Building Exploit Chains with Logic Bugs

Traditional Approach

•Search for commonly misused methods

•Class loading

•Unzip path traversals

•External storage operations

•SSL error handling

•Decompile APK

•Is it used? Is it accessible? Is it vulnerable?

•Repeat for each application on the device

Process Automation

Which parts of the process can we automate?

• Is it used?
• Is it accessible? • Is it vulnerable?

• Wouldn’t Joern solve this? • Code property graphs

• C/C++ only

• We need Joern for Android • Jandroid

Automation Overview

1.Find use of search term in the application

2.Find calls to this method

3.Find calls to these methods

4.Find any instances of methods exported in Manifest

在Java平台中, 清单文件（Manifest file）是JAR档案[1][2]中包含的特殊文件。Manifest文件被用来定义扩展或档案打包相关数据，是一个元数据文件，它包含了不同部分中的名/值对数据。如果一个JAR文件被用来作为可执行文件，那么其中的Manifest文件需要指出该程序的主类文件。通常Manifest文件的文件名为MANIFEST.MF。

通常Manifest文件都与Java档案相关，其他的情况比较少见。

Static Analysis at Scale

还在阅读中：