Permission leakage is a common class of vulnerability in Android applications and can lead to serious security problems such as collusion-based privilege escalation. Fuzzing Intents to discover exposed components is an effective way to find permission leakage vulnerabilities. However, existing Intent fuzzing techniques run only on a single machine, which makes them inefficient. This work proposes ParaIntentFuzz, a parallel fuzzing method based on dynamic task distribution. The method extracts the extra information of an Android application by static analysis and constructs Intent commands from it, then sends the commands to the target application through the Drozer tool, implementing independent fuzz testing. The system is deployed on 4 machines. It was used to analyze 10064 Android applications, and 7367 of them were found to have permission leakage problems.