Cite this article
  • Yu Dongsong, Meng Guozhu, Zou Wei, Xiao Yang, Zhang Xiu, Gong Xiaorui. Code-Clone-based Detection of Android Kernel Vulnerabilities in Vendor Customized Code [J]. 信息安全学报 (Journal of Cyber Security), accepted.


Code-Clone-based Detection of Android Kernel Vulnerabilities in Vendor Customized Code
(School of Cyber Security, University of Chinese Academy of Sciences; Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Android is widely used on mobile terminals. Original equipment manufacturers (OEMs) such as Samsung and Huawei typically make extensive modifications on top of the open-source Android system, including customization of the kernel. However, this kernel customization code may introduce new security vulnerabilities that threaten users' privacy and data security. To find security issues in such kernel customization code, this paper proposes a patch-sensitive program slicing technique that selects, from a vulnerable function, the statements directly related to the patch, normalizes and translates them, and builds a vulnerability fingerprint from them to find similar vulnerabilities in customized kernels. First, to effectively filter silently fixed vulnerable code fragments out of vendor kernel source code, we manually analyzed 223 known vulnerability patches in the open-source Linux kernel and, using an abstract-syntax-tree representation of the code, summarized 8 classes of kernel patch features. We then selected the kernel source projects of 5 different vendors together with earlier versions of those projects. Using the patch features above, we extracted 22576 distinct kernel vulnerability patches from 78400 kernel code difference fragments. Starting from these patch fragments and the root cause of each vulnerability, we designed a new program slicing technique over the patch context that selects from the vulnerable function the statements directly associated with the root cause, normalizes and translates them, and builds a statement-level kernel vulnerability feature library. We further weight these statements with a Gaussian function of their distance from the original patch statements. Using this feature library, we scanned more than 20 million lines of code in 5 different Android kernels; the experimental results show that the proposed detection method achieves higher precision and a lower false-positive rate than existing tools. In total we identified 31 kernel vulnerabilities located in customized code fragments, 8 of which have been confirmed and acknowledged by the vendors.
Keywords:  Android  vulnerability  code clone detection  kernel customized code
Received: 2021-08-18; Revised: 2021-11-17
Funding: Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02040100); National Key Research and Development Program of China (2018YFB0805000)
Code-Clone-based Detection of Android Kernel Vulnerabilities in Vendor Customized Code
Yu Dongsong1,2, Meng Guozhu1,2, Zou Wei1,2, Xiao Yang1,2, Zhang Xiu1,2, Gong Xiaorui1,2
(1.School of Cyber Security, University of Chinese Academy of Sciences;2.Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Android, a popular mobile operating system, is widely used in commercial off-the-shelf mobile devices. Original Equipment Manufacturers (OEMs) such as Samsung and Huawei usually perform heavy customization of the original system, including the kernel. However, this customization might introduce new vulnerabilities into the Android kernel that can compromise the device. To expose vulnerabilities in customized kernels, in this paper we propose a patch-sensitive program slicing method that catches the related clauses in vulnerable functions and then generates vulnerability signatures via normalization and semantic translation. Specifically, to collect vulnerable code snippets from Android OEM kernel source code, we perform a manual analysis of 223 known CVEs and their patches in Linux kernels and summarize 8 different kernel patch patterns at the abstract-syntax-tree level. We then collected the 5 latest kernel projects from different popular vendors, together with their older versions for reference. After a diff analysis between each latest kernel and its corresponding older kernel, we obtain 78400 code snippets that were modified as the OEM kernels evolved. With the help of the abstract-syntax-tree patterns summarized in our manual analysis, we extract 22576 security-related patches from these snippets. Based on these patches, we propose a novel program slicing approach to obtain the related clauses in the vulnerable functions. After normalizing and translating the clauses, we construct a clause-level kernel vulnerability pattern dataset from these patches. Furthermore, we use a Gaussian function to compute a weight for each clause from its distance to the patch code. Based on this dataset, we perform a large-scale analysis of the latest Android kernel projects, which contain more than 20 million lines of code. In total, 31 vulnerabilities are identified and 8 of them have been confirmed and acknowledged by the vendors.
Key words:  Android  vulnerability  code clone detection  kernel customized code
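As an added illustration (not the paper's tool, whose AST slicer and semantic translation are not reproduced here), the following Python sketch walks the pipeline the abstract describes on constructed input: diff an unpatched upstream function against its fix, slice the statements that share variables with the patch, normalize them into clause signatures, weight each clause with a Gaussian of its statement distance from the patch location, and score vendor functions, treating one that already contains the patch clauses as silently fixed rather than vulnerable. The C snippets, the missing-bounds-check patch and all function names are constructed for the example; slicing by identifier overlap, one statement per line, and the weight exp(-d^2 / 2 sigma^2) are simplifying assumptions, not the paper's exact method.

```python
"""Toy version of the patch-sensitive signature pipeline sketched in the abstract.

Added illustration, not the paper's tool. Simplifying assumptions: one C statement
per line, slicing by identifier overlap with the patch instead of AST dependence,
token-level normalization, and a constructed (not real-CVE) missing-bounds-check patch.
"""
import difflib
import math
import re

C_KEYWORDS = {
    "if", "else", "for", "while", "return", "sizeof", "struct", "static", "int",
    "char", "const", "unsigned", "long", "void", "size_t", "goto", "break", "__user",
}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|->|[^\sA-Za-z_\d]")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
MACRO_RE = re.compile(r"[A-Z][A-Z0-9_]*")  # error codes and constants keep their names

# Constructed upstream pair: the patch inserts a length check before copy_from_user.
VULN_FUNC = """\
static int dev_ioctl_copy(struct dev_ctx *ctx, const char __user *buf, size_t len)
{
    char tmp[64];
    int ret;
    if (copy_from_user(tmp, buf, len))
        return -EFAULT;
    ret = ctx->handle(tmp, len);
    return ret;
}
"""
PATCHED_FUNC = VULN_FUNC.replace(
    "    if (copy_from_user",
    "    if (len > sizeof(tmp))\n        return -EINVAL;\n    if (copy_from_user",
)

# Constructed vendor functions: a renamed clone with extra logging, the same clone
# after a silent fix, and an unrelated function.
VENDOR_CLONE = """\
static int vnd_cfg_write(struct vnd_dev *vd, const char __user *ubuf, size_t count)
{
    char kbuf[128];
    int err;
    pr_debug("vnd: write %zu bytes", count);
    if (copy_from_user(kbuf, ubuf, count))
        return -EFAULT;
    err = vd->handle(kbuf, count);
    return err;
}
"""
VENDOR_FIXED = VENDOR_CLONE.replace(
    "    if (copy_from_user",
    "    if (count > sizeof(kbuf))\n        return -EINVAL;\n    if (copy_from_user",
)
VENDOR_UNRELATED = """\
static int vnd_get_id(struct vnd_dev *vd, int __user *out)
{
    int id = vd->id;
    if (put_user(id, out))
        return -EFAULT;
    return 0;
}
"""


def body_statements(src):
    """One statement per line between the function's outer braces (toy assumption)."""
    lines = [l.strip() for l in src.strip().splitlines()]
    start = lines.index("{") + 1
    end = len(lines) - 1 - lines[::-1].index("}")
    return [l for l in lines[start:end] if l and l not in ("{", "}")]


def normalize(stmt):
    """Keep keywords, callee names and UPPERCASE macros; map other identifiers to VAR
    and literals to NUM, so a renamed vendor copy yields the same clause string."""
    toks = TOKEN_RE.findall(stmt)
    out = []
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t in C_KEYWORDS or MACRO_RE.fullmatch(t) or (IDENT_RE.fullmatch(t) and nxt == "("):
            out.append(t)
        elif t.isdigit():
            out.append("NUM")
        elif IDENT_RE.fullmatch(t):
            out.append("VAR")
        else:
            out.append(t)
    return " ".join(out)


def variables(stmt):
    """Plain identifiers in a statement (no keywords, callees or macros)."""
    toks = TOKEN_RE.findall(stmt)
    return {t for i, t in enumerate(toks)
            if IDENT_RE.fullmatch(t) and t not in C_KEYWORDS and not MACRO_RE.fullmatch(t)
            and (i + 1 >= len(toks) or toks[i + 1] != "(")}


def build_signature(vuln_src, patched_src, sigma=2.0):
    """Diff the unpatched function against its fix, slice the statements that share
    variables with the patch, and weight each by a Gaussian of its distance (in
    statements) from where the patch touches the function."""
    vuln, patched = body_statements(vuln_src), body_statements(patched_src)
    sm = difflib.SequenceMatcher(a=vuln, b=patched, autojunk=False)
    anchors, added, removed = set(), [], set()
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        anchors.update(range(i1, max(i1 + 1, i2)))
        removed.update(range(i1, i2))
        added.extend(patched[j1:j2])
    if not anchors:
        return {"clauses": [], "patch": []}
    touched = added + [vuln[i] for i in removed]
    patch_vars = set().union(*(variables(s) for s in touched))
    clauses = []
    for idx, stmt in enumerate(vuln):
        if idx not in removed and not (variables(stmt) & patch_vars):
            continue
        d = min(abs(idx - a) for a in anchors)
        clauses.append((normalize(stmt), math.exp(-d * d / (2 * sigma * sigma))))
    return {"clauses": clauses, "patch": [normalize(s) for s in added]}


def match(sig, target_src, threshold=0.8):
    """Weighted clause recall of the signature in the target; a target that already
    carries every patch clause is reported as (silently) patched, not vulnerable."""
    target = {normalize(s) for s in body_statements(target_src)}
    total = sum(w for _, w in sig["clauses"])
    hit = sum(w for c, w in sig["clauses"] if c in target)
    score = round(hit / total, 3) if total else 0.0
    if sig["patch"] and all(c in target for c in sig["patch"]):
        return score, "patched"
    return score, "vulnerable clone" if score >= threshold else "no clone"


if __name__ == "__main__":
    sig = build_signature(VULN_FUNC, PATCHED_FUNC)
    for clause, w in sig["clauses"]:
        print(f"{w:.3f}  {clause}")
    for name, src in [("clone", VENDOR_CLONE), ("fixed", VENDOR_FIXED), ("other", VENDOR_UNRELATED)]:
        print(name, match(sig, src))
```

Keeping callee names and uppercase macros out of the VAR abstraction is what lets the signature distinguish `copy_from_user` from `put_user` and `-EINVAL` from `-EFAULT` while still matching renamed locals; the "patched" verdict is the silent-fix filter the abstract mentions, and the extra `pr_debug` line in the vendor clone shows why clause recall, not whole-function equality, is the right score.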