
Research And Implementation Of Android Application Denial Of Service Vulnerability Detection Technology

Posted on: 2019-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Li
GTID: 2348330563953922
Subject: Information security

Abstract/Summary:
The Android operating system has a large user base thanks to its open-source nature and other features, but this also makes Android applications an ideal target for attack, and a large number of applications with security issues remain in the Android application market. If an attacker sends malformed data to an application that has a security weakness, causing the application to behave abnormally and crash, the application is denied service. Android application denial of service vulnerabilities not only degrade the user experience and cause the loss of commercial interests, but may also cause the protection functions of security-type applications to be bypassed and invalidated, resulting in more serious security problems. If the affected application is a system application, a denial of service vulnerability could cause the phone to reboot, which will allow malicious applications or viruses to steal advanced privileges.

At present, detection of Android application denial of service vulnerabilities is generally performed by combining static analysis and fuzz testing. However, the existing schemes still have some problems, and this paper proposes solutions to these deficiencies. The main problems addressed are as follows.

First, existing detection methods cannot accurately obtain information about the vulnerable component. In this paper, control flow and data flow analysis based on Smali code is used to analyze the reachable Intent communication paths between components and to obtain detailed information about the components related to Android application denial of service vulnerabilities.

Second, to address the relatively simple strategies and low code coverage of Intent test case generation in existing detection methods, this paper proposes a generation-based, multi-dimensional Intent test case construction strategy. Using the static analysis results, data for all fields of an Intent can be generated to carry out targeted fuzz testing, which improves the code coverage of the test cases and covers more types of Android application denial of service vulnerability.

Third, after an application crashes from a denial of service, existing solutions require manual intervention before testing can continue. This paper proposes a solution for automated testing. By modifying the exception handling method of the Android system, the system automatically sends a notification to the agent application and records the application crash information when a crash occurs, thereby automating the test process.

Finally, based on the above techniques, an automatic detection system, AnDosFuzzer, was designed and implemented. Function tests and application tests showed that AnDosFuzzer can effectively detect various types of Android application denial of service vulnerabilities, with strong practicality and effectiveness.
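An added example (not AnDosFuzzer's code, whose details the abstract does not give) of generation-based Intent test case construction driven by a static-analysis result, varying the action, the data URI and each extra in turn. The component name, the shape of the analysis result and the value sets are constructed assumptions.

```python
from itertools import product

# Constructed static-analysis result for one exported component (hypothetical names).
COMPONENT = {
    "name": "com.example.app/.ShareActivity",
    "actions": ["com.example.app.SHARE"],
    "data_schemes": ["content"],
    "extras": {"title": "string", "count": "int"},  # extra key -> type the code reads
}

# Assumed value sets per type: first entry is well-formed, the rest are boundary values.
VALUES = {"string": ["ok", "", "A" * 4096], "int": [1, 0, -1, 2**31 - 1]}


def extra_variants(key, declared):
    """Yield (label, extras fragment) pairs that vary a single extra."""
    yield "absent", {}            # key missing from the Intent
    yield "null", {key: None}     # key present with a null value
    for i, value in enumerate(VALUES[declared]):
        yield f"{declared}[{i}]", {key: value}
    for other, values in VALUES.items():
        if other != declared:     # value of a type the component does not expect
            yield f"wrong-type:{other}", {key: values[0]}


def generate(component):
    """Build Intent test cases covering action, data URI and every extra field."""
    base = {k: VALUES[t][0] for k, t in component["extras"].items()}
    actions = component["actions"] + [None]
    uris = [f"{s}://fuzz/1" for s in component["data_schemes"]] + [None, "::not-a-uri"]

    def case(action, uri, extras, mutated):
        return {"component": component["name"], "action": action,
                "data": uri, "extras": extras, "mutated": mutated}

    # Dimension 1: every action/data combination with well-formed extras.
    cases = [case(a, u, dict(base), "action/data") for a, u in product(actions, uris)]
    # Dimension 2: one extra varied at a time, everything else well-formed.
    for key, declared in component["extras"].items():
        for label, fragment in extra_variants(key, declared):
            extras = {k: v for k, v in base.items() if k != key}
            extras.update(fragment)
            cases.append(case(actions[0], uris[0], extras, f"{key}:{label}"))
    return cases


if __name__ == "__main__":
    for c in generate(COMPONENT):
        print(c["mutated"], c["action"], c["data"], c["extras"])
```

The `mutated` label on each case lets a crash observed during a test run be attributed to the single field that was varied.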
Keywords/Search Tags: Android, Denial of Service, vulnerability detection, Fuzzing