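Graduate student: 陳彥伶 (Yen-Ling Chen)
Thesis title: DroidCIA: A Novel Detection Method of Injection Attacks on HTML5-based Mobile Apps (DroidCIA: 基於 HTML5 語法行動應用程式的惡意程式碼注入攻擊偵測)
Advisor: 李漢銘 (Hahn-Ming Lee)
Oral defense committee: 鄧惟中 (Wei-Chung Teng), 鄭博仁 (Albert B. Jeng), 鄭欣明 (Shin-Ming Cheng), 廖弘源
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2015
Academic year of graduation: 103
Language: English
Number of pages: 52
Keywords (Chinese, translated): Android, detection, vulnerability, information security, phonegap, html5
Keywords (English): phonegap, html5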
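  • Smartphones have become increasingly popular in recent years, and they run a variety of operating systems, such as Android and iOS. With HTML5, developers can now use HTML5 syntax to develop cross-platform apps more easily. Unfortunately, apps developed with HTML5 also inherit cross-site scripting attacks, just like ordinary websites. Attackers can inject malicious scripts through a variety of channels, such as QR codes and Wi-Fi access points. In this thesis, we propose a new method for detecting cross-site scripting attacks; it detects not only the previously discovered injection points but also the new text box injection channel, "document.getElementById("TagID").value". This new text box injection channel was not found in previous research, because previous research analyzed only JavaScript APIs and overlooked the HTML files that contain the text box channel information. We downloaded 8303 apps from Google Play to validate our method. In the end, 352 vulnerable apps were detected with an accuracy of 99%; these include 347 that other researchers had also detected and 5 newly detected vulnerable apps, all 5 of which are attacked through injection via the text box channel. We also developed a cross-site scripting attack detection tool named DroidCIA, which automatically draws the API call graph and combines it with the text box information contained in the HTML.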


    Smartphones have become more and more popular recently. There are many
    different smartphone systems, such as Android and iOS. Based on HTML5,
    developers now have a convenient framework for developing cross-platform
    HTML5-based mobile apps. Unfortunately, HTML5-based apps are also
    susceptible to cross-site scripting attacks, like most web applications.
    Attackers can inject malicious scripts through many different injection
    channels, such as QR codes and Wi-Fi access points. In this paper, we
    propose a new way to detect a known malicious script injected by using the
    HTML5 text box input type along with
    "document.getElementById("TagID").value". This new text box injection
    channel has not been detected by other researchers so far because they only
    analyzed JavaScript APIs and overlooked the HTML files that capture text
    box input type information. We apply this new method to a vulnerable app
    set of 8303 cases obtained from Google Play and detect a total of 352
    vulnerable apps with an accuracy of 99%. The 352 vulnerable apps include
    347 also detected by other researchers as well as 5 extra vulnerable apps
    that belong to the text box injection channel. We also implement a Code
    Injection Attack detection tool named DroidCIA that automates the drawing
    of the JavaScript API call graph and the combination of API with HTML
    information.

    Chinese Abstract
    Abstract
    Acknowledgements
    1 Introduction
        1.1 Motivation
        1.2 Challenges And Goals
        1.3 Contributions
        1.4 The Outline Of Thesis
    2 Background And Related Work
        2.1 HTML5-Based Mobile Framework
            2.1.1 Background
            2.1.2 WebView component overview
            2.1.3 PhoneGap
        2.2 Code Injection Attacks On HTML5-based Apps
            2.2.1 XSS attack on web application vs. code injection on HTML5-based apps
            2.2.2 Case study
        2.3 Hybrid Mobile Detection And Flow Analysis
            2.3.1 Code injection attacks detection
            2.3.2 Fixing hybrid web/mobile application frameworks
            2.3.3 WebView attacks and flow analysis
    3 Description Of DroidCIA
        3.1 DroidCIA Overview
        3.2 HTML5 Text Box ID Finder
        3.3 A Complete Injection Channel List Creator
        3.4 JavaScript Of HTML5 Collector
        3.5 Source API-Based Vulnerable JavaScript Finder
        3.6 Script Control-Flow Constructor
        3.7 Function-Call Flow Relationship Constructor
        3.8 API Call Graph Generator
        3.9 Sensitive Source-Sink Finder
    4 Experiments
        4.1 Environment And Implementation
        4.2 Dataset
        4.3 Evaluation
        4.4 Case Studies
            4.4.1 Attack samples
            4.4.2 Text box samples
            4.4.3 Statistics vulnerable APIs usage
        4.5 Limitations
    5 Conclusions and Further Work
        5.1 Conclusions
        5.2 Further Work
