{"title":"Data-Oriented Instrumentation against Information Leakages of Android Applications","authors":"Cong Sun, Pengbin Feng, Teng Li, Jianfeng Ma","doi":"10.1109/COMPSAC.2017.97","DOIUrl":null,"url":null,"abstract":"As one of the most prominent threat, information leakages usually take sensitive data from some private sources and improperly release the data through malicious or misused method invocations and intercommunications. As a countermeasure against this threat, a number of detection approaches have been developed based on static analysis, esp. taint analysis. But we still have not reached a satisfactory solution to the patching and mitigation against this threat. In this paper, we propose an approach to automatically instrument malicious Android applications with cryptographic primitives and data randomization. With the help of an off-the-shelf taint analyzer, we detect the parts of code that might leak private information. In order to mitigate these information leakages, the standard cipher transformations and randomization are used to enforce different security policies according to the positions of related information sinks and intermediate system calls along malicious flow paths. The evaluation on different benchmark suites and real-world applications demonstrates that our approach can avoid false positives and mitigate around 91% information leakages in real applications, with acceptable cost on analysis and instrumentations affordable by desktops.","PeriodicalId":6556,"journal":{"name":"2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC)","volume":"23 1","pages":"485-490"},"PeriodicalIF":0.0000,"publicationDate":"2017-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMPSAC.2017.97","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
Abstract
As one of the most prominent threat, information leakages usually take sensitive data from some private sources and improperly release the data through malicious or misused method invocations and intercommunications. As a countermeasure against this threat, a number of detection approaches have been developed based on static analysis, esp. taint analysis. But we still have not reached a satisfactory solution to the patching and mitigation against this threat. In this paper, we propose an approach to automatically instrument malicious Android applications with cryptographic primitives and data randomization. With the help of an off-the-shelf taint analyzer, we detect the parts of code that might leak private information. In order to mitigate these information leakages, the standard cipher transformations and randomization are used to enforce different security policies according to the positions of related information sinks and intermediate system calls along malicious flow paths. The evaluation on different benchmark suites and real-world applications demonstrates that our approach can avoid false positives and mitigate around 91% information leakages in real applications, with acceptable cost on analysis and instrumentations affordable by desktops.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
