CAJ | 학술논문

传统的漏洞挖掘技术一般适用于x86平台，且是面向PC的。随着Android手机的普及，需要有针对其上运行软件的漏洞挖掘技术。针对当前Android软件市场审核宽松以及该领域研究相对较少等方面存在的一些问题，设计并实现了一种基于gdb的Android软件漏洞挖掘系统。系统采用基于信息流追踪的污点分析技术，从污点标记、污点传播和污点检测三个方面进行设计，并通过指令模拟执行提高分析覆盖率。当系统发现可疑漏洞时，把结果通知给用户，并能对漏洞做出全面的分析。通过对Android软件的测试，发现了部分软件中的缓冲区溢出漏洞，证实了系统的有效性。
전통적루동알굴기술일반괄용우x86평태，차시면향PC적。수착Android수궤적보급，수요유침대기상운행연건적루동알굴기술。침대당전Android연건시장심핵관송이급해영역연구상대교소등방면존재적일사문제，설계병실현료일충기우gdb적Android연건루동알굴계통。계통채용기우신식류추종적오점분석기술，종오점표기、오점전파화오점검측삼개방면진행설계，병통과지령모의집행제고분석복개솔。당계통발현가의루동시，파결과통지급용호，병능대루동주출전면적분석。통과대Android연건적측시，발현료부분연건중적완충구일출루동，증실료계통적유효성。
The traditional vulnerability mining techniques are generally applicable to x86 platform,and intent to the PC. With the populari-ty of Android phones,the vulnerability mining technology running on it is needed. Because of the problems of the current accommodative Android software market audit and relatively small research in this area,a gdb-based Android software vulnerabilities mining system is designed and implemented. The system adopts taint analysis techniques based on tracking the flow of information,which is designed from taint marking,taint transmission and taint detection,and improves analysis coverage through instruction simulation. The result is notified to the user and the system can make a comprehensive analysis of vulnerability when the system finds the suspicious loopholes. By the test for Android software,some buffer overflow vulnerabilities in software is found,which proves the effectiveness of the system.