In recent years, with the expanding scope of services offered by mini-programs and the continuous growth of user numbers, the issue of security in mini-programs has gained significant attention. However, there is currently a lack of systematic research on the security aspects of mini-programs, and mature security analysis tools for evaluating the security of mini-programs are also lacking in the market. In order to address these issues, this paper conducts research on security analysis techniques for mini-programs, and the main contributions and innovations are as follows:

(1) A static analysis technique for mini-programs based on abstract syntax trees is proposed, addressing the challenges posed by the asynchronous nature, weak typing, complex variable propagation rules of the JavaScript language, and the unique mechanisms of mini-programs that make static analysis difficult. The paper implements taint analysis and data flow analysis algorithms to identify and analyze tainted code in mini-programs and track the propagation paths of sensitive data. Experimental validation shows that the implemented taint analysis algorithm achieves an accuracy rate of 95.00%, while the data flow analysis algorithm achieves an accuracy rate of 91.57%.

(2) A dynamic analysis technique based on UI state transition graphs is proposed, addressing the challenges posed by complex state transition relationships and the isolated runtime environment in mini-programs. By combining the taint analysis algorithm from static analysis techniques, a scheme is designed to generate UI state transition graphs for mini-programs. Furthermore, a testing strategy based on UI state transition graphs is proposed for dynamic analysis of mini-programs. Experimental validation shows that this technique accurately identifies the transition relationships, with an accuracy rate of 94.94% for the generated UI state transition graphs. Additionally, the technique successfully detects 1 mini-program with robustness issues from 15 popular open-source mini-program projects.

(3) An integrated mini-program security analysis tool is designed and implemented by combining static analysis techniques and dynamic analysis techniques. The tool incorporates static analysis features such as taint analysis and data flow analysis, as well as dynamic analysis capabilities based on UI state transition graphs. After completing the implementation of the tool, it is used to detect the issue of App Secret leakage in mini-programs. As a result, 7585 mini-programs with this issue are identified out of 20766 mini-programs. Additionally, experimental evaluations are conducted to assess the performance of the tool in both static and dynamic analysis aspects.