Journal: 《计算机应用与软件》 (Computer Applications and Software)

Research on Software Security Vulnerability Mining Methods on the Android Platform

         

Abstract

To reduce leakage of Android users' private data, we propose a vulnerability mining method that targets the source code of Android applications. Building on an Android vulnerability database and a permission-method set, the method uses static analysis to obtain an Android-specific permission-vulnerability matrix algebraic expression and the test cases at vulnerability points. It then mutates the test cases based on vulnerability knowledge to obtain semi-valid data, and uses taint injection and data flow analysis to perform fuzzing-based vulnerability mining. An analysis of the source code of 400 Android applications shows that the method can mine conventional vulnerabilities and is markedly effective at mining Android-specific permission information vulnerabilities. Constraint analysis yields a small number of test cases, the semi-valid data derived from vulnerability knowledge is highly targeted, and code coverage and precision are high.
