& ltp& gt自Android Runtime & #40ART)取代Dalvik成为Android系统唯一的运行时后，它所采用的新的提前编译机制导致很多基于Dalvik的分析工具都无法在ART上运行。而静态污点分析作为重要的软件分析方法，其固有的误报率高的问题需要利用动态方法进行验证来降低。本文设计了一个静态分析与动态分析相结合的污点分析系统，其中实现了一个基于ART的动态调用信息搜集及执行路径验证工具，在视图遍历工具ACFG的支持下，对静态污点分析工具FlowDroid的分析结果中的污点泄露可疑路径进行可达性验证。本工具分为两大模块，分别是动态调用信息搜集模块和执行路径验证模块。动态调用信息搜集模块将调用信息输出代码插入到ART解释器中，以实现应用程序对Android API的调用及应用程序内部调用关系的输出。执行路径验证模块分三类判断泄露路径，通过特征判断回调函数，并利用入口Activity的构造函数对调用信息上下文进行切分，最终输出泄露路径触发判断结果。在实验中，利用污点分析测试集DroidBench进行工具的准确性测试，发现动态验证工具的准确率高达100%，召回率为89.4%，整体系统的准确率为96.8%，召回率为87.4%，准确性优于FlowDroid，平均耗时为77秒；从应用市场中随机抽取36个APP对整体系统进行基本性能分析，发现75%的应用可以在8G内存环境下于20分钟内完成分析，平均耗时593秒，效率较高。总的来说，本工具能够在有限的计算资源下，为静态污点分析消除大量误报，是具有实践意义的一个动态验证工具。& lt/p& gt

& ltp& gtSince Android Runtime & #40ART), which uses ahead-of-time compilation, has completely taken over previous default runtime Dalvik's work, lots of analysis tools based on Dalvik are not able to work on ART. And dynamic verification is an effective way to reduce the inherent problem of static taint analysis that always has a high rate of false positive. In this paper, I present a taint analyzing system that combines both static and dynamic analysis and show how to implement an ART based dynamic invoke information collector and ution path verifier, which can verify the accessibility of the suspicious taint leaking paths that reported by the famous static taint analysis tool FlowDroid, with the support of the android view traversing tool ACFG. This tool can be divided into two parts, the dynamic invoke information collector and the ution path verifier. I ed the invoke information export code into ART's interpreter, so that the dynamic invoke information collector is capable of recording invoke information between APP's internal methods and Android API and information among APP's internal methods. The ution path verifier classifies leaking paths into 3 classes and detects them separately. Then, with the help of acteristics analyzing of callbacks and segmenting runtime context by finding out initialization of launchable activities, the verifier will report the verified taint leaking paths. In the evaluation part, I tested the tool's accuracy by the taint analysis test set DroidBench, and found that the precision is actually 100% and the recall is 89.4%, while the whole system's precision is 96.8% and the recall is 87.4% consuming 77 seconds on average. The outstanding precision is much higher than FlowDroid. Then I test the basic performance of the whole system with 36 APPs random ed from APP markets, and found that 75% of APPs can completely finished the analysis in 20 minutes, consuming 593 seconds on average, which displays high efficiency of this tool. In short, this tool can reduce the high rate of false positive of FlowDroid with limited computing resources. It actually is a practical dynamic verifying tool.& lt/p& gt

[1] Arzt S, Rasthofer S, Fritz C, et al. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps[A]. In EC SPRIDE. ACM SIGPLAN Notices[C]. ACM, 2014, 49& #406): 259-269.

[2] Google Inc. Google I/O 2014 – The ART runtime[EB/OL]. https://www.google.com/events/io/io14videos/b750c8da-aebe-e311-b297-00155d5066d7. 2016年1月29日访问

[3] IBM. IBM security appscan source[EB/OL]. http://www-03.ibm.com/software/products/en/appscan-source. 2016年5月3日访问

[4] Wei F, Roy S, Ou X. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps[A]. In Kansas State University. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security[C]. ACM, 2014: 1329-1341.

[5] Klieber W, Flynn L, Bhosale A, et al. Android taint flow analysis for app sets[A]. In Carnegie Mellon University. Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis[C]. ACM, 2014: 1-6.

[6] Li L, Bartel A, Bissyandé T F, et al. IccTA: Detecting inter-component privacy leaks in Android apps [A]. In University of Luxembourg. Proceedings of the 37th International Conference on Software Engineering-Volume 1[C]. IEEE Press, 2015: 280-291.

[7] Enck W, Gilbert P, Han S, et al. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones[J]. ACM Transactions on Computer Systems & #40TOCS), 2014, 32& #402): 5.

[8] Soot. Soot[EB/OL]. https://sable.github.io/soot/. 2016年5月3日访问

[9] AndroidXRef. AndroidXref – Android Source Code Cross Reference[EB/OL]. http://androidxref.com/6.0.0_r1/. 2016年5月3日访问