Cite this article:
Xu Guanhong, Fu Jianming, Nie Yu, Xie Mengfei. Identify the Mapping of Java Method and Native Function for Android Applications Based on Simulated Execution [J]. Journal of Cyber Security, accepted.
DOI:
Submitted: 2023-10-20; Revised: 2023-12-19
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Identify the Mapping of Java Method and Native Function for Android Applications Based on Simulated Execution
Xu Guanhong, Fu Jianming, Nie Yu, Xie Mengfei
(Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University)
Abstract: |
Native code plays a crucial role in enhancing the functionality and convenience of mobile applications. However, the inherent cross-layer execution behavior of native code poses challenges for effective data flow analysis in Android applications. Because of the differences in language and program execution mechanism, past data flow analyses of Android applications often focused only on Java-layer code behavior, and this cross-layer analysis breakpoint allows privacy leakage and malicious code behavior to be hidden easily in the Native layer. To address this problem, existing work tries to establish the call mapping between Java methods and Native functions by static analysis, attempting to close the breakpoint in cross-layer behavior analysis. Nevertheless, these approaches fall short in handling the widespread protection mechanisms within Native libraries, and lack a comprehensive understanding of the dynamic binding mechanism of Native methods. In this paper, we present JNativeEmu, a cross-layer call mapping analysis tool based on simulated execution. JNativeEmu uses the cross-layer call registration as the parsing entry point, and supplies the essential system calls and JNI dependencies during simulated execution. Guided by symbolic execution, it is able to accurately model the cross-layer mappings within Android applications, and so provides reliable support for subsequent cross-layer data flow analysis. JNativeEmu's approach improves the understanding of the cross-layer execution behavior hidden in Native code and addresses the cross-layer limitations of existing data flow analysis. In simulated execution of 1,309 Native libraries from 50 popular apps in the app market, JNativeEmu correctly simulated 83.2% of these Native libraries without encountering crashes. Further, in terms of the number of dynamically registered Native methods successfully resolved, JNativeEmu recognizes 2.23 times as many as Jn-saf. In addition, to provide deeper insight, this paper includes detailed case studies of the implementation of function registration in Native libraries and of the corresponding program protection mechanisms.
Key words: Native code; cross-layer (Java and Native) program analysis; obfuscation; simulated execution
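The abstract refers to the "cross-layer call registration" that JNativeEmu uses as its parsing entry point, i.e. a library's JNI_OnLoad calling RegisterNatives with a JNINativeMethod table. The following Python is an added illustration of what such a hook recovers; it is not code from the paper or from JNativeEmu. It assumes the 64-bit JNINativeMethod layout (three 8-byte pointers: name, signature, fnPtr), a constructed little-endian memory image standing in for the emulator's view of the loaded library, and a hypothetical class name and code addresses. A table pointer that does not fall inside mapped memory raises an error, which is the situation an analyst hits when the table is not yet readable (for instance under the library protection mechanisms the abstract mentions).

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Layout of JNINativeMethod on 64-bit Android: three pointers,
# {const char* name; const char* signature; void* fnPtr;}.
JNI_NATIVE_METHOD_SIZE = 24
JNI_OK = 0


@dataclass(frozen=True)
class NativeMapping:
    java_class: str    # e.g. "com/example/crypto/NativeCipher" (hypothetical)
    method_name: str   # Java method name from JNINativeMethod.name
    signature: str     # JNI type signature, e.g. "(Ljava/lang/String;)Ljava/lang/String;"
    native_addr: int   # address of the native function (fnPtr)


class MemoryImage:
    """Flat little-endian view of a loaded library, as an emulator would expose it."""

    def __init__(self, base: int, data: bytes):
        self.base = base
        self.data = data

    def contains(self, addr: int, size: int = 1) -> bool:
        return self.base <= addr and addr + size <= self.base + len(self.data)

    def read_u64(self, addr: int) -> int:
        if not self.contains(addr, 8):
            raise ValueError(f"unmapped read of 8 bytes at {addr:#x}")
        return struct.unpack_from("<Q", self.data, addr - self.base)[0]

    def read_cstring(self, addr: int, limit: int = 512) -> str:
        if not self.contains(addr):
            raise ValueError(f"unmapped string pointer {addr:#x}")
        off = addr - self.base
        end = self.data.find(b"\0", off, off + limit)
        if end < 0:
            raise ValueError(f"unterminated string at {addr:#x}")
        return self.data[off:end].decode("ascii")


def parse_jni_native_methods(mem: MemoryImage, table_addr: int, count: int):
    """Decode `count` JNINativeMethod records starting at table_addr."""
    entries = []
    for i in range(count):
        rec = table_addr + i * JNI_NATIVE_METHOD_SIZE
        name_ptr = mem.read_u64(rec)
        sig_ptr = mem.read_u64(rec + 8)
        fn_ptr = mem.read_u64(rec + 16)
        entries.append((mem.read_cstring(name_ptr), mem.read_cstring(sig_ptr), fn_ptr))
    return entries


class RegisterNativesHook:
    """Stands in for JNIEnv->RegisterNatives during an emulated JNI_OnLoad.

    Each call is recorded as Java-method -> native-function mappings
    instead of being performed against a real VM.
    """

    def __init__(self, mem: MemoryImage):
        self.mem = mem
        self.mappings = []

    def __call__(self, class_name: str, methods_ptr: int, n_methods: int) -> int:
        for name, sig, fn in parse_jni_native_methods(self.mem, methods_ptr, n_methods):
            self.mappings.append(NativeMapping(class_name, name, sig, fn))
        return JNI_OK


def build_sample_image(base: int):
    """Constructed sample: two method names, their signatures and a 2-entry table."""
    strings = [b"encrypt\0", b"(Ljava/lang/String;)Ljava/lang/String;\0",
               b"nativeInit\0", b"()V\0"]
    blob = bytearray()
    str_addrs = []
    for s in strings:
        str_addrs.append(base + len(blob))
        blob += s
    while len(blob) % 8:          # align the table to 8 bytes
        blob += b"\0"
    table_addr = base + len(blob)
    fn_encrypt, fn_init = base + 0x1000, base + 0x1040   # hypothetical code addresses
    blob += struct.pack("<QQQ", str_addrs[0], str_addrs[1], fn_encrypt)
    blob += struct.pack("<QQQ", str_addrs[2], str_addrs[3], fn_init)
    blob += b"\0" * (0x1100 - len(blob))                 # pad so the code region is mapped
    return MemoryImage(base, bytes(blob)), table_addr, 2


def recover_mappings(base: int = 0x7F0000000000) -> list:
    """Emulate what JNI_OnLoad of the sample library does: one RegisterNatives call."""
    mem, table_addr, n_methods = build_sample_image(base)
    register_natives = RegisterNativesHook(mem)
    register_natives("com/example/crypto/NativeCipher", table_addr, n_methods)
    return register_natives.mappings


if __name__ == "__main__":
    for m in recover_mappings():
        print(f"{m.java_class}.{m.method_name}{m.signature} -> {m.native_addr:#x}")
```

The recovered list is the kind of Java-to-Native mapping a downstream data flow analysis needs in order to follow a call across the layer boundary; for a statically registered method (Java_pkg_Class_method exported by name) no such table exists and the mapping comes from the symbol name instead.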