Research On Inter-Language Security Analysis Framework For Android

Posted on: 2022-10-28
Degree: Master
Type: Thesis
Country: China
Candidate: W Zhang
GTID: 2518306338986229
Subject: Computer Science and Technology

Abstract/Summary:
The security of the Android system has received close attention in the field of mobile security. In recent years, Android malware has extended its attack behavior from the Java layer to the Native layer in order to evade most static detection. Java-layer code is written in Java and Native-layer code in C/C++, so inter-language security analysis has become an important part of static detection for Android software. In security analysis research, only a small portion of existing results currently include inter-language security analysis, and those that do have major limitations. Inter-language security analysis for Android is carried out by the Java analysis calling the Native analysis. The Native analysis, which is the core of the work, analyzes all the inter-language call processes in the software. This thesis found that the Native-layer static analysis frameworks in existing results can only work by relying on the Java-layer analysis and cannot run independently. To improve this situation, this thesis optimizes the existing framework. The work of this thesis is as follows.

1. Research and implement a JNI-Entry parsing technology. This thesis studies the inter-language call process in the Android system, and proposes and implements a method for analyzing the JNI registration process. For dynamic registration, it studies and uses symbolic execution to parse .so files and obtain the dynamic registration information. For static registration, it takes the symbol features of static registration in the Native layer into account and uses reverse-engineering and Java source code analysis techniques to obtain the static registration information. This work enables the framework to parse out all the JNI entry information involved in inter-language calls without Java analysis; that entry information is required by the other security analysis work at the Native layer.

2. Research and propose a feedback mechanism for missing key information. This thesis studies the implementation principle of the existing Native taint summary analysis and identifies the problem of missing key information that arises when it runs independently. In response, it uses the Annotation mechanism in the angr framework to locate the source of the information missing from the Java layer and adds it to the results of the taint summary analysis. This work enables the Native analysis framework to provide complete analysis results without exchanging data with the Java analysis, which achieves complete decoupling from the Java-layer framework.

3. Research and implement a JNI-Hook parsing technology and add it to the existing framework. This thesis studies a JNI-Hook technique commonly used in the industry. Based on the fact that the technique modifies specific memory during its implementation, this thesis designs and implements a symbolic-execution-based JNI-Hook parsing technology that uses functions such as memory forgery and memory monitoring. It can detect JNI-Hook behavior that occurs in the Native layer. This improvement expands the functional coverage of the framework.
Keywords/Search Tags:Android, mobile security, inter-language, static analysis, data-flow analysis
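
The static-registration case in item 1 can be illustrated with the symbol-name rules from the JNI specification: an added example, not code from the thesis, that recovers the Java class, method and argument signature from a library's exported symbol names alone. The function names and the sample export list are assumptions constructed for illustration; it covers only symbol-name decoding, not the reverse-engineering or Java source analysis the thesis also mentions.

```python
import re

# Escapes defined by the JNI specification for native method names.
_ESC = {"_1": "_", "_2": ";", "_3": "["}
_TOKENS = re.compile(r"_0[0-9a-f]{4}|_[123]|_|[^_]+")
# "__" separates name and argument signature of an overloaded method, unless
# it is a package separator followed by an escape such as "_1".
_OVERLOAD_SEP = re.compile(r"__(?![0-3])")

def _decode(text, sep):
    """Undo JNI name escapes; a bare '_' stands for `sep` ('.' or '/')."""
    out = []
    for tok in _TOKENS.findall(text):
        if tok in _ESC:
            out.append(_ESC[tok])
        elif tok.startswith("_0"):
            out.append(chr(int(tok[2:], 16)))  # _0xxxx: escaped code unit
        else:
            out.append(sep if tok == "_" else tok)
    return "".join(out)

def parse_jni_export(symbol):
    """Return (class, method, arg_signature or None), or None if the symbol
    is not a statically registered JNI entry."""
    if not symbol.startswith("Java_"):
        return None
    body = symbol[len("Java_"):]
    m = _OVERLOAD_SEP.search(body)
    name = body[:m.start()] if m else body
    sig = _decode(body[m.end():], "/") if m else None
    cls, _, method = _decode(name, ".").rpartition(".")
    return (cls, method, sig) if cls and method else None

def jni_entries(exported_symbols):
    """Split an export list into static JNI entries and a flag telling whether
    JNI_OnLoad is exported (the usual place for RegisterNatives calls, whose
    targets cannot be read from symbol names)."""
    static = [e for e in map(parse_jni_export, exported_symbols) if e]
    return static, "JNI_OnLoad" in exported_symbols

# Constructed sample export list (not taken from a real application).
SAMPLE_EXPORTS = [
    "Java_com_example_app_NativeLib_stringFromJNI",
    "Java_com_example_app_Native_1Lib_send_1data__ILjava_lang_String_2",
    "Java_com_example_app_Outer_00024Inner_run___3B",
    "JNI_OnLoad",
    "memcpy",
]
```

When `jni_entries` reports that `JNI_OnLoad` is exported, the statically named entries may be incomplete, which is the gap the thesis addresses with symbolic execution.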