Using CTS for vulnerability detection and an analysis of its principles


1\. Running CTS

1.1 Downloading and compiling the Android CTS source code

You can download just CTS with `git clone https://android.googlesource.com/platform/cts -b xxxxxxx` and compile it, or you can download and compile the complete Android source tree and then compile CTS with the command `make cts`. Several CTS files are generated under `/home/venscor/AndroidSource/least/out/host/linux-x86/cts`; of these, `cts-tradefed` starts the CTS test program.

1.2 CTS operating environment

The official Android site sets strict requirements for the CTS operating environment, but our concern here is testing the security modules, so a basic test environment is enough. For example: enable adb, allow adb to install APKs, and do not set a lock screen.

1.3 How CTS runs

As the source code shows, `cts-tradefed` is actually a script file. It first checks the environment. If the environment meets the requirements, it loads the corresponding jar files from the `android-cts/tools/` directory and all the required library files from `android-cts/lib`. Finally, it loads all jar files in the `android-cts/testcase/` directory and executes. The CTS console functions are implemented in the `CompatibilityConsole` class, which is the program's entry point.

1.4 Starting the script to enter the CTS test program's console

The CTS test suite consists of many plans, and a plan may in turn be made up of many subplans and modules. We are only interested in the parts of CTS related to security, i.e. the security-related modules.
There are 4 security-related test modules:

- CtsAppSecurityHostTestCases
- CtsJdwpSecurityHostTestCases
- CtsSecurityHostTestCases
- CtsSecurityTestCases

CtsAppSecurityHostTestCases and CtsJdwpSecurityHostTestCases contain no CVE tests; they are app-layer security tests and security policy checks. We can skip these two modules and focus the analysis on CtsSecurityHostTestCases and CtsSecurityTestCases.

2\. CTS security modules

2.1 CtsSecurityHostTestCases module

The source for the CtsSecurityHostTestCases module is at `./hostsidetests/security`. It is loaded by entering `run cts --module CtsSecurityHostTestCases` in the CTS console. CtsSecurityHostTestCases mainly tests for vulnerabilities in the Linux kernel and various drivers; the tests are exploit PoCs implemented in C/C++.

2.1.1 The testing process

You can test the entire module with `run cts --module CtsSecurityHostTestCases`, or test a specific method with `run cts --module CtsSecurityHostTestCases --test`. For example, to test CVE_2016_8451, pass `--test android.security.cts.Poc16_12#testPocCVE_2016_8451`.

Below we walk through the testing process in detail, using the detection of CVE_2016_8460 as the example. In CTS, run `run cts --module CtsSecurityHostTestCases --test android.security.cts.Poc16_12#testPocCVE_2016_8460`. The program runs the `testPocCVE_2016_8460()` function in the CtsSecurityHostTestCases module.

In fact, this test pushes the executable file CVE_2016_8460 that belongs to the CtsSecurityHostTestCases module to the phone's sdcard and then executes it, i.e. it runs the PoC test program.

2.1.2 Result management

After a test run completes, CTS generates a viewable report. The results are stored in the `cts/android-cts/results` directory, in XML format and as a zip package. Results for the security modules are managed the same way. The result page shows only two outcomes. One is pass, meaning the test passed and the vulnerability is not present. The other is fail, which has two possible causes: a problem with the test environment, or the presence of a vulnerability. You can read the details shown at the side of the report.

2.1.3 Adding and extracting test cases

Given how the CtsSecurityHostTestCases module tests, a new test case can be added entirely outside the CTS test framework: write the test code directly in C/C++, compile it, put it in the `/data/local/tmp` directory, set the execute permission, and run it. The module's existing vulnerability detection code can also be used directly. We can download the CTS source code to view the exploit PoC code, and either compile it ourselves or use the CTS-compiled executables directly to detect the corresponding vulnerability.

2.2 CtsSecurityTestCases module
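As an added example for the XML results described in 2.1.2 (not code from the original article or from the CTS project), the following sketch lists the failed tests of the two security modules and derives the CVE id from each test method name. The element and attribute names (`Module`, `TestCase`, `Test`, `Failure`, `result`, `name`, `message`) are an assumption about the result file layout, and the sample document is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; the element and attribute names are an assumed layout.
SAMPLE_RESULT = """<Result suite_name="CTS">
  <Module name="CtsSecurityHostTestCases" abi="arm64-v8a">
    <TestCase name="android.security.cts.Poc16_12">
      <Test result="pass" name="testPocCVE_2016_8451"/>
      <Test result="fail" name="testPocCVE_2016_8460">
        <Failure message="AssertionFailedError: device is vulnerable"/>
      </Test>
    </TestCase>
  </Module>
  <Module name="CtsAppSecurityHostTestCases" abi="arm64-v8a">
    <TestCase name="android.appsecurity.cts.ExampleTest">
      <Test result="fail" name="testExample"/>
    </TestCase>
  </Module>
</Result>"""

# The two modules the article analyses for CVE detection.
SECURITY_MODULES = {"CtsSecurityHostTestCases", "CtsSecurityTestCases"}
CVE_RE = re.compile(r"CVE_(\d{4})_(\d+)")

def failed_security_tests(xml_text, modules=SECURITY_MODULES):
    """Return one dict per failed test found in the given modules."""
    findings = []
    for module in ET.fromstring(xml_text).iter("Module"):
        if module.get("name") not in modules:
            continue
        for case in module.iter("TestCase"):
            for test in case.iter("Test"):
                if test.get("result") != "fail":
                    continue
                cve = CVE_RE.search(test.get("name", ""))
                failure = test.find("Failure")
                findings.append({
                    "module": module.get("name"),
                    # Same class#method form that the --test option takes.
                    "test": f"{case.get('name')}#{test.get('name')}",
                    "cve": f"CVE-{cve.group(1)}-{cve.group(2)}" if cve else None,
                    # The message helps separate environment errors from real hits.
                    "message": failure.get("message", "") if failure is not None else "",
                })
    return findings

if __name__ == "__main__":
    for f in failed_security_tests(SAMPLE_RESULT):
        print(f["cve"] or "no CVE in name", f["test"], "->", f["message"])
```

Because a fail can come from the test environment as well as from a real vulnerability, the `test` value of each finding can be passed back to `run cts --module ... --test ...` to re-run that single check before treating it as confirmed.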