ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2015, Vol. 52 ›› Issue (10): 2167-2177. doi: 10.7544/issn1000-1239.2015.20150572

Special topic: 2015 Research Progress in Network Security and Privacy Protection

• Information Security •

A Survey of Android Security Vulnerability Discovery Techniques

Zhang Yuqing1, Fang Zhejun1,3, Wang Kai1, Wang Zhiqiang2,4, Yue Hongzhou2, Liu Qixu1, He Yuan1, Li Xiaoqi1, Yang Gang1

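  1. 1(National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408); 2(State Key Laboratory of Integrated Services Networks (Xidian University), Xi'an 710071); 3(National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029); 4(Beijing Electronic Science and Technology Institute, Beijing 100070) (zhangyq@ucas.ac.cn)
  • Published: 2015-10-01
  • Supported by: 
    Funding: National Natural Science Foundation of China (61272481, 61572460); Information Security Special Project of the National Development and Reform Commission (NDRC General Office High-Tech Document [2012] No. 1424)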

Survey of Android Vulnerability Detection

Zhang Yuqing1, Fang Zhejun1,3, Wang Kai1, Wang Zhiqiang2,4, Yue Hongzhou2, Liu Qixu1, He Yuan1, Li Xiaoqi1, Yang Gang1   

  1. 1(National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408); 2(State Key Laboratory of Integrated Services Networks (Xidian University), Xi’an 710071); 3(National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029); 4(Beijing Electronic Science and Technology Institute, Beijing 100070)
  • Online: 2015-10-01

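Abstract: Security vulnerabilities are central to the security of the Android system. Effectively discovering Android security vulnerabilities has therefore become an important technical means of strengthening mobile device security and protecting users' safety and privacy, and it is of significant theoretical and practical importance. This paper first summarizes the trends in the number and the categories of Android vulnerabilities from 2008 to 2015, and then classifies and analyzes the academic research progress reported at top conferences in the Android security field from 2012 to 2014. On this basis, it gives an overall overview of Android vulnerability discovery techniques and describes in detail the techniques used most often in the field, such as taint-flow propagation analysis, reachable-path analysis, symbolic execution and fuzzing. It also introduces techniques that combine static and dynamic analysis, such as concolic (hybrid symbolic) execution and directed fuzzing. Finally, it summarizes the open-source tools in the Android vulnerability discovery field and discusses security problems that merit further in-depth study.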

Key words: Android security, survey, vulnerability discovery, static analysis, dynamic analysis

Abstract: Vulnerabilities play a critical role in Android security. Research on vulnerability detection techniques is therefore very meaningful, since it can enhance Android security and protect users' privacy. In this paper, we first summarize the trends in number and the categories of Android vulnerabilities from 2008 to 2015. We then analyze the research progress in Android security from 2012 to 2014 and present an overview of Android vulnerability detection techniques. After that, we detail the techniques frequently used in current research, such as taint analysis, reachable path discovery, symbolic execution and fuzz testing. In addition, we cover techniques that combine static analysis and dynamic testing, such as concolic testing and directed fuzzing. Finally, we summarize the status quo and the open source tools in Android vulnerability detection, and propose valuable issues that are worth further study.

Key words: Android security, survey, vulnerability detection, static analysis, dynamic analysis
