
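1. State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, Shaanxi 710071
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408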
Online First: 2014-11
Published: 30 November 2014
Zhi-qiang WANG, Qi-xu LIU, Yu-qing ZHANG. Research of discovering vulnerabilities of NFC applications on Android platform[J]. Journal on Communications, 2014, 35(Z2): 117-123. DOI: 10.3969/j.issn.1000-436x.2014.z2.016.
To improve the security of NFC technology, this work studies the discovery of NDEF protocol vulnerabilities in NFC applications on the Android platform and proposes a testing method based on fuzzing. The method constructs test cases using three strategies (manual crafting, generation and mutation) and uses two auxiliary means, reverse analysis of messages and packet sniffing, to analyze and construct messages. The constructed test cases are then used to discover vulnerabilities in the target NFC applications, and the results are output. Based on this method, a system called ANDEFVulFinder was developed for discovering security vulnerabilities in NFC applications. It uses logcat and process monitoring to watch the target for exceptions during the discovery process, and automates the process by simulating tags and touch operations. Finally, testing the MIUI system and 6 applications found 8 vulnerabilities, and the results show that the vulnerability discovery method is effective.
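An added example, not code from the paper or from ANDEFVulFinder: a strict parser for the NDEF record layout that rejects the inconsistent length and flag fields a fuzzing campaign like the one described would exercise against an NFC application. The function and sample names are constructed for illustration, and rejecting chunked and reserved-TNF records outright is a simplifying assumption of this sketch.

```python
class NdefError(ValueError):
    """The byte string is not a well-formed NDEF message."""

def parse_ndef(data: bytes):
    """Return [(tnf, type, id, payload), ...] or raise NdefError."""
    records, pos = [], 0
    while True:
        if len(data) - pos < 2:
            raise NdefError("truncated header or missing ME record")
        flags, type_len = data[pos], data[pos + 1]
        pos += 2
        tnf = flags & 0x07
        if bool(flags & 0x80) != (not records):
            raise NdefError("MB must be set on the first record only")
        if flags & 0x20 or tnf >= 6:
            raise NdefError("chunked/reserved records are rejected here")
        # PAYLOAD_LENGTH: 1 byte if SR is set, else 4 bytes big-endian.
        width = 1 if flags & 0x10 else 4
        if len(data) - pos < width:
            raise NdefError("truncated payload length")
        payload_len = int.from_bytes(data[pos:pos + width], "big")
        pos += width
        id_len = 0
        if flags & 0x08:  # IL: an ID_LENGTH byte follows
            if pos >= len(data):
                raise NdefError("truncated id length")
            id_len = data[pos]
            pos += 1
        # Compare declared lengths with the bytes left BEFORE slicing.
        if type_len + id_len + payload_len > len(data) - pos:
            raise NdefError("declared lengths exceed message size")
        if tnf == 0 and (type_len or id_len or payload_len):
            raise NdefError("empty record carries data")
        if tnf == 5 and type_len:
            raise NdefError("unknown-type record must have no type")
        fields = []
        for n in (type_len, id_len, payload_len):
            fields.append(data[pos:pos + n])
            pos += n
        records.append((tnf, *fields))
        if flags & 0x40:  # ME: last record of the message
            if pos != len(data):
                raise NdefError("trailing bytes after ME record")
            return records

# Constructed samples: one valid URI record and three malformed variants.
GOOD = bytes([0xD1, 0x01, 0x0C]) + b"U\x01example.com"
BAD_LEN = bytes([0xD1, 0x01, 0x7F]) + b"U\x01example.com"      # length overrun
BAD_LONG = bytes([0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFF]) + b"U"  # 4-byte length
NO_ME = bytes([0x91, 0x01, 0x0C]) + b"U\x01example.com"        # ME never set
```

Every length field is checked against the remaining input before any slice is taken, so a malformed message fails with an `NdefError` instead of reaching application logic.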