CAJ | 학술논문

为了减少Android系统用户的隐私数据泄露问题，提出一种针对Android应用程序源码的漏洞挖掘方法。该方法在An-droid漏洞库和权限方法集合的基础上，采用静态分析得到Android特有的权限漏洞矩阵代数式和漏洞点处测试用例，基于漏洞知识对测试用例变异得到半有效数据，利用污点注入和数据流分析进行Fuzzing挖掘。经过对400个Android应用程序源码进行实例分析，结果表明该方法不仅能挖掘常规漏洞，而且在Android特有的权限信息漏洞挖掘方面效果明显。利用约束分析得到的测试用例数量少，而通过漏洞知识得到的半有效数据的针对性强，并且代码覆盖率和精确度较高。
위료감소Android계통용호적은사수거설로문제，제출일충침대Android응용정서원마적루동알굴방법。해방법재An-droid루동고화권한방법집합적기출상，채용정태분석득도Android특유적권한루동구진대수식화루동점처측시용례，기우루동지식대측시용례변이득도반유효수거，이용오점주입화수거류분석진행Fuzzing알굴。경과대400개Android응용정서원마진행실례분석，결과표명해방법불부능알굴상규루동，이차재Android특유적권한신식루동알굴방면효과명현。이용약속분석득도적측시용례수량소，이통과루동지식득도적반유효수거적침대성강，병차대마복개솔화정학도교고。
In order to reduce the privacy data leak problems of the Android system users,we put forward a vulnerability mining method aiming at the source code of the Android applications.On the basis of Android vulnerability database and permission-method set,the method adopts static analysis to obtain the algebraic expression of special permission vulnerability matrix of Android and the test case of vulnerability points,mutates the test cases based on vulnerability knowledge to obtain semi-efficient data,and uses stain injection and data flow analysis to mine Fuzzing.Through example analyses on 400 Android applications source code,the results show that the method can mine the conventional vulnerability and has distinct effect in mining the special permission information vulnerability of Android.The number of the test cases derived from using constraint analysis is less,and the pertinency of semi-efficient data derived from vulnerability knowledge is high.This method has high code coverage and precision as well.