信息网络安全
NETINFO SECURITY
2015, Issue 3, pp. 38-43 (6 pages)
Keywords: Android system; Webview vulnerability; detection; protection
Abstract: By studying the formation mechanism of the Webview vulnerability, this paper finds that the vulnerability arises when a program calls an unsafe system API without guarding against the Java reflection mechanism. Current Webview vulnerability detection methods are mainly based on black-box testing and have low accuracy. This paper proposes a detection method that combines static analysis and dynamic analysis: static analysis locates the unsafe functions, and dynamic analysis tests those functions, so that Webview vulnerabilities can be detected effectively and precisely. The paper also examines the Webview vulnerability protection scheme proposed by Google, points out three major protection defects in that scheme, and proposes a vulnerability protection method based on permission control and script detection. Permission control strictly limits the maximum privileges available to a visitor and promptly reports the situation to the user; script detection distinguishes safe scripts from malicious scripts, which improves protection against the vulnerability without weakening the capabilities of the Webview component. Finally, the paper designs a set of experiments comparing the execution results of malicious code in a program without Webview protection and in a program with the proposed protection added; the results confirm the effectiveness of the protection method.