基于权限控制和脚本检测的Webview漏洞防护方案研究  被引量:11

An Webview Vulnerability Protection Based on Access Control and Script Detection

在线阅读下载全文

作  者:叶嘉羲 张权[1] 王剑[1] 

机构地区:[1]国防科学技术大学电子科学与工程学院,湖南长沙410073

出  处:《信息网络安全》2015年第3期38-43,共6页Netinfo Security

摘  要:文章通过研究Webview漏洞的形成机理,获悉漏洞是由程序调用了不安全的系统API且未对Java反射机制进行防范而产生的。目前,Webview漏洞的检测方法主要是基于黑盒测试思想,准确率不高。文章提出了一种结合静态分析和动态分析的检测方法 :通过静态分析对不安全函数进行定位,通过动态分析对不安全函数进行测试,能有效、精确地检测出Webview漏洞。同时,文章研究了Google公司提出的Webview漏洞防护方案,指出该方案存在的三大防护缺陷,并提出了一种基于权限控制和脚本检测的漏洞防护方法,该方法通过权限控制严格限制了访问者的权限上限,并及时向用户反馈情况;通过脚本检测区别出安全脚本和恶意脚本,在未削弱Webview组件能力的前提下,提高了漏洞防护能力。最后,文章设计了一组实验,对比了未添加Webview防护的程序和添加了Webview防护的程序对恶意代码的执行结果,证实该防护方法的有效性。This paper studies the formation mechanism of the Webview vulnerability, and learns that the vulnerability arises from the unsafe function' invoking and did not defend java reflection on the program. At present, Webview vulnerability detection method is mainly based on black box testing, which is at low accuracy. This paper proposes a detection combined of static analysis and dynamic analysis: static analysis can carry out where is the unsafe function, and dynamic analysis can make a test on the unsafe function, in that way the Webview vulnerability can be detected effectively and accurately. At the same time, this paper studies the Webview vulnerability protection proposed by Google, and pointed out that there exits three defects in Google's defend. So this paper proposes a vulnerability defend based on access control and script detection, the defend is strict with the visitors' authority limit, timely responding to the user and makes use of script detection to distinguish the security scripts and malicious script, putting an end to the Webview vulnerability without any abilityweaken. Finally, this paper designs a set of experiment, comparing the undefended program and the defend programs, the result shows that the protection is valid.

关 键 词:ANDROID系统 Webview漏洞 检测 防护 

分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象