Title: | DroidTracking: Detecting Sensitive Data Stealing on Android with System-Wide Information Flow Tracking (original title: 藉系統層的資訊流動追蹤以偵測Android平台上竊取敏感資料的行為) |
Authors: | Su, Hsiu-Tsun (蘇修醇); Shieh, Shiuh-Pyng (謝續平); Institute of Computer Science and Engineering |
Keywords: | virtual machine; information flow tracking; information stealing; mobile device; Android; Android Emulator; ARM; Information Flow; Taint; Data Stealing |
Issue Date: | 2011 |
Abstract: | Lookout Mobile Security reported that more than 50 applications on the Google Android Market had been injected with the DroidDream malware. DroidDream sends a variety of sensitive data to a remote server, and it was the first malware found to exploit vulnerabilities of the Android operating system (Android OS). To analyze such malware accurately, we propose DroidTracking, a system-wide, fine-grained information flow tracking system built by modifying the emulated ARM CPU. Being VM-based, DroidTracking analyzes the entire Android OS to detect sensitive data stealing behaviors. Unlike conventional system call tracking schemes, which operate on information the malware itself can tamper with, the VM-based, system-wide analysis stays out of the malware's reach, and its fine-grained tracking supports byte-level analysis of system objects. DroidTracking has been implemented to track the leakage of sensitive information such as GPS location, IMEI, IMSI and ICC-ID, with more sources of sensitive data planned for future work. To evaluate DroidTracking, we collected a number of popular Android applications known to be infected with DroidDream. Our experiment showed that the infected applications' data stealing behaviors can be accurately identified and detected. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT079855568 http://hdl.handle.net/11536/48303 |
Appears in Collections: | Thesis |
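The abstract describes tainting at the level of the emulated CPU with one taint mark per byte of each system object, and reporting when tainted bytes reach a sink such as a network send. The following Python sketch is an added illustration of that idea and is not the thesis's code: it models a toy ARM-like register machine with shadow taint state, uses a constructed IMEI value and constructed instruction sequence, and the label encoding, mnemonics (`ldr`, `str_`, `mov`, `add`, `eor`, `send`) and propagation rules are assumptions chosen for the demonstration rather than DroidTracking's actual design.

```python
"""Byte-level dynamic taint tracking over a toy ARM-like register machine.

Constructed example. Shadow state keeps one taint mask per memory byte and per
register byte, so copying part of a sensitive value carries only that part's
taint, which is the "byte-level system object analysis" idea in the abstract.
"""

# Taint labels as bit flags, one per sensitive source (assumed encoding).
GPS, IMEI, IMSI, ICCID = 0x1, 0x2, 0x4, 0x8
LABEL_NAMES = {GPS: "GPS", IMEI: "IMEI", IMSI: "IMSI", ICCID: "ICC-ID"}


def label_names(mask):
    """Decode a taint mask into the names of the sources it carries."""
    return [name for bit, name in LABEL_NAMES.items() if mask & bit]


class TaintVM:
    """Toy machine: byte-addressed memory, eight 32-bit registers, shadow taint."""

    def __init__(self, mem_size=256):
        self.mem = bytearray(mem_size)
        self.shadow = bytearray(mem_size)                # taint mask per memory byte
        self.regs = [0] * 8                              # r0..r7
        self.reg_shadow = [[0] * 4 for _ in range(8)]    # taint mask per register byte

    # Source: the emulated OS places a sensitive value in a buffer and labels it.
    def write_source(self, addr, data, label):
        self.mem[addr:addr + len(data)] = data
        for i in range(len(data)):
            self.shadow[addr + i] = label

    # Data movement: taint follows each byte individually.
    def ldr(self, rd, addr):
        self.regs[rd] = int.from_bytes(self.mem[addr:addr + 4], "little")
        self.reg_shadow[rd] = list(self.shadow[addr:addr + 4])

    def str_(self, rs, addr):
        self.mem[addr:addr + 4] = self.regs[rs].to_bytes(4, "little")
        self.shadow[addr:addr + 4] = bytes(self.reg_shadow[rs])

    def mov(self, rd, rs):
        self.regs[rd] = self.regs[rs]
        self.reg_shadow[rd] = list(self.reg_shadow[rs])

    # Arithmetic: a carry can move information across byte lanes, so every
    # result byte takes the union of all input byte taints (conservative).
    def add(self, rd, rs, rt):
        self.regs[rd] = (self.regs[rs] + self.regs[rt]) & 0xFFFFFFFF
        mask = 0
        for m in self.reg_shadow[rs] + self.reg_shadow[rt]:
            mask |= m
        self.reg_shadow[rd] = [mask] * 4

    # eor r, r, r is the usual "zero a register" idiom: the result is a
    # constant, so its taint is cleared rather than propagated.
    def eor(self, rd, rs, rt):
        if rs == rt:
            self.regs[rd] = 0
            self.reg_shadow[rd] = [0] * 4
            return
        self.regs[rd] = self.regs[rs] ^ self.regs[rt]
        self.reg_shadow[rd] = [a | b for a, b in zip(self.reg_shadow[rs], self.reg_shadow[rt])]

    # Sink: a network send. Returns (offset, [labels]) for every tainted byte.
    def send(self, addr, length):
        return [(addr + i, label_names(self.shadow[addr + i]))
                for i in range(length) if self.shadow[addr + i]]


def exfiltration_scenario():
    """Constructed DroidDream-style flow: read the IMEI, copy it word by word
    behind a clean header, and send the whole message buffer."""
    vm = TaintVM()
    imei = b"356938035643809\0"                  # constructed 15-digit IMEI + NUL
    vm.write_source(0x10, imei, IMEI)
    vm.write_source(0x30, b"8" * 16, ICCID)      # labelled but never sent
    vm.eor(0, 0, 0)                              # r0 = 0, untainted
    vm.str_(0, 0x80)                             # constant 4-byte header
    for w in range(4):                           # memcpy-like 16-byte copy
        vm.ldr(1, 0x10 + 4 * w)
        vm.mov(2, 1)
        vm.str_(2, 0x84 + 4 * w)
    return vm.send(0x80, 20)


def arithmetic_mixes_taint():
    """Loading a word whose first byte only is tainted and adding a clean
    register taints all four result bytes (the conservative add rule)."""
    vm = TaintVM()
    vm.write_source(0x10, b"\x05", GPS)          # one tainted byte at 0x10
    vm.ldr(1, 0x10)                              # r1 shadow: [GPS, 0, 0, 0]
    vm.eor(2, 2, 2)                              # r2 clean
    vm.add(3, 1, 2)                              # r3 shadow: [GPS] * 4
    return vm.reg_shadow[1], vm.reg_shadow[3]


if __name__ == "__main__":
    for offset, labels in exfiltration_scenario():
        print(f"tainted byte at 0x{offset:02x} reaches send(): {labels}")
```

The header written through the zeroed register stays clean while the 16 copied IMEI bytes arrive at the sink still labelled, and the ICC-ID buffer that is never sent produces no report; the per-byte shadow is what lets the report say exactly which bytes of the outgoing message carry which source. The arithmetic rule is deliberately over-approximate: a real tracker trades that kind of conservatism against false positives on every instruction class it models.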