数信息;Traversing and visiting the Java native interface node and the registration method node in the abstract syntax tree to determine the function mapping relationship between the Java layer function and the C/C++ layer function and the corresponding Java layer function information and C/C++ layer function information layer function information; 根据所述函数间映射关系、所述Java层函数信息与所述C/C++层函数信息确定Java本地接口映射关系;Determine the Java native interface mapping relationship according to the mapping relationship between the functions, the Java layer function information and the C/C++ layer function information; 获取所述Android系统的接口定义文件,通过解析所述接口定义文件确定多个通信接口类,确定用于实现所述通信接口类的多个代理类与多个存根类;Obtain the interface definition file of the Android system, determine multiple communication interface classes by parsing the interface definition file, and determine multiple proxy classes and multiple stub classes for realizing the communication interface class; 将所述代理类与所述存根类中的同名函数进行关联以确定通信函数调用关系;Associating the proxy class with the function of the same name in the stub class to determine a communication function calling relationship; 根据所述Java本地接口映射关系与所述通信函数调用关系确定所述层间函数关联关系。The inter-layer function association relationship is determined according to the Java local interface mapping relationship and the communication function calling relationship. 6.根据权利要求5所述的方法,其中,所述根据所述第一层级函数调用关系、所述第二层级函数调用关系以及所述层间函数关联关系构建所述Android系统的全局函数调用图,进一步包括:6. 
The method according to claim 5, wherein the global function call of the Android system is constructed according to the first-level function call relationship, the second-level function call relationship, and the inter-layer function association relationship Figure, further including: 将所述第一层级函数调用关系、所述第二层级函数调用关系与所述层间函数关联关系所涉及的多个函数作为函数节点;Using the multiple functions involved in the first-level function calling relationship, the second-level function calling relationship, and the inter-layer function association relationship as function nodes; 根据所述第一层级函数调用关系、所述第二层级函数调用关系与所述通信函数调用关系,在多个函数节点中调用函数节点与被调用函数节点间添加有向边;According to the first-level function calling relationship, the second-level function calling relationship and the communication function calling relationship, a directed edge is added between the calling function node and the called function node in the plurality of function nodes; 根据所述Java本地接口映射关系,在多个函数节点中Java层函数节点与C/C++函数节点之间添加有向边。According to the Java native interface mapping relationship, a directed edge is added between the Java layer function node and the C/C++ function node in the plurality of function nodes. 7.根据权利要求1所述的方法,其中,所述根据所述全局函数调用图对所述方法函数进行调用分析以确定所述Android系统中是否存在所述待分析漏洞,进一步包括:7. 
The method according to claim 1, wherein the performing call analysis on the method function according to the global function call graph to determine whether the to-be-analyzed vulnerability exists in the Android system, further comprising: 在所述全局函数调用图中确定与所述方法函数相对应的函数节点;determining a function node corresponding to the method function in the global function call graph; 根据所述函数节点在所述全局函数调用图中提取相应的函数调用路径;Extracting corresponding function call paths in the global function call graph according to the function nodes; 根据所述系统功能确定期望调用路径,将所述函数调用路径与所述期望调用路径进行对比检测,根据对比检测结果确定是否存在所述待分析漏洞。An expected calling path is determined according to the system function, the function calling path is compared and detected with the expected calling path, and whether there is the to-be-analyzed vulnerability is determined according to the comparison detection result. 8.一种电子设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现如权利要求1至7任意一项所述的方法。8. An electronic device, comprising a memory, a processor and a computer program stored on the memory and running on the processor, when the processor executes the program, the computer program according to any one of claims 1 to 7 is realized. method. 9.一种非暂态计算机可读存储介质,所述非暂态计算机可读存储介质存储计算机指令,所述计算机指令用于使计算机执行权利要求1至7任一所述方法。9. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
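The graph construction of claim 6 and the path comparison of claim 7 can be sketched as follows. This is an added example, not code from the patent: all function names, class names and relations are constructed, and the proxy/stub naming scheme (`$Proxy`, `$Stub`) is an assumption made for the sample data.

```python
from collections import defaultdict

# Constructed sample relations; every function and class name is hypothetical.
JAVA_CALLS = [  # first-level (Java layer) call relationship
    ("ConfigManager.setConfig", "IConfig$Proxy.setConfig"),
    ("IConfig$Stub.setConfig", "ConfigService.setConfigChecked"),
    ("IConfig$Stub.setConfig", "ConfigService.nativeSetConfig"),  # skips the check
    ("ConfigService.setConfigChecked", "ConfigService.nativeSetConfig"),
]
NATIVE_CALLS = [("android_config_set", "ConfigHal::write")]  # second-level (C/C++)
JNI_MAP = [("ConfigService.nativeSetConfig", "android_config_set")]  # Java -> C/C++
PROXY_FUNCS = {"IConfig": ["setConfig"]}  # interface -> proxy class functions
STUB_FUNCS = {"IConfig": ["setConfig", "getConfig"]}  # interface -> stub class functions

def communication_edges(proxies, stubs):
    """Link same-named functions of each interface's proxy and stub class."""
    return [(f"{iface}$Proxy.{fn}", f"{iface}$Stub.{fn}")
            for iface, fns in proxies.items()
            for fn in fns if fn in stubs.get(iface, [])]

def build_global_graph():
    """Function nodes plus directed caller -> callee edges from all relations."""
    graph = defaultdict(set)
    edges = JAVA_CALLS + NATIVE_CALLS + JNI_MAP
    edges += communication_edges(PROXY_FUNCS, STUB_FUNCS)
    for caller, callee in edges:
        graph[caller].add(callee)
    return graph

def call_paths(graph, start):
    """All simple call paths from start until no unvisited callee remains."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        callees = [c for c in sorted(graph.get(path[-1], ())) if c not in path]
        if not callees:
            paths.append(path)
        stack.extend(path + [c] for c in callees)
    return paths

def deviating_paths(graph, method, expected):
    """Extracted paths for the method function that differ from the expected path."""
    return [p for p in call_paths(graph, method) if p != expected]

EXPECTED = ["ConfigManager.setConfig", "IConfig$Proxy.setConfig",
            "IConfig$Stub.setConfig", "ConfigService.setConfigChecked",
            "ConfigService.nativeSetConfig", "android_config_set", "ConfigHal::write"]

if __name__ == "__main__":
    for path in deviating_paths(build_global_graph(), "ConfigManager.setConfig", EXPECTED):
        print("unexpected call path:", " -> ".join(path))
```

Without the JNI and proxy/stub edges the graph would split into disconnected per-layer fragments, and the path that reaches the C/C++ function without passing through the checked Java function would not be extracted at all.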
CN202110365057.1A 2021-04-06 2021-04-06 Android system vulnerability detection method, electronic equipment and storage medium Active CN112733158B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110365057.1A CN112733158B (en) 2021-04-06 2021-04-06 Android system vulnerability detection method, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110365057.1A CN112733158B (en) 2021-04-06 2021-04-06 Android system vulnerability detection method, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112733158A CN112733158A (en) 2021-04-30
CN112733158B CN112733158B (en) 2021-08-03

Family

ID=75596459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110365057.1A Active CN112733158B (en) 2021-04-06 2021-04-06 Android system vulnerability detection method, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112733158B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113296834B (en) * 2021-05-21 2023-11-03 南京大学 Android closed source service type information extraction method based on reverse engineering
KR102519639B1 (en) 2021-06-30 2023-04-06 삼성에스디에스 주식회사 Method for providing code inspection interface, and apparatus implementing the same method
CN113419971B (en) * 2021-08-25 2021-12-14 北京邮电大学 Android system service vulnerability detection method and related device
CN114363119B (en) * 2021-12-31 2024-04-26 广东智能化超声成像技术装备创新中心有限公司 Method for simultaneously using C++ socket communication and cellular network under Android system
CN115577363A (en) * 2022-09-15 2023-01-06 华北电力科学研究院有限责任公司 Malicious code deserialization exploit chain detection method and device
CN116881925B (en) * 2023-07-13 2024-04-26 广州筑粒信息科技有限公司 System safety test method and system based on demand analysis

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104732146A (en) * 2015-04-03 2015-06-24 上海斐讯数据通信技术有限公司 Android program bug detection method and system
CN109101819A (en) * 2017-06-21 2018-12-28 中兴通讯股份有限公司 A kind of leak detection method and terminal, storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9507945B2 (en) * 2013-04-01 2016-11-29 The Johns Hopkins University Method and apparatus for automated vulnerability detection

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104732146A (en) * 2015-04-03 2015-06-24 上海斐讯数据通信技术有限公司 Android program bug detection method and system
CN109101819A (en) * 2017-06-21 2018-12-28 中兴通讯股份有限公司 A kind of leak detection method and terminal, storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
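Research and Design of Android Application Decompilation Tools; Zheng Xingsheng; China Master's Theses Full-text Database; 20180630 (No. 6); abstract, pages 1-2, page 19 paragraph 5 to page 24, page 31 - paragraph 37, Figure 3-1 *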

Also Published As

Publication number Publication date
CN112733158A (en) 2021-04-30

Similar Documents

Publication Publication Date Title
CN112733158B (en) Android system vulnerability detection method, electronic equipment and storage medium
US11650905B2 (en) Testing source code changes
US10169034B2 (en) Verification of backward compatibility of software components
US10713364B2 (en) System and method for identifying vulnerabilities in code due to open source usage
CN110007920B (en) Method and device for acquiring code dependency relationship and electronic equipment
CN112256321B (en) Static library packaging method, device, computer equipment and storage medium
CN109564540B (en) System, method, and apparatus for debugging of JIT compiler
US11093222B2 (en) Generating interfaces from annotated entity definitions for developing applications
US20150121533A1 (en) Dynamic analysis interpreter modification for application dataflow
US11093220B2 (en) Generating interfaces from data and service definitions for developing applications
CN112114810A (en) Compilation processing method and device
CN115599386A (en) Code generation method, device, equipment and storage medium
US9652358B1 (en) Type widening for source code analysis
US9569335B1 (en) Exploiting software compiler outputs for release-independent remote code vulnerability analysis
CN113312618A (en) Program vulnerability detection method and device, electronic equipment and medium
CN110727476B (en) Method, device, equipment and storage medium for generating authorization configuration file
CN114625372A (en) Automatic component compiling method and device, computer equipment and storage medium
US20160062748A1 (en) Embedded domain specific languages as first class code artifacts
US9519566B2 (en) Modeling memory use of applications
CN115659344B (en) Software supply chain detection method and device
CN112379915B (en) Source code processing method and device
US20220365758A1 (en) Tool for Introspection in Object-Oriented Source Code
CN116738432A (en) Digital currency wallet security detection methods, devices and electronic equipment
CN115809193A (en) Front-end reverse abnormal data robustness detection method, device and storage medium
CN115113898A (en) Dynamic update method, device, computer equipment and storage medium of micro-application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant