面向Android APP污点分析的测试用例生成方法研究.pdfVIP

摘 要 随着Android系统移动设备的广泛使用，安全问题也变的越来越突出，因此， 针对Android应用程序的漏洞分析研究非常重要。污点分析可以分为动态、静态 和混合三种。静态分析的优点是分析代码覆盖率高并且漏报率低，但是由于没有 实际运行程序，所以无法获得程序运行时的上下文信息，从而导致虚警率过高； 而动态分析的缺点是分析代码覆盖率较低，漏报率较高。 为了提高静态污点分析结果的正确率、降低虚警，需要验证静态分析结果的 正确性的方法。本文提出了一种基于反转条件约束求解的测试用例生成方法，用 于产生潜在污点传播路径的输入。首先根据插桩得到的覆盖Source到Sink 的程 序执行路径信息(种子Trace)，然后收集Trace 中的if条件判断语句，设计相关条 件表达式规范化规则，结合缩略提取和语义转换，通过调用Z3可满足性模理论 求解器得到相关测试用例。接着利用新测试用例执行AndroidAPP进而得到其他 Trace，最后分析所有Trace来判定是否虚警，从而有效降低虚警、提高正确率。 关键词：测试用例；污点分析；Z3；Jimple；约束求解 I Abstract With the widespread use of Android mobile devices. But then theres the problem of the hidden security vulnerabilities of Android apps, So the research of vulnerability analysis for Android applications is important.The taint analysis can be divided into three types: dynamic, static and mixed. The advantage of static analysis is that the code coverage is high and the rate of missing report is low, but because there isno actual runningprogram,the context information oftherunning time ofthe program cannot be obtained, which leads to the false alarm rate being too high.The disadvantages of dynamic analysis is that the coverage of analysis code is low, and therateofmissingreport ishigh. In order to improve the accuracy of static taint analysis results and reduce false alarms, a method to verify the correctness of the static analysis results are needed. This paper proposes a test case generation method based on inverse conditional constraint solving for generation inputs for potential taint propagation paths. First execute the path information (seed Trace) based on the program that the pile gets to cover Source to Sink.Then collecting the if conditionaljudgment statement in Trace, designing the related conditional expression normalization rule, combining the thumbnail extraction and semantic transformation, the relevant test