一种基于上下文的应用内容安全泄露检测方法研究

doi:10.3969/j.issn.1671-1122.2018.05.008

信息网络安全 ›› 2018, Vol. 18 ›› Issue (5): 66-74.doi: 10.3969/j.issn.1671-1122.2018.05.008

一种基于上下文的应用内容安全泄露检测方法研究

孙贝, 俞研(), 汪永文

南京理工大学计算机科学与工程学院,江苏南京210094

收稿日期:2018-01-05 出版日期:2018-05-15 发布日期:2020-05-11
作者简介:
作者简介：孙贝（1993—）,女,江苏,硕士研究生,主要研究方向为信息安全;俞研（1972—）,男,吉林,副教授,博士,主要研究方向为网络与信息安全;汪永文（1974—）,男,江苏,助理工程师,主要研究方向为网络安全。
基金资助:
国家自然科学基金[61572255]

Research on a Content Security Leakage Detection Method of the Application Based on Context

Bei SUN, Yan YU(), Yongwen WANG

School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing Jiangsu 210094, China

Received:2018-01-05 Online:2018-05-15 Published:2020-05-11

摘要/Abstract

摘要：

为更全面了解导致移动终端Content Provider组件内容泄露的原因,文章提出了一种基于上下文的Content Provider内容泄露检测方法（CLDC）。该方法通过将泄露原因、检测路径和判定依据形成安全规则库,来定位待检测程序中的可疑字符串或语句,并通过信息流分析和模拟执行方法判断可疑字符串或语句的合理性与可达性。实验结果表明,CLDC方法能够检测不同方向造成的Content Provider组件内容泄露,有效提高了检测的准确率。

关键词: 隐私安全, Content Provider组件, 上下文环境, 内容泄露检测

Abstract:

For a more comprehensive understanding of the reasons leading to the Content Provider leakage in mobile terminal, this paper proposes a content leakage detection method based on context of Content Provider (CLDC). This method locate the suspect string or statement in the test procedure, by forming the library of security rules based on the leakage cause, detection path and judgment basis, and determine the rationality and accessibility of suspect strings or statements, using information flow analysis and simulation execution method. The experimental results show: CLDC can detect Content Provider leakage in different directions, and improve the detection accuracy effectively.

Key words: privacy security, Content Provider, related context, content leakage detection

中图分类号:

TP309

孙贝, 俞研, 汪永文. 一种基于上下文的应用内容安全泄露检测方法研究[J]. 信息网络安全, 2018, 18(5): 66-74.

Bei SUN, Yan YU, Yongwen WANG. Research on a Content Security Leakage Detection Method of the Application Based on Context[J]. Netinfo Security, 2018, 18(5): 66-74.

图/表 10

图1

图2

图3

图4

图5

图6

表1

图7

图8

图9

参考文献 13

[1]	LI Wenyang.Research on Android Malware Detection Technology[J]. Netinfo Security, 2015(9):62-65.
	李汶洋. Android操作系统恶意软件检测技术研究[J]. 信息网络安全, 2015(9):62-65.
[2]	ZHOU Yajin, JIANG Xuxian. Detecting Passive Content Leaks and Pollution in Android Applications [EB/OL].,2017-11-20.
[3]	SHAHRIAR H, HADDAD H M, et al.Content Provider Leakage Vulnerability Detection in Android Applications[C]//ACM. Proceedings of the 7th International Conference on Security of Information and Networks, September 9-11, 2014,Glasgow, Scotland, UK. New York: ACM, 2014:359.
[4]	CHU W, DEHGHAN M, TOWSLEY D, et al.On Allocating Cache Resources to Content Providers[C]// ACM. Proceedings of the 3rd ACM Conference on Information-centric Networking, September 26-28, 2016, Kyoto, Japan. New York:ACM, 2016:154-159.
[5]	ZHANG Yuan, YANG Min, GU Guofei, et al.Rethinking Permission Enforcement Mechanism on Mobile Systems[J]. IEEE Transactions on Information Forensics & Security, 2017, 11(10):2227-2240.
[6]	SHAO Xudong, LIU Yang.A Framework Design for Preventing Android from Apps Privilege-escalation Attacks[J]. Netinfo Security, 2015(9): 89-92.
	邵旭东,刘洋. 一个应对Android应用抬权攻击的系统框架设计[J]. 信息网络安全, 2015(9):89-92.
[7]	ALNABULSI H, ISLAM M R, MAMUN Q.Detecting SQL Injection Attacks Using SNORT IDS[C]// IEEE. The 3rd Asia-Pacific World Congress on Computer Science and Engineering, November 4-5, 2014, Nadi, Fiji. Piscataway: IEEE, 2015:1-7.
[8]	CUI Zhanqi, WANG Linzhang, LI Xuandong.A Test Method of Target-Guided Hybrid Implementation[J]. Chinese Journal of Computers, 2011,34(6): 953-964.
	崔展齐,王林章,李宣东. 一种目标制导的混合执行测试方法[J]. 计算机学报, 2011,34(6):953-964.
[9]	BODDEN E. Inter-procedural Data-flow Analysis with IFDS/IDE and Soot[EB/OL].,2017-11-20.
[10]	LI Yuanling, CHEN Hua, LIU Li.Control Flow Analysis and Graphical Output in Java Program of Soot[J]. Computer Systems Applications, 2009, 18(10): 88-92.
	李远玲, 陈华, 刘丽. Soot的Java程序控制流分析及图形化输出[J]. 计算机系统应用, 2009, 18(10):88-92.
[11]	WANG Xu.Research on Static Detection Method of Java Program Based on Control Flow Analysis and Data Flow Analysis [D]. Xi'an:Xidian University, 2015.
	王旭. 基于控制流分析和数据流分析的Java程序静态检测方法的研究[D]. 西安:西安电子科技大学, 2015.
[12]	ZHANG Fan, ZHONG Zhangdui.Detection and Prevention of Mobile Malware Based on the Analysis of Permissions[J]. Netinfo Security, 2015(10): 66-73.
	张帆, 钟章队. 基于权限分析的手机恶意软件检测与防范[J]. 信息网络安全, 2015(10):66-73.
[13]	ZHAO Yunshan.Research on Static Defect Detection Technology Based on Symbol Analysis[D]. Beijing: Beijing University of Posts and Telecommunications, 2012.
	赵云山. 基于符号分析的静态缺陷检测技术研究[D]. 北京:北京邮电大学, 2012.

一种基于上下文的应用内容安全泄露检测方法研究

Research on a Content Security Leakage Detection Method of the Application Based on Context

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 13

相关文章 2

编辑推荐

Metrics

本文评价

[1]	王嵘冰, 李雅囡, 徐红艳, 冯勇. 适合云服务环境的实数全同态加密方案[J]. 信息网络安全, 2018, 18(11): 49-56.
[2]	胡启平;陈震. 试析社交网络环境中个人隐私保护[J]. , 2010, (8): 0-0.