Authors: 王嘉捷[1] 刘建鑫 马宇飞 邵帅[1] 张普含[1] (WANG Jia-jie; LIU Jian-xin; MA Yu-fei; SHAO Shuai; ZHANG Pu-han)
Affiliations: [1] China Information Technology Security Evaluation Center, Beijing 100085, China; [2] University of Science and Technology of China, Hefei, Anhui 230026, China
Source: Transactions of Beijing Institute of Technology (北京理工大学学报), 2020, No. 2, pp. 169-174 (6 pages)
Funding: National Natural Science Foundation of China (61672534); NSFC-General Technology Joint Fund (U1636115).
Abstract: The WebView component of the Android system is widely used, and its vulnerabilities cause significant harm with broad impact, but existing detection methods that rely on static matching of sensitive functions suffer from a high false-positive rate. This paper therefore proposes an automated detection and verification method for WebView component vulnerabilities that combines static analysis with dynamic verification. Reachability analysis of suspicious vulnerability points avoids futile dynamic traversal of unreachable paths, which improves analysis efficiency; combining data-dependency analysis with dynamic verification that simulates real attack behavior determines promptly whether a vulnerability can actually be triggered, which lowers the false-positive rate. A prototype tool, XWebViewDigger, has been implemented and tested on 80 Android applications; it detected and verified vulnerabilities in 18 of them, and compared with existing methods the false-positive rate is effectively reduced.
Classification: TP319 [Automation and Computer Technology: Computer Software and Theory]