Title: Tracking Information-flow of Storage Access on Android for Analysis
Authors: Chang, Chia-Huei (張佳惠)
Shieh, Shiuhpyng (謝續平)
Institute of Computer Science and Engineering
Keywords: Android; Dynamic Information Flow Tracking; Storage
Issue Date: 2012
Abstract: Recent research on Android malware analysis has introduced information flow tracking to profile memory, storage, and network behaviors. However, state-of-the-art information flow tracking techniques on Android limit their scope to memory and lack byte-granularity support for storage such as the SD card or NAND flash. In this thesis, byte-level information flow tracking on Android storage is proposed. In addition, a YAFFS2 file system parser is implemented to map a given offset on the disk back to the abstract object, namely the owner file, for semantics reconstruction. Our system precisely tracks only the incoming packets sent to the subject program. It also identifies the source of data written to files or sent to the network. The evaluation shows that our prototype system successfully tracks information flows between storage and memory and between memory and the network, providing a more complete behavior profile for malware analysis.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070056006
http://hdl.handle.net/11536/72959
Appears in Collections: Thesis