INFORMATION-FLOW ANALYSIS OF ANDROID APPLICATIONS IN DROIDSAFE
JARED YOUNG


INTRODUCTION
- Leaking of sensitive information
- Permission granting
- Is the information used legitimately?

CURRENT ANALYSIS TECHNIQUES
- Dynamic analysis
  - Missed information flows
  - Malicious application behaviour
- Static analysis
  - Scaling while maintaining precision
  - Android API and runtime model

DROIDSAFE
- Static analysis
- Tracks information flows from source to sinks
- “Accurately and precisely analyzes sensitive explicit information flows in large, real-world Android applications”

ANDROID DEVICE IMPLEMENTATION (ADI)
- Android Open Source Project (AOSP) as a Java basis for the model
- Missing parts of the Android runtime led to the development of Accurate Analysis Stubs
- Stubs incompletely model runtime behaviour
- Added stubs include native methods, event callback initiation and hidden state
- AOSP + Accurate Analysis Stubs = ADI

POINTS-TO ANALYSIS
- With 2 variables p and q, will p point to q at some point during runtime?
- Uses global object-sensitive points-to analysis (example next slide)
- Stores state
- Removes classes irrelevant to information flow

DROIDSAFE OPTIMISATIONS - POINTS-TO ANALYSIS
- Scaling is an issue when we need deeper depths
- Uses a pointer assignment graph
  - Explicit representation of the program
  - Exhausts main memory fast
  - More main memory is available now, so it can now work
- Android-specific optimisations
  - 3 of the 24 APAC applications could not finish because of the 64 GB limit
  - With optimisations all finished using a maximum of 34 GB

FLOW-INSENSITIVE ANALYSIS
- Assumes that statements can be executed in any order
- Considers all asynchronous callbacks between Android applications and environment
- Improves scalability as they do not need to track flow-sensitive flows

INTER-COMPONENT COMMUNICATION (ICC)
- Communication between application components and/or separate applications.
- Sent through dynamically constructed Strings packaged in an Intent object.
- Uses the ADI model to increase precision by storing state via Java objects.
- Uses Java String Analyser (JSA) to resolve strings.
- Replaces all strings with regular expressions.
- Can then perform points-to analysis using state and regular expressions.

IDENTIFYING SOURCES AND SINKS
- Initially used SuSi to identify sources and sinks
  - Missed 53% of source calls as “sensitive sources” and 32% of sink calls as “sinks” for the malicious flows in the APAC applications
- Identified manually
  - 4,051 sensitive sources
  - 2,116 sensitive sinks

INFORMATION-FLOW ANALYSIS
- Approximation of all memory states
- Define memory state transformation for each statement of code
- Stores tuple of information and memory location in InfoVal
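
An added example (not from the slides and not DroidSafe's own code) of the order-independent propagation described in the FLOW-INSENSITIVE ANALYSIS and INFORMATION-FLOW ANALYSIS slides: a toy fixpoint analysis over a constructed two-callback program, whose taint map pairs each memory location with the information that may reach it. The statement format, all names and the sample program are assumptions; fields that hold object references are not modelled.

```python
from collections import defaultdict

# Constructed toy program: two callbacks of one Activity share a field.
# The sink callback is listed first, as if the framework invoked it first.
PROGRAM = [
    ("new",    "this", "Activity#1"),      # this = new Activity()
    ("load",   "msg", "this", "last"),     # onClick:    msg = this.last
    ("sink",   "sendTextMessage", "msg"),  # onClick:    sendTextMessage(msg)
    ("source", "loc", "LOCATION"),         # onLocation: loc = getLastKnownLocation()
    ("store",  "this", "last", "loc"),     # onLocation: this.last = loc
    ("source", "id", "DEVICE_ID"),         # read but never sent to a sink
]

def analyze(program, flow_insensitive=True):
    """Return the set of (source label, sink name) flows found in program."""
    pts = defaultdict(set)    # variable -> allocation sites it may point to
    taint = defaultdict(set)  # variable or (site, field) -> source labels
    flows = set()
    changed = True

    def add(table, target, values):
        nonlocal changed
        if not values <= table[target]:
            table[target] |= values
            changed = True

    while changed:
        changed = False
        for stmt in program:
            op = stmt[0]
            if op == "new":
                add(pts, stmt[1], {stmt[2]})
            elif op == "source":
                add(taint, stmt[1], {stmt[2]})
            elif op == "copy":       # dst = src
                add(pts, stmt[1], set(pts[stmt[2]]))
                add(taint, stmt[1], set(taint[stmt[2]]))
            elif op == "store":      # base.field = src, for every aliased site
                for site in set(pts[stmt[1]]):
                    add(taint, (site, stmt[2]), set(taint[stmt[3]]))
            elif op == "load":       # dst = base.field
                for site in set(pts[stmt[2]]):
                    add(taint, stmt[1], set(taint[(site, stmt[3])]))
            elif op == "sink":
                flows |= {(label, stmt[1]) for label in taint[stmt[2]]}
        if not flow_insensitive:
            break                    # one in-order pass: a single fixed schedule
    return flows
```

Running to a fixpoint reports the location flow regardless of how the callbacks are ordered, while the single in-order pass (`flow_insensitive=False`) misses it because the sink callback is listed before the source callback.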

EVALUATION
- Tested against FlowDroid + IccTA (Inter-component communication Taint Analysis)
- Used DroidBench, a test suite developed by the creators of FlowDroid
- Suite of 94 Android information-flow benchmarks

ADDITIONAL TESTS
- Developed their own suite of 40 small applications
- Largest app is 255 lines of code
- 42 total leaks
- DroidSafe: 100% accuracy and precision
- FlowDroid + IccTA: 34.88% accuracy and 79.0% precision

APAC TESTS
- Automated Program Analysis for Cybersecurity (APAC) program
- Tested against the APAC test suite, which consists of 24 real-world applications in which the developers have intentionally hidden malicious flows.
- 200 to 80,000 lines of code
- Flows are hidden in places such as exceptions, application native methods and string manipulation
- Uses difficult-to-model Android API methods such as Object.clone and System.arraycopy

ADVANTAGES
- Accurate Android model – ADI
- Information flow insensitivity
- ICC modelling

LIMITATIONS
- Assumes non-rooted device
- DroidSafe's definitions of sink and source are defined by the Android API
- Does not fully handle Java native methods, dynamic class loading and reflection

CRITICISM
- Manually identifying sources and sinks
- Uses Android version
- Their own test suite happens to have 100% accuracy and precision
- Test against other static analysis tools and more applications