FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps

Eric | May 10, 2013

android-ss-1In our new technical report Highly Precise Taint Analysis for Android Applications we present our new tool FlowDroid which implements a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.

Furthermore, we also created an Android benchmark suite, DroidBench, as a testing ground for static and dynamic security tools.

This is joint work with Alexandre Bartel, Jacques Klein and Yves le Traon from the University of Luxembourg and with Damien Octeau and Patrick McDaniel from Penn State University.

Abstract:

Today’s smart phones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by malicious apps that exploit their given privileges to steal such sensitive data, or to track users without their consent or even the users noticing. Dynamic program analy- ses fail to discover such malicious activity because apps have learned to recognize the analyses as they execute.

In this work we present FlowDroid, a novel and highly precise taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to prop- erly handle callbacks, while context, flow, field and object- sensitivity allows the analysis to track taints with a degree of precision unheard of from previous Android analyses.

We also propose DroidBench, an open test suite for evaluating the effectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench and a set of well-known Android test applications, our approach finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, our approach achieves 93% recall and 86% precision, greatly outperforming the commercial tools AppScan Source and Fortify SCA. 

Where can I find more information?

More information is available here.

Go to Source

Comments
Comments Off on FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
Categories
Research

These are the Android Sources and Sinks Nobody was Looking at

Eric | May 10, 2013

android-ss-1Code analysis tools for taint tracking – statically, dynamically or hybrid – are only as good as the definition of sources and sinks. The tools check if there is a potential flow between a source and a sink and inform the analyst about their findings. We checked different code analysis tools in the area of Android and found out that all tools do only contain a hand-picked amount of sources and sinks. This gave us the motivation to create a novel tool for the fully automated generation of Android sources and sinks.

We wrote a technical report SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks that describes the details of our approach.

Abstract:

Today’s smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have proposed more and more sophisticated static and dynamic analysis tools as an aid to assess the behavior of such applications. Those tools, however, are only as good as the privacy policies they are configured with. Policies typically refer to a list of sources of sensitive data as well as sinks which might leak data to untrusted observers. Sources and sinks are a moving target: new versions of the mobile operating system regularly introduce new methods, and security tools need to be re- configured to take them into account.

In this work we show that, at least for the case of Android, the API comprises hundreds of sources and sinks. We propose SuSi, a novel and fully automated machine-learning approach for identifying sources and sinks directly from the Android source code. On our training set, SuSi achieves a recall and precision of more than 92%. To provide more fine-grained information, SuSi further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.), with an average precision and recall of about 89%. We also show that many current program analysis tools can be circumvented because they use hand-picked lists of source and sinks which are largely incomplete, hence allowing many potential data leaks to go unnoticed. 

Where can I find more information?

More information can be found here.

Is the tool available online?

Yes! The tool is open source tool and can be downloaded from GitHub and here.

Comments
Comments Off on These are the Android Sources and Sinks Nobody was Looking at
Categories
Research

Hello World!

Eric | April 11, 2013

We – the SSE-Group (Secure Software Engineering) at EC-SPRIDE Darmstadt – created a new blog that informs you about our current research.

Our research includes, but is not limited to, the following topics:

  • Android Security
  • Buffer Overflow Mitigation
  • Timing Channel Mitigation

If you are interested in using or extending our tools, or if you have any questions in general, do not hesitate to contact us!

Let the blogging begin!

Go to Source

Comments
Comments Off on Hello World!
Categories
Research

Two Google Research Awards for EC SPRIDE

Eric | March 19, 2013

Together with the group of Patrick McDaniel (Penn State) and Yves le Traon (University of Luxembourg), we have recently won a highly competitive Google Faculty Award to facilitate collaborative research on the Android infrastructure. The project “Plotting a Map of Android Inter-App Communication” is supported with 50,000 USD, but more importantly the award also gives us direct access to the related Google employees. Another award went to Prof. Michael Waidner for a collaborative project with Goethe Universität Frankfurt on “More Privacy in Online Social Networks”.

Google awards about 100 Google Faculty Awards twice a year to promote promising research projects in the field of computer science. For the current awards 600 entries have been submitted from 46 countries, 102 were successful.

Read more about the two funded projects here.

Comments
Comments Off on Two Google Research Awards for EC SPRIDE
Categories
Research

RefaFlex at CeBIT

Eric | March 4, 2013

Andreas Thies from Fenruni Hagen will be presenting our award-winning tool RefaFlex at this year’s CeBIT, at Hall 9 at  stand E08 of Fraunhofer SIT. RefaFlex is our novel tool for securing programs against unintentional program changes provoked by refactorings on reflective Java programs. In case you are visiting CeBIT, make sure to stop by!

Comments
Comments Off on RefaFlex at CeBIT
Categories
Research

PPPJ 2013 – Call for Papers

Eric | March 1, 2013

2013 International Conference on Principles and Practices of Programming on the Java platform

The Java platform is multi-faceted, covering a rich diversity of systems, languages, tools, frameworks, and techniques. PPPJ’13 – the 10th conference in the PPPJ series – provides a forum for researchers, practitioners, and educators to present and discuss novel results on all aspects of programming on the Java platform including virtual machines, languages, tools, methods, frameworks, libraries, case studies, and experience reports. Read the rest of this entry »

Comments
Comments Off on PPPJ 2013 – Call for Papers
Categories
Research

2nd ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2013)

Eric | March 1, 2013

Co-located with PLDI, at Seattle, submit by April 4th

For more than a decade, the Soot analysis framework has enabled hundreds of users to carry out research in static analysis of Java applications. To help bring together the community, the Soot community organized a first International Workshop on the State Of the Art in JavaProgram Analysis (SOAP) in 2012. As expected, discussions and presentations at this workshop helped catalyze future development of the Soot framework, spurring discussions and collaborations between different groups using Soot and other compiler frameworks. SOAP’13 will continue that positive experience. Although the focus of SOAP will be on the Soot framework, we warmly welcome influences and inspirations from other compilers and analysis frameworks. We are particularly interested in exciting framework ideas and innovative design approaches. The agenda for SOAP will also include discussions and work on integrating external contributions into the main Soot framework, as well as explorations of potential future extensions to Soot. Find out more here.

Important dates

Paper submissions: April 3rd, 2013
Notification of authors: May 4th, 2013
Submission of camera-ready copies: May 18th, 2013
Workshop date: June 20th, 2013

Comments
Comments Off on 2nd ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2013)
Categories
Research

Analyzing Software Product Lines in Minutes instead of Years (updated)

Eric | February 18, 2013

SPLlift

In our new publication SPLLIFT — Statically Analyzing Software Product Lines in Minutes Instead of Years (to appear at PLDI’13) we show how to efficiently conduct inter-procedural, flow-sensitive, context-sensitive data-flow analysis for software product lines. Previously, such analyses would have taken years, due to the many software configurations a product line encodes. Our approach SPLlift processes the entire product line at once, and typically within minutes, without any loss of precision. It works for any IFDS-based data-flow analysis. SPLlift is available as an open-source extension to our IFDS/IDE solver Heros. To access our benchmark data, click here. This is joint work with Mira Mezini, Claus Brabrand, Társis Tolêdo, Márcio Ribeiro and Paulo Borba. Read the rest of this entry »

Comments
Comments Off on Analyzing Software Product Lines in Minutes instead of Years (updated)
Categories
Research

AOSD 2013 – Early registration ends February 24th

Eric | February 18, 2013

Early-registration rates for AOSD 2013 are only available for six more days, so register now to benefit from the discount.

Comments
Comments Off on AOSD 2013 – Early registration ends February 24th
Categories
Research

Java and flash as a gateway for hackers

Eric | February 14, 2013

My colleague Ben Hermann gave an interview today on recent attacks on the Java and Flash platforms, what those attacks mean for end users and how such users can protect themselves. Ben is a member of Mira Mezini’s Software Technology Group which is closely collaborating with my own research group to develop automated software analysis tools that will in the near future allow software developers to identify possible security vulnerabilities upfront.

Comments
Comments Off on Java and flash as a gateway for hackers
Categories
Research