针对Android系统的Java/C++多语言接口建模与分析

项目名称： 针对Android系统的Java/C++多语言接口建模与分析

项目编号： No.61272086

项目类型： 面上项目

立项/批准年度： 2013

项目学科： 自动化技术、计算机技术

项目作者： 董渊

作者单位： 清华大学

项目金额： 84万元

中文摘要： JNI(Java Native Interface)支持Java和C/C++之间互相调用，在Android系统中得到广泛应用，JNI调用直接使用C/C++内存操作，很容易突破Android的保护机制造成重大安全问题。目前缺乏有效分析Java/C++接口安全缺陷的手段，本申请针对这一问题开展研究，工作具有重要的理论价值和现实意义。项目关注存储安全缺陷，以内存泄漏为突破口，将Java/C++编译到特定的中间语言，在中间语言上建立跨语言分析架构，给出上述问题的可行方案：1）建立Java/C++ JNI接口模型，扩展Bytecode以支持C++语义；2）给出C++到Bytecode扩展的简洁翻译方案及其证明；3）建立Bytecode层面的安全缺陷模式，实现分析工具原型；4）形成可扩展的缺陷分析平台。将有助于深入理解多语言接口编程，并为日益泛滥的Android恶意软件防范提供有力的方法和工具支持。

中文关键词： JNI多语言编程接口；Android系统；安全缺陷；形式化模型；分析工具

英文摘要： JNI (Java Native Interface) that supports function calls between Java and C/C++ and is widely used in Android. By directly manipulating memory through C/C++ function, JNI is capable of escaping the protection mechanism of Android and leading to serious security problems. Currently there lacks effective methods to analyze security bugs of the Java/C++ JNI interface. We therefore propose research on this topic, which will have significance in both theory and practice. Focusing on storage security bugs and taking memory leak as a breakthrough, this proposal translates Java/C++ to a specific intermediate language, upon which a cross-language analysis framework can be established, and provides a feasible resolution to address the interesting and challenging problem. Our solutions to this problem include: 1) Model the Java/C++ interface, and extend Java bytecode to support C++ semantics; 2) Provide and prove a concise translation pattern from C++ to bytecode; 3) Establish a security bug model on bytecode level, and implement a prototype analyzing tool; 4) Form a extensible platform for bug analysis. This work not only provides a solid theoretical foundation for understanding and reasoning about of multilingual programming interface, but also gains insight into building valuable tools for countermeasures against growin

英文关键词： JNI multilingual programming interface；Android system；Security bug；Formal Model；Analyzing tool