Research on Fast Recovery Method of Android System Based on UnionFS (original title: 基于UnionFS的Android系统快速恢复方法研究)
【Author】 Wang Yong
【Supervisor】 Wang Juan
【Author information】 Wuhan University, Information Security, 2017, Master's thesis
【Abstract】 The rapid growth of the mobile Internet has made the security of mobile devices increasingly important, and malicious applications that steal users' private data keep appearing. To protect users' sensitive information, researchers have built a number of emulator-based platforms to detect and analyse potential malware in application markets. However, because there are fundamental differences between an emulator and a real device, malware can use these differences to detect the emulator: if it finds that it is running in an emulator it does not execute its malicious code, thereby evading the detection and analysis platform. Although an emulator can be modified to behave as much like a real device as possible, many system-level and hardware-level differences cannot be eliminated, such as differences in CPU architecture, GPU performance and sensors. Therefore, to counter emulator detection by malicious applications, deploying the analysis platform on real devices has become an alternative.

The first problem faced when using real devices is how to quickly restore the system to a trusted state. This is particularly important for an analysis platform, because a malicious program may damage the system while it is being analysed; to guarantee that every program under test runs in a trusted environment, the system must be restored after each program has finished. Because an emulator is essentially a virtual machine, its snapshot function allows the system to be restored within seconds. On a real device, system recovery generally means rebooting into recovery mode and flashing a system image from a computer onto the device with the adb tool, which is extremely time-consuming, taking up to about 140 seconds. The only existing solution, at home or abroad, is BareDroid, proposed by Mutti et al. It keeps a complete redundant backup of the data partition and, after rebooting into recovery mode, swaps the used data partition for an unused one, saving the time needed to reflash the data partition and speeding up recovery to a certain extent, to about 32 seconds at best. However, BareDroid's full-backup scheme wastes a great deal of storage space, and a 32-second recovery is still slow, reducing the efficiency of the analysis platform.

To address this problem, we ported the UnionFS file system into the Android kernel and, after studying Android's system partitions, boot process and Framework-layer services, proposed a novel method for restoring the system without rebooting the device; on this basis we implemented CleanDroid, which restores the system quickly on real devices. In addition, we implemented runtime measurement of the Android system in two ways, local measurement with a TEE and remote attestation with SafetyNet, supplemented by SELinux to further strengthen the reliability of the measurement results. Because it avoids rebooting and reflashing, CleanDroid greatly reduces the recovery time: in our tests, CleanDroid completed system recovery in about 5 seconds at best.
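The abstract's central idea is that a union file system lets the trusted image stay in a read-only lower layer while every modification lands in a writable upper layer, so recovery is simply discarding that upper layer rather than reflashing. The following is an added illustration written for this page, not code from the thesis or from CleanDroid: a small in-memory model of union-mount semantics (lower layer, upper layer, whiteouts for deletions) with a `recover()` that drops the upper layer and a `measure()` that digests the merged view so the restored state can be compared against a baseline, in the spirit of the runtime measurement the abstract mentions. All names (`UnionView`, `WHITEOUT`, `measure`, the sample paths) are this example's own choices.

```python
"""Toy model of union-mount based recovery (added example; not from the thesis).

A union filesystem stacks a read-only lower layer (the trusted image) under a
writable upper layer that absorbs every change. Deleting a lower-layer file is
recorded as a "whiteout" entry in the upper layer instead of touching the
lower layer. Recovery needs no reboot and no reflash: discarding the upper
layer returns the merged view to the lower layer, in time independent of the
image size. Class and function names are this example's own, not kernel or
CleanDroid identifiers.
"""
import hashlib
from typing import Dict, Optional

WHITEOUT = object()  # marker stored in the upper layer for a deleted file


class UnionView:
    def __init__(self, lower: Dict[str, bytes]):
        # The lower layer is never mutated; copy it so callers cannot alias it.
        self._lower = dict(lower)
        self._upper: Dict[str, object] = {}

    def read(self, path: str) -> Optional[bytes]:
        """Upper layer wins; a whiteout hides the lower copy."""
        if path in self._upper:
            data = self._upper[path]
            return None if data is WHITEOUT else data  # type: ignore[return-value]
        return self._lower.get(path)

    def write(self, path: str, data: bytes) -> None:
        """Every write, even to a lower-layer file, lands in the upper layer."""
        self._upper[path] = data

    def delete(self, path: str) -> bool:
        """Return False if the path is not visible; never touch the lower layer."""
        if self.read(path) is None:
            return False
        if path in self._lower:
            self._upper[path] = WHITEOUT  # hide the lower copy with a whiteout
        else:
            del self._upper[path]  # file existed only in the upper layer
        return True

    def listing(self) -> Dict[str, bytes]:
        """The merged view a process on the device would see."""
        merged = dict(self._lower)
        for path, data in self._upper.items():
            if data is WHITEOUT:
                merged.pop(path, None)
            else:
                merged[path] = data  # type: ignore[assignment]
        return merged

    def upper_size(self) -> int:
        return len(self._upper)

    def recover(self) -> None:
        """Fast recovery: drop the upper layer. Cost does not depend on image size."""
        self._upper = {}

    def measure(self) -> str:
        """Deterministic digest of the merged view, to compare with a digest taken
        while the system was in its trusted state."""
        h = hashlib.sha256()
        for path, data in sorted(self.listing().items()):
            h.update(path.encode())
            h.update(b"\0")
            h.update(data)
            h.update(b"\0")
        return h.hexdigest()


def demo() -> dict:
    # Constructed sample 'data partition' content (not real Android files).
    base = {
        "data/app/installed.txt": b"benign-app\n",
        "data/system/packages.xml": b"<packages/>\n",
    }
    fs = UnionView(base)
    baseline = fs.measure()
    # Changes an analysed sample might leave behind: a new file, a tampered
    # file and a deleted file. All of them live only in the upper layer.
    fs.write("data/app/sample.apk", b"PK\x03\x04")
    fs.write("data/system/packages.xml", b"<packages><tampered/></packages>\n")
    fs.delete("data/app/installed.txt")
    dirty = fs.measure()
    fs.recover()
    return {
        "baseline": baseline,
        "dirty": dirty,
        "after": fs.measure(),
        "view": fs.listing(),
        "upper_after": fs.upper_size(),
    }


if __name__ == "__main__":
    r = demo()
    print("restored to baseline:", r["after"] == r["baseline"])
```

The point the model makes is the one the abstract relies on: the lower layer is never written, so the work done by `recover()` is bounded by the size of the upper layer, not the image, and a digest of the merged view after recovery equals the digest taken before the sample ran. On a real device the upper layer would be a directory on flash rather than a dictionary, and measurement would be anchored in a TEE or an attestation service rather than an in-process hash, but the layering logic is the same.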
【Key words】 Android security; malware; emulator detection; UnionFS
- 【Online publication submitted by】 Wuhan University 【Online publication year/issue】 2020, issue 06
- 【Classification number】 TP316; TP309
- 【Times cited】 2
- 【Downloads】 18