摘要
为了解决移动应用平台缺乏权限验证所导致的越权访问问题,研究了一种基于状态机的移动应用越权访问漏洞检测方法。该文为不同角色的用户分别建立各自的有限状态机,并合成出移动应用的完整状态机。在此基础上,通过对完整状态机中的每个请求进行动态重构和执行结果分析实现越权访问漏洞的高效完备测试。选择企业内部移动应用进行实验,结果表明该方法能发现了隐藏的越权访问漏洞。检测方法能被用于准确地识别出越权访问漏洞。
In order to solve the problem of unauthorized access vulnerability in mobile applications due to the lack of permission verification in the background, this paper proposes a method of mobile applications unauthorized access vulnerability detection based on finite state machines. By constructing the finite state machines of different users, the complete state machine of mobile application is synthesized. Each request in the complete state machine is dynamically reconstructed and the execution result is analyzed to realize the efficient and complete test of the unauthorized access vulnerabilities. Internal mobile applications are selected to do experiments. The experimental results show that the proposed method finds all hidden unauthorized access vulnerabilities.Unauthorized access vulnerabilities can be accurately detected through the proposed unauthorized access vulnerability detection method.
出处
《南京理工大学学报》
EI
CAS
CSCD
北大核心
2017年第4期434-441,共8页
Journal of Nanjing University of Science and Technology
基金
国网江苏省电力公司科技项目资助(J2016022)
关键词
移动应用
状态机
越权访问
漏洞检测
动态重构
mobile applications
finite state machines
unauthorized access
vulnerability detection
dynamic reconstruction
