| HarmonyOS is a new rising full-scene distributed operating system that enables collaboration among devices,providing users with a distributed experience across multiple devices.However,while HarmonyOS offers diverse ways of information exchange for applications,it also brings more complex privacy leaks for malicious apps.Through crossdevice data exchange,applications can pass privacy data between different devices,leading to cross-device privacy data leakage.The unique feature of cross-device privacy leakage in HarmonyOS is the transmission of privacy data between applications on different devices to achieve privacy leakage.Unlike cross-application privacy leakage,HarmonyOS provides many new cross-device interaction interfaces for data exchange between devices.If traditional static analysis methods are used to analyze cross-device privacy leaks,every interaction path between devices needs to be connected,resulting in path explosion due to the large number of connections between graphs.Additionally,the analysis results of a single device cannot be used for cross-device analysis,and repetitive analysis greatly reduces the efficiency of cross-device analysis.Therefore,there is a lack of effective methods for detecting crossdevice privacy leaks in the current privacy leakage analysis methods.In order to study cross-device privacy leaks in HarmonyOS,this thesis mainly focuses on the following work:This thesis takes cross-device applications on HarmonyOS as the research object and discovers new cross-device privacy leakage methods in four cross-device scenarios,including cross-device migration,cross-device invocation,cross-device connection,and cross-device database.They use distributed software bus to transmit privacy data,scattering the acquisition and leakage of privacy data across different devices.For cross-device migration,its unique migration mechanism causes the call graph to become a loop,leading to static analysis errors.Based on JN-SAF,this thesis designs and implements a cross-device privacy leakage detection method based on virtual nodes.When conducting static analysis of applications,the call graph of other applications is abstracted into a virtual node.Thus,the connection between graphs becomes the connection between a graph and a node.If there is interaction between privacy data and the virtual node,the path is recorded.Finally,by matching the leakage paths of different applications,it is determined whether privacy leakage occurs.To solve the problem of call graph loops in cross-device migration,this thesis designs a loop-breaking algorithm that breaks the loop from the end of the second analysis within the component to detect privacy leakage behavior during migration.Experimental results show that the detection method in this thesis can effectively detect cross-device privacy leakage behavior,and multiple applications with cross-device privacy leakage risks have been found in the Huawei app market. |
PDF Full Text Request