Tuesday 20 October 2015

Vulhunter: Toward Discovering Vulnerabilities In Android Applications



ABSTRACT:
With the prosperity of the Android app economy, many apps have been published and sold in various markets. However, short development cycles and insufficient security development guidelines have led to many vulnerable apps. Although some systems have been developed for automatically discovering specific vulnerabilities in apps, their effectiveness and efficiency are usually restricted because of the exponential growth of paths to examine and simplified assumptions. In this article, the authors propose a new static-analysis framework for facilitating security analysts to detect vulnerable apps from three aspects. First, they propose an app property graph (APG), a new data structure containing detailed and precise information from apps. Second, by modeling app-related vulnerabilities as graph traversals, the authors conduct graph traversals over APGs to identify vulnerable apps for easing the identification process. Third, they reduce the workload of manual verification by removing infeasible paths and generating attack inputs whenever possible. They have implemented the framework in a system named VulHunter with 9,145 lines of Java code and modeled five types of vulnerabilities. Checking 557 popular apps that are randomly collected from Google Play and have at least 1 million installations, the authors found that 375 apps (67.3 percent) have at least one vulnerability.
AIM
The aim of this paper is to present a new static-analysis framework that helps security analysts detect vulnerable apps from three aspects.
SCOPE
The scope of this work is the implementation of the framework in a system named VulHunter, with 9,145 lines of Java code, and the modeling of five types of vulnerabilities.
EXISTING SYSTEM:
Existing research on automatic vulnerability discovery for applications (“apps”) usually focuses on several specific types of vulnerabilities because of the undecidability of the generic problem of spotting program vulnerabilities. For example, ComDroid aims at Intent-related issues (that is, unauthorized Intent receipt and Intent spoofing). SMV-Hunter detects SSL and Transport Layer Security (TLS) man-in-the-middle vulnerabilities. ContentScope examines the vulnerabilities of an unprotected content provider. AndroidLeaks uncovers potential private information leakages. Woodpecker targets capability leak vulnerabilities. CHEX discovers component hijacking vulnerabilities. However, these systems’ effectiveness and efficiency are usually restricted in practice due to the exponential growth of paths to examine, simplified assumptions, and the limited number of vulnerability patterns [1, 8]. Moreover, it is not easy to extend these systems to capture new vulnerabilities, although they share some common components (such as constructing control-flow graphs and dataflow graphs).
DISADVANTAGES:

  1. It is not easy to extend these systems to capture new vulnerabilities, although they share some common components (such as constructing control-flow graphs and dataflow graphs).
  2. They did not discover vulnerable apps, and it is not clear how SCA processes those apps.

PROPOSED SYSTEM:
In this project, we propose a new static-analysis framework to facilitate vulnerability discovery for apps by extracting detailed and precise information from apps and easing the identification process. Moreover, the framework can reduce the manual-verification workload by performing slicing and filtering out infeasible paths. To our knowledge, existing approaches cannot achieve these goals simultaneously. Moreover, defining app property graphs (APGs) and employing graph databases can scale up the vulnerability discovery process. Researchers are exploring an alternative vulnerability-discovery approach of facilitating security analysts by providing detailed and precise information and expert knowledge. The work closest to our approach is the code property graph (CPG) [1], which combines an abstract syntax tree (AST), control-flow graph (CFG), and program dependency graph (PDG) to represent C source code and model common vulnerabilities as graph traversals. Therefore, finding potential vulnerabilities is turned into performing graph traversals over CPGs with much better performance in terms of accuracy and flexibility. Although we also model vulnerabilities as graph traversals and conduct graph traversals to find vulnerable apps, significant differences exist between the two approaches.
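The idea of modeling a vulnerability as a graph traversal, shown as an added Python example that is not taken from the paper or from VulHunter: a toy property graph and one traversal that reports exported components reaching a sensitive API call without passing a permission check. The node kinds, the FLOWS_TO edge label, the sample services and the capability-leak rule itself are assumptions made for illustration; treating any path through a check call as guarded is a simplification.

```python
from collections import defaultdict

class PropertyGraph:
    """Minimal property graph: nodes carry properties, edges carry a label."""
    def __init__(self):
        self.nodes = {}                   # node id -> property dict
        self.edges = defaultdict(list)    # node id -> [(label, target id)]

    def add_node(self, nid, **props):
        self.nodes[nid] = props

    def add_edge(self, src, label, dst):
        self.edges[src].append((label, dst))

    def out(self, nid, label):
        return [dst for (lbl, dst) in self.edges.get(nid, []) if lbl == label]

def capability_leaks(g, sensitive_apis, guard_api="checkCallingPermission"):
    """Return every path from an exported component to a sensitive API call
    that does not pass through a permission-check call (assumed rule)."""
    findings = []

    def walk(nid, path):
        props = g.nodes[nid]
        if props.get("kind") == "call":
            if props.get("api") == guard_api:
                return                    # guarded path: prune it
            if props.get("api") in sensitive_apis:
                findings.append(path)
                return
        for nxt in g.out(nid, "FLOWS_TO"):
            if nxt not in path:           # do not loop on cycles
                walk(nxt, path + [nxt])

    for nid, props in g.nodes.items():
        if props.get("kind") == "component" and props.get("exported"):
            walk(nid, [nid])
    return findings

def build_sample_graph():
    """Constructed sample: three hypothetical services that all send an SMS."""
    g = PropertyGraph()
    for name, exported, guarded in [("OpenSvc", True, False),
                                    ("GuardedSvc", True, True),
                                    ("PrivateSvc", False, False)]:
        g.add_node(name, kind="component", exported=exported)
        g.add_node(name + ".onStart", kind="method")
        g.add_node(name + ".check", kind="call", api="checkCallingPermission")
        g.add_node(name + ".send", kind="call", api="sendTextMessage")
        g.add_edge(name, "FLOWS_TO", name + ".onStart")
        mid = name + ".check" if guarded else name + ".send"
        g.add_edge(name + ".onStart", "FLOWS_TO", mid)
        g.add_edge(name + ".check", "FLOWS_TO", name + ".send")
        g.add_edge(name + ".onStart", "FLOWS_TO", name)   # cycle, must be ignored
    return g
```

Only the exported, unguarded service is reported; the guarded path is pruned at the check node and the non-exported component is never used as a starting point.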
ADVANTAGES

  1. Capturing vulnerabilities is made easy, and modeling vulnerabilities also becomes easy through graph traversals.
  2. It reduces false positives and optimizes queries according to vulnerability patterns.

SYSTEM ARCHITECTURE:



SYSTEM CONFIGURATION

HARDWARE REQUIREMENTS:-

·  Processor     -  Pentium III
·  Speed         -  1.1 GHz
·  RAM           -  256 MB (min)
·  Hard Disk     -  20 GB
·  Floppy Drive  -  1.44 MB
·  Keyboard      -  Standard Windows Keyboard
·  Mouse         -  Two or Three Button Mouse
·  Monitor       -  SVGA

SOFTWARE REQUIREMENTS:-

·  Operating System  :  Android OS
·  Front End         :  Java
·  Database          :  SQLite
·  Tool              :  Eclipse

REFERENCE:
Chenxiong Qian; Xiapu Luo; Yu Le; Guofei Gu, “VulHunter: Toward Discovering Vulnerabilities in Android Applications”, IEEE Transactions on Micro, Volume 35, Issue 1, Jan.-Feb. 2015
