| With the continuous development of computer technology and computernetwork coverage, the Internet technology has step into every aspect of people’slife. Furthermore, in recent years the development of mobile communicationtechnology makes it possible to access the Internet anytime, anywhere throughintelligent mobile terminals, to socialize, games, e-mail, online transactions andother activities through the Internet has changed the way people use the Internetand greatly facilitate people’s life. Among the many mobile intelligent terminaloperating system, the Android system which developed based on the Linuxkernel takes the major manufacturers and developers’ attention and gets theirsupport since the beginning of it birth, and the rapid development andpopularization makes it to be the highest share of the operating systems whichemerged on smart mobile devices of today. With the continuous developmentand popularization of Android system, Android system and Android applicationshave begun to become malicious attacker and hacker’s target. Although theAndroid system provides, such as file access control, security measures sandbox,permission mechanism, application signature mechanism to secure systems andapplications, but security researchers’ study and malicious’ continued attacksdiscover systems loopholes, authority mechanism loopholes, loss of privacy,application vulnerabilities, and other serious security threats in Android system.Malicious attackers exploit security vulnerabilities to attack frequently. Now theexistence of the Android system and application security vulnerabilities, hasbeen a serious threat to the security and interests of the individual user and Android system ecological environment. For these, we design a Fuzzing-basedcomponent-exposed vulnerabilities mining methods based on the characteristicsof the Android system Android application framework and communicationmechanism between application components and implement it. The method isdivided into reverse analysis and Fuzzing test two phases. In reverse analysisphase we decompile the Android application and analyzes the source code to getthe component configuration information and the basic features of carrying themessage during components communication, and find the components whichmay has component vulnerability. And in Fuzzing test phase we use the Rubyprogramming language to automatically generate test data and test cases, and byuse Robotium Android application framework for application componentsFuzzing test to avoid the Fuzzing testing process takes considerable systemresources causing system crashes. Finally, based on the results of Fuzzing testwe analysis and mine the vulnerability. Experimental results show that thisFuzzing-based component-exposed vulnerabilities mining method in this papercan effectively mine the existing application component vulnerabilities. |
PDF Full Text Request