Android is a mainstream smartphone platform, and vulnerability mining on the Android platform has become one of the most closely watched subjects in the information security field. This paper combines the vulnerability mining research results of the traditional PC platform with the features of the Android platform to analyze the advantages and disadvantages of applying traditional vulnerability mining techniques to the Android platform. It proposes a four-layer architecture model of vulnerability mining techniques for the Android platform and then puts forward its possible research directions. Finally, some case studies are given to demonstrate the effectiveness and practical significance of the mining layer, the core layer of the four-layer architecture model.

Keywords-Android Platform; Vulnerability Mining; Information Security

I. RESEARCH BACKGROUND

With the high-speed development of mobile networks, our society has entered the mobile age. Smartphones, tablet PCs and other mobile devices have become a widespread part of people's daily life. Following that is the increasingly rampant mobile virus [1], including viruses, worms, trojans, malicious mobile code and so on. Like a PC virus, a mobile virus can destroy the normal function of mobile devices and affect users. Due to the features of the mobile platform, the mobile virus is more harmful to users than the PC virus. The massive amount of private information stored in mobile devices, such as text messages, phone call history, location information, mobile traffic, mobile accounts and so on, may be stolen by attackers, which can cause extremely serious consequences for users.
Most mobile viruses use mobile system vulnerabilities to attack and spread. For example, Cabir, the world's first mobile virus, makes use of a Bluetooth vulnerability in Symbian; the mobile hacker virus, namely Hack.mobile.smsdos, makes use of a built-in MMS vulnerability; and Gingermaster, a virus for Android 2.3, makes use of a privilege escalation vulnerability to attack Android. So, in order to reduce the harm caused by mobile system vulnerabilities, passive detection and prevention against viruses is not enough. This paper takes the perspective of attackers to mine the existing vulnerabilities in mobile systems that can be exploited by mobile viruses.

At present, there are four main mobile system platforms: Google Android, Apple iOS, Windows Phone and Symbian OS. According to statistics from NetQin's 'cloud security' monitoring platform [2], in 2013Q1 the number of viruses detected and killed worldwide by NetQin was 25140, about 353.05% growth compared to 2012, and the number of infected smartphones was 10.4 million, about 99.23% growth compared to 2012. Among them, 82% of the mobile viruses were concentrated on the Android platform. This situation has made the Android platform the main battlefield of virus and anti-virus. Another report from iiMedia-Research [3] shows that the number of smartphone users in China reached 420 million by the end of 2013Q1, and Android's share is 71.0% with an increasing trend. Given the above statistics, this paper mainly introduces the research situation and research directions of vulnerability mining techniques on the Android platform.

II. ANDROID PLATFORM OVERVIEW

A. Status of the Android Platform Vulnerability

Vulnerability refers to the defects and shortcomings in the design and implementation of a computer system's hardware, software or protocols.
Broadly speaking, vulnerability refers to all the factors that threaten and break a system's reliability, availability, confidentiality, integrity, controllability and non-repudiation. The potential sources of vulnerabilities on the Android platform can be classified into three types [4]: embedded operating system, runtime environment and application program. Embedded operating system vulnerability refers to vulnerability caused by the Android system itself; a typical case is a buffer overflow vulnerability. The runtime environment includes Java, Flash, .NET and other support libraries. These support libraries are vulnerable; they may be abused by users and cause runtime environment vulnerabilities. There are many Android applications (apps) in the Android market, and some Android apps may have vulnerabilities. A typical example of application program vulnerability is an SSL vulnerability, which can cause man-in-the-middle (MITM) attacks.

Based on CVE, Security Focus and other well-known security vulnerability databases, this paper counted 252 Android platform vulnerabilities published from March 2008 to May 2013 (the total number may differ between security vulnerability databases). According to the Android vulnerability classification method mentioned above, we classified these 252 vulnerabilities, as shown in Table I. As can be seen, the runtime environment and application programs are the most vulnerable places, accounting for 49% and 41% respectively. Attackers can get users' sensitive information or execute DoS attacks through these vulnerabilities. The highest-risk vulnerabilities mostly come from the embedded operating system, accounting for 10%. Their number is small, but the harm is great. Attackers can execute arbitrary code and perform privilege escalation through these vulnerabilities.

International Workshop on Cloud Computing and Information Security (CCIS 2013). © 2013. The authors. Published by Atlantis Press.
The emergence of various Android vulnerabilities has greatly threatened users' information security. An effective way to assure users' information security is to mine and fix threatening vulnerabilities before they are misused by attackers. Therefore, studying Android platform vulnerability mining techniques is of great practical significance.

TABLE I. ANDROID PLATFORM SECURITY VULNERABILITIES STATISTICS

| Vulnerability Point | Causes | Influence | No. | Sum |
|---|---|---|---|---|
| Embedded Operating System | Libpng library's vulnerability | App crashes. | 6 | 25 |
| | GIF library, showLog's function overflow vulnerability, etc. | Arbitrary code execution or DoS. | 11 | |
| | Samsung, HTC equipment's vulnerability | Privilege escalation, etc. | 5 | |
| | Pusher, ACRA library's integer overflow vulnerability | Buffer overflow. | 2 | |
| | Android ADB vulnerability | Allows user to overwrite any files. | 1 | |
| Runtime Environment | Android browser's integer overflow, information leaks, etc. | Arbitrary code execution, etc. | 7 | 124 |
| | Adobe Flash Player's vulnerability | Arbitrary code execution or DoS. | 117 | |
| Application Program | Cnectd, KKtalk and other apps have unknown vulnerability | Unknown influence. | 57 | 103 |
| | iLunascape, Cookpad and other apps haven't implemented WebView class correctly | Sensitive information access. | 6 | |
| | Twicca and other apps haven't limited the use of network access | Sensitive information access. | 7 | |
| | Tencent QQPhoto, Kaixin001 and other apps haven't protected data properly | Sensitive information access. | 25 | |
| | Mozilla Firefox's vulnerability | Arbitrary code execution or DoS. | 4 | |
| | Zoners, Groupon and other apps' server name is the same as their domain name | Man-in-the-middle attack. | 4 | |

B. Android Platform Features

Android is a Linux-based, free and open source operating system, mainly used in mobile devices such as smartphones and tablet PCs. It adopts a layered software architecture. The underlying Linux kernel provides only basic functions, and the applications are developed independently by third-party companies.
The Android platform has the following features:

1) Android platform is open source: Analysis of its source code can theoretically mine all existing vulnerabilities. Anyone can use the Android source code, so in recent months a lot of secondary development versions and operator-customized versions of the Android system have emerged. In this situation, an Android virus must be highly targeted and cannot be used against all Android versions. For this reason, it should be easy to capture samples of Android viruses.

2) Android fragmentation: Android system versions are updated very frequently while old versions are eliminated very slowly. By March 2013, the share of Android 2.3 was 44.2%, still the overwhelming majority, while the share of the latest Android 4.1/4.2 was only 16.5%. As a result, some low Android versions that have vulnerabilities still have a considerable number of users. This means that a considerable number of users are very vulnerable to attacks that use the vulnerabilities of old Android versions.

3) Openness of Android apps: Android is completely open to third-party app companies; any person or team can develop Android apps and release them to the app markets for users to download and install. In addition, Android apps are easy to reverse engineer, so repackaging-type viruses appear frequently on the Android platform.

III. TRADITIONAL VULNERABILITY MINING TECHNIQUES

According to their research objects, traditional vulnerability mining techniques can be classified into two categories: vulnerability mining techniques that take the program as their object, namely active vulnerability mining techniques; and vulnerability mining techniques that take the vulnerability itself as their object, namely passive vulnerability mining techniques. Figure 1 shows the classification and overview of the traditional vulnerability mining techniques.
[1] William R. Bush, et al. A static analyzer for finding dynamic programming errors, 2000.
[2] William R. Bush, et al. A static analyzer for finding dynamic programming errors, 2000, Softw. Pract. Exp.
[3] Peter Sewell, et al. Passive-attack analysis for connection-based anonymity systems, 2004, International Journal of Information Security.
[4] Debin Gao, et al. BinHunt: Automatically Finding Semantic Differences in Binary Programs, 2008, ICICS.
[5] Halvar Flake, et al. Structural Comparison of Executable Objects, 2004, DIMVA.
[6] Liu Gongshen. Research on Prevention Model of Malicious Code in Smart Phone, 2010.
[7] Dawson R. Engler, et al. EXE: automatically generating inputs of death, 2006, CCS '06.
[8] Yajin Zhou, et al. Dissecting Android Malware: Characterization and Evolution, 2012, 2012 IEEE Symposium on Security and Privacy.