LibPass:基于包结构和签名的第三方库检测方法

LibPass:Third-party Library Detection Method Based on Package Structure and Signature

第三方库检测是Android应用安全分析领域的上游任务,其检测精度对于恶意应用检测、重打包检测、隐私泄露等下游任务有显著影响.为了提升检测精度和效率,采用相似性比较的思想,提出一种基于包结构和签名的第三方库检测方法,命名为LibPass.LibPass以流水线式模式组合主模块识别、第三方库候选识别和细粒度检测等3个组件.主模块识别方法区分主程序二进制代码与引入的第三方库二进制代码,旨在提升方法检测效率.在此基础上,提出由第三方库候选识别和细粒度检测构成的两阶段检测方法.前者利用包结构特征的稳定性来应对应用程序的混淆行为以提升混淆情形下的检测精度,并利用包结构签名完成快速比对以识别候选第三方库,达到显著降低成对比较次数、提升检测效率的目的;后者在前者涮选出的候选中,通过更细粒度但代价更高的相似性分析精确地识别第三方库及其对应的版本.为了验证方法的性能和效率,构建3个评估不同检测能力的基准数据集,在这些基准数据集上开展实验验证,从检测性能、检测效率和抗混淆性等方面对实验结果进行深入分析,结果表明LibPass具备较高的检测精度,检测效率,以及应对多种常用混淆操作的能力.

Third-party library(TPL)detection is an upstream task in the domain of Android application security analysis,and its detection accuracy has a significant impact on its downstream tasks including malware detection,repackaged application detection,and privacy leakage detection.To improve detection accuracy and efficiency,this study proposes a package structure and signature-based TPL detection method,named LibPass,by leveraging the idea of pairwise comparison.LibPass combines primary module identification,TPL candidate identification,and fine-grained detection in a streamlined way.The primary module identification aims at improving detection efficiency by distinguishing the binary code of the main program from that of the introduced TPL.On this basis,a two-stage detection method consisting of TPL candidate identification and fine-grained detection is proposed.The TPL candidate identification leverages the stability of package structure features to deal with obfuscation of applications to improve detection accuracy and identifies candidate TPLs by rapidly comparing package structure signatures to reduce the number of pairwise comparisons,so as to improve the detection efficiency.The fine-grained detection accurately identifies the TPL of a specific version by a finer-grained but more costly pairwise comparison among candidate TPLs.In order to validate the performance and the efficiency of the detection method,three benchmark datasets are built to evaluate different detection capabilities,and experiments are conducted on these datasets.The experimental results are deeply analyzed in terms of detection performance,detection efficiency,and obfuscation resistance,and it is found that LibPass has high detection accuracy and efficiency and can deal with various common obfuscation operations.