Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (5): 156-168.doi: 10.11959/j.issn.2096-109x.2021086
• Papers • Previous Articles Next Articles
Zhanhui YUAN1, Zhi YANG1, Hongqi ZHANG1, Shuyuan JIN2, Xuehui DU1
Revised:
2021-09-23
Online:
2021-10-15
Published:
2021-10-01
Supported by:
CLC Number:
Zhanhui YUAN, Zhi YANG, Hongqi ZHANG, Shuyuan JIN, Xuehui DU. Android complex information flow analysis method based on communicating sequential process[J]. Chinese Journal of Network and Information Security, 2021, 7(5): 156-168.
"
参数名称 | 参数状态 |
staticTracking | true |
implicitFlows | true |
enableCallbacks | true |
enableExceptions | true |
accessPathLength | 5 |
flowSensitiveAliasing | true |
computeResultPaths | true |
aggressiveTaintWrapper | false |
librarySummaryTaintWrapper | false |
enableImplicitFlows | true |
enableStaticFields | true |
enableTypeChecking | true |
ignoreFlowsInSystemPackages | true |
inspectSources | false |
inspectSinks | false |
stopAfterFirstFlow | false |
"
信息流泄露漏洞名称 | FlowDroid | 本文方法 |
Insecure Contnt Provider access | ★ | ★ |
Insecure Webview implementation | ★ | ★ |
Sensitive Information in Memory | ★ | ★ |
Insecure Logging mechanism | ★ | ★ |
Android Pasteboard vulnerability | ★ | ★ |
Android keyboard cache issues | ★ | ★ |
Android Backup vulnerability | ★ | ★ |
Insecure SDCard storage | ★ | ★ |
Insecure HTTP connections | ★ | ★ |
"
DroidBench2.0类别 | 泄露路径数 | FlowDroid | 本文分析方法 | ||||
TP | FP | FN | TP | FP | FN | ||
Aliasing (1) | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
Arrays and Lists (7) | 3 | 3 | 4 | 0 | 3 | 4 | 0 |
Callbacks (15) | 17 | 17 | 1 | 0 | 17 | 0 | 0 |
Field and Object Sensitivity (7) | 2 | 2 | 0 | 0 | 2 | 0 | 0 |
Inter-App Communication (3) | 3 | 3 | 0 | 0 | 3 | 0 | 0 |
ICC (18) | 19 | 17 | 0 | 2 | 17 | 0 | 2 |
Lifecycle (17) | 17 | 17 | 2 | 0 | 17 | 2 | 0 |
General Java (23) | 20 | 18 | 4 | 2 | 18 | 2 | 2 |
Android-Specific (13) | 11 | 7 | 1 | 4 | 7 | 1 | 4 |
Implicit Flows (4) | 8 | 7 | 0 | 1 | 7 | 0 | 1 |
Reflection (4) | 4 | 1 | 0 | 3 | 1 | 0 | 3 |
Threading (5) | 5 | 3 | 0 | 2 | 3 | 0 | 2 |
Emulator Detection (3) | 6 | 6 | 0 | 0 | 6 | 0 | 0 |
总数 | 115 | 101 | 13 | 14 | 101 | 10 | 14 |
准确率Precision=TP/(TP+FP) | 88.60% | 90.99% | |||||
召回率Recall=TP/(TP+FN) | 87.83% | 87.83% |
"
DroidBench2.0类别 | FlowDroid平均耗时/s | 代码转换平均耗时/s | 形式化建模平均耗时/s | 模型检测平均耗时/s | 本文方法总平均耗时/s |
Aliasing (1) | 266.51 | 9.62 | 5.50 | 259.98 | 275.10 |
Arrays and Lists (7) | 272.97 | 9.74 | 5.60 | 263.96 | 279.30 |
Callbacks (15) | 253.05 | 10.24 | 6.06 | 256.41 | 272.71 |
Field and Object Sensitivity (7) | 262.97 | 10.98 | 6.83 | 261.04 | 278.85 |
Inter-App Communication (3) | 281.27 | 10.65 | 6.50 | 273.98 | 291.13 |
ICC (18) | 302.77 | 10.10 | 5.90 | 294.47 | 310.47 |
Lifecycle (17) | 296.91 | 10.44 | 6.21 | 292.82 | 309.47 |
General Java (23) | 305.59 | 10.78 | 6.56 | 282.13 | 299.47 |
Android-Specific (13) | 304.88 | 10.89 | 6.73 | 277.82 | 295.44 |
Implicit Flows (4) | 306.32 | 10.31 | 6.14 | 290.75 | 307.20 |
Reflection (4) | 300.34 | 10.52 | 6.34 | 291.95 | 308.81 |
Threading (5) | 294.29 | 11.07 | 6.89 | 272.22 | 290.18 |
Emulator Detection (3) | 269.85 | 11.42 | 7.24 | 254.32 | 272.98 |
平均值 | 285.98 | 10.52 | 6.35 | 274.76 | 291.62 |
[1] | HOARE C A R . Communicating sequential processes[M]. NJ,USA: Prentice Hall, 1985. |
[2] | ENCK W , GILBERT P , CHUN B G ,et al. TaintDroid:an information-flow tracking system for realtime privacy monitoring on smartphones[J]. ACM Transactions on Computer Systems, 2010,57(3): 393-407. |
[3] | VACHHARAJANI N , BRIDGES M J , CHANG J ,et al. RIFLE:an architectural framework for user-centric information-flow security[C]// Proceedings of 37th International Symposium on Microarchitecture (MICRO-37'04). 2004: 243-254. |
[4] | BANERJEE S , DEVECSERY D , CHEN P M ,et al. Iodine:fast dynamic taint tracking using rollback-free optimistic hybrid analysis[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). 2019: 490-504. |
[5] | ZHANG M , YIN H . Efficient,context-aware privacy leakage confinement for android applications without firmware modding[C]// Proceedings of the 9th ACM Symposium on Information,Computer and Communications Security. 2014: 259-270. |
[6] | JIA Y J , CHEN Q A , WANG S Q ,et al. ContexIoT:towards providing contextual integrity to appified IoT platforms[C]// Proceedings of 2017 Network and Distributed System Security Symposium. 2017. |
[7] | ZONG P , LV T , WANG D ,et al. FuzzGuard:filtering out unreachable inputs in directed grey-box fuzzing through deep learning[C]// Proceedings of 29th USENIX Security Symposium (USENIX-SS'20). 2020. |
[8] | SHE D D , CHEN Y Z , SHAH A ,et al. Neutaint:efficient dynamic taint analysis with neural networks[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy (SP). 2020: 1527-1543. |
[9] | NGUYEN-TUONG A , GUARNIERI S , GREENE D ,et al. Automatically hardening web applications using precise tainting[M]// Security and Privacy in the Age of Ubiquitous Computing. Boston,MA: Springer US, 2005: 295-307. |
[10] | NEWSOME J , SONG D . Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on commodity software[C]// Proceedings of the Network and Distributed System Secu-rity Symposium (NDSS '05). 2005. |
[11] | KONG J F , ZOU C C , ZHOU H Y . Improving software security via runtime instruction-level taint checking[C]// Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability. 2006: 18-24. |
[12] | HALDAR V , CHANDRA D , FRANZ M . Dynamic taint propagation for Java[C]// Proceedings of 21st Annual Computer Security Applications Conference (ACSAC'05). 2005:311. |
[13] | VOGT P , NENTWICH F , JOVANOVIC N ,et al. Cross site scripting prevention with dynamic data tainting and static analysis[C]// Proceedings of the Network and Distributed System Security Symposium (NDSS '07). 2007. |
[14] | CABALLERO J , POOSANKAM P , MCCAMANT S ,et al. Input generation via decomposition and restitching:finding bugs in malware[C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. 2010: 413-425. |
[15] | ENCK W , GILBERT P , CHUN B G ,et al. TaintDroid:an information-flow tracking system for realtime privacy monitoring on smartphones[C]// Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation. 2019: 393-407. |
[16] | ZHU D Y , JUNG J , SONG D ,et al. TaintEraser[J]. ACM SIGOPS Operating Systems Review, 2011,45(1): 142-154. |
[17] | KANG M G , MCCAMANT S , POOSANKAM P ,et al. DTA++:dynamic taint analysis with targeted control-flow propagation[C]// Proceedings of the Network and Distributed System Security Symposium (NDSS '11). 2011. |
[18] | ARZT S , RASTHOFER S , FRITZ C ,et al. FlowDroid:precise context,flow,field,object-sensitive and lifecycle-aware taint analysis for Android Apps[C]// Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. 2014: 259-269. |
[19] | WEI F G , ROY S , OU X M ,et al. Amandroid:a precise and general inter-component data flow analysis framework for security vetting of Android Apps[C]// Proceedings of the ACM Conference on Computer and Communications Security. 2014: 1329-1341. |
[20] | LI L , BARTEL A , BISSYANDé T F ,, et al . IccTA:detecting inter-component privacy leaks in android Apps[C]// Proceedings of 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. 2015: 280-291. |
[21] | BIANCHI A , CORBETTA J , INVERNIZZI L ,et al. What the App is that? Deception and countermeasures in the android user interface[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 931-948. |
[22] | ZHAO Q C , ZUO C S , DOLAN-GAVITT B ,et al. Automatic uncovering of hidden behaviors from input validation in mobile Apps[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy (SP). 2020: 1106-1120. |
[23] | SONG F , TOUILI T . Model-checking for android malware detection[M]// Programming Languages and Systems. Cham: Springer International Publishing, 2014: 216-235. |
[24] | BAI G D , YE Q Q , WU Y Z ,et al. Towards model checking Android applications[J]. IEEE Transactions on Software Engineering, 2018,44(6): 595-612. |
[25] | MERCALDO F , NARDONE V , SANTONE A ,et al. Ransomware steals your phone.formal methods rescue it[M]// Formal Techniques for Distributed Objects,Components,and Systems. Cham: Springer International Publishing, 2016: 212-221. |
[26] | MERCALDO F , NARDONE V , SANTONE A ,et al. Download malware? No,thanks:how formal methods can block update attacks[C]// Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering. 2016: 22-28. |
[27] | BATTISTA P , MERCALDO F , NARDONE V ,et al. Identification of android malware families with model checking[C]// Proceedings of the 2nd International Conference on Information Systems Security and Privacy. 2016: 542-547. |
[28] | CANFORA G , MARTINELLI F , MERCALDO F ,et al. LEILA:formal tool for identifying mobile malicious behaviour[J]. IEEE Transactions on Software Engineering, 2019,45(12): 1230-1252. |
[29] | MILNER R . Communication and concurrency[M]. Prentice Hall, 1989. |
[30] | BARBUTI R , DE FRANCESCO N , SANTONE A ,et al. Selective mu-calculus and formula-based equivalence of transition systems[J]. Journal of Computer and System Sciences, 1999,59(3): 537-556. |
[31] | SURHONE L M , TENNOE M T , HENSSONOW S F ,et al. Jimple[M]. Betascript Publishing, 2010. |
[32] | SHEN F , VECCHIO J D , MOHAISEN A ,et al. Android malware detection using complex-flows[C]// Proceedings of IEEE Transactions on Mobile Computing. 2017: 1231-1245. |
[1] | Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80. |
[2] | Zhe SUN, Hong NING, Lihua YIN, Binxing FANG. Preliminary study on the construction of a data privacy protection course based on a teaching-in-practice range [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 178-188. |
[3] | Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51. |
[4] | Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83. |
[5] | Chenxin LU, Bing CHEN, Ning DING, Liquan CHEN, Ge WU. Identity-based anonymous cloud auditing scheme with compact tags [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 156-168. |
[6] | Shengzhi MING, Jianming ZHU, Zhiyuan SUI, Xian ZHANG. Online medical privacy protection strategy under information value-added mechanism [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 169-177. |
[7] | Xian ZHANG, Jianming ZHU, Zhiyuan SUI, Shengzhi MING. Analysis on anonymity and regulation of digital currency transactions based on game theory [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 150-157. |
[8] | Feng LIU, Jie YANG, Jiayin QI. Survey on blockchain privacy protection techniques in cryptography [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 29-44. |
[9] | Lin JIN, Youliang TIAN. Multi-authority attribute hidden for electronic medical record sharing scheme based on blockchain [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 66-76. |
[10] | Weicheng ZHANG, Hongquan WEI, Shuxin LIU, Liming PU. Fast handover authentication scheme in 5G mobile edge computing scenarios [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 154-168. |
[11] | Zhensheng GAO, Lifeng CAO, Xuehui DU. Research progress of access control based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 68-87. |
[12] | Chuanxin ZHOU, Yi SUN, Degang WANG, Huawei GE. Survey of federated learning research [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 77-92. |
[13] | Rongna XIE, Xiaonan FAN, Lin YUAN, Zichen GUO, Jiayu ZHU, Guozhen SHI. Research on extended access control mechanism in online social network [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 123-131. |
[14] | Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173. |
[15] | Kui REN, Quanrun MENG, Shoukun YAN, Zhan QIN. Survey of artificial intelligence data security and privacy protection [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 1-10. |
Viewed | ||||||
Full text |
|
|||||
Abstract |
|
|||||
|