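Abstract
Repeated launching of activities forms an activity launching cycle (ALC), a structure widely used by Android app developers to implement specific functions. Because the characteristics of ALCs have not been studied systematically, current activity transition analyses are insensitive to launch type, so they cannot correctly simulate the back stack state changes of Android apps that use special launch types, and they produce infeasible paths. This paper formalizes the back stack state changes caused by launching an activity with 7 different launch types, and proposes the activity launching graph (ALG), which represents the launching relations among activities, together with a launch-type-sensitive static activity transition analysis for constructing the ALG automatically. The method first constructs a harness main function for the Android app: it creates one heap allocation site of an object for each activity class and, for each activity object, orders the calls to overridden callbacks according to control flow. It then uses an object-oriented, field-sensitive points-to analysis to extract the target activity class and the launch-type-related configuration of each activity launching relation, and so builds the launching graph of the activity objects. In addition, this paper designs and implements ALCAnalyzer, a static ALC analysis framework that automatically generates the ALG for an Android app, derives the set of ALCs from the ALG, accurately simulates the back stack state changes when ALCs are executed repeatedly, and predicts whether the app will produce activity instances of the same type at run time. Experiments with automatic analysis and manual verification on 1179 open-source Android apps demonstrate the accuracy of the launch-type-sensitive activity transition analysis and the practicality of the tool, and show how widespread ALCs and special launch types are. Experiments on 20 apps from Google Play show that, compared with launch-type-insensitive activity transition analysis, ALCAnalyzer simulates back stack state changes more accurately, thereby preventing infeasible paths, and provides useful information for back stack management.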
An activity launching cycle (ALC) allows an activity class to be launched repeatedly, and is widely used in Android applications (apps) to support specific functions. Special launch types can be used in an ALC to prevent multiple instances of each activity class in the back stack. However, existing activity transition analyses are launch-type-insensitive: they cannot capture special launch types, so they simulate the transitions among different back stack states incorrectly and produce infeasible activity transition paths for apps that use special launch types. To address the above-mentioned problems, we formalize the changes of back stack states triggered by activity launchings configured with 7 different launch types respectively, and propose the activity launching graph (ALG). The ALG represents the activity launchings in an app and can be constructed by launch-type-sensitive activity transition analysis. Launch-type-sensitive activity transition analysis first constructs a harness main(), which consists of one allocation site per activity class and all overridden callback calls organized according to control flows. Then an object-oriented, field-sensitive points-to analysis is conducted to extract the target activity classes for activity launchings and the launch-type-related configurations. Finally, for each activity launching, an edge from the source object to the target object is constructed with the determined launch type. Moreover, we propose and implement a framework named ALCAnalyzer to conduct the static ALC analysis. ALCAnalyzer can generate ALGs for Android applications automatically and generate the set of ALCs based on an ALG. Based on the maximum number (infinity, two, and one) of activity instances produced for an activity class in the back stack by repeated executions of ALCs, the ALCs can be divided into three types (TYPE1, TYPE2, and TYPE3). This paper summarizes the characteristics of the different types of ALCs. ALCAnalyzer can simulate the changes of back stack states accurately during the repeated executions of ALCs and predict whether there are multiple insta
Authors
刘奥
过辰楷
王伟静
侯晓磊
朱静雯
张森
许静
LIU Ao; GUO Chen-Kai; WANG Wei-Jing; HOU Xiao-Lei; ZHU Jing-Wen; ZHANG Sen; XU Jing (College of Computer Science, Nankai University, Tianjin 300350; College of Software, Nankai University, Tianjin 300350; College of Artificial Intelligence, Nankai University, Tianjin 300350)
Source
《计算机学报》
EI
CSCD
Peking University Core Journals
2020, Issue 3, pp. 537-554 (18 pages)
Chinese Journal of Computers
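Funding
Supported by the National Natural Science Foundation of China (61402264),
the Key Project of the Natural Science Foundation of Tianjin (17JCZDJC30700, 19JCQNJC00300),
and the Tianjin Science and Technology Support Program (17YFZCGX00610, 18ZXZNGX00310).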