Static analysis has been applied to dissect Android apps for many years. Its main advantages are its efficiency and its coverage of the entire code. However, the community has not yet produced complete tools to perform in-depth static analysis, leaving users at risk from malicious apps. Because of the diverse challenges posed by Android apps, it is hard for a single tool to address all of them efficiently. Thus, in this work, we propose to boost static analysis of Android apps through code instrumentation, in which knotty code is reduced or simplified into equivalent but analyzable code. Consequently, existing static analyzers can be leveraged, without any modification, to perform extensive analysis that they originally could not.
Previously, we successfully applied instrumentation to two challenges of static analysis of Android apps: Inter-Component Communication (ICC) and Reflection. However, these two case studies were implemented separately and the implementations are not reusable, so functionality that could have been shared between them was reinvented and many resources were wasted. To this end, in this work, we aim to provide a generic and non-invasive approach for existing static analyzers, enabling them to perform broader analysis.
Research centre:
SnT
Disciplines:
Computer science
Author, co-author:
LI, Li ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors:
no
Document language:
English
Title:
Boosting Static Analysis of Android Apps through Code Instrumentation
Publication date:
May 2016
Event name:
The Doctoral Symposium of 38th International Conference on Software Engineering (ICSE-DS 2016)
Event date:
from 14-05-2016 to 22-05-2016
Event scope:
International
Main work title:
The Doctoral Symposium of 38th International Conference on Software Engineering (ICSE-DS 2016)