KR-102964004-B1 - METHOD FOR DETECTING BYPASS ACCESS IN MOBILE OPERATING SYSTEM AND DEVICE THEREOF
Abstract
A method for detecting a bypass path according to an embodiment of the present invention may include the steps of: extracting a bypass path for a file access control procedure of a mobile operating system; matching, based on the bypass path, the processes of labeled subjects to the processes of an app and a service actually in use; analyzing the communication interface of the app and the service actually in use using the interface definition language of the mobile operating system; and providing information regarding a vulnerable path based on a vulnerable interface, according to the matching result and the analysis result.
Inventors
- 조영필
- 엄서정
Assignees
- 한양대학교 산학협력단
Dates
- Publication Date: 20260511
- Application Date: 20231215
Claims (9)
- A method for detecting bypass paths, comprising: a step of extracting a bypass path for the file access control procedure of a mobile operating system; a step of matching, based on the bypass path, the processes of labeled subjects to the processes of the actual app and the actual service in use; a step of analyzing the communication interface of the actual app and the actual service in use using the interface definition language of the mobile operating system; and a step of providing information regarding a vulnerable path based on a vulnerable interface, according to the matching result and the analysis result; wherein the information provision step provides additional information regarding paths at the method level, and comprises a step of setting a start node and a target node in a search engine based on a database of the vulnerable path, and a step of providing the additional information regarding the path at the method level when the start node and the target node are found.
- (deleted)
- (deleted)
- The bypass path detection method of claim 1, wherein the matching step matches the destination of a starting subject with the starting point of a target subject.
- A bypass path detection device, comprising: a storage device that stores data regarding file access control procedures of a mobile operating system and an interface definition language of the mobile operating system; an input device that receives an input requesting information regarding a vulnerable path; and a computing device that extracts a bypass path for the file access control procedure of the mobile operating system, matches, based on the bypass path, the processes of the labeled subjects to the processes of the actual apps and services in use, analyzes the communication interface of the actual app and the actual service in use using the interface definition language of the mobile operating system, and provides information regarding a vulnerable path based on a vulnerable interface, according to the matching result and the analysis result; wherein the computing device provides additional information regarding a path at the method level, sets a start node and a target node in a search engine based on a database of the vulnerable path, and provides the additional information regarding the path at the method level when the start node and the target node are found.
- (deleted)
- (deleted)
- The bypass path detection device of claim 5, wherein the computing device matches the destination of a starting subject with the starting point of a target subject.
- A computer-readable recording medium that records a program for executing the method of claim 1.
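
The flow of claims 1 and 4, as an added example that is not taken from the patent: policy-derived segments are chained by matching one segment's destination to the next segment's starting point, labels are mapped to in-use processes, and a start-to-target search keeps only the paths backed by a flagged interface method. Every label, process name, method name and the per-method "vulnerable" flag is a constructed assumption; how an interface is judged vulnerable is treated as given input.

```python
from collections import deque

# Constructed sample data; every label, process and method name is hypothetical.
# Policy-derived segments: (starting subject label, destination label).
SEGMENTS = [("demo_app", "demo_media_svc"), ("demo_app", "demo_backup_svc"),
            ("demo_media_svc", "protected_file"), ("demo_backup_svc", "protected_file")]
# Label -> process of the app/service actually in use.
PROCESSES = {
    "demo_app": "com.example.viewer",
    "demo_media_svc": "com.example.mediasvc",
    "demo_backup_svc": "com.example.backupsvc",
}
# Methods read from each service's interface definition; the boolean marks a
# method that an earlier review flagged as vulnerable (assumed input).
INTERFACES = {
    "com.example.mediasvc": [("IMediaDemo.openByPath", True), ("IMediaDemo.ping", False)],
    "com.example.backupsvc": [("IBackupDemo.status", False)],
}

def policy_paths(start, target):
    """Chain segments (destination == next starting point) into simple paths."""
    graph = {}
    for src, dst in SEGMENTS:
        graph.setdefault(src, []).append(dst)
    found, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for nxt in graph.get(path[-1], []):
            if nxt not in path:  # never revisit a node: simple paths only
                queue.append(path + [nxt])
    return found

def interface_backed_paths(start, target):
    """Keep paths whose every intermediate service exposes a flagged method."""
    results = []
    for path in policy_paths(start, target):
        hops = []
        for label in path[1:-1]:
            proc = PROCESSES.get(label)
            flagged = [m for m, weak in INTERFACES.get(proc, []) if weak]
            if not flagged:
                break  # allowed by policy, but no vulnerable interface on this hop
            hops.append((label, proc, flagged))
        else:
            results.append({"path": path, "hops": hops})
    return results
```

On this sample the policy alone yields two paths from `demo_app` to `protected_file`, and the interface check keeps only the one through `demo_media_svc`, annotated with the flagged method.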
Description
Method for detecting bypass access in a mobile operating system and device thereof
The technology described below relates to a method for extracting all possible bypass paths that circumvent access control mechanisms by analyzing policy files used on mobile operating systems, and detecting actual vulnerable bypass paths by analyzing the interfaces of each app/service used for IPC (inter-process communication) based on the extracted paths.
Mobile operating systems (e.g., Android) control access to processes and/or files by enforcing access control mechanisms based on complex access control policies. For example, as a major platform in the mobile market, Android is customized by many manufacturers. Meanwhile, in Android, access control mechanisms such as Android DAC (Discretionary Access Control), MAC (Mandatory Access Control), and Capability are implemented based on complex security policies to prevent malicious apps and external attacks, and research on these complex security policies has been ongoing. However, there are cases where attacks that bypass access control mechanisms occur by exploiting vulnerabilities inherent in security policies. Accordingly, research is being conducted on technologies that detect all paths capable of bypassing access control mechanisms by performing an integrated analysis of configured security policies.
On the other hand, conventional techniques for detecting bypassable paths perform their analysis solely on static security policy files, so legitimately accessible paths are also detected. This results in a vast number of findings and false positives, making it difficult to identify paths that can actually be exploited. In addition, because the vulnerable interfaces of exploitable apps or processes cannot be known in detail, it is difficult to verify in detail how an attack will be launched or through which path, even if there is actually a vulnerable path.
Furthermore, paths extracted in conventional technology are labeled based on rules specified in security policy files, making it difficult to determine exactly which app's process the corresponding component belongs to.
FIG. 1 is a flowchart illustrating a method for detecting a bypass path in a mobile operating system according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating the detailed process of a bypass path detection device detecting exploitable vulnerable paths based on vulnerable interfaces.
FIG. 3 is an example of the configuration of a bypass path detection device (300). The bypass path detection device (300) may be a device that executes the bypass path detection method described in FIG. 1 and FIG. 2.
The technology described below may be subject to various modifications and may have various embodiments. Specific embodiments of the technology described below may be described in the drawings of the specification. However, this is for the purpose of explaining the technology described below and is not intended to limit the technology described below to specific embodiments. Accordingly, it should be understood that all modifications, equivalents, and substitutions that fall within the spirit and scope of the technology described below are included in the technology described below.
In the terms used below, singular expressions should be understood to include plural expressions unless the context clearly indicates otherwise, and terms such as "includes" should be understood to mean that the described features, number, steps, actions, components, parts, or combinations thereof exist, and not to exclude the existence or addition of one or more other features, numbers, steps, actions, components, parts, or combinations thereof.
Before providing a detailed description of the drawings, it should be clarified that the classification of components in this specification is merely based on the primary function each component is responsible for. That is, two or more components described below may be combined into a single component, or a single component may be divided into two or more components based on more subdivided functions. Furthermore, each component described below may additionally perform some or all of the functions of other components in addition to its own primary function, and it is obvious that some of the primary functions of each component may be exclusively performed by other components.
Furthermore, in performing the method or operation method, each process constituting the method may occur differently from the specified order unless a specific order is clearly indicated in the context. That is, each process may occur in the same order as specified, may be performed substantially simultaneously, or may be performed in the reverse order.
A method and apparatus for detecting bypass paths in a mobile operating system according to an embodiment of the present invention will be described below. In the following, the Android operating system is used as an example of a mobile operating system, but i