CN114547604A - Application detection method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN114547604A
Authority
CN
China
Prior art keywords
file
taint
target
class
target application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111574727.7A
Other languages
Chinese (zh)
Inventor
潘雨晨
郭宇
张玉驰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Douku Software Technology Co Ltd
Original Assignee
Hangzhou Douku Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Douku Software Technology Co Ltd filed Critical Hangzhou Douku Software Technology Co Ltd
Priority to CN202111574727.7A priority Critical patent/CN114547604A/en
Publication of CN114547604A publication Critical patent/CN114547604A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/40Transformation of program code
    • G06F8/53Decompilation; Disassembly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • G06F8/658Incremental updates; Differential updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiments of the application disclose an application detection method, an application detection device, a storage medium and electronic equipment. The method comprises: obtaining a target application package and an application reference package for an application; performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package; and performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package. The embodiments of the application can improve application detection efficiency.

Description

Application detection method and device, storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to an application detection method and apparatus, a storage medium, and an electronic device.
Background
With the rapid development of network technology, users face more and more security threats when using applications, and the disclosure of private data by applications is receiving more and more attention. The application installation package of an application should at least meet security compliance requirements in the development stage; for this reason, the application installation package is usually subjected to application detection to reduce security risks.
Disclosure of Invention
The embodiment of the application provides an application detection method, an application detection device, a storage medium and electronic equipment, and the technical scheme is as follows:
in a first aspect, an embodiment of the present application provides an application detection method, where the method includes:
acquiring a target application package and an application reference package aiming at an application;
performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set aiming at the target application package;
and performing static taint detection on the target application package based on the difference class set to obtain a taint path set aiming at the target application package.
In a second aspect, an embodiment of the present application provides an application detection apparatus, where the apparatus includes:
the acquisition module is used for acquiring a target application package and an application reference package of the application;
the processing module is used for performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set aiming at the target application package;
and the detection module is used for performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
In a third aspect, embodiments of the present application provide a computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
In a fourth aspect, an embodiment of the present application provides an electronic device, which may include: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The beneficial effects brought by the technical scheme provided by some embodiments of the application at least comprise:
in one or more embodiments of the present application, an electronic device obtains a target application package and an application reference package for an application, then performs decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package, and then performs static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are obviously only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an application detection method provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of an application detection method provided in an embodiment of the present application;
Fig. 3 is a schematic view of a scene of file matching related to an application detection method provided in an embodiment of the present application;
Fig. 4 is a schematic view of a scene of file matching related to an application detection method provided in an embodiment of the present application;
Fig. 5 is a schematic flowchart of an application detection method according to an embodiment of the present application;
Fig. 6 is a schematic view of a scene determined by a detection entry function set according to an application detection method provided in an embodiment of the present application;
Fig. 7 is a schematic diagram illustrating an architecture of an application detection system according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an application detection apparatus according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of a processing module according to an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of an electronic device provided in an embodiment of the present application;
Fig. 11 is a schematic structural diagram of an operating system and a user space provided in an embodiment of the present application;
Fig. 12 is an architectural diagram of the Android operating system of Fig. 11;
Fig. 13 is an architectural diagram of the iOS operating system of Fig. 11.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description of the present application, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In the description of the present application, it is noted that, unless explicitly stated or limited otherwise, "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art. Further, in the description of the present application, "a plurality" means two or more unless otherwise specified. "And/or" describes the association relationship of the associated objects and means that three relationships are possible; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The present application will be described in detail with reference to specific examples.
In one embodiment, as shown in Fig. 1, an application detection method is proposed, which can be implemented by a computer program that runs on an application detection device based on the von Neumann architecture. The computer program may be integrated into the application or may run as a separate tool-like application. The application detection device may be an electronic device, including but not limited to: personal computers, tablet computers, handheld devices, in-vehicle devices, servers, computing devices or other processing devices connected to a wireless modem, and the like. Terminal devices may be called by different names in different networks, for example: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user equipment, cellular telephone, cordless telephone, equipment in a 5G network or future evolution network, and the like.
Specifically, the application detection method comprises the following steps:
S101: acquiring a target application package and an application reference package for the application.
The application can be understood as an application carried by the operating system loaded on a terminal, and may be a third-party application, where a third-party application is an application developed by a third party and not shipped with the terminal's operating system, including applications, applets, plug-ins and the like developed by the third party. In some embodiments, application installation or application updates may be performed based on the application installation package (apk) corresponding to the application. In the present application, the target application package and the application reference package may be understood as application installation packages for different application versions of the same application.
The application installation package (apk) version of the target application package differs from that of the application reference package, and the apk version of the target application package is generally greater than the apk version of the application reference package.
In one or more embodiments, the target application package may be the application installation package of the version of the application that is currently to be updated; the application reference package can be understood as a historical application installation package from a previous release of the application. The application reference package can be specifically set based on an actual application scene, and the apk version of the target application package is greater than or earlier than the apk version of the application reference package.
It can be understood that, in scenarios such as application update and application installation, applications face a growing number of security threats and the disclosure of private data involved in application design is receiving more attention, so the development of the target application package of an application should at least meet security compliance requirements. In the actual application stage, application detection is usually performed on the application installation package, and static taint propagation detection is often part of that detection. Static taint propagation detection (static taint detection for short) means detecting, without running the application installation package and without modifying its code, whether data can propagate from a taint source to a taint sink (taint aggregation point) by analyzing the data dependency relationships among the variables of the application program. After static taint detection, the taint path result of the target application package corresponding to the application is obtained.
In some embodiments, after the application development end completes development of the target application package of the application version of the application, the application development end may upload the target application package to the electronic device (e.g., a service platform), and at this time, the electronic device may obtain the target application package of the application; in addition, the electronic device may store a historical application installation package for a historical version of the application, from which the electronic device may obtain an application reference package that is the same application as the target application package.
S102: performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package.
It can be understood that the decompiling comparison processing means decompiling the application installation packages (e.g., the target application package and the application reference package) to obtain the corresponding decompiled files, and then comparing the decompiled file of the target application package with the decompiled file of the application reference package to determine the difference class set of the target application package relative to the application reference package.
It can be understood that the difference class set includes at least one class (which can also be understood as a method class and a function class) that characterizes the difference between the decompiled file of the target application package and the decompiled file of the application reference package. In some embodiments, the difference class set may be a pruned class set, i.e. the classes removed from the target application package relative to the decompiled file of the application reference package; the difference class set may also be an incremental class set, i.e. the classes added by the target application package relative to the decompiled file of the application reference package.
In some embodiments, the decompiled file obtained by decompiling an application installation package (e.g., the target application package or the application reference package) may be understood as follows: the data of the detection object (i.e., the application installation package) is reverse-compiled through reverse engineering to obtain the decompiled file. In some embodiments, reverse compiling the detection object means obtaining the corresponding uncompiled file from the compiled file of the detection object. Taking a common application as the detection object, the application installation package to be detected is reverse-compiled through reverse engineering to obtain the decompiled file. The decompiled file may be at least a smali code file, and in some embodiments the decompiled files may also include the xml resource files, the Android layout files, and the like.
It can be understood that, when reverse-compiling (i.e., decompiling) the target application package (the object to be detected) of the application that it has acquired, the electronic device can first unpack the target application package and then reverse-compile it. Taking an Android application package as an example, the application installation package is usually a file in the "APK file format", which can be understood as a compressed file in ZIP format. The electronic device may unpack the application installation package, where unpacking obtains classes.dex (compiled code file), resources.arsc (compiled resource file), and AndroidManifest.xml (compiled layout file) from the application installation package file, and then decompile these compiled files (the compiled code file, compiled resource file, and compiled layout file) with a reverse compilation tool from reverse engineering, so as to obtain the "uncompiled files" that existed before the "compiled files" were compiled, that is, the smali code files, the xml resource files, the AndroidManifest.xml layout file, and the like.
Optionally, the electronic device decompiles both the target application package and the application reference package to obtain the decompiled file corresponding to each, and determines the difference class set of the target application package relative to the application reference package by comparing the two decompiled files.
Optionally, the electronic device may use reverse engineering to decompile only the target application package and obtain its decompiled file. The decompiled file of the application reference package need not be produced again and may be obtained directly: before the application reference package was released, the electronic device performed application detection on it, that detection process may involve generating the decompiled file corresponding to the application reference package (for example, its smali file tree), and the electronic device may store that decompiled file. In a specific implementation, when performing the decompiling comparison processing on the target application package and the application reference package, the stored decompiled file of the application reference package can be acquired directly without reverse-compiling the application reference package again.
S103: performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
It can be understood that the electronic device obtains the difference class set for the target application package by performing decompiling comparison processing on the target application package and the application reference package, and the difference class set reflects, to a certain extent, the code differences between the two packages. To improve application detection efficiency, the present application does not perform application detection on all the code of the target application package when performing static taint detection; instead it determines the difference class set of the target application package relative to the application reference package. Because the electronic device has already completed static taint detection on the application reference package and obtained its taint path set, static taint detection of the target application package can be based on the difference class set; in some embodiments, static taint detection is performed on the difference code of the target application package indicated by the difference class set, which can greatly improve the efficiency of application detection for the target application package. Compared with related scenarios in which a taint analysis tool performs a comprehensive scanning analysis of the apk, this provides targeted static taint detection of the incremental code of the new version corresponding to the target application package, avoids redundant repetition of taint detection, enables rapid release of the target application package, and saves detection resources.
It can be understood that the electronic device determines, based on the difference class set, whether the target application package contains incremental code relative to the application reference package. If incremental code exists, the electronic device can call a taint detection tool for static taint detection to perform static taint detection on the incremental code indicated by the difference class set in the target application package: by examining the data dependency relationships between the application program variables indicated by the incremental code, it detects whether data can propagate from a taint source to a taint sink, and thereby determines the first taint path set produced by this run of the taint detection tool. The electronic device can then acquire the second taint path set corresponding to the application reference package and perform data fitting on the first taint path set and the second taint path set according to the difference class set to obtain the taint path set for the target application package.
It can be understood that, if there is no incremental code, the difference class set is usually a pruned class set. The electronic device can then determine the taint path set from the second taint path set corresponding to the application reference package combined with the pruned class set, without invoking the taint detection tool on the target application package. Specifically, the target taint paths indicated by the pruned class set are ignored in the second taint path set, and the resulting second taint path set, which no longer contains those target taint paths, is used as the taint path set for the target application package.
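The two cases described above (incremental code present, or only pruned classes) can be sketched as follows. This is an added example, not code from the patent: the function names, the `class#method` hop format of a taint path, and the stub standing in for the taint detection tool are all assumptions, and because the text does not say how reference paths that pass through modified classes are treated, they are retained here.

```python
def classes_on_path(path):
    """Classes touched by a taint path; each hop is 'class#method' (assumed format)."""
    return {hop.split("#", 1)[0] for hop in path}


def fit_taint_paths(second_set, incremental, pruned, run_taint_tool):
    """Build the target package's taint path set from the reference package's
    (second) set and, if incremental code exists, the tool's (first) set."""
    pruned = set(pruned)
    # Ignore reference paths indicated by a pruned class: that code no longer ships.
    kept = {p for p in second_set if not (classes_on_path(p) & pruned)}
    if not incremental:
        # No incremental code: the taint detection tool is not invoked at all.
        return kept
    # Incremental code: analyze only the classes in the incremental class set.
    first_set = set(run_taint_tool(sorted(incremental)))
    return kept | first_set


class StubTaintTool:
    """Hypothetical stand-in for a taint detection tool; counts invocations."""

    def __init__(self, findings):
        self.findings = list(findings)
        self.calls = 0

    def __call__(self, classes):
        self.calls += 1
        wanted = set(classes)
        return [p for p in self.findings if classes_on_path(p) & wanted]


# Constructed sample paths (source hop first, sink hop last).
LEGACY_PATH = ("com.example.app.Legacy#readDeviceId", "com.example.app.Legacy#writeLog")
MAIN_PATH = ("com.example.app.Main#readLocation", "com.example.app.Upload#send")
SHARE_PATH = ("com.example.app.Share#readContacts", "com.example.app.Upload#send")
SECOND_SET = {LEGACY_PATH, MAIN_PATH}


def demo_pruned_only():
    tool = StubTaintTool([])
    result = fit_taint_paths(SECOND_SET, [], ["com.example.app.Legacy"], tool)
    return result, tool.calls


def demo_incremental():
    tool = StubTaintTool([SHARE_PATH])
    result = fit_taint_paths(
        SECOND_SET, ["com.example.app.Share"], ["com.example.app.Legacy"], tool
    )
    return result, tool.calls


if __name__ == "__main__":
    print(demo_pruned_only())
    print(demo_incremental())
```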
In the embodiment of the application, the electronic device obtains a target application package and an application reference package for the application, then performs decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package, and then performs static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
Referring to Fig. 2, Fig. 2 is a schematic flow chart of another embodiment of an application detection method proposed in the present application. Specifically, the method comprises the following steps:
S201: acquiring a target application package and an application reference package for the application.
See S101 for details, which are not described herein.
S202: determining a first decompilated file corresponding to the application reference package, and determining a second decompilated file corresponding to the target application package;
The first decompiled file can be understood as the decompiled file obtained when the electronic device reverse-compiles the application reference package to be detected of the application through reverse engineering. The first decompiled file may be at least a smali code file corresponding to the application reference package. In some embodiments, the first decompiled file may be a smali file tree, which refers to the set of smali files in the smali directory generated after decompiling the application reference package apk; each smali file is named "package name + class name" and ends with ".smali".
The second decompiled file can be understood as the decompiled file obtained when the electronic device reverse-compiles the target application package to be detected of the application through reverse engineering. The second decompiled file may be at least a smali code file corresponding to the application reference package. In some embodiments, the second decompiled file may be a smali file tree, which may be understood as the set of smali files under the smali directory generated after decompiling the target application package apk; each smali file is named "package name + class name" and ends with ".smali".
Optionally, the first decompiled file and the second decompiled file may be obtained by using an apk decompilation tool from reverse engineering, such as apktool.
It can be appreciated that the installation package version of the application reference package precedes the installation package version of the target application package in the time dimension.
It can be understood that, after determining the first decompiled file and the second decompiled file, the electronic device compares the first decompiled file with the second decompiled file to obtain the difference class set for the target application package; for details, see the other method steps in the embodiments of the present application.
S203: and determining a first file which does not match with each reference file in the second decompiled file by taking at least one reference file contained in the first decompiled file as a reference, and determining a delta class set aiming at the target application package based on the first file.
In one or more embodiments, the first decompiled file may be a smail file tree corresponding to the reference application package, and the smail file tree may be understood as a set of files of the smail files in a smail directory generated after decompiling the reference application package apk, where the reference file may be understood as the smail file in the first decompiled file (e.g., a decompiled file tree). Further, taking an operating system as an Android system as an example, Smali can understand the disassembling language of the Android virtual machine, and a Smali file tree is a tree-shaped directory structure composed of Smali files and generally regarded as a file set composed of the Smali files.
In a specific implementation scenario, the electronic device performs file traversal on a second decompiled file with reference to at least one reference file included in the first decompiled file, so as to determine, in the second decompiled file, first files that do not match each reference file, and determine, based on a class corresponding to the first files, an incremental class set for the target application package. It can be understood that if the number of the first files is n (n is a natural number), the number of classes of the first file in the delta class set is n. The first file may be understood as a delta file, such as a delta-smili file, corresponding to the first decompiled file.
In short, by traversing the smali file tree corresponding to the target application file to be analyzed, for each smali file in the smali file tree, the class corresponding to the first smali file does not exist in the reference apk, so that the class of the first smali file belongs to the newly added class, and the file name of the first smali file is added to the increment set.
In one possible implementation, the incremental class set inclementallist is set, and is defined by the first decompiled file as the smali file tree T1 and the second decompiled file as the smali file tree T2, as follows:
the second decompiled file is a target file containing N (N is a positive integer) files in the smali file tree T2, and the electronic device takes at least one reference file contained in the first decompiled file, that is, the "smali file tree T1", as a reference, as follows:
1. Acquire "target file 1", traverse the first decompiled file, namely the smali file tree T1, and match the current "target file 1" against each reference file in T1. If "target file 1" matches none of the reference files, determine that "target file 1" is a first file, and add the class corresponding to "target file 1" to the incremental class set IncrementalList.
2. Acquire "target file 2", traverse the first decompiled file, namely the smali file tree T1, and match the current "target file 2" against each reference file in T1. If "target file 2" matches none of the reference files, determine that "target file 2" is a first file, and add the class corresponding to "target file 2" to the incremental class set IncrementalList.
....
i. As shown in fig. 3, which is a schematic view of a file matching scenario involved in the present application, the electronic device may acquire "target file i" (i is an integer greater than 0), traverse the first decompiled file, namely the smali file tree T1, and match the current "target file i" against each reference file in T1. If "target file i" matches none of the reference files, determine that "target file i" is a first file, and add the class corresponding to "target file i" to the incremental class set IncrementalList.
The above steps are repeated until i equals N and matching is finished, yielding the incremental class set IncrementalList.
It can be understood that the first smali file is named as "package name + class name" and ends with ".smali". The file name of the first smali file is therefore obtained, the suffix ".smali" is removed, and the resulting name (that is, the incremental class) is added to the incremental class set, which completes "adding the class corresponding to the first file to the incremental class set". Further, at least one incremental class in the incremental class set may be a function class newly added relative to the reference files contained in the first decompiled file (it is understood that such a function class does not exist in the first decompiled file); in some embodiments, at least one incremental class in the incremental class set may be a modified function class corresponding to a reference file contained in the first decompiled file (that is, a function class generated by modifying a reference file in the first decompiled file).
Optionally, the process of "determining the first file in the second decompiled file that does not match each of the reference files" may be implemented by detecting whether a reference file is consistent with at least one target file contained in the second decompiled file, that is, by comparing data between the reference file and the target files. If a certain reference file is inconsistent with all target files, that file is usually a newly added smali file and is taken as a first file, and the class corresponding to the first file usually belongs to a newly added function class.
Optionally, the process of "determining the first file in the second decompiled file that does not match each of the reference files" may be implemented by comparing file names, that is, "determining a first file name in the second decompiled file that does not match the reference file name of any reference file, and determining the incremental class set for the target application package based on the first file name". It may be understood that if the name of a certain target file in the second decompiled file matches none of the reference file names, that target file is taken as the first file, and the first file name is the name of that target file.
In one or more embodiments, after each first file is determined, the first file may be marked with an ignore flag in the second decompiled file. The ignore flag indicates that the flagged first file is skipped in the next round of file matching (the step of matching the current "target file i" against each reference file in the smali file tree T1). A first file that has already been determined does not need to be matched again, so skipping it avoids re-judging it in every round, saves matching computing resources, and improves application detection efficiency.
In some embodiments, the first file may instead be deleted from the second decompiled file after it is determined. When the next step of matching the current "reference file i" against each target file in the smali file tree T2 is performed, the first file then no longer needs to be matched, which avoids re-judging it in every round, saves matching computing resources, and improves application detection efficiency.
In one possible implementation, the electronic device may further, taking the reference file name of at least one reference file contained in the first decompiled file as a reference, determine a fourth file name in the second decompiled file that matches at least one reference file name. When the fourth file name matches the reference file name, the fourth file and the reference file may be the same, or the fourth file may have been obtained by code modification or code adjustment of the reference file. On this basis, whether the file data of the fourth file is consistent with the file data of the reference file can be further compared: a digest is calculated for the fourth file and for the reference file, and whether their file data are consistent is determined by comparing the two digest values.
It is understood that a digest algorithm may be used to calculate the digest value of a file (e.g., the fourth file or the reference file). The digest algorithm includes, but is not limited to, an MD (message digest) algorithm, an SHA (secure hash) algorithm, a MAC (message authentication code) algorithm, etc.; it may be chosen based on the practical application and is not limited herein.
For example, the MD5 algorithm of the MD (message digest) family may be used to calculate the digest values of the fourth file and the reference file. When the two digest values are consistent, the fourth file and the reference file are the same; when the two digest values differ, the fourth file was obtained by code modification or code adjustment of the reference file, and in this case the electronic device determines a modification class for the target application package based on the fourth file name and adds the modification class to the incremental class set. The modification class is determined in a way similar to the incremental class corresponding to the first file, to which reference may be made.
S204: Taking at least one target file contained in the second decompiled file as a reference, determine, in the first decompiled file, a second file that does not match any target file and a third file that matches at least one target file, and determine a pruned class set and an incremental class set for the target application package based on the second file and the third file.
In one or more embodiments, the second decompiled file may be a smali file tree corresponding to the reference application package. The smali file tree may be understood as the set of smali files in the smali directory generated by decompiling the reference application package apk, and a target file may be understood as a smali file in the second decompiled file (e.g., the decompiled file tree). Further, taking the Android system as an example of the operating system, smali can be understood as the disassembly language of the Android virtual machine, and a smali file tree is a tree-shaped directory structure composed of smali files, generally regarded as a file set composed of the smali files.
In a specific implementation scenario, the electronic device performs file traversal on the first decompiled file with reference to at least one target file included in the second decompiled file, to determine, in the first decompiled file, a second file that does not match each target file and a third file that matches at least one target file, and determines, based on the second file and the third file, a pruned class set and an incremental class set for the target application package.
In short, the second file and the third file are determined by traversing the smali file tree corresponding to the reference application file. Since the second file matches none of the target files in the second decompiled file, the function class corresponding to the second file has usually been deleted, and in a possible implementation the electronic device may add the second file name of the second file to the pruned class set for the target application package.
Optionally, the process of "determining a second file in the first decompiled file that does not match each of the target files" may be implemented by detecting whether the target files are consistent with each reference file contained in the first decompiled file, that is, by comparing data between each reference file and the target files. If a certain reference file is inconsistent with all target files, that reference file is usually a deleted smali file and is taken as the second file, and the class corresponding to the second file usually belongs to a deleted function class.
Optionally, the process of determining the second file may be implemented by comparing file names, that is, "determining a second file name in the first decompiled file that does not match the target file name of any of the target files", and then determining the pruned class set for the target application package based on the second file name.
Furthermore, the electronic device determines, in the first decompiled file, a third file that matches at least one of the target files. This may be done by comparing file names: when a reference file and a target file have the same name, the same-named file may be regarded as the third file, and the two smali files correspond to the same class. When the file names match, the same-named target file and reference file may contain the same file data, or the third file may have been obtained by code modification or code adjustment of the reference file. On this basis, whether the file data of the third file is consistent with the file data of the reference file can be further compared, for example by calculating the digest values of the third file and the reference file. When the two digest values are consistent, the third file and the reference file are the same; when the two digest values differ, the third file was obtained by code modification or code adjustment of the reference file, and in this case the electronic device determines a modification class for the target application package based on the third file name and adds the modification class to the incremental class set.
It is understood that the second smali file is named as "package name + class name" and ends with ".smali". The file name of the second smali file is therefore obtained, the suffix ".smali" is removed, and the resulting name is added to the pruned class set, which completes "adding the class corresponding to the second file to the pruned class set".
It is understood that the third smali file is named as "package name + class name" and ends with ".smali". The file name of the third smali file is therefore obtained, the suffix ".smali" is removed, and the resulting name (that is, the incremental class) is added to the incremental class set, which completes "adding the class corresponding to the third file to the incremental class set".
In one possible implementation, an incremental class set IncrementalList and a pruned class set ReducedList are set up.
The explanation takes the first decompiled file as the smali file tree T1 and the second decompiled file as the smali file tree T2, as follows:
The electronic device takes the N (N is a positive integer) target files contained in the second decompiled file, namely the smali file tree T2, as a reference:
1. Acquire "reference file 1", traverse the second decompiled file, namely the smali file tree T2, and match the current "reference file 1" against each target file in T2. On the one hand, if "reference file 1" matches none of the target files, determine that "reference file 1" is a second file and add its class to the pruned class set ReducedList; file matching can be done by comparing file names. On the other hand, if "reference file 1" matches at least one target file, determine that "reference file 1" is a third file; the file data of the third file is then compared with that of the target file having the same file name, and if the file data differ, the same-named target file was produced by code modification or code adjustment of the third file, and the class corresponding to the third file is added to the incremental class set IncrementalList.
2. Acquire "reference file 2", traverse the second decompiled file, namely the smali file tree T2, and match the current "reference file 2" against each target file in T2. On the one hand, if "reference file 2" matches none of the target files, determine that "reference file 2" is a second file and add its class to the pruned class set ReducedList; file matching can be done by comparing file names. On the other hand, if "reference file 2" matches at least one target file, determine that "reference file 2" is a third file; the file data of the third file is then compared with that of the target file having the same file name, and if the file data differ, the same-named target file was produced by code modification or code adjustment of the third file, and the class corresponding to the third file is added to the incremental class set IncrementalList.
....
i. As shown in fig. 4, which is a schematic view of another file matching scenario involved in the present application, the electronic device may acquire "reference file i", traverse the second decompiled file, namely the smali file tree T2, and match the current "reference file i" against each target file in T2. On the one hand, if "reference file i" matches none of the target files, determine that "reference file i" is a second file and add its class to the pruned class set ReducedList; file matching can be done by comparing file names. On the other hand, if "reference file i" matches at least one target file, determine that "reference file i" is a third file; the file data of the third file is then compared with that of the target file having the same file name, and if the file data differ, the same-named target file was produced by code modification or code adjustment of the third file, and the class corresponding to the third file is added to the incremental class set IncrementalList.
The above steps are repeated until i equals N, yielding the incremental class set IncrementalList and the pruned class set ReducedList.
It can be understood that, in this process, the reference smali file tree T1 is traversed and the file name N1 of each smali file is read. If no smali file with the same name as N1 exists in the smali file tree T2, a second file has been found whose file name is N1, and N1 with its ".smali" suffix removed is added to the pruned class set ReducedList. If a file name N2 in the smali file tree T2 is the same as N1, the MD5 value of the N1 file (denoted MD5_1) and the MD5 value of the N2 file (denoted MD5_2) are calculated. If MD5_1 and MD5_2 are the same, N2 is deleted from T2 or ignored, which saves computing resources during subsequent matching and improves detection efficiency. If MD5_1 and MD5_2 differ, N1 with its suffix removed is added to the incremental class set IncrementalList and N2 is deleted from T2, which likewise saves computing resources during subsequent matching and improves detection efficiency.
In a possible implementation, to further compare whether the file data of the third file is consistent with the file data of the reference file, the electronic device may perform the step of "obtaining a digest matching result of the third file and the reference file, and adding a third file name of the third file to the incremental class set based on the digest matching result".
The digest matching result may be understood as the result obtained by calculating the digest values of two files (such as the third file and the reference file) with a digest algorithm (such as the MD5 algorithm) and matching the two digest values. For example, the digest values of the two files may be compared for consistency, and the comparison result is taken as the digest matching result. The digest matching result is either of a digest matching type or of a digest mismatching type: the digest matching type means that the digest values of the two files (e.g. the third file and the reference file) match, for example that they are consistent; the digest mismatching type means that the digest values of the two files do not match, for example that they are not consistent.
It can be understood that, for example, the MD5 algorithm may be used to calculate the digest values of the third file and the reference file, and the two digest values are then matched. When the digest matching result indicates that the digest values are consistent, the result is of the digest matching type, and the third file is the same as the reference file. When the digest matching result indicates that the digest values differ, the result is of the digest mismatching type, and the third file was obtained by code modification or code adjustment of the reference file; in this case, the electronic device determines a modification class for the target application package based on the third file name and adds the modification class to the incremental class set.
Further, if the result type of the digest matching result is the digest mismatching type, the third file name of the third file (the third file name may represent the class corresponding to the third file) is added to the incremental class set.
In one or more embodiments, in the process of application development related to a target application file, if a file in an application installation package released in a historical version is modified, the function class corresponding to the file is the same before and after the modification. However, because the data encapsulated by the function class has in substance changed, the electronic device may add the class corresponding to the second file to the incremental class set as an incremental function class.
It is understood that "obtaining the digest matching result of the third file and the reference file" may involve the following process: the third file and the reference file are each processed by a digest algorithm to obtain two digest values, and the digest values are then compared to obtain the digest matching result. The digest algorithm may be the MD5 algorithm, an SHA algorithm, a MAC algorithm, etc.
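The two traversals described above (first files from T2, second and third files from T1, with a digest comparison for same-named files) can be carried out as a single set comparison over class names. The following is an added example, not code from the patent. It assumes apktool-style output, in which classes sit under `smali/`, `smali_classes2/` and so on, and derives the class name from the path below that root; the names `index_smali`, `diff_class_sets` and `ClassDiff` and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import NamedTuple


class ClassDiff(NamedTuple):
    added: set      # class present only in the target tree T2 (first files)
    modified: set   # same class name in T1 and T2, digests differ (third files)
    reduced: set    # class present only in the reference tree T1 (ReducedList)

    @property
    def incremental(self):
        """IncrementalList as the page defines it: new plus modified classes."""
        return self.added | self.modified


def index_smali(decompiled_dir, algo="sha256"):
    """Map class name -> content digest for every .smali file.

    Assumption: apktool-style layout with one root per dex file (smali,
    smali_classes2, ...). Keying on the path below the root means a class
    that merely moved to another dex file is not reported as removed+added.
    """
    index = {}
    for root in sorted(Path(decompiled_dir).glob("smali*")):
        if not root.is_dir():
            continue
        for f in root.rglob("*.smali"):
            rel = f.relative_to(root).with_suffix("")   # strip ".smali"
            cls = ".".join(rel.parts)                   # com/example/A -> com.example.A
            index[cls] = hashlib.new(algo, f.read_bytes()).hexdigest()
    return index


def diff_class_sets(reference_dir, target_dir, algo="sha256"):
    """Compare reference tree T1 with target tree T2.

    The page's example uses MD5; SHA is among the algorithms it lists and is
    the default here because the package author is not a trusted party.
    """
    t1 = index_smali(reference_dir, algo)
    t2 = index_smali(target_dir, algo)
    added = set(t2) - set(t1)
    reduced = set(t1) - set(t2)
    modified = {c for c in set(t1) & set(t2) if t1[c] != t2[c]}
    return ClassDiff(added, modified, reduced)


def _write(root, rel, body):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)


def demo():
    """Build two small constructed trees on disk and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, tgt = Path(tmp) / "ref", Path(tmp) / "tgt"
        stub = ".class public Lcom/example/{0};\n.super Ljava/lang/Object;\n"
        # Reference package (T1): three classes in the first dex.
        _write(ref, "smali/com/example/Login.smali", stub.format("Login"))
        _write(ref, "smali/com/example/Util.smali", stub.format("Util"))
        _write(ref, "smali/com/example/Legacy.smali", stub.format("Legacy"))
        # Target package (T2): Login edited, Util moved to the second dex
        # unchanged, Legacy dropped, Upload newly added.
        _write(tgt, "smali/com/example/Login.smali",
               stub.format("Login") + ".method public check()Z\n.end method\n")
        _write(tgt, "smali_classes2/com/example/Util.smali", stub.format("Util"))
        _write(tgt, "smali/com/example/Upload.smali", stub.format("Upload"))
        return diff_class_sets(ref, tgt)


if __name__ == "__main__":
    result = demo()
    print("IncrementalList:", sorted(result.incremental))
    print("ReducedList:", sorted(result.reduced))
```

Deleting or flagging matched files in T2, as the text describes, is unnecessary here because each tree is indexed once and the comparison is done on dictionaries.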
S205: Perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
It will be appreciated that the difference class set can be an incremental class set and/or a pruned class set.
For details, reference may be made to method steps related to other embodiments related to the present application, which are not described herein again.
In the embodiment of the application, the electronic device acquires a target application package and an application reference package for an application, and performs decompiling comparison processing on the two to obtain a difference set for the target application package. Static taint detection can then be performed on the target application package based on the difference set to obtain a taint path set for the target application package. Because the difference set is determined against the application reference package, full detection and analysis of the target application package is avoided: the electronic device only needs to perform static taint detection on the difference code that the difference set indicates in the target application package, which reduces the amount of detection processing, avoids redundant repetition, and greatly improves application detection efficiency. In addition, an incremental set and a pruned set are determined based on the decompiled files, and the incremental code components for static taint analysis are screened out based on them, which improves the intelligence of application detection.
Referring to fig. 5, fig. 5 is a schematic flowchart of another embodiment of an application detection method provided in the present application. Specifically, the method comprises the following steps:
S301: Acquire a target application package and an application reference package for an application.
Reference may be made to the method steps of other embodiments of the present application, which are not described herein again.
S302: Perform decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package.
S303: Determine the set class corresponding to the difference class set.
In accordance with one or more embodiments, the set class can be a pruned class, an incremental class, or both a pruned class and an incremental class, depending on the actual application.
As can be appreciated, the electronic device can perform static taint detection on the target application package based on the set class, resulting in a taint path set for the target application package.
S304: If the set class is an incremental class, call a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and take the first taint path set as the taint path set for the target application package.
It can be understood that the electronic device obtains a difference class set for the target application package by performing decompiling comparison processing on the target application package and the application reference package, and that the difference class set reflects, to a certain extent, the code differences between the two packages. To improve application detection efficiency, the application does not detect all of the code of the target application package when performing static taint detection; instead it determines the difference class set of the target application package relative to the reference application package. Since the electronic device has previously completed static taint detection on the reference application package and obtained its taint path set, the target application package can be statically detected based on the difference class set alone. In some embodiments, static taint detection can be performed on the difference code that the difference class set indicates in the target application package, which greatly improves the efficiency of application detection for the target application package.
As can be understood, the incremental class set helps the electronic device determine the incremental code of the target application package relative to the application reference package and then perform taint detection on that incremental code, which reduces the amount of computation compared with performing taint detection on the whole target application package and improves detection efficiency.
In one possible implementation:
1. The electronic device can determine a detection entry function set for the target application package based on the incremental class set.
1.1. Acquire an inter-process call graph of the target application package, and determine an initial entry function set based on the inter-process call graph.
It can be understood that the electronic device can invoke a taint detection tool, for example the control flow graph generation method of the open-source code analysis framework Soot, which parses the binary code of the target application package into intermediate code and generates a CFG. It then calls the inter-process call graph generation method of the taint detection tool, for example the method for generating a bidirectional ICFG in the FlowDroid framework, to analyze the function call relations of the target application package and generate an inter-process call graph ICFG, and records the system component life cycle functions and callback functions in the ICFG into a set E, which is the initial entry function set.
In a specific implementation scenario, before generating the inter-process call graph (i.e. before the analysis proper starts), the electronic device sets a taint source function (source) and a sink function (sink). In the specific implementation, a function exposed to the outside is usually set as a source function, and a function that executes key logic inside the program is set as a sink function. If the analysis finds a reachable path from the source function to the sink function, a potential security vulnerability exists, and a taint path is obtained.
It can be understood that, when the target application package is analyzed, the analyzed object is located through the absolute path indicated by the target application package, and the bytecode program is reverse-parsed by the Java open-source analysis framework Soot. That is, Soot is used to generate an intermediate-language representation with concise grammar, so that the bytecode variables of all source programs of the target application package correspond to new data structures expressed in the intermediate language, which fully expresses the control flow information and data transfer information of the program.
Furthermore, the electronic device calls the taint detection tool to parse the binary code of the target application package into intermediate code, and the intermediate-language representation of that code is converted into an intra-function control flow graph (CFG). In the conversion, each statement indicated by the binary code of the target application package corresponds to a control flow graph node Bi, and the predecessor node Bp and the successor node Bs of each statement are stored with it according to the execution order. A call graph CG is then generated: the execution of most applications (such as the application corresponding to the target application package) involves function calls, and when a call relationship exists between functions the electronic device can model it. The electronic device usually analyzes the function call statements in the code, maps the calling function to the called function, and stores the mapping in the call statement node using a HashMap data structure, thereby generating the corresponding call graph CG.
Further, the electronic device may combine the call graph CG and the intra-function control flow graph CFG to generate a new graph class, called the inter-process control flow graph ICFG, which describes the whole analyzed program. The system component life cycle functions and callback functions in the ICFG are then recorded and added to a reference set (for example, an empty set E is set up and the functions are added to it). After this process is completed, the resulting reference set is the initial entry function set.
In some application scenarios, the initial entry function set serves as the overall entry point of the inter-process control flow graph ICFG, in which case the subsequent static taint detection is equivalent to performing static taint analysis on all of the code of the target application package. The detection entry function set obtained here, by contrast, instructs the electronic device to call the taint detection tool to perform taint detection only on the incremental code.
1.2. The electronic device performs function node traversal on the inter-process call graph based on the increment class set and the initial entry function set to determine at least one target node function;
In a specific implementation, taking at least one initial entry function indicated by the initial entry function set as a reference, the electronic device performs node class matching, based on the increment class set, on each next function node corresponding to each initial function node in the inter-process control flow graph, to obtain a target node function corresponding to at least one target function node;
The initial function node is the head node corresponding to the initial entry function in the inter-process control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the increment class set.
It can be understood that, assuming the initial entry function set is the set E, the electronic device traverses the inter-process call graph ICFG starting from each initial entry function Entry in the set E in turn. For each next node function (e.g. a NextMethod function) read after the initial entry function Entry, it determines whether the class of that next node function is in the increment class set. If so, the next node function is added to the incremental function set as a target node function (for example, an incremental function set IncreEntrance is predefined, and when the class of the next node function belongs to the increment class set, the next node function is added to IncreEntrance as a target node function). After the traversal of the whole inter-process call graph ICFG is completed, a detection entry function set comprising at least one target node function is obtained.
As shown in fig. 6, which is a schematic view of a scenario for determining the detection entry function set according to the present application, assume that the initial entry function set is the set E. The electronic device traverses the (initial) entry functions Entry in the set E in turn. Before each traversal, it determines whether every (initial) entry function Entry in the set E has already been traversed (the step corresponding to "traversal has been completed" in fig. 6). If not, it traverses the inter-process call graph ICFG from the current (initial) entry function Entry and, for each next node function (e.g. a NextMethod function) read after that entry function, determines whether the class of the next node function is in the increment class set (i.e. whether the class of the NextMethod function exists in the increment class set, as shown in fig. 6). If so, the next node function is added to the incremental function set as a target node function (for example, an incremental function set IncreEntrance is predefined, and when the class of the next node function belongs to the increment class set, the next node function is added to IncreEntrance as a target node function, as shown in fig. 6).
As can be appreciated, it is possible to,
1.3 the electronic device generates a set of detection entry functions including the at least one target node function.
In some embodiments, after obtaining the set of detection entry functions, the electronic device completes a control flow analysis process using a taint detection tool.
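The traversal of steps 1.1 to 1.3 can be sketched as follows. This is an added example, not code from the application or from any taint detection tool; the call graph, the function names and the contents of the set E are constructed, and the ICFG is reduced to its call edges.

```python
from collections import deque

# Constructed call edges of a small ICFG: caller -> callees, named "package.Class.method".
ICFG = {
    "com.app.MainActivity.onCreate": ["com.app.MainActivity.initUi",
                                      "com.app.net.Uploader.start"],
    "com.app.MainActivity.initUi": ["com.app.ui.Banner.show"],
    "com.app.net.Uploader.start": ["com.app.net.Uploader.retry",
                                   "com.app.util.Device.id"],
    "com.app.net.Uploader.retry": ["com.app.net.Uploader.start"],  # recursion cycle
    "com.app.PushReceiver.onReceive": ["com.app.util.Device.id",
                                       "com.app.ui.Banner.show"],
    "com.app.util.Device.id": [],
    "com.app.ui.Banner.show": [],
}

# Constructed initial entry function set E (life cycle and callback functions).
E = ["com.app.MainActivity.onCreate", "com.app.PushReceiver.onReceive"]


def class_of(function):
    """'com.app.net.Uploader.start' -> 'com.app.net.Uploader'."""
    return function.rsplit(".", 1)[0]


def detection_entries(icfg, initial_entries, increment_classes):
    """Return IncreEntrance: next node functions whose class is in the increment class set."""
    incre_entrance = []               # ordered result without duplicates
    already_added = set()
    for entry in initial_entries:     # one traversal per Entry in E
        visited = {entry}             # guards against call cycles
        queue = deque([entry])
        while queue:
            current = queue.popleft()
            for next_method in icfg.get(current, ()):
                # Only successor nodes are class-matched, as in the description above.
                if (class_of(next_method) in increment_classes
                        and next_method not in already_added):
                    already_added.add(next_method)
                    incre_entrance.append(next_method)
                if next_method not in visited:
                    visited.add(next_method)
                    queue.append(next_method)
    return incre_entrance


if __name__ == "__main__":
    changed = {"com.app.net.Uploader", "com.app.util.Device"}
    for fn in detection_entries(ICFG, E, changed):
        print(fn)
```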
2. The electronic device calls a taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain a first taint path set.
As can be appreciated, the electronic device can invoke the taint analysis method of a taint detection tool, such as the FlowDroid framework, to perform data flow analysis and thereby carry out static taint detection.
As can be understood, the electronic device may obtain the inter-process call graph ICFG corresponding to the target application package, and then perform static taint detection on the inter-process call graph based on the set of detection entry functions, to obtain a first taint path set for the target application package.
It is understood that the electronic device traverses all the detection entry functions in the detection entry function set (such as the set IncreEntrance), extracts the next node in the ICFG for each detection entry function NewEntry, and determines whether the node is a taint source function (source). If so, the taint analysis algorithm in the taint detection tool is called: sensitive data in the system is marked, the propagation path of the marked data through the program is tracked, and security problems of the system, such as those concerning confidentiality and integrity, are detected; specifically, the function variable of the node is set as a taint variable and taint analysis is performed. If a node is a taint sink function (sink) and the taint variable is used there, the propagation path of the taint variable is a complete taint path, and this taint path is added to the taint path set. By analogy, once the inter-process control flow graph ICFG has been traversed, the data flow analysis is finished, static taint detection is complete, and the first taint path set is obtained.
As can be appreciated, the first taint path set is the taint path set generated by the taint detection analysis that the electronic device currently performs by invoking the taint detection tool. It reports the taint paths in the incremental code components, obtained by running taint detection analysis specifically on the incremental code components of the target application package from the detection entry functions generated from the increment class set. It is to be appreciated that, in one or more embodiments, the object on which the taint detection tool is actually invoked is not the entire target application package but the incremental code components within it, and the first taint path set is generated from these.
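The source-to-sink tracking described above can be illustrated with a deliberately small stand-in for the taint detection tool. This is an added example, not code from the application or from FlowDroid; the program model, the source and sink lists and the rule that an unknown library call passes taint from its arguments to its result are assumptions.

```python
from collections import namedtuple

# One statement: dst = callee(*args); dst is None when the result is unused.
Stmt = namedtuple("Stmt", "dst callee args")

# Constructed source and sink lists for this example.
SOURCES = {"TelephonyManager.getDeviceId"}
SINKS = {"SmsManager.sendTextMessage", "Log.d"}

# Constructed program: function -> (parameter names, body, returned variable).
PROGRAM = {
    "com.app.Sync.upload": ((), [
        Stmt("dev", "TelephonyManager.getDeviceId", ()),
        Stmt("msg", "com.app.Fmt.wrap", ("dev",)),
        Stmt(None, "SmsManager.sendTextMessage", ("msg",)),
    ], None),
    "com.app.Fmt.wrap": (("s",), [
        Stmt("out", "String.concat", ("s",)),
        Stmt(None, "Log.d", ("out",)),
    ], "out"),
    "com.app.Sync.ping": ((), [
        Stmt("now", "System.currentTimeMillis", ()),
        Stmt(None, "SmsManager.sendTextMessage", ("now",)),
    ], None),
}


def _analyze(fn, taint, stack, paths):
    """Walk fn's statements in order; taint maps a variable to its trace so far."""
    _params, body, returned = PROGRAM[fn]
    for st in body:
        incoming = [taint[a] for a in st.args if a in taint]
        if st.callee in SOURCES:
            result = (st.callee, fn)                 # result becomes a taint variable
        elif st.callee in SINKS:
            # A taint variable reaches a sink: the trace is a complete taint path.
            paths.update(trace + (st.callee,) for trace in incoming)
            result = None
        elif st.callee in PROGRAM and st.callee not in stack:
            callee_params = PROGRAM[st.callee][0]
            passed = {p: taint[a] + (st.callee,)
                      for p, a in zip(callee_params, st.args) if a in taint}
            result = _analyze(st.callee, passed, stack | {st.callee}, paths)
            if result is not None:
                result += (fn,)                      # taint flows back to the caller
        else:
            # Library call or recursive call: assume the result carries the
            # taint of its arguments (assumption of this example).
            result = incoming[0] if incoming else None
        if st.dst is not None:
            if result is None:
                taint.pop(st.dst, None)              # overwritten by a clean value
            else:
                taint[st.dst] = result
    return taint.get(returned)


def find_taint_paths(detection_entries):
    """Return the set of complete taint paths found from the given entry functions."""
    paths = set()
    for entry in detection_entries:
        _analyze(entry, {}, frozenset({entry}), paths)
    return paths


if __name__ == "__main__":
    for path in sorted(find_taint_paths(["com.app.Sync.upload", "com.app.Sync.ping"])):
        print(" -> ".join(path))
```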
S305: if the set class is a deletion class, acquiring a second taint path set corresponding to the application reference package, and determining the taint path set for the target application package based on the second taint path set and the pruned class set;
It can be understood that, if the classes in the difference class set all belong to the pruned class, the difference class set is a pruned class set; in that case the target application package generally contains no incremental code components relative to the application reference package. The application reference package, being an earlier installation package version, completed taint detection before the target application package: the electronic device performed static taint detection on the application reference package before it was released and generated the second taint path set, which can be understood as the taint path set of the application reference package after static taint detection. The electronic device can therefore obtain the taint path set for the target application package from the second taint path set of the application reference package combined with the pruned class set, without calling the taint detection tool again on the target application package.
In a specific implementation scenario, the electronic device may determine, based on the second taint path set and the pruned class set, the taint path set for the target application package from the second taint path set;
It can be understood that the pruned class set includes at least one pruned class. After obtaining the second taint path set corresponding to the application reference package, the electronic device can traverse each taint path in it. A taint path can generally be mapped to classes through the taint variables and the taint functions corresponding to its nodes, so the electronic device can determine the taint function class corresponding to each taint path, for example from the names of the taint functions or taint variables recorded in the taint path. The electronic device only needs to match each pruned class against the taint function class corresponding to each taint path; when the two match, for example when they are identical, the taint path indicated by the taint function class that matches the pruned class is determined to be a reference taint path. By analogy, once all pruned classes in the pruned class set have been matched, at least one reference taint path has been determined from the second taint path set; this is the step of determining at least one reference taint path from the second taint path set based on the pruned class set. These reference taint paths generally do not exist in the target application package, so the electronic device only needs to delete the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.
S306: if the set class is an increment class and a deletion class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the pruned class set.
It can be understood that, if the set class is an increment class and a deletion class, the difference class set includes both an increment class set and a pruned class set. The increment class set helps the electronic device determine the incremental code of the target application package relative to the application reference package and then perform taint detection on that incremental code only, which reduces the computation required compared with performing taint detection on the entire target application package and improves detection efficiency. The electronic device may fit the first taint path set and the second taint path set together and remove from the second taint path set the taint paths related to the pruned class set, thereby obtaining the taint path set for the target application package. This improves detection efficiency and saves taint detection work.
In a specific implementation scenario, the electronic device may perform the step of "determining at least one reference taint path from the second taint path set based on the pruned class set" (see S305), and then obtain at least one target taint path from the second taint path set, where a target taint path is a taint path in the second taint path set other than the reference taint paths. The electronic device then adds the at least one target taint path to the first taint path set to obtain the taint path set for the target application package. For how the first taint path set is obtained, refer to the other method steps, which are not described here again.
In the embodiment of the application, the electronic device acquires a target application package and an application reference package of an application, performs decompiling comparison processing on the two to obtain a difference class set for the target application package, and performs static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package. Because the difference class set is determined relative to the application reference package, full detection and analysis of the target application package can be avoided: the electronic device performs static taint detection only on the difference code indicated by the difference class set, which reduces the amount of processing needed for application detection, avoids redundant repetition, and greatly improves application detection efficiency. The increment class set and the pruned class set can be determined from the decompiled files, and the incremental code components for static taint analysis are screened out based on them, which makes application detection more intelligent. Taint detection can also be carried out in different ways depending on the type of the difference class set, which improves the reuse of the taint analysis results generated historically for the application reference package and optimizes the static taint detection process.
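The three cases of S304 to S306 can be put side by side as follows. This is an added example, not code from the application; the taint paths are constructed, a path is modelled as a tuple of "package.Class.method" nodes, a path counts as a reference taint path when any of its nodes belongs to a pruned class, and the taint detection tool is replaced by a stub that counts how often it is invoked.

```python
def class_of(node):
    """'com.app.old.Tracker.collect' -> 'com.app.old.Tracker'."""
    return node.rsplit(".", 1)[0]


def reference_taint_paths(second_paths, pruned_classes):
    """Paths of the application reference package that run through a pruned class."""
    return {path for path in second_paths
            if any(class_of(node) in pruned_classes for node in path)}


def taint_path_set(increment_classes, pruned_classes, second_paths, run_taint_tool):
    """Return the taint path set for the target application package."""
    if not increment_classes and not pruned_classes:
        raise ValueError("empty difference class set: not one of the cases S304 to S306")
    # The tool runs only when there is incremental code to analyze.
    first_paths = set(run_taint_tool(increment_classes)) if increment_classes else set()
    if not pruned_classes:
        return first_paths                                   # S304: increment class only
    target_paths = set(second_paths) - reference_taint_paths(second_paths, pruned_classes)
    # S305 when first_paths is empty (deletion class only), S306 otherwise.
    return first_paths | target_paths


class StubTaintTool:
    """Stand-in for the taint detection tool; returns fixed paths and counts calls."""

    def __init__(self, paths):
        self.paths = paths
        self.calls = 0

    def __call__(self, increment_classes):
        self.calls += 1
        return self.paths


# Constructed second taint path set (result stored for the application reference package).
SECOND_PATHS = {
    ("com.app.Sync.upload", "com.app.Fmt.wrap", "com.app.net.Sms.send"),
    ("com.app.old.Tracker.collect", "com.app.net.Sms.send"),
    ("com.app.Profile.load", "com.app.old.Tracker.log"),
}
# Constructed first taint path set (what the tool reports for the incremental code).
FIRST_PATHS = {("com.app.pay.Wallet.read", "com.app.net.Http.post")}

if __name__ == "__main__":
    tool = StubTaintTool(FIRST_PATHS)
    merged = taint_path_set({"com.app.pay.Wallet"}, {"com.app.old.Tracker"},
                            SECOND_PATHS, tool)
    for path in sorted(merged):
        print(" -> ".join(path))
    print("tool invocations:", tool.calls)
```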
Fig. 7 is a schematic diagram of an architecture of an application detection system according to an embodiment of the present application. As shown in fig. 4, the application detection system 100 includes an electronic device 20 and a target device cluster, where the target device cluster may include a plurality of target devices, as shown in fig. 7, specifically including a target device 1, a target device 2, …, and a target device n, where n is an integer greater than 0; the present embodiment is described by taking the electronic device 20 and the target device 1 in fig. 7 as an example.
The electronic device 20 has an application detection function. If the electronic device 20 is a server, it may be a stand-alone server device, for example a rack, blade, tower or cabinet server, or hardware with stronger computing power such as a workstation or a mainframe computer; it may also be a server cluster formed by a plurality of servers. The servers in the server cluster may be arranged symmetrically, so that each server is functionally equivalent and holds an equivalent position in the service link, and each server can provide services externally on its own, that is, without the assistance of other servers.
Each target device in the target device cluster may be a device having a communication function, and the target device may be a device for developing an application installation package such as a target application package, an application reference package, and the like, and the target device includes but is not limited to: handheld devices, personal computers, tablet computers, in-vehicle devices, smart phones, computing devices or other processing devices connected to a wireless modem, and the like.
The target device 1 communicates with the electronic device 20 through a network, which may be a wireless network including but not limited to a cellular network, a wireless local area network, an infrared network, or a bluetooth network, or a wired network including but not limited to an ethernet, a Universal Serial Bus (USB), or a controller area network.
The target device 1 may upload the target application package of the application to be detected based on at least a communication network with the electronic device. As can be understood, the electronic device 20 may obtain a target application package for the application, and the electronic device may obtain an application reference package for the application;
the electronic device 20 performs decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package;
the electronic device 20 performs static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
In addition, the embodiment of the file extracting and measuring system provided in the foregoing embodiment and the file extracting and measuring method in some embodiments belong to the same concept, and details of the implementation process are shown in the method embodiment, and are not described herein again.
The application detection device provided in the embodiment of the present application will be described in detail below with reference to fig. 8. It should be noted that the application detection apparatus shown in fig. 8 is used for executing the method of the embodiment shown in fig. 1 to fig. 7 of the present application, and for convenience of description, only the portion related to the embodiment of the present application is shown, and details of the specific technology are not disclosed, please refer to the embodiment shown in fig. 1 to fig. 7 of the present application.
Please refer to fig. 8, which shows a schematic structural diagram of an application detection apparatus according to an embodiment of the present application. The application detection apparatus 1 may be implemented as all or part of a user terminal by software, hardware or a combination of both. According to some embodiments, the application detection apparatus 1 includes an obtaining module 11, a processing module 12, and a detection module 13, and is specifically configured to:
an obtaining module 11, configured to obtain a target application package and an application reference package of an application;
the processing module 12 is configured to perform decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package;
a detection module 13, configured to perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
Optionally, as shown in fig. 9, the processing module 12 includes:
a file determining unit 121, configured to determine a first decompiled file corresponding to the application reference package, and determine a second decompiled file corresponding to the target application package;
a set determining unit 122, configured to compare the first decompiled file and the second decompiled file to obtain a difference class set for the target application package.
Optionally, the set determining unit 122 is specifically configured to:
taking at least one reference file contained in the first decompiled file as a reference, determining, in the second decompiled file, a first file that does not match any of the reference files, and determining an increment class set for the target application package based on the first file; and/or
taking at least one target file contained in the second decompiled file as a reference, determining, in the first decompiled file, a second file that does not match any of the target files and a third file that matches at least one target file, and determining a pruned class set and an increment class set for the target application package based on the second file and the third file.
Optionally, the set determining unit 122 is specifically configured to:
determining, in the second decompiled file, a first file name that does not match the reference file name of any of the reference files, and determining an increment class set for the target application package based on the first file name;
Optionally, the set determining unit 122 is specifically configured to:
determining, in the first decompiled file, a second file name that does not match the target file name of any of the target files and a third file name that matches at least one of the target file names, and determining a pruned class set and an increment class set for the target application package based on the second file name and the third file name.
Optionally, the set determining unit 122 is specifically configured to:
adding a second file name of the second file to a pruned class set for the target application package; and
acquiring a digest matching result of the third file and a reference target file, and adding a third file name of the third file to the increment class set based on the digest matching result, wherein the file name of the third file is the same as the file name of the reference target file.
Optionally, the set determining unit 122 is specifically configured to:
if the result type of the digest matching result is a digest mismatch type, adding a third file name of the third file to the increment class set.
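The file-name and digest comparison performed by the set determining unit 122 can be sketched as follows. This is an added example, not code from the application; the two decompiled file trees are constructed and held in memory, the `.smali` paths and placeholder contents are assumptions, and SHA-256 is assumed as the digest.

```python
import hashlib

# Constructed decompiled files of the application reference package: path -> content.
REFERENCE_FILES = {
    "com/app/Sync.smali": b"upload: read id, send sms",
    "com/app/Fmt.smali": b"wrap: concat",
    "com/app/Tracker.smali": b"collect: read location",
}
# Constructed decompiled files of the target application package.
TARGET_FILES = {
    "com/app/Sync.smali": b"upload: read id, post http",   # same name, changed body
    "com/app/Fmt.smali": b"wrap: concat",                  # unchanged
    "com/app/Telemetry.smali": b"collect: read location",  # Tracker renamed, same bytes
    "com/app/pay/Wallet.smali": b"read: load card",        # new file
}


def digest(content):
    return hashlib.sha256(content).hexdigest()


def class_name(path):
    """'com/app/Sync.smali' -> 'com.app.Sync'."""
    return path.rsplit(".", 1)[0].replace("/", ".")


def difference_class_set(reference_files, target_files):
    """Return (increment class set, pruned class set, set class)."""
    ref = {class_name(p): digest(c) for p, c in reference_files.items()}
    tgt = {class_name(p): digest(c) for p, c in target_files.items()}

    # First files: names in the target package that match no reference file name.
    increment = {name for name in tgt if name not in ref}
    # Second files: names in the reference package that match no target file name.
    pruned = {name for name in ref if name not in tgt}
    # Third files: same name on both sides; a digest mismatch marks a changed class.
    for name in ref.keys() & tgt.keys():
        if ref[name] != tgt[name]:
            increment.add(name)

    if increment and pruned:
        set_class = "increment+pruned"
    elif increment:
        set_class = "increment"
    elif pruned:
        set_class = "pruned"
    else:
        set_class = "none"
    return increment, pruned, set_class


if __name__ == "__main__":
    inc, pruned, kind = difference_class_set(REFERENCE_FILES, TARGET_FILES)
    print("increment:", sorted(inc))
    print("pruned:   ", sorted(pruned))
    print("set class:", kind)
```

Because matching is by file name first, the renamed class in the sample data appears once in the pruned class set under its old name and once in the increment class set under its new name, even though its bytes did not change.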
Optionally, the detection module 13 is specifically configured to:
and determining a set class corresponding to the difference class set, and performing static taint detection on the target application package based on the set class to obtain a taint path set aiming at the target application package.
Optionally, the detection module 13 is specifically configured to:
if the set class is an increment class, calling a taint detection tool to perform static taint detection on the target application package based on the increment class set to obtain a first taint path set, and taking the first taint path set as a taint path set aiming at the target application package;
if the set class is a deletion class, acquiring a second taint path set corresponding to the application reference package, and determining the taint path set for the target application package based on the second taint path set and the pruned class set;
if the set class is an increment class and a deletion class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the pruned class set.
Optionally, the detection module 13 is specifically configured to:
determining at least one reference taint path from the second taint path set based on the pruned class set;
obtaining at least one target taint path in the second taint path set, wherein the target taint path is a taint path in the second taint path set except the reference taint path;
and adding the at least one target taint path into the first taint path set to obtain a taint path set aiming at the target application package.
Optionally, the detection module 13 is specifically configured to:
determining at least one reference taint path from the second taint path set based on the pruned class set;
and deleting the at least one reference taint path in the second taint path set to obtain a taint path set aiming at the target application package.
Optionally, the detection module 13 is specifically configured to:
determining a set of detection entry functions for the target application package based on the set of delta classes;
and calling a taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain a first taint path set.
Optionally, the detection module 13 is specifically configured to:
acquiring an inter-process call graph of the target application package, and determining an initial entry function set based on the inter-process call graph;
performing function node traversal processing on the inter-process call graph based on the incremental class set and the initial entry function set to determine at least one target node function;
generating a set of detection entry functions comprising the at least one target node function.
Optionally, the detection module 13 is specifically configured to:
performing node class matching processing on each next function node corresponding to each initial function node in the inter-process control flow graph based on an increment class set by taking at least one initial entry function indicated by the initial entry function set as a reference to obtain a target node function corresponding to at least one target function node;
and the initial function node is a head node corresponding to the initial entry function in the inter-process control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the increment class set.
Optionally, the detection module 13 is specifically configured to:
acquiring an inter-process call graph corresponding to the target application package;
and performing static taint detection on the inter-process call graph based on the detection entry function set to obtain a first taint path set aiming at the target application package.
It should be noted that, when the application detection apparatus provided in the foregoing embodiment executes the application detection method, the division into the functional modules described above is only an example; in practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the application detection apparatus and the application detection method provided by the above embodiments belong to the same concept; for details of the implementation process, refer to the method embodiments, which are not described here again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
An embodiment of the present application further provides a computer storage medium, where the computer storage medium may store a plurality of instructions, where the instructions are suitable for being loaded by a processor and executing the application detection method according to the embodiment shown in fig. 1 to 6, and a specific execution process may refer to specific descriptions of the embodiment shown in fig. 1 to 6, which is not described herein again.
The present application further provides a computer program product, where at least one instruction is stored in the computer program product, and the at least one instruction is loaded by the processor and executes the application detection method according to the embodiment shown in fig. 1 to 6, where a specific execution process may refer to specific descriptions of the embodiment shown in fig. 1 to 6, and is not described herein again.
Referring to fig. 10, a block diagram of an electronic device according to an exemplary embodiment of the present application is shown. The electronic device in the present application may comprise one or more of the following components: a processor 110, a memory 120, an input device 130, an output device 140, and a bus 150. The processor 110, memory 120, input device 130, and output device 140 may be connected by a bus 150.
Processor 110 may include one or more processing cores. The processor 110 connects the various parts of the electronic device through various interfaces and lines, and performs the functions of the electronic device 100 and processes data by running or executing the instructions, programs, code sets, or instruction sets stored in the memory 120 and by calling the data stored in the memory 120. Optionally, the processor 110 may be implemented in hardware using at least one of Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), and Programmable Logic Array (PLA). The processor 110 may integrate one or more of a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws display content; the modem handles wireless communications. It is understood that the modem may also not be integrated into the processor 110 and instead be implemented by a separate communication chip.
The memory 120 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 120 includes a non-transitory computer-readable medium. The memory 120 may be used to store instructions, programs, code sets, or instruction sets. The memory 120 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described below, and the like. The operating system may be an Android system (including systems developed in depth on the basis of the Android system), the iOS system developed by Apple (including systems developed in depth on the basis of the iOS system), or another system. The data storage area may also store data created by the electronic device during use, such as phone books, audio and video data, chat log data, and the like.
Referring to fig. 11, the memory 120 may be divided into an operating system space, in which an operating system runs, and a user space, in which native and third-party applications run. In order to ensure that different third-party application programs can achieve a better operation effect, the operating system allocates corresponding system resources for the different third-party application programs. However, the requirements of different application scenarios in the same third-party application program on system resources are different, for example, in a local resource loading scenario, the third-party application program has a higher requirement on the disk reading speed; in the animation rendering scene, the third-party application program has a high requirement on the performance of the GPU. The operating system and the third-party application program are independent from each other, and the operating system cannot sense the current application scene of the third-party application program in time, so that the operating system cannot perform targeted system resource adaptation according to the specific application scene of the third-party application program.
In order to enable the operating system to distinguish a specific application scenario of the third-party application program, data communication between the third-party application program and the operating system needs to be opened, so that the operating system can acquire current scenario information of the third-party application program at any time, and further perform targeted system resource adaptation based on the current scenario.
Taking the Android system as an example of the operating system, the programs and data stored in the memory 120 are as shown in fig. 12. A Linux kernel layer 320, a system runtime library layer 340, an application framework layer 360, and an application layer 380 may be stored in the memory 120, where the Linux kernel layer 320, the system runtime library layer 340, and the application framework layer 360 belong to the operating system space, and the application layer 380 belongs to the user space. The Linux kernel layer 320 provides underlying drivers for the various hardware of the electronic device, such as a display driver, an audio driver, a camera driver, a Bluetooth driver, a Wi-Fi driver, power management, and the like. The system runtime library layer 340 provides the main feature support for the Android system through a number of C/C++ libraries. For example, the SQLite library provides database support, the OpenGL/ES library provides 3D drawing support, the Webkit library provides browser kernel support, and the like. The system runtime library layer 340 also provides the Android runtime library (Android runtime), which mainly supplies core libraries that allow developers to write Android applications in the Java language. The application framework layer 360 provides various APIs that may be used when building applications, and developers may also use these APIs to build their own applications, such as activity management, window management, view management, notification management, content provider, package management, call management, resource management, and location management.
At least one application program runs in the application layer 380, and the application programs may be native application programs carried by the operating system, such as a contact program, a short message program, a clock program, a camera application, and the like; or a third-party application developed by a third-party developer, such as a game application, an instant messaging program, a photo beautification program, and the like.
Taking the iOS system as an example of the operating system, the programs and data stored in the memory 120 are as shown in fig. 13. The iOS system includes: a core operating system layer 420 (Core OS Layer), a core services layer 440 (Core Services Layer), a media layer 460 (Media Layer), and a touchable layer 480 (Cocoa Touch Layer). The core operating system layer 420 includes the operating system kernel, drivers, and underlying program frameworks, which provide functionality closer to the hardware for use by the program frameworks located in the core services layer 440. The core services layer 440 provides the system services and/or program frameworks required by applications, such as a Foundation framework, an account framework, an advertisement framework, a data storage framework, a network connection framework, a geographic location framework, a motion framework, and so forth. The media layer 460 provides audiovisual interfaces for applications, such as graphics and image related interfaces, audio technology related interfaces, video technology related interfaces, the audio/video transmission technology wireless playback (AirPlay) interface, and the like. The touchable layer 480 provides various commonly used interface-related frameworks for application development, such as a local notification service, a remote push service, an advertising framework, a game tool framework, a messaging User Interface (UI) framework, the UIKit user interface framework, a map framework, and so forth; the touchable layer 480 is responsible for the user's touch interaction operations on the electronic device.
In the framework illustrated in FIG. 13, the frameworks associated with most applications include, but are not limited to: the Foundation framework in the core services layer 440 and the UIKit framework in the touchable layer 480. The Foundation framework provides many basic object classes and data types, provides the most basic system services for all applications, and is independent of the UI. The classes provided by the UIKit framework form a basic UI class library for creating touch-based user interfaces; iOS applications can provide UIs based on the UIKit framework, which supplies the infrastructure for building user interfaces, drawing, handling user interaction events, responding to gestures, and the like.
For the manner and principle of data communication between a third-party application program and the operating system in the iOS system, reference may be made to the Android system; details are not repeated herein.
The input device 130 is used for receiving input instructions or data, and the input device 130 includes, but is not limited to, a keyboard, a mouse, a camera, a microphone, or a touch device. The output device 140 is used for outputting instructions or data, and the output device 140 includes, but is not limited to, a display device, a speaker, and the like. In one example, the input device 130 and the output device 140 may be combined, and the input device 130 and the output device 140 are touch display screens for receiving touch operations of a user on or near the touch display screens by using any suitable object such as a finger, a touch pen, and the like, and displaying user interfaces of various applications. Touch displays are typically provided on the front panel of an electronic device. The touch display screen may be designed as a full-face screen, a curved screen, or a profiled screen. The touch display screen can also be designed to be a combination of a full-face screen and a curved-face screen, and a combination of a special-shaped screen and a curved-face screen, which is not limited in the embodiment of the present application.
In addition, those skilled in the art will appreciate that the configurations of the electronic devices illustrated in the above-described figures are not meant to be limiting, and that the electronic devices may include more or fewer components than those shown, or some components may be combined, or different arrangements of components may be used. For example, the electronic device further includes a radio frequency circuit, an input unit, a sensor, an audio circuit, a wireless fidelity (WiFi) module, a power supply, a bluetooth module, and other components, which are not described herein again.
In the embodiment of the present application, the execution subject of each step may be the electronic device described above. Optionally, the execution subject of each step is the operating system of the electronic device. The operating system may be an Android system, an iOS system, or another operating system, which is not limited in this embodiment of the present application.
The electronic device of the embodiment of the present application may further have a display device installed thereon, and the display device may be any of various devices capable of implementing a display function, for example: a cathode ray tube display (CRT), a light-emitting diode display (LED), an electronic ink panel, a Liquid Crystal Display (LCD), a Plasma Display Panel (PDP), and the like. A user may utilize a display device on the electronic device 101 to view information such as displayed text, images, video, and the like. The electronic device may be a smartphone, a tablet computer, a gaming device, an AR (Augmented Reality) device, an automobile, a data storage device, an audio playback device, a video playback device, a notebook, a desktop computing device, or a wearable device such as an electronic watch, electronic glasses, an electronic helmet, an electronic bracelet, an electronic necklace, an electronic garment, or the like.
In the electronic device shown in fig. 10, where the electronic device may be a terminal, the processor 110 may be configured to call an application program stored in the memory 120 and specifically perform the following operations:
acquiring a target application package and an application reference package for an application;
performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package;
and performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
In an embodiment, when performing the decompiling comparison processing on the target application package and the application reference package to obtain the difference class set for the target application package, the processor 110 specifically performs the following operations:
determining a first decompiled file corresponding to the application reference package, and determining a second decompiled file corresponding to the target application package;
and comparing the first decompiled file with the second decompiled file to obtain the difference class set for the target application package.
In an embodiment, when performing the comparison processing on the first decompiled file and the second decompiled file, the processor 110 specifically performs the following operations:
taking at least one reference file contained in the first decompiled file as a reference, determining, in the second decompiled file, a first file which does not match any of the reference files, and determining an incremental class set for the target application package based on the first file; and/or
taking at least one target file contained in the second decompiled file as a reference, determining, in the first decompiled file, a second file which does not match any of the target files and a third file which matches at least one target file, and determining a pruned class set and an incremental class set for the target application package based on the second file and the third file.
In one embodiment, when determining, in the second decompiled file, the first file that does not match any of the reference files and determining the incremental class set for the target application package based on the first file, the processor 110 specifically performs the following operations:
determining, in the second decompiled file, a first file name that does not match the reference file name of any of the reference files, and determining the incremental class set for the target application package based on the first file name;
the determining, in the first decompiled file, of a second file that does not match any of the target files and a third file that matches at least one of the target files, and the determining of a pruned class set for the target application package based on the second file and the third file, comprises:
determining, in the first decompiled file, a second file name that does not match the target file name of any of the target files and a third file name that matches at least one of the target file names, and determining the pruned class set and the incremental class set for the target application package based on the second file name and the third file name.
In one embodiment, when determining the pruned class set and the incremental class set for the target application package based on the second file and the third file, the processor 110 specifically performs the following operations:
adding the second file name of the second file to the pruned class set for the target application package; and
acquiring a digest matching result of the third file and a reference target file, and adding the third file name of the third file to the incremental class set based on the digest matching result, wherein the file name of the third file is the same as the file name of the reference target file.
In an embodiment, when adding the third file name of the third file to the pruned class set based on the digest matching result, the processor 110 specifically performs the following operations:
if the result type of the digest matching result is a digest mismatch type, adding the third file name of the third file to the incremental class set.
In an embodiment, when performing the static taint detection on the target application package based on the difference class set to obtain the taint path set for the target application package, the processor 110 specifically performs the following operations:
determining a set class corresponding to the difference class set, and performing static taint detection on the target application package based on the set class to obtain the taint path set for the target application package.
In an embodiment, when performing the static taint detection on the target application package based on the set class to obtain the taint path set for the target application package, the processor 110 specifically performs the following operations:
if the set class is the incremental class, calling a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and taking the first taint path set as the taint path set for the target application package;
if the set class is the pruned class, acquiring a second taint path set corresponding to the application reference package, and determining the taint path set for the target application package based on the second taint path set and the pruned class set;
if the set class is both the incremental class and the pruned class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the pruned class set.
In one embodiment, when determining the taint path set for the target application package based on the first taint path set, the second taint path set, and the pruned class set, the processor 110 specifically performs the following operations:
determining at least one reference taint path from the second taint path set based on the pruned class set;
obtaining at least one target taint path in the second taint path set, wherein the target taint path is a taint path in the second taint path set other than the reference taint path;
and adding the at least one target taint path to the first taint path set to obtain the taint path set for the target application package.
In one embodiment, when determining the taint path set for the target application package based on the second taint path set and the pruned class set, the processor 110 specifically performs the following operations:
determining at least one reference taint path from the second taint path set based on the pruned class set;
and deleting the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.
In an embodiment, when calling the taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain the first taint path set, the processor 110 specifically performs the following operations:
determining a detection entry function set for the target application package based on the incremental class set;
and calling the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set.
In one embodiment, when determining the detection entry function set for the target application package based on the incremental class set, the processor 1001 specifically performs the following operations:
acquiring an inter-process call graph of the target application package, and determining an initial entry function set based on the inter-process call graph;
performing function node traversal processing on the inter-process call graph based on the incremental class set and the initial entry function set to determine at least one target node function;
generating a detection entry function set comprising the at least one target node function.
In an embodiment, when performing the function node traversal processing on the inter-process call graph based on the incremental class set and the initial entry function set to determine at least one target node function, the processor 110 specifically performs the following operations:
taking at least one initial entry function indicated by the initial entry function set as a reference, performing node class matching processing, based on the incremental class set, on each next function node corresponding to each initial function node in the inter-process control flow graph, to obtain a target node function corresponding to at least one target function node;
wherein the initial function node is a head node corresponding to the initial entry function in the inter-process control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the incremental class set.
In an embodiment, when calling the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set, the processor 1001 specifically performs the following operations:
acquiring an inter-process call graph corresponding to the target application package; and performing static taint detection on the inter-process call graph based on the detection entry function set to obtain the first taint path set for the target application package.
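The operations above (name and digest comparison, entry function selection, and combination of the taint path sets), shown as an added Python example that is not part of the patent text. Assumptions made here: SHA-256 as the digest, classes named by dotted strings, taint paths held as tuples of function names, the stopping rule used in the graph walk, and a stub standing in for the taint detection tool; all sample data is constructed.

```python
import hashlib
from collections import deque

# Constructed sample data: decompiled class file name -> file bytes.
REFERENCE = {"com.app.Login": b"v1", "com.app.Net": b"v1", "com.app.Legacy": b"v1"}
TARGET = {"com.app.Login": b"v2", "com.app.Net": b"v1", "com.app.Share": b"v1"}
# Constructed call graph of the target package: caller -> callees.
CALL_GRAPH = {
    "com.app.Main.onCreate": ["com.app.Login.onClick", "com.app.Net.init"],
    "com.app.Login.onClick": ["com.app.Net.post"],
    "com.app.Net.init": ["com.app.Share.export"],
    "com.app.Share.export": ["com.app.Net.post"],
}
INITIAL_ENTRIES = ["com.app.Main.onCreate"]
# Constructed second taint path set (result of the earlier scan of REFERENCE).
BASELINE_PATHS = {
    ("com.app.Legacy.read", "com.app.Net.post"),
    ("com.app.Net.init", "com.app.Net.post"),
}


def digest(data):
    # Assumption: SHA-256 as the digest; the text does not name an algorithm.
    return hashlib.sha256(data).hexdigest()


def diff_classes(reference, target):
    """Return (incremental, pruned) class sets from name and digest comparison."""
    incremental = {name for name in target if name not in reference}
    pruned = {name for name in reference if name not in target}
    for name in reference.keys() & target.keys():
        if digest(reference[name]) != digest(target[name]):
            incremental.add(name)  # same file name, digest mismatch
    return incremental, pruned


def class_of(function):
    """'com.app.Login.onClick' -> 'com.app.Login'."""
    return function.rsplit(".", 1)[0]


def detection_entries(call_graph, initial_entries, incremental):
    """Walk the graph from the initial entries; keep the first function on each
    branch whose class is in the incremental set (assumed stopping rule)."""
    found, seen, queue = set(), set(initial_entries), deque(initial_entries)
    while queue:
        function = queue.popleft()
        if class_of(function) in incremental:
            found.add(function)  # a scan from here also covers its callees
            continue
        for callee in call_graph.get(function, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return found


def merge_taint_paths(first, second, pruned):
    """Drop baseline paths that touch a pruned class, then add the rest to first."""
    reference_paths = {p for p in second if any(class_of(f) in pruned for f in p)}
    return set(first) | (set(second) - reference_paths)


def detect(reference, target, call_graph, initial_entries, baseline, taint_tool):
    """Select the taint path set by which difference sets are non-empty."""
    incremental, pruned = diff_classes(reference, target)
    first = set()
    if incremental:
        entries = detection_entries(call_graph, initial_entries, incremental)
        first = set(taint_tool(sorted(entries)))
    if incremental and not pruned:
        return first  # incremental only: the first set is the result
    # Pruned only, or both. With no difference at all this returns the
    # baseline unchanged (an assumption; the text does not cover that case).
    return merge_taint_paths(first, baseline, pruned)


def stub_taint_tool(entries):
    """Stand-in for the taint detection tool: reports one constructed path
    per entry function instead of running a real analysis."""
    return [(entry, "com.app.Net.post") for entry in entries]


if __name__ == "__main__":
    for path in sorted(detect(REFERENCE, TARGET, CALL_GRAPH, INITIAL_ENTRIES,
                              BASELINE_PATHS, stub_taint_tool)):
        print(" -> ".join(path))
```

Following the text, an incremental-only difference returns just the newly detected paths, and in the combined case baseline paths that run through a modified (not pruned) class are carried over unchanged, so those are worth re-validating against the new scan.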
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and is not to be construed as limiting the scope of the present application, so that the present application is not limited thereto, and all equivalent variations and modifications can be made to the present application.

Claims (17)

1. An application detection method, characterized in that the method comprises:
acquiring a target application package and an application reference package for an application;
performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package;
and performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
2. The method according to claim 1, wherein the performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package comprises:
determining a first decompiled file corresponding to the application reference package, and determining a second decompiled file corresponding to the target application package;
and comparing the first decompiled file with the second decompiled file to obtain the difference class set for the target application package.
3. The method of claim 2, wherein comparing the first decompiled file and the second decompiled file to obtain a difference class set for the target application package comprises:
taking at least one reference file contained in the first decompiled file as a reference, determining, in the second decompiled file, a first file which does not match any of the reference files, and determining an incremental class set for the target application package based on the first file; and/or
taking at least one target file contained in the second decompiled file as a reference, determining, in the first decompiled file, a second file which does not match any of the target files and a third file which matches at least one target file, and determining a pruned class set and an incremental class set for the target application package based on the second file and the third file.
4. The method of claim 3, wherein the determining, in the second decompiled file, of a first file that does not match any of the reference files, and the determining of an incremental class set for the target application package based on the first file, comprises:
determining, in the second decompiled file, a first file name that does not match the reference file name of any of the reference files, and determining the incremental class set for the target application package based on the first file name;
the determining, in the first decompiled file, of a second file that does not match any of the target files and a third file that matches at least one of the target files, and the determining of a pruned class set for the target application package based on the second file and the third file, comprises:
determining, in the first decompiled file, a second file name that does not match the target file name of any of the target files and a third file name that matches at least one of the target file names, and determining the pruned class set and the incremental class set for the target application package based on the second file name and the third file name.
5. The method of claim 3, wherein determining the pruned class set and the incremental class set for the target application package based on the second file and the third file comprises:
adding the second file name of the second file to the pruned class set for the target application package; and
acquiring a digest matching result of the third file and a reference target file, and adding the third file name of the third file to the incremental class set based on the digest matching result, wherein the file name of the third file is the same as the file name of the reference target file.
6. The method of claim 5, wherein adding the third file name of the third file to the pruned class set based on the digest matching result comprises:
if the result type of the digest matching result is a digest mismatch type, adding the third file name of the third file to the incremental class set.
7. The method of claim 1, wherein the performing static taint detection on the target application package based on the set of difference classes to obtain a set of taint paths for the target application package comprises:
determining a set class corresponding to the difference class set, and performing static taint detection on the target application package based on the set class to obtain the taint path set for the target application package.
8. The method of claim 7, wherein the performing static taint detection on the target application package based on the set class to obtain a taint path set for the target application package comprises:
if the set class is the incremental class, calling a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and taking the first taint path set as the taint path set for the target application package;
if the set class is the pruned class, acquiring a second taint path set corresponding to the application reference package, and determining the taint path set for the target application package based on the second taint path set and the pruned class set;
if the set class is both the incremental class and the pruned class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the pruned class set.
9. The method of claim 8, wherein determining the set of taint paths for the target application package based on the first set of taint paths, the second set of taint paths, and the pruned set of classes comprises:
determining at least one reference taint path from the second taint path set based on the pruned class set;
obtaining at least one target taint path in the second taint path set, wherein the target taint path is a taint path in the second taint path set other than the reference taint path;
and adding the at least one target taint path to the first taint path set to obtain the taint path set for the target application package.
10. The method of claim 8, wherein determining the taint path set for the target application package based on the second taint path set and the pruned class set comprises:
determining at least one reference taint path from the second taint path set based on the pruned class set;
and deleting the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.
11. The method of claim 8, wherein invoking the taint detection tool to perform static taint detection on the target application package based on an incremental class set to obtain a first taint path set comprises:
determining a detection entry function set for the target application package based on the incremental class set;
and calling the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set.
12. The method of claim 11, wherein determining the detection entry function set for the target application package based on the incremental class set comprises:
acquiring an inter-process call graph of the target application package, and determining an initial entry function set based on the inter-process call graph;
performing function node traversal processing on the inter-process call graph based on the incremental class set and the initial entry function set to determine at least one target node function;
generating a set of detection entry functions comprising the at least one target node function.
13. The method of claim 12, wherein the performing function node traversal processing on the inter-process call graph based on the incremental class set and the initial entry function set to determine at least one target node function comprises:
taking at least one initial entry function indicated by the initial entry function set as a reference, performing node class matching processing, based on the incremental class set, on each next function node corresponding to each initial function node in the inter-process control flow graph, to obtain a target node function corresponding to at least one target function node;
wherein the initial function node is a head node corresponding to the initial entry function in the inter-process control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the incremental class set.
14. The method of claim 11, wherein invoking a taint detection tool to perform static taint detection on a target application package based on the set of detection entry functions to obtain a first taint path set, comprises:
acquiring an inter-process call graph corresponding to the target application package;
and performing static taint detection on the inter-process call graph based on the detection entry function set to obtain the first taint path set for the target application package.
15. An application detection apparatus, characterized in that the apparatus comprises:
the acquisition module is used for acquiring a target application package and an application reference package of the application;
the processing module is used for performing decompiling comparison processing on the target application package and the application reference package to obtain a difference class set for the target application package;
and the detection module is used for performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.
16. A computer storage medium, characterized in that it stores a plurality of instructions adapted to be loaded by a processor and to carry out the method steps according to any one of claims 1 to 14.
17. An electronic device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1 to 14.
CN202111574727.7A 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment Pending CN114547604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111574727.7A CN114547604A (en) 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114547604A true CN114547604A (en) 2022-05-27

Family

ID=81668931

Country Status (1)

Country Link
CN (1) CN114547604A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115632877A (en) * 2022-12-01 2023-01-20 成都九洲电子信息***股份有限公司 Large-scale PCAP data correctness verification method, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination