Network and System Security Laboratory,
School of Computer Science and Technology,
University of Science and Technology of China
Main papers since 2015
Abstract—The capability leak of Android applications is one kind of serious vulnerability: it lets other apps leverage the leaking app's functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate exploits for capability leaks in Android applications using path-sensitive, symbolic-execution-based static analysis and testing. It can aid in reducing the false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which makes our tool applicable to practical apps. By applying our tool to 439 popular applications from Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks covering 16 kinds of permissions, and the average analysis time was 4 minutes per app. A demo video can be found at https://youtu.be/dXFMNZWxEc0.
Full Paper: 2019-04-ICSTW2019.pdf
Abstract—XSS is one of the common vulnerabilities in web applications. Many black-box testing tools collect a large number of payloads and traverse them to find one that can be successfully injected, but this is not very efficient. Previous research has paid little attention to improving the efficiency of black-box testing for detecting XSS vulnerabilities. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerabilities. The tool can discover XSS vulnerabilities quickly with an adaptive random testing method. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the adaptive random testing method. The experimental results indicate that the adaptive random testing method improves on the fuzzing method by more than 27.1% in reducing the number of attempts needed before accomplishing a successful injection.
Abstract—The capability leakage of Android applications is one kind of serious vulnerability. It can cause other applications to leverage the leaking app's functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then tests the application continuously with test cases generated from the test log. We conducted experiments on the 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 capability leakages of 16 kinds. Compared with the well-known IntentFuzzer, our tool is 19.38% better in its average ability to detect permission capability leakage.
Full Paper: 2019-12-CapabilityLeakageDetection.pdf
Abstract—IoT devices used in smart homes have become a fundamental part of modern society. Such devices make our living space more convenient and enable humans to interact with the physical environment, but interaction through the physical environment also happens between two applications or between applications and third-party rules, causing unexpected automation and even safety concerns. What is worse, attackers can leverage stealthy physical interactions to launch attacks against IoT systems or steal user privacy. In this paper, we propose a tool called IoTIE that discovers possible physical interactions and extracts all potential interactions across applications and rules in the IoT environment. We present a comprehensive system evaluation on the Samsung SmartThings and IFTTT platforms. We study 187 official SmartThings applications and 98 IFTTT rules, and find that they can form 231 hidden inter-app interactions through the physical environment. In particular, our experiment reveals that 74 interactions are highly risky and could potentially be exploited to impact the security and safety of the IoT environment. Index Terms—IoT, multi-platform, application analysis and interaction extraction
Abstract—Most current literature on Android malware pays particular attention to the features of applications. Many works focus on permissions or APIs, neglecting the behavioral semantics of applications, and the literature that does consider behavioral semantics is often expensive and weak in extensibility. In this paper, we introduce RepassDroid – a relatively coarse-grained but faster tool for automatic Android malware detection. We define the Generalized-sensitive API and emphasize whether the trigger points of generalized sensitive APIs are UI-related or not. RepassDroid analyzes an application by abstracting each generalized sensitive API together with its trigger point as the semantic feature, with the addition of Really essential Permission as the syntactic feature. It then utilizes machine learning to automatically determine whether an application is benign or malicious. We evaluate RepassDroid on 24288 samples in total, 20000 for training and 4288 for testing. Through comparative experiments, we find that Random Forest is the optimal classification technique for our feature set, achieving 97.7% accuracy and 0.99 AUC, along with a malware classification precision as high as 99.3%. Our evaluation results confirm that our approach and feature set are sound and effective for Android malware detection.
Full Paper: 2018-08-RepassDroid-TASE2018.pdf
Abstract—As Android is the most popular mobile operating system, a large number of applications have been developed for it. For security reasons, developers are required to declare the relevant permissions in the manifest file when they need to use sensitive APIs. With the inter-component communication (ICC) provided by Android, malicious applications can indirectly call sensitive APIs through components exposed by other applications, leading to privilege escalation. To address this problem, we propose a method to detect this kind of privilege escalation between two applications. First, we compare the permission sets of both applications. Then, if necessary, we identify call links between the two applications and perform inter-application control flow analysis. Finally, according to the result of the control flow analysis, we judge whether the privilege escalation exists. As the experiment result shows, our
Abstract—Although reflection methods in Android facilitate application development, they break control flow and data flow in static analysis, decreasing its precision. To solve this problem, we trigger applications to execute reflection methods and record their reflection targets at runtime. A reflection target may be a method invocation, a field access or the instantiation of some class. Since the input of many static analyses is an apk file, we further transform the reflection methods in the apk into explicit method invocations, field accesses and class instantiations according to the recorded reflection targets. Our experimental results show that, based on our method, some static analyses perform better on the transformed apk and produce more precise results.
Abstract—To make it convenient for users to look up resources of interest, many web applications provide a search function. If the search function is faulty, the web application will malfunction and security problems may even arise, so it needs to be tested thoroughly. Combinatorial testing can be used to generate test cases for the search function of web applications, where each test case is a string composed of special characters. For the test cases that cause system errors, combinatorial-testing fault localization is used to find which character combinations caused the error. Using this method, we tested 96 websites of schools, government agencies and public institutions, and found that 23 of them return server error responses when certain combinations of special characters are searched for. The fault localization results show that 56% of the server error responses are caused by combinations of ”%”, ”<”, ”’”, ”\” and other characters.
Full Paper: 2019-05-JournalofCyberSecurity.pdf
[Abstract] Implicit permissions are often used in Android application development. Building on the observation that implicit permissions are associated with the target resources, this paper proposes a novel implicit permission detection method based on static analysis and procedural data flow analysis. First, function calls are classified as explicit or implicit according to whether the permission approval process depends on the system resource. Then, the value of the resource parameter of each implicit function call is obtained by procedural data flow analysis, and complete function calls are built. Finally, the permissions are found by comparing the function calls with a prerequisite permission specification. The experimental results show that our method can effectively detect implicit permissions with relatively few false positives and false negatives, much better than similar analysis tools. Moreover, the implicit permission specification we have collected is more complete than those of related works. Combined with an open source explicit permission specification, we have developed the automated permission extraction tool UpsetEx.