
Computer Engineering (计算机工程) ›› 2020, Vol. 46 ›› Issue (5): 157-166. doi: 10.19678/j.issn.1000-3428.0055290

• Cyberspace Security •

A Taint Analysis Approach for Trace and Vulnerability Validation (一种面向Trace与漏洞验证的污点分析方法)

QIN Biao1, GUO Fan1, YANG Chenxia2

  1. College of Computer Information Engineering, Jiangxi Normal University, Nanchang 330022, China;
  2. Department of Computer Science, Yuzhang Normal University, Nanchang 330105, China
  • Received: 2019-06-24 Revised: 2019-08-22 Published: 2019-08-20
  • About the authors: QIN Biao (born 1993), male, master's student; research interests: information security, program verification. GUO Fan, associate professor, PhD. YANG Chenxia, lecturer.
  • Funding:
    National Natural Science Foundation of China (61562040); Science and Technology Research Project of the Jiangxi Provincial Department of Education (GJJ161305, GJJ151330).


Abstract: Static analysis is widely used to detect privacy leaks in Android applications. It reports potential vulnerabilities as (Source, Sink) pairs, but it also produces a large number of false alarms. To address this problem, this paper proposes a context-sensitive and field-sensitive taint analysis approach. The operational semantics of taint propagation and its consistency constraints are formally defined to guarantee that propagation is semantically correct, and the trace segments produced by running an instrumented Android application are analysed to check whether a reported vulnerability is a false alarm. A prototype system is implemented on Soot and evaluated on 70 applications from the DroidBench dataset. The experimental results show that the approach successfully verifies 4 false positives and discovers 8 false negatives, demonstrating that it can effectively judge the correctness of static analysis results.

Keywords: taint analysis, context sensitivity, field sensitivity, taint propagation, formal definition

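The abstract describes two things that are easy to conflate: a static taint analysis that over-approximates (Source, Sink) flows, and a trace-based check that decides which of its reports are real. The following Python example is added here to make that split concrete; it is not the authors' Soot-based prototype, and the toy three-address IR, its statement forms (`new`, `const`, `source`, `assign`, `store`, `load`, `concat`, `sink`), the `static_taint`/`run_trace`/`validate` functions and the sample program are all constructed for this illustration. It shows field sensitivity only (intra-procedural, no calling contexts), and it also shows how an unmodelled library call produces the false-negative category the paper reports.

```python
"""Field-sensitive taint propagation over a toy IR, checked against an execution
trace. Added illustration only: not the paper's Soot-based prototype. The IR,
its statement forms and the sample program are constructed for this example."""

# Statement forms of the constructed three-address IR:
#   ("new", dst)                 dst = new object
#   ("const", dst, value)        dst = literal (untainted)
#   ("source", dst, sid)         dst = source()  labelled with source id sid
#   ("assign", dst, src)         dst = src
#   ("store", base, fld, src)    base.fld = src
#   ("load", dst, base, fld)     dst = base.fld
#   ("concat", dst, a, b)        dst = a + b  (a library call the static rules may not model)
#   ("sink", var, kid)           sink(var)       labelled with sink id kid


def static_taint(program, field_sensitive=True, model_concat=True):
    """Forward taint propagation. Facts map an access path ('x' or 'x.f') to the
    set of source ids that may reach it. Returns reported (source id, sink id) pairs."""
    taint = {}
    reports = set()

    def kill(var):  # strong update: drop every fact rooted at var
        for key in [k for k in taint if k == var or k.startswith(var + ".")]:
            del taint[key]

    for st in program:
        op = st[0]
        if op in ("new", "const"):
            kill(st[1])
        elif op == "source":
            kill(st[1])
            taint[st[1]] = {st[2]}
        elif op == "assign":
            _, dst, src = st
            kill(dst)
            for key in [k for k in taint if k == src or k.startswith(src + ".")]:
                taint[dst + key[len(src):]] = set(taint[key])
        elif op == "store":
            _, base, fld, src = st
            if field_sensitive:
                taint[base + "." + fld] = set(taint.get(src, set()))
            else:  # whole object becomes tainted and is never cleaned by a later store
                taint[base] = taint.get(base, set()) | taint.get(src, set())
        elif op == "load":
            _, dst, base, fld = st
            kill(dst)
            key = base + "." + fld if field_sensitive else base
            taint[dst] = set(taint.get(key, set()))
        elif op == "concat":
            _, dst, a, b = st
            kill(dst)
            if model_concat:
                taint[dst] = taint.get(a, set()) | taint.get(b, set())
            # else: the unmodelled call is (unsoundly) assumed to return clean data
        elif op == "sink":
            _, var, kid = st
            for sid in taint.get(var, set()):
                reports.add((sid, kid))
    return reports


def run_trace(program):
    """Concrete execution with a label set attached to every value, standing in
    for the instrumented run of the app. Objects are dicts of labelled fields.
    Returns the (source id, sink id) pairs actually observed at sinks."""
    env = {}
    observed = set()
    for st in program:
        op = st[0]
        if op == "new":
            env[st[1]] = ({}, set())
        elif op == "const":
            env[st[1]] = (st[2], set())
        elif op == "source":
            env[st[1]] = ("secret%d" % st[2], {st[2]})
        elif op == "assign":
            env[st[1]] = env[st[2]]
        elif op == "store":
            _, base, fld, src = st
            env[base][0][fld] = env[src]
        elif op == "load":
            _, dst, base, fld = st
            env[dst] = env[base][0][fld]
        elif op == "concat":
            _, dst, a, b = st
            env[dst] = (env[a][0] + env[b][0], env[a][1] | env[b][1])
        elif op == "sink":
            _, var, kid = st
            for sid in env[var][1]:
                observed.add((sid, kid))
    return observed


def validate(program, **static_opts):
    """Classify static reports against the trace: confirmed, false positive, false negative."""
    reported = static_taint(program, **static_opts)
    observed = run_trace(program)
    return {"confirmed": reported & observed,
            "false_positives": reported - observed,
            "false_negatives": observed - reported}


# Constructed sample program: u.id holds the device id (source 1), u.name is a
# constant. Sink 10 sends only u.name; sink 11 sends u.id joined with u.name.
PROGRAM = [
    ("new", "u"),
    ("source", "imei", 1),
    ("store", "u", "id", "imei"),
    ("const", "n", "alice"),
    ("store", "u", "name", "n"),
    ("load", "x", "u", "name"),
    ("sink", "x", 10),
    ("load", "y", "u", "id"),
    ("concat", "z", "y", "n"),
    ("sink", "z", 11),
]

if __name__ == "__main__":
    print("field-sensitive:  ", validate(PROGRAM))
    print("field-insensitive:", validate(PROGRAM, field_sensitive=False))
    print("unmodelled concat:", validate(PROGRAM, model_concat=False))
```

Running the three variants shows the three outcomes the abstract counts: the field-sensitive analysis reports only (1, 11), which the trace confirms; the field-insensitive analysis additionally reports (1, 10), which the trace refutes as a false positive; and an analysis that does not model the `concat` call misses (1, 11) entirely, which the trace exposes as a false negative. The trace check is only as good as the inputs that drove the run, so a refuted report means "not observed on this path", not "impossible".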
