论文部分内容阅读
权限泄露是安卓应用中较为普遍存在的一类漏洞,可导致较为严重的安全问题,例如“串谋提权”等。通过Intent模糊测试技术发现暴露的组件,是挖掘权限泄露漏洞的有效方法。但是现有Intent模糊测试技术仅限于单机运行,效率低下。本文提出一种基于动态任务分配的并行模糊测试方法 para Intent Fuzz。该方法通过静态分析提取出安卓应用的extra信息并构造Intent命令,通过Drozer工具给目标应用发送命令,实现了独立的模糊测试,并部署到4台机器上。使用它分析了10064个Android个应用,最后发现有7367个应用存在权限泄露的问题。
Permissions disclosure is a more common type of vulnerability in Android applications that can lead to more serious security issues such as “conspiracy” and so on. Discovering exposed components through Intent fuzzing techniques is an effective way to exploit permissions leaks. However, the existing Intent fuzzing technology is limited to stand-alone operation and is inefficient. This paper presents a parallel fuzzy test method based on dynamic task assignment para Intent Fuzz. This method extracts the extra information of Android application through static analysis and constructs the Intent command. Through the Drozer tool, it sends commands to the target application to achieve independent fuzz testing and deploy to 4 machines. Use it to analyze 10064 Android applications, and finally found there are 7367 applications have the issue of permission leakage.