网络与系统安全实验室

中国科学技术大学 计算机科学与技术学院

(更新时间:2020-07-06)  Fanping Zeng's Homepage in English

曾凡平

曾凡平,男,博士,副教授,ACM会员,中国计算机学会(CCF)高级会员。本科毕业于哈尔滨工业大学,2009年获得中国科学技术大学博士学位。自2001年起,面向国家高科技方面的重大需求,主要从事软件分析、软件测试、网络与系统安全方面的研究工作,作为课题负责人或主要技术骨干,参加并完成了10余项包括国家自然科学基金、国家863计划和国家科技部重点专项在内的国家级科研项目。

近期主要研究智能物联网的云边端资源协同优化,网络(包括物联网)与系统安全分析、测试与评估

目前主持科技部重点专项的子课题1个,参与国家自然科学基金项目1个,参与科技部重点专项课题1个。

Fanping Zeng

Associate Professor,
CCF Senior Member,

ACM Member
 

E-Mail: billzeng@ustc.edu.cn

教学

主讲“网络与信息安全”,“计算机网络”和“信息安全导论”

2020春季,本科生课程:信息安全导论

2019秋季,研究生课程:网络安全

2018年春季,本科生课程:计算机网络

专著

曾凡平编著. 网络信息安全. 北京:机械工业出版社, 2016.
内容简介:本书从网络攻击与防护的角度讨论网络安全原理与技术。在网络防护方面,介绍了密码学、虚拟专用网、防火墙、入侵检测和操作系统的安全防护;在网络攻击方面,详细讨论了缓冲区溢出攻击、格式化字符串攻击、拒绝服务攻击和恶意代码攻击。本书的最大特点是理论与实践紧密结合,书中的例子代码只需经过少量修改即可用于工程实践。本书可以作为信息安全、信息对抗、计算机、信息工程或相近专业的本科生和研究生教材,也可作为网络安全从业人员的参考书。

网络信息安全(2016)

招收硕士生和中国科大本科生

本实验室适合毕业后即参加工作的硕士研究生,和希望参加大研、创新等计划的本科生,以及希望在本实验室做毕业设计的本科生(拟在本实验读研、或计划出国深造)。

(1) 硕士生:如果你已经或者即将本科毕业,通过推荐免试或考试的方式均可。
(2) 本科生:如果你是科大在读的本科生,大二或大三年级,或希望在本实验读研、以及出国深造的大四年级。

  2015年以来的主要论文

AbstractThe capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks’ exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website https://youtu.be/dXFMNZWxEc0.

Full Paper:  2019-04-ICSTW2019.pdf 

Abstract—XSS is one of the common vulnerabilities in web applications. Many black-box testing tools may collect a large number of payloads and traverse them to find a payload that can be successfully injected, but they are not very efficient. Previous research has paid less attention to how to improve the efficiency of black-box testing to detect XSS vulnerability. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerability. The tool can discover XSS vulnerability quickly with adaptive random testing method. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the adaptive random testing method. The experimental results indicate that the adaptive random testing method can effectively improve the fuzzing method by more than 27.1% in reducing the number of attempts before accomplishing a successful injection.

Full Paper: 2019-12-Adaptive Random Testing for XSS Vulnerability.pdf  

Abstract—The capability leakage of Android applications is one kind of serious vulnerabilities. It can cause other applications to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then it tests the application continuously by test cases generated from test log. We have made experiments on 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 in 16 kinds of capability leakages. Compared with the famous IntentFuzzer, our tool is 19.38% better on the average ability to detect permission capability leakage.

Full Paper:  2019-12-CapabilityLeakageDetection.pdf

Abstract—IoT devices used in smart home have become a fundamental part of modern society. Such devices enable our living space to be more convenient. This enables human interaction with physical environment, also happens between two applications or others third-party rules in addition, and causes some unexpected automation, even causes safety concerns. What’s worse is that attackers can leverage stealthy physical interactions to launch attacks against IoT systems or steal user privacy. In this paper, we propose a tool called IoTIE that discovers any possible physical interactions and extract all potential interactions across applications and rules in the IoT environment. And we present a comprehensive system evaluation on the Samsung SmartThings and IFTTT platform. We study 187 official SmartThings applications and 98 IFTTT rules, and find they can form 231 hidden inter-app interactions through physical environments. In particular, our experiment reveals that 74 interactions are highly risky and could be potentially exploited to impact the security and safety of the IoT environment. Index Terms—IoT, multi-platform, application analysis and interaction extraction

Full Paper:  2019-12-Multi-platformApplicationInteractionExtractionforIoTDevices.pdf

Abstract—Most current literature on Android malware pays particular attention to the features of applications. Much of them focus on permissions or APIs, neglecting the behavioral semantics of applications, and the literature considering behavioral semantics is often expensive and weak in extendibility. In this paper, we introduce RepassDroid – a relatively coarse-grained but faster tool for automatic Android malware detection. We define Generalized-sensitive API and emphasize on considering if the trigger points of generalized sensitive APIs are UI-related or not. It analyzes the application by abstracting the generalized sensitive API with its trigger point as the semantic feature, with the addition of Really essential Permission as the syntax feature. Then it utilizes machine learning to automatically determine whether an application is benign or malicious. We evaluate RepassDroid on 24288 samples in total, 20000 for training and 4288 for test. With the comparative experiments, we find that Random Forest is the optimal classification technique for our feature set, achieving 97.7% accuracy and 0.99 AUC, along with a malware classification precision as high as 99.3%. Our evaluation results confirm that our approach and the feature set are logical and effective for Android malware detection.

Full Paper:  2018-08-RepassDroid-TASE2018.pdf 

Abstract—As the most popular mobile operating system, there are large amount of applications developed for  Android. Considering security issues, developers are forced to declare relative permissions in manifest file when they need to use sensitive APIs. With the ability of inter-component communication (ICC) provided by Android, malicious applications can indirectly call sensitive APIs through components exposed by other applications, leading to privilege escalation. To address this problem, we propose a method to detect this kind of privilege escalation between two applications. First, we compare the permission sets of both applications. Then, if necessary we identify call links between two applications and perform inter-application control flow analysis. Finally, according to the result of control flow analysis, we can judge whether the privilege escalation exists. As the experiment result shows, our
method can accurately detect privilege escalation between two applications.
 

Abstract—Although reflection methods in Android can facilitate developing applications, they will block control flow and data flow in static analysis, making its precision decreased. To solve this problem, we trigger applications to execute reflection methods and record its reflection targets at runtime. Reflection targets may be a method invocation, field setting or instantiating of some classes. Considering many static analysis’ input is apk file, we further transform reflection methods in apk into explicit method invocation, field setting and class initiating according to the recorded reflection targets. Our experiment result shows that, based on our method, some static analysis can perform better on these transformed apk and produce more precise results.

 


 

摘要为了方便用户查询感兴趣的资源,许多 WEB 应用程序会提供搜索功能。如果搜索功能存在故障,将会导致 WEB 应用程序的功能异常,甚至会引发安全问题,因而需要对其进行充分地测试。可以使用组合测试的方法生成测试用例测试 WEB 应用程序的搜索功能,其中每一个测试用例是由特殊字符组成的字符串。对于引起系统错误的测试用例,使用组合测试错误定位的方法找到系统错误是由哪些字符组合引起的。使用该方法对学校、政府和事业单位的 96 个网站进行了测试,发现其中 23 个网站在搜索某些特殊字符组合时,会引起服务器错误响应。错误定位结果表明,56%的服务器错误响应是由”%”、”<”、”’”、”\”和其他字符的组合引起的。

Full Paper: 2019-11-JournalOfFrontiersOfComputerScienceAndTechnology.pdf

摘要应用程序的行为语义在Android恶意应用检测中起着关键作用。为了区分应用的行为语义,文中提出适合用于Android恶意应用检测的特征和方法。首先定义广义敏感API,强调要考虑广义敏感API的触发点是否与UI事件相关,并且要结合应用实际使用的权限。该方法将广义敏感API及其触发点抽象为语义特征,将应用实际使用的权限作为语法特征,再利用机器学习分类方法自动检测应用是否具有恶意性。在13226个样本上进行了对比实验,实验结果表明,该方法的分析速度快且开销小,选取的特征集使Android恶意应用检测得到很好的结果;经机器学习分类技术的比较,我们选择随机森林作为检测方案中的分类技术,所提特征策略的分类准确率达到96.5%,AUC达到0.99,恶意应用的分类精度达到98.8%。

摘要近年来,物联网大规模应用于智能制造、智能家居、智慧医疗等产业,物联网的安全问题日益突出,给物联网的发展带来了前所未有的挑战。安全测评技术是保障物联网安全的重要手段,在物联网应用的整个开发生命周期都需要进行安全测评工作,以保证物联网服务的安全性和健壮性。物联网节点面临计算能力、体积和功耗受限等挑战,智慧城市等应用场景提出了大规模泛在异构连接和复杂跨域的需求。本文首先总结了目前物联网中常用的安全测评方法和风险管理技术;然后从绿色、智能和开放三个方面分析物联网安全技术的发展现状和存在的安全问题,并总结了物联网安全测评面临的挑战以及未来的研究方向。

Full Paper: 2019-05-JournalofCyberSecurity.pdf

[摘要] 隐式权限在Android应用开发中有大量的应用。针对隐式权限审核与资源关联的特性,本文提出一种基于程序静态分析与过程内数据流分析技术的隐式权限检测方法。该方法首先根据函数调用在引发权限审核的过程中是否与系统资源关联分类为显式和隐式;然后借助过程内数据流分析技术对隐式调用提取参数值,构建包含资源信息的完整函数调用;最后与事先收集的权限-函数映射关系比对后得到权限信息。实验结果表明,方法可以有效地检测程序中的隐式权限,漏误报数目少,在性能上相比同类型工具有极大的提升。此外,本文收集的隐式权限-资源映射关系相比其他相关工作更完整,将其与开源的显式权限映射表结合,本文实现了权限自动提取工具UpsetEx。

[Abstract] Implicit permissions are often used in Android application development. Concerning the feature of implicit permissions associated with the target resources, this paper proposes a novel implicit permission detecting method based on static analysis and procedural data flow analysis technique. Firstly, the function calls are classified to explicit or implicit according to whether the permission approval process is related to the system resource. Then, the resource parameter’s value of implicit function calls is obtained by procedural data flow analysis, and a complete function calls are built. Finally, the permissions are found by comparing the function calls with a pre-requisite permission specification. The experimental results show that our method can effectively detect implicit permissions with relatively few false positive and false negative, much better than similar analysis tools. What’s more, the implicit permission specification that we have collected is more complete than other related works did. Combined with an open source explicit permission specification, we have developed the automated permission extraction tool UpsetEx.

[摘要] 动态污点分析技术常用于跟踪二进制程序的信息流及检测安全漏洞,通过程序的动态执行来检测出程序中由测试用例触发的漏洞.它的误报率很低,但是漏报率较高,效率较低.针对动态污点分析的这一问题,动态符号化污点分析方法对污点分析进行了改进,通过将污点分析符号化来降低漏报率及提高效率.根据基于指令的污点传播来获得相关污点数据的信息,同时制定符号化的风险分析规则,通过检测污点信息是否违反风险规则来发现存在的风险.实验结果表明,该方法不仅具有污点分析低误报率的优点,而且克服了污点分析高漏报率的缺点.在污点分析过程中产生的漏洞、风险及相关污点信息还可用于指导测试用例的生成,提高测试效率以及降低测试用例的冗余.

[摘要] 依赖于正则表达式匹配的深度包检测技术因准确率高成为网络流分类广泛使用的技术.为了能在线性时间内对网络流进行快速分类,需采用时间高效的确定性有限自动机(DFA)匹配引擎,但DFA存在空间爆炸问题,无法满足实际需求.为了解决这个问题,本文从DFA中每个状态在不同的输入字符转换下到达的目的状态特性出发,提出了一种基于默认目的状态和位图技术的DFA压缩算法(对应的自动机模型称为DBDFA),该算法能够将有着相同目的状态的多条转移边压缩为只需一个默认目的状态或只需一个时空高效的位图.实验表明,DBDFA能达到平均99%的压缩效率,优于目前大多数的DFA压缩技术,且压缩后的总体匹配效率是原有DFA的3~5倍,这是目前大部分的压缩技术所不能达到的。