Graduate student: | 陳彥伶 Yen-Ling Chen |
---|---|
Thesis title: | DroidCIA: 基於 HTML5 語法行動應用程式的惡意程式碼注入攻擊偵測 DroidCIA: A Novel Detection Method of Injection Attacks on HTML5-based Mobile Apps |
Advisor: | 李漢銘 Hahn-Ming Lee |
Oral defense committee: | 鄧惟中 Wei-Chung Teng, 鄭博仁 Albert B. Jeng, 鄭欣明 Shin-Ming Cheng, 廖弘源 |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering |
Year of publication: | 2015 |
Academic year of graduation: | 103 |
Language: | English |
Number of pages: | 52 |
Chinese keywords: | Android, detection, vulnerability, information security, phonegap, html5 |
Foreign-language keywords: | phonegap, html5 |
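Smartphones have become increasingly popular in recent years, and they run a variety of operating systems, such as Android and iOS. With HTML5, developers can now use HTML5 syntax to build cross-platform apps more easily. Unfortunately, apps developed with HTML5 also inherit cross-site scripting attacks, just like attacks on ordinary websites. Attackers can inject malicious scripts through many different channels, such as QR Codes and Wi-Fi access points. In this thesis, we propose a new method for detecting cross-site scripting attacks. This method not only detects the injection points discovered in the past, but also detects a new injection channel, the text box `document.getElementById("TagID").value`. This new text box injection channel was not found in previous research, because previous research analyzed only JavaScript APIs and overlooked the HTML files that contain the text box channel information. We downloaded 8303 apps from Google Play to validate our method. In the end, 352 vulnerable apps were detected with an accuracy of 99%; 347 of them were also detected by other researchers, and 5 newly found vulnerable apps were detected, all 5 of which are subject to injection through the text box channel. We also developed a cross-site scripting attack detection tool named DroidCIA, which automatically draws the API call graph and combines it with the text box information contained in the HTML.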
Smartphones have become more and more popular recently. There are many different smartphone systems, such as Android, iOS, etc. Based on HTML5, developers now have a convenient framework to develop cross-platform HTML5-based mobile apps. Unfortunately, HTML5-based apps are also susceptible to cross-site scripting attacks like most web applications. Attackers can inject malicious scripts from many different injection channels such as QR Code and Wi-Fi access points. In this paper, we propose a new way to detect a known malicious script injected by using the HTML5 text box input type along with `document.getElementById("TagID").value`. This new text box injection channel was not detected by other researchers so far because they only analyzed JavaScript APIs, but overlooked HTML files which captured text box input type information. We apply this new method to a vulnerable app set with 8303 cases obtained from Google Play and detect a total of 352 vulnerable apps with accuracy 99%. The 352 vulnerable apps include 347 detected also by other researchers as well as 5 extra vulnerable apps that belonged to the text box injection channel. We also implement a Code Injection Attack detection tool named DroidCIA that automates the drawing of the JavaScript API call graph and the combination of API with HTML information.