信息网络安全 ›› 2015, Vol. 15 ›› Issue (3): 38-43.doi: 10.3969/j.issn.1671-1122.2015.03.008

• 技术研究 • 上一篇    下一篇

基于权限控制和脚本检测的Webview漏洞防护方案研究

叶嘉羲, 张权(), 王剑   

  1. 国防科学技术大学电子科学与工程学院,湖南长沙 410073
  • 收稿日期:2015-01-15 出版日期:2015-03-10 发布日期:2015-05-08
  • 作者简介:

    作者简介: 叶嘉羲(1991-),男,浙江,硕士研究生,主要研究方向:现代通信技术;张权(1974-),男,上海,副教授,主要研究方法:现代通信技术;王剑(1975-),男,湖南,副教授,主要研究方向:通信网络安全与对抗。

An Webview Vulnerability Protection Based On Access Control And Script Detection

YE Jia-xi, ZHANG Quan(), WANG Jian   

  1. College of Electronic and Engineer, National University of Defense Technology, Changsha Hunan 410073, China
  • Received:2015-01-15 Online:2015-03-10 Published:2015-05-08

摘要:

文章通过研究Webview漏洞的形成机理,获悉漏洞是由程序调用了不安全的系统API且未对Java反射机制进行防范而产生的。目前,Webview漏洞的检测方法主要是基于黑盒测试思想,准确率不高。文章提出了一种结合静态分析和动态分析的检测方法:通过静态分析对不安全函数进行定位,通过动态分析对不安全函数进行测试,能有效、精确地检测出Webview漏洞。同时,文章研究了Google公司提出的Webview漏洞防护方案,指出该方案存在的三大防护缺陷,并提出了一种基于权限控制和脚本检测的漏洞防护方法,该方法通过权限控制严格限制了访问者的权限上限,并及时向用户反馈情况;通过脚本检测区别出安全脚本和恶意脚本,在未削弱Webview组件能力的前提下,提高了漏洞防护能力。最后,文章设计了一组实验,对比了未添加Webview防护的程序和添加了Webview防护的程序对恶意代码的执行结果,证实该防护方法的有效性。

关键词: Android系统, Webview漏洞, 检测, 防护

Abstract:

This paper studies the formation mechanism of the Webview vulnerability, and learns that the vulnerability arises from the unsafe function’ invoking and did not defend java reflection on the program. At present, Webview vulnerability detection method is mainly based on black box testing, which is at low accuracy. This paper proposes a detection combined of static analysis and dynamic analysis: static analysis can carry out where is the unsafe function, and dynamic analysis can make a test on the unsafe function, in that way the Webview vulnerability can be detected effectively and accurately. At the same time, this paper studies the Webview vulnerability protection proposed by Google, and pointed out that there exits three defects in Google’s defend. So this paper proposes a vulnerability defend based on access control and script detection, the defend is strict with the visitors’ authority limit, timely responding to the user and makes use of script detection to distinguish the security scripts and malicious script, putting an end to the Webview vulnerability without any ability weaken. Finally, this paper designs a set of experiment, comparing the undefended program and the defend programs, the result shows that the protection is valid.

Key words: android system, Webview vulnerability, detection, defend

中图分类号: