
Jianwen Xiang, Ting Chen, Haoyu Wang, Xiapu Luo, Min Yang
2024, 14(3):221-224. DOI: 10.21655/ijsi.1673-7288.00330
Abstract: Preface
Huamao Wu, Muhui Jiang, Yajin Zhou, Jinku Li
2024, 14(3):225-247. DOI: 10.21655/ijsi.1673-7288.00331
Abstract: Through providing an emulated environment modeled from embedded devices, firmware rehosting enables dynamic analysis on embedded device firmware. Existing full-emulation firmware rehosting solutions can only preventatively fix known hardware and software dependencies but cannot address previously-unknown dependencies during the rehosting process. In this paper we propose FirmDep, an embedded application rehosting solution assisted with dynamic analysis. During the rehosting process, FirmDep records the execution trace and system state of the embedded application to be analyzed. If FirmDep fails to rehost the application, FirmDep extracts information and recovers system states from the execution trace, and then uses several strategies to identify and arbitrate the unresolved dependency problems. We implemented the prototype system of FirmDep based on PANDA and angr, and tested it with embedded Web applications from 217 real-world firmware images. The results show that FirmDep can effectively identify unresolved dependencies of embedded applications and improve the success rate of rehosting.
Siran Chen, Jingzheng Wu, Xiang Ling, Tianyue Luo, Jiayu Liu, Yanjun Wu
2024, 14(3):249-275. DOI: 10.21655/ijsi.1673-7288.00332
Abstract: Deep learning-based code vulnerability detection models have gradually become a crucial method for identifying software vulnerabilities due to their high detection efficiency and accuracy. However, Deep Neural Networks (DNNs) have been proven to be susceptible to adversarial attacks, which poses a risk to the detection accuracy of these models. Constructing adversarial attacks against vulnerability detection models not only helps to uncover security flaws in such models but also aids in assessing their robustness and improving their performance through corresponding methods. Existing adversarial attack methods for vulnerability detection models rely on general code transformation tools and do not propose targeted code perturbation operations and decision algorithms, making it difficult to generate effective adversarial samples, and the validity of these samples often depends on manual verification. To address these issues, we propose a reinforcement learning-based adversarial attack method for vulnerability detection models. Our method first designs a series of semantic-preserving and vulnerability-preserving code perturbation operations as a set of perturbations. Then, using code samples with vulnerabilities as input, a reinforcement learning model selects specific sequences of perturbation operations. Finally, potential locations for perturbation are identified based on the node types of the syntax tree of the code samples, and code transformations are performed to generate adversarial samples. We construct two experimental datasets with a total of 14,278 code samples based on SARD and NVD and train four vulnerability detection models with different characteristics as attack targets. For each target model, a reinforcement learning network is trained to conduct adversarial attacks. The results show that our attack method reduces the recall rate of the models by 74.34% and achieves an attack success rate of 96.71%. Compared to baseline methods, the attack success rate is improved by an average of 68.76%. The experiments demonstrate that current vulnerability detection models are at risk of being attacked and require further research to enhance their robustness.
Yin Wang, Ming Fan, Junjie Tao, Jingyi Lei, Wuxia Jin, Deqiang Han, Ting Liu
2024, 14(3):277-299. DOI: 10.21655/ijsi.1673-7288.00333
Abstract: The privacy policy of a mobile application serves as a crucial document that must be disclosed to users before collecting their information. Multiple national policies and regulations have been issued in recent years, mandating that mobile applications include clear and standardized privacy policies. However, current privacy policies still face various issues, such as missing key terms to be disclosed, omitted information collection purposes, and vague descriptions. As the number of legal provisions increases, their requirements on privacy policies vary, making compliance detection increasingly burdensome. In this paper, we propose a multi-label classification method for privacy policies of mobile applications. By comparing the requirements of four core laws and regulations on privacy policy statements, we summarize 31 categories of core labels and their respective features. In addition to this label system, we further design and implement a classification model for privacy policy sentences, achieving 94% precision in term classification. Compliance detection of Android applications and mini-programs is conducted with the proposed model by combining syntactic structure analysis and entity identification. The results reveal that 79%, 63%, and 94% of privacy policies have the issues of missing terms, omitted purposes, and vague descriptions, respectively.
Dongdong Zhao, Hu Xu, Siyun Peng, Junwei Zhou
2024, 14(3):301-329. DOI: 10.21655/ijsi.1673-7288.00335
Abstract: Graph data is a kind of data composed of nodes and edges, which models the entities as the nodes. Nodes may be connected by edges, and an edge indicates a relationship between entities. By analyzing and mining these data, people can get a lot of valuable information. Meanwhile, it also brings risks of privacy information disclosure for every node in the graph. To address this issue, we propose a graph data publishing method based on the Negative DataBase (NDB). This method transforms the structural characteristics of the graph data into the encoding format of an NDB. Based on this, a generation method for perturbed graphs (NDB-Graph) is designed. Since NDB is a privacy-preserving technique that does not explicitly store the original data and is difficult to reverse, the published graph data ensures the security of the original graph data. Besides, due to the high efficiency of Graph Neural Network (GNN) in relation feature processing in graph data, it is widely used in various task processing modeling on graph data, such as recommendation systems. We also propose a GNN recommendation system based on NDB technology to protect the privacy of graph data for each user. Compared with the publishing method PBCN, the proposed method outperforms it in most cases in experiments on the Karate and Facebook datasets. For example, on Facebook datasets, the smallest L1-error of degree distribution is only 6, which is about 2.6% lower than the PBCN method under the same privacy level, and the worst case is about 1,400, which is about 46.5% lower than the PBCN method under the same privacy level. The experiment of collaborative filtering based on LightGCN also shows that the proposed privacy protection method has high precision.
Pei Chen, Geng Hong, Mengying Wu, Jinsong Chen, Haixin Duan, Min Yang
2024, 14(3):331-348. DOI: 10.21655/ijsi.1673-7288.00334
Abstract: In recent years, with the rise of the mobile Internet, underground mobile applications primarily involved in scams, gambling, and pornography have become more rampant, requiring effective control measures. Currently, there is a lack of research on underground applications by researchers. Due to the continuous crackdown by law enforcement agencies on traditional distribution channels for these applications, the existing collection methods based on search engines and App stores have proven to be ineffective. The lack of large-scale and representative datasets of real-world underground applications has become a major constraint for in-depth research. Therefore, we aim to address the challenge of collection of large-scale real-world underground applications, providing data support for a comprehensive in-depth analysis of these applications and their ecosystem. A method is proposed to capture underground applications based on traffic analysis. By focusing on the key distribution channels of underground applications and leveraging their characteristics of mutation and accompanying traffic, underground applications can be discovered in the propagation stage. In the test, the proposed method successfully obtained 3,439 application download links and 3,303 distinct applications. Among these Apps, 91.61% of the samples were labeled as malware by antivirus engines, while 98.14% of the samples were zero-days. The results demonstrate the effectiveness of the proposed method in the collection of underground applications.
