In Fall/Winter 2013 we will be offering a new lecture on automated code analyses for large software systems. We will be discussing the most important algorithms to solve static code analysis problems efficiently and precisely, and will be presenting novel extensions of these algorithms that we have recently developed to address important real-world analysis problems like automatically detecting vulnerabilities in the Java Runtime Library (e.g. CVE_2012_4681).

This is an integrated lecture with 2 SWS and 4 CP. The lecture will take place Thursdays on 9:50-11:30 in room 3.1.01 at CASED and will comprise about 1h of lecture and 30 minutes of discussion of the weekly “homework” exercises. Exercises will consist of practical programming exercises to be solved in small teams. Over the course of the lecture, students are expected to solve through these exercises practical program-analysis problems using different techniques, exploring their tradeoffs during this process.

Preliminary outline:

The good old monotone framework:

• Intra-procedural dataflow analyses*
• Off-the-shelve call-graph and pointer analyses
• Inter-procedural dataflow analyses

Efficient Tabulation-based solvers:

• IFDS and IDE
• Weighted pushdown systems
• More expressive frameworks

Dealing with pointers and aliasing:

• Problem of context reification
• Integration of demand-driven pointer analyses

Scalability through summaries:

• Summarizing analysis information for frameworks and libraries
• Modeling pointers through alloc sites vs. access paths

Current and “eternal” limitations:

• Practical limitations to current client analyses
• Reflection, dynamic loading, eval

*) by the term “dataflow analyses” we here refer to general static code analyses, not just analyses related to information-flow

Reading Material:

• Thomas Reps, Susan Horwitz, and Mooly Sagiv. 1995. Precise interprocedural dataflow analysis via graph reachability. POPL ’95
• Shmuel Sagiv, Thomas W. Reps, and Susan Horwitz. 1995. Precise Interprocedural Dataflow Analysis with Applications to Constant Propagation. TAPSOFT ’95
• Akash Lal, Thomas Reps, and Gogul Balakrishnan. 2005. Extended weighted pushdown systems. CAV 2005
• Nomair A. Naeem, Ondřej Lhoták, and Jonathan Rodriguez. 2010. Practical extensions to the IFDS algorithm. CC 2010
• Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. 2011. Pick your contexts well: understanding object-sensitivity. POPL 2011
• Eric Bodden. 2012. Inter-procedural data-flow analysis with IFDS/IDE and Soot. SOAP 2012
• Rohan Padhye, Uday P. Khedker. Interprocedural Data Flow Analysis in Soot using Value Contexts. SOAP 2013

Cross-posted from SEEBlog

Christian Fritz has just submitted his Master Thesis on FlowDroid. It gives many additional details not mentioned in our earlier Tech Report. You can check it out here:

FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.

Cross-posted from SEEBlog

Stephan Huber (Fraunhofer SIT Darmstadt) and Siegfried Rasthofer (TU Darmstadt) discovered a security vulnerability in versions 2.0.0 – 2.0.5 of the security tool AppGuard Pro. A few weeks ago, we informed the vendor Backes SRT who has now fixed the vulnerability in the latest release. The vulnerability gives malicious apps full control of all settings in the AppGuard Pro application. The vulnerability not only allows such apps to bypass any and all of the tool’s security measures, on top of that the malicious apps can even misuse AppGuard Pro to convince the user into perceiving the malicious app as harmless. Users should download the update as soon as possible. Read the rest of this entry »

DroidBench 1.1 is released with new challenges:

• HashMapAccess1
• Button3
• LocationLeak3
• MultiHandlers1
• Ordering1
• RegisterGlobal1
• Unregister1
• Exceptions1
• Exceptions2
• Exceptions3
• Exceptions4
• ApplicationLifecycle1
• ApplicationLifecycle2
• ApplicationLifecycle3
• PrivateDataLeak3
• Library1
• Library2
• Obfuscation1
• Reflection1
• Reflection2
• Reflection3
• Reflection4

The README contains additional information. Currently, there are 61 challenges in DroidBench and you  are most welcome to contribute additional test cases to DroidBench. To do so, please fork the project, commit an appropriate Eclipse source project and APK, update the README.md and then send us a pull request. Thanks!

Cross-posted from SEEBlog

This month, the Fraunhofer Gesellschaft has approved my grant proposal within the Fraunhofer Attract program. The grant »Fraunhofer Attract« offers outstanding external scientists the opportunity to develop their ideas towards an actual application within an optimally equipped Fraunhofer institute operating close to the market. Goal of our project is to develop innovative code analysis tools to aid the engineering of more secure software products in the large. The grant totals to about 2.5 Million Euro, which will allow us to finance a number of new PhD students and/or postdocs for initially five years. The positions will be announced soon.

Today Mira Mezini is presenting our new analysis approach SPLlift at PLDI, which allows the inter-procedural analysis of product lines in minutes instead of years.

Am heutigen Donnerstag veröffentlichen die vom BMBF geförderten drei Kompetenzzentren für IT-Sicherheit CISPA, Kastel und EC SPRIDE den Trend- und Strategiebericht Entwicklung sicherer Software durch Security by Design. Der Bericht vertritt die These, dass die Entwicklung und Integration sicherer Software nach dem Prinzip Security by Design ausgestaltet werden muss und benennt entsprechende Herausforderungen für eine praxisorientierte Forschungsagenda.

The Android logging mechanism is used by many Android applications. Even the Android framework uses this mechanism for outputting debug information. But does this logging mechanism also include private information? This article gives a short overview of the privacy-sensitive information that could be gathered from the Android logging mechanism. It also describes Google’s countermeasure of accessing the “log file” since Android 4.1 and what kind of possibilities an attacker still has. Read the rest of this entry »

The deadline for the International Conference on Runtime Verification has been postponed to May 28th. This is your chance to submit another paper to RV!