A Semantics-Based Static Analysis Method for Sensitive Android Behavior
  • English title: Semantic-Based Sensitive Behavior Analysis Method for Android
  • Authors: DONG Hang (董航); LIU Yang (刘洋); LI Cheng-ze (李承泽); FU Ge (付戈); ZHANG Miao (张淼); YANG Yi-xian (杨义先)
  • Affiliations: Information Security Center, Beijing University of Posts and Telecommunications (北京邮电大学信息安全中心); National Computer Network Emergency Response Technical Team/Coordination Center of China (国家计算机网络应急技术处理协调中心)
  • Keywords: Android; behavior analysis; constraint solving; formal description
  • Journal code: DKDX
  • Journal: 电子科技大学学报 (Journal of University of Electronic Science and Technology of China)
  • Publication date: 2017-03-20 18:12
  • Year: 2017
  • Volume: 46
  • Issue: 02
  • Pages: 116-122
  • Page count: 7
  • CN: 51-1207/T
  • Record ID: DKDX201702019
  • Funding: National Natural Science Foundation of China (61302087); National Key Technology R&D Program (2012BAH06B02); Doctoral Fund of the Ministry of Education of China (20120005110017)
  • Language: Chinese
Abstract
This paper proposes a semantics-based static analysis method for sensitive Android behavior. Starting from sample statistics, the method first adopts a simplified Dalvik instruction set (the simple-Dalvik intermediate language, SDIL) as the intermediate language for the analysis, which gives a formal semantic description at the instruction level. It then uses the intermediate language to locate sensitive calls in the samples under examination and traces their call paths through control dependences. Finally, on the basis of control-flow analysis, it solves the path constraints of the paths that contain sensitive calls to obtain their path conditions. The result is the concrete background behavior together with its trigger conditions, exposing the whole execution process of a sample's background behavior. The method mitigates the path-explosion problem of symbolic execution. Experiments on the authors' platform show that it can analyze the background behavior of mobile applications effectively and promptly identify unknown mobile malware that signature-based detection cannot find.