Title: CRAT: Code Review Assistant Tool for Mobile Operating Systems
CRAT: Code Review Assistant Tool for Mobile Operating Systems – FxOS as an example
Author: 張瀚中 (CHANG, HANG-CHUNG)
黃育綸 (Huang, Yu-Lun)
Department of Electrical Engineering
Keywords: Mobile security; Intrusion Detection System (IDS)
Publication date: 2015
Abstract: In recent years, as the functionality and convenience of mobile devices have improved, the number of users has grown steadily and more and more valuable data is stored on mobile devices. Correspondingly, the risk of a mobile device being attacked has risen considerably. Improving the security of mobile devices has therefore become an unavoidable and important topic, and one of the main sources of attack is mobile device software (apps). An attacker uploads an anomalous app to an app store for users to download; once a user launches that app, the mobile device may suffer attacks such as leakage of personal data or disabled functionality. The most direct way to improve mobile device security is therefore to review every app carefully before it is published. However, we once submitted an anomalous app to a reviewer and, after review, it was approved for listing. This shows that malicious code is not easily detected during the review process. To improve the security of mobile devices and reduce the burden on app reviewers, we propose CRAT to help reviewers vet apps more safely and efficiently. In CRAT we redesign K-means classification (named K'-means classification) to detect anomalous apps. K'-means classification has two phases: Training and Testing. In the Training phase, we divide known normal apps into several categories and build a classification model. In the Testing phase, the classification model is used to review the app under review. If the app does not belong to any normal category, it is judged to be anomalous. Finally, we implement CRAT on an FxOS phone and evaluate its performance. Our experimental data show that CRAT can accurately distinguish normal from anomalous apps (accuracy above 90%) and completes the classification and review of an app in a very short time. Building the classification model for 60000 apps takes only about 0.2 seconds. The experimental results show that CRAT can effectively improve mobile device security and app review efficiency.
Recently, mobile technologies have grown rapidly, and more and more valuable personal information is stored on mobile devices. This raises the risk faced by mobile devices. One of the major attack sources is anomalous mobile apps. Attackers exploit the vulnerabilities of mobile apps and launch attacks against mobile devices. These attacks may cause the system to crash or leak personal information. To improve the security of a mobile device, mobile apps must be carefully reviewed before they can be pushed to a marketplace. However, when we submitted an anomalous app, which uses up extremely high CPU cycles, to an app reviewer, the reviewer approved the app after a couple of days. This means it is not easy for an app reviewer to review every line of an app. In this thesis, we propose CRAT to help an app reviewer vet mobile apps. We revise the K-means classification (called K'-means classification) to better detect anomalous apps that can cause DoS attacks (CPU, memory, network I/O). We classify normal apps into groups using K'-means classification and test the app under review against these groups. Three experiments are designed to evaluate the accuracy and performance of CRAT. The results show that CRAT can detect anomalies with an accuracy of 90% or above, and the classification and detection process can be done in a short time: 60000 normal apps can be classified within 0.2 seconds.
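The Training/Testing workflow described in the abstract, as an added illustration that is not the thesis' CRAT code: known-normal apps are clustered on their resource-usage profile (CPU, memory, network I/O), and an app under review is accepted only if it falls inside some normal cluster. The abstract does not specify how K'-means differs from K-means, so this example uses plain K-means plus a per-cluster radius with a slack factor as the membership test; the feature values, the slack factor and the radius rule are assumptions made here.

```python
import math
import random

# Constructed resource-usage profiles of known-normal apps: (cpu %, memory MB, network KB/s).
NORMAL_APPS = [
    (5, 40, 2), (7, 45, 3), (6, 38, 1), (4, 42, 2),               # light utilities
    (30, 120, 50), (28, 130, 60), (32, 115, 55), (29, 125, 52),   # media apps
]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, rounds=20, seed=0):
    """Plain Lloyd's K-means over the feature vectors; returns the k centroids."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda j: dist(p, centroids[j]))].append(p)
        # Recompute each centroid as the mean of its members; keep the old one if empty.
        centroids = [
            tuple(sum(c) / len(g) for c in zip(*g)) if g else centroids[i]
            for i, g in enumerate(groups)
        ]
    return centroids

def train(points, k, slack=1.5):
    """Training phase: cluster the normal apps and record each cluster's radius
    (largest member distance to its centroid, times a slack factor; the radius
    rule and slack value are assumptions, not details from the abstract)."""
    centroids = kmeans(points, k)
    radii = [0.0] * k
    for p in points:
        i = min(range(k), key=lambda j: dist(p, centroids[j]))
        radii[i] = max(radii[i], dist(p, centroids[i]))
    return centroids, [r * slack for r in radii]

def review(app, model):
    """Testing phase: the app under review is 'normal' if it lies inside the
    radius of its nearest normal cluster, otherwise 'anomalous'."""
    centroids, radii = model
    i = min(range(len(centroids)), key=lambda j: dist(app, centroids[j]))
    return "normal" if dist(app, centroids[i]) <= radii[i] else "anomalous"

MODEL = train(NORMAL_APPS, k=2)
```

A CPU-hogging app like the one the authors submitted would sit far from every normal centroid and be flagged; a moderate profile close to a known group passes.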
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070350720
http://hdl.handle.net/11536/126479
Appears in Collections: Theses