16 research outputs found

    Do Android Taint Analysis Tools Keep Their Promises?

    In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations. We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive, although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.

    ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware

    Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.

    Practical Virtual Method Call Resolution for Java

    This paper addresses the problem of resolving virtual method and interface calls in Java. The main focus is on practical, flow-insensitive techniques that can be used to analyze large applications. We present a new flow-insensitive analysis called reaching-type analysis, which is used to estimate the set of types that reach the receiver of virtual method/interface calls. We present two variations of this analysis, variable-type analysis and a coarser-grain version called declared-type analysis. We also demonstrate how a points-to style analysis, called refers-to analysis, can be used to resolve the types of receivers. We have implemented our techniques using the Soot framework, and we report on empirical results for 9 Java benchmarks, including the 7 benchmarks from SPECjvm98. We have measured the success of the various analyses at building accurate call graphs, and we conclude that reaching-type analysis leads to call graphs with 17% to 44% fewer edges and 14% to 48% fewer nodes than the corresponding call graph built using a standard class hierarchy analysis.

    Reviser: efficiently updating IDE-/IFDS-based data-flow analyses in response to incremental program changes

    Most application code evolves incrementally, and especially so when being maintained after the applications have been deployed. Yet, most data-flow analyses do not take advantage of this fact. Instead, they require clients to recompute the entire analysis even if little code has changed, a time-consuming undertaking, especially with large libraries or when running static analyses often, e.g., on a continuous-integration server. In this work, we present Reviser, a novel approach for automatically and efficiently updating inter-procedural data-flow analysis results in response to incremental program changes. Reviser follows a clear-and-propagate philosophy, aiming at clearing and recomputing analysis information only where required, thereby greatly reducing the required computational effort. The Reviser algorithm is formulated as an extension to the IDE framework for Inter-procedural Finite Distributed Environment problems and automatically updates arbitrary IDE-based analyses. We have implemented Reviser as an open-source extension to the Heros IFDS/IDE solver and the Soot program-analysis framework. An evaluation of Reviser on various client analyses and target programs shows performance gains of up to 80% in comparison to a full recomputation. The experiments also show Reviser to compute the same results as a full recomputation on all instances tested.

    Practical Virtual Method Call Resolution for Java

    This paper addresses the problem of resolving virtual method and interface calls in Java bytecode. The main focus is on a new practical technique that can be used to analyze large applications. Our fundamental design goal was to develop a technique that can be solved with only one iteration, and thus scales linearly with the size of the program, while at the same time providing more accurate results than two popular existing linear techniques, class hierarchy analysis and rapid type analysis. We present two variations of our new technique, variable-type analysis and a coarser-grain version called declared-type analysis. Both of these analyses are inexpensive, easy to implement, and our experimental results show that they scale linearly in the size of the program. We have implemented our new analyses using the Soot framework, and we report on empirical results for seven benchmarks. We have used our techniques to build accurate call graphs for complete applications (including librarie..

    Transparent proxies for java futures

    A proxy object is a surrogate or placeholder that controls access to another target object. Proxies can be used to support distributed programming, lazy or parallel evaluation, access control, and other simple forms of behavioral reflection. However, wrapper proxies (like futures or suspensions for yet-to-be-computed results) can require significant code changes to be used in statically-typed languages, while proxies more generally can inadvertently violate assumptions of transparency, resulting in subtle bugs. To solve these problems, we have designed and implemented a simple framework for proxy programming that employs a static analysis based on qualifier inference, but with additional novelties. Code for using wrapper proxies is automatically introduced via a classfile-to-classfile transformation, and potential violations of transparency are signaled to the programmer. We have formalized our analysis and proven it sound. Our framework has a variety of applications, including support for asynchronous method calls returning futures. Experimental results demonstrate the benefits of our framework: programmers are relieved of managing and/or checking proxy usage, analysis times are reasonably fast, overheads introduced by added dynamic checks are negligible, and performance improvements can be significant. For example, changing two lines in a simple RMI-based peer-to-peer application and then using our framework resulted in a large performance gain.

    Jedd
