A static technique for detecting input validation vulnerabilities in Android apps
详细信息 查看全文
- 作者:Zhejun Fang ; Qixu Liu ; Yuqing Zhang ; Kai Wang…
- 关键词:input validation ; static analysis ; program slicing ; vulnerability detection ; Android security
- 刊名:SCIENCE CHINA Information Sciences
- 出版年:2017
- 出版时间:May 2017
- 年:2017
- 卷:60
- 期:5
- 全文大小:602 KB
- 刊物类别:Computer Science
- 刊物主题:Chinese Library of Science
Information Systems and Communication Service - 出版者:Science China Press, co-published with Springer
- ISSN:1869-1919
- 卷排序:60
文摘
Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.