安卓软件行为分析与构建的关键技术研究

The unprecedented growth in the popularity of Android OS, together with the openness of Android ecosystem has attracted a large number of malicious applications. An important part in the fight against these malicious applications is the analysis of malware samples, since it is the basis of techniques for malware detection. State-of-the-art software analysis techniques adopt system calls to capture critical behaviors. However, these techniques are not well-suited for analyzing Android applications, because they could not capture critical and intrinsic interactions between the application and Android system due to several unique features of Android such as resources managed by Android framework, Binder inter-process communications, and callbacks of applications triggered by events. In this proposal, we plan to introduce a new behavioral model as well as an analysis technique for Android applications with a novel perspective. Our observation is that since permission mechanism is used by Android as a unique means to isolate applications, we can analyze Android applications with their permission use behaviors, i.e., how applications use permissions to access system resources, how these permission-sensitive resources are utilized by the application, and especially how multiple permissions are interwinded towards an end. We need to consider how to identify all explicit permission use points which raise the permission check by Android framework or by Linux kernel. And then all implicit permission use points are to verify that wouldn't incur permission check but could reflect how an application uses the permission by tracking the tainted permission-sensitive resource. Moreover, considering the limitation of poor code coverage of dynamic analysis techniques, we tend to driven the execution of sample applications by utilizing symbolic execution. In this way, samples applications would thoroughly behave, especially those possibly malicious activities. However, symbolic execution faces unresolved challenges for Android GUI applications, though it can efficiently explore the search space of data inputs through a well-defined classification for those non-interactive programs which is well known as the path explosion problem. Since Android apps are driven not only by data inputs, but also commonly by event inputs (Users can interact with apps by triggering runtime events such as taping on the screen). Event inputs, which introduce highly variable program behaviors and hard to be classified into input scopes, greatly increase the search space. We plan to explore features of malware, according to which critical information will be statically profiled to help restrict the event search space and guild the symbolic execution. To facilitate security analysts, we plan to visually reconstruct permission use behaviors of sample applications, with the meaningful context information gathered during the analysis.

安卓系统的完全开放特性导致安卓自治生态系统面临严重的安全威胁，国内情况尤为严重。这不仅侵犯了用户的权益，更对国家信息安全战略构成严峻挑战。缺乏对安卓安全机制和恶意软件机理的深入理解，尤其是缺乏适用于安卓平台的软件行为分析技术，直接制约了检测防范技术的发展。恶意软件通过利用用户授予的权限获取系统资源并进行危害性操作，根据此特征，本课题拟围绕安卓平台特有的编程、运行模型和安全机制，聚焦于权限使用行为这一全新角度，研究适用于安卓平台的软件行为表述模型和分析方法，以准确刻画应用软件如何利用权限与系统交互，系统资源如何被软件内部程序逻辑操作，尤其是多种权限和系统资源如何被协同使用等行为。为提高动态分析的代码覆盖率，使软件内在行为充分表现，将研究如何用符号化执行驱动软件运行的技术。为便于分析人员理解行为分析结果，结合函数调用关系、程序依赖关系及程序上下文环境等语义信息，进行可视化的行为构建技术研究。

针对软件敏感行为分析理论和方法在移动平台的缺失,本项目聚焦于研究如何科学表征移动应用软件的行为,通过选择合适的观测角度，监测应用软件如何与系统交互、如何使用系统资源以及如何对系统施加影响，并在此基础上研究隐私泄露检测和操作系统对隐私数据的保护方法，取得了较大进展，累计发表CCF A类论文6篇。.本项目取得的代表性成果有：.（1）首次提出“基于权限使用”的应用软件行为表述模型，克服了基于传统“系统调用”技术构建软件行为方法的不足，通过进一步研究适用于移动平台的软件行为通用分析方法，实现对移动软件行为的精确、细致分析。论文发表于信息安全顶级会议ACM CCS 2013（CCF A类）和IEEE TIFS 2015（CCF A类期刊）。.（2）面向用户感知的隐私泄漏检测方法。我们在国际上首次提出了用户意图的具象化方法。为准确区分用户感知，提出了事件空间约束导向的符号化执行方法，并解决了国际上公认的路径爆炸问题，论文发表于信息安全顶级会议ACM CCS 2013（CCF A类）。.（3）用户输入隐私的识别技术。针对传统隐私保护方法仅能识别规整化隐私，而无法对用户输入隐私提供有效保护的问题，我们提出基于界面上下文的用户输入隐私识别和保护技术，将大量原本无法被保护的隐私输入纳入隐私保护的范畴内，相关成果发表于信息安全顶级会议USENIX SECURITY 2015（CCF A类）和IEEE TIFS 2016（CCF A类期刊）。.（4）细粒度的隐私保护机制。针对传统隐私数据管控系统粒度过粗的问题，我们提出应用程序上下文敏感的敏感行为管控框架，设计了操作系统级的上下文跟踪技术，在程序执行过程中跟踪上下文信息，包括单个应用程序内部的执行上下文，以及多个协作应用程序之间的交互上下文，实现了对程序使用权限行为的精确、细粒度管控，相关成果发表于IEEE TIFS 2016（CCF A类期刊）。.2015年我得到973计划“移动应用恶意行为检测控制的基础理论与关键技术”（青年专项）支持，担任首席科学家；2016年，我获得自科-通用技术基础研究联合基金重点项目的资助。