| With the popularity of mobile informatization,mobile terminal has become an indispensable element of daily life.Since iOS is one of the current mainstream mobile operating systems,iOS application is inevitably a concentrated place for user data.To protect users'personal information,security analysts need to identify the runtime behavior of the application and determine if the behavior matches the app's self-description and user expectations.However,as the complexity of apps increases and the difficulty of manual analysis increases,how to automatically identify the app's behavior to understand the application has become an urgent problem to be solved.The premise of automatic identification of application behavior is the existence of behavioral feature database.However,as a closed source system,iOS's related research and technology is not yet mature,and there is no suitable feature database at present.Considering that the program execution path as a direct expression of behavior can provide a large amount of behavior information,and identifying the functional scenario by analyzing paths is already a relatively mature program understanding method.This paper studies Mach-O binary analysis and functional scenario feature mining,and then proposes an iOS application scenario API sequence pattern mining method.The method uses symbolic execution technology to extract execution paths from the Mach-O binary,then extracts scenarios from the paths and performs pattern mining on it,and finally obtains the API sequence pattern of scenarios.The main results of this paper include:1.Propose an analysis framework MachOA targeted at Mach-O binary.The analysis framework is implemented based on the angr framework and compensates for the insufficiency of angr's support for Mach-O binary.It maintains the integrity of symbol execution by simulating the runtime environment of iOS applications.It is verified by experiments that the framework has a good support for Mach-O symbolic execution.2.Based on the MachOA framework,a Mach-O execution path generation method is proposed.This method use symbolic execution technique to effectively avoid the low coverage problem of paths generated by dynamic monitoring and the unreasonable problem of paths generated by the traditional static calculation.Besides,the code area executed by the execution engine is restricted to avoid meaningless analysis and alleviate the possibility of path explosion.3.Design and implement the iOS application scenario API sequence pattern mining system,and select the two scenarios of device identifier generation and device location service initialization to verify the feasibility and effectiveness of the system.The experimental results show that given a core API or ADT that implements a function as a scenario seed,the system can mine the API sequence pattern that the application implements in different system states.Subsequently,the scenario feature library can be constructed by using the mined API sequence patterns,and the pattern matching technology is combined to automatically recognize the scenario from the execution paths of the iOS application to help the program understanding. |
PDF Full Text Request