Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android

A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are granted more permissions than they actually need, which facilitates all kinds of malicious usage (e.g., through code injection). The analysis of permission-based framework requires a precise mapping between API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework. We then present an advanced class-hierarchy and field-sensitive set of analyses to extract this mapping. Those static analyses are capable of analyzing the Android framework. They use novel domain specific optimizations dedicated to Android.Comment: IEEE Transactions on Software Engineering (2014). arXiv admin note: substantial text overlap with arXiv:1206.582

Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android

A common security architecture, called the permission-based security model (used e.g. in Android and Blackberry), entails intrinsic risks. For instance, applications can be granted more permissions than they actually need, what we call a "permission gap". Malware can leverage the unused permissions for achieving their malicious goals, for instance using code injection. In this paper, we present an approach to detecting permission gaps using static analysis. Our prototype implementation in the context of Android shows that the static analysis must take into account a significant amount of platform-specific knowledge. Using our tool on two datasets of Android applications, we found out that a non negligible part of applications suffers from permission gaps, i.e. does not use all the permissions they declare

In-Vivo Bytecode Instrumentation for Improving Privacy on Android Smartphones in Uncertain Environments

In this paper we claim that an efficient and readily applicable means to improve privacy of Android applications is: 1) to perform runtime monitoring by instrumenting the application bytecode and 2) in-vivo, i.e. directly on the smartphone. We present a tool chain to do this and present experimental results showing that this tool chain can run on smartphones in a reasonable amount of time and with a realistic effort. Our findings also identify challenges to be addressed before running powerful runtime monitoring and instrumentations directly on smartphones. We implemented two use-cases leveraging the tool chain: BetterPermissions, a fine-grained user centric permission policy system and AdRemover an advertisement remover. Both prototypes improve the privacy of Android systems thanks to in-vivo bytecode instrumentation.Comment: ISBN: 978-2-87971-111-

Model Driven Mutation Applied to Adaptative Systems Testing

Dynamically Adaptive Systems modify their behav- ior and structure in response to changes in their surrounding environment and according to an adaptation logic. Critical sys- tems increasingly incorporate dynamic adaptation capabilities; examples include disaster relief and space exploration systems. In this paper, we focus on mutation testing of the adaptation logic. We propose a fault model for adaptation logics that classifies faults into environmental completeness and adaptation correct- ness. Since there are several adaptation logic languages relying on the same underlying concepts, the fault model is expressed independently from specific adaptation languages. Taking benefit from model-driven engineering technology, we express these common concepts in a metamodel and define the operational semantics of mutation operators at this level. Mutation is applied on model elements and model transformations are used to propagate these changes to a given adaptation policy in the chosen formalism. Preliminary results on an adaptive web server highlight the difficulty of killing mutants for adaptive systems, and thus the difficulty of generating efficient tests.Comment: IEEE International Conference on Software Testing, Verification and Validation, Mutation Analysis Workshop (Mutation 2011), Berlin : Allemagne (2011

You Cannot Fix What You Cannot Find! An Investigation of Fault Localization Bias in Benchmarking Automated Program Repair Systems

Properly benchmarking Automated Program Repair (APR) systems should contribute to the development and adoption of the research outputs by practitioners. To that end, the research community must ensure that it reaches significant milestones by reliably comparing state-of-the-art tools for a better understanding of their strengths and weaknesses. In this work, we identify and investigate a practical bias caused by the fault localization (FL) step in a repair pipeline. We propose to highlight the different fault localization configurations used in the literature, and their impact on APR systems when applied to the Defects4J benchmark. Then, we explore the performance variations that can be achieved by `tweaking' the FL step. Eventually, we expect to create a new momentum for (1) full disclosure of APR experimental procedures with respect to FL, (2) realistic expectations of repairing bugs in Defects4J, as well as (3) reliable performance comparison among the state-of-the-art APR systems, and against the baseline performance results of our thoroughly assessed kPAR repair tool. Our main findings include: (a) only a subset of Defects4J bugs can be currently localized by commonly-used FL techniques; (b) current practice of comparing state-of-the-art APR systems (i.e., counting the number of fixed bugs) is potentially misleading due to the bias of FL configurations; and (c) APR authors do not properly qualify their performance achievement with respect to the different tuning parameters implemented in APR systems.Comment: Accepted by ICST 201

L'analyse statistique de données appliquée à la surveillance multi-paramètres de versants instables

La difficulté à modéliser les mécanismes de rupture de mouvements de versants de grande ampleur limite fortement les capacités d'anticipation et d'alerte des dispositifs basés sur des critères de détection déterministes simples. De par la multiplicité et la complexité des phénomènes en jeu ces dispositifs sont de plus propices aux situations de fausses alarmes ou d'occurrence de l'aléa sans alarme. Pour s'affranchir de ces limites et faire face à la diversité et la complexité des situations d'aléas gravitaires rencontrées, des approches multi-paramètres d'observation et de surveillance sont mises en oeuvre. L'évolution technologique des capteurs, des systèmes d'alerte et de leurs protocoles d'acquisition permet aujourd'hui de collecter de manière synchronisée de nombreux types de données de mesure : mécaniques, hydrologiques, géodésiques, météorologiques, sismiques et micro-sismiques. L'enjeu des travaux actuels concerne l'exploitation automatique en routine des séries chronologiques ainsi collectées et notamment : (1) l'analyse de l'évolution dans le temps des différentes variables, (2) la détection des singularités dans ces séries, et (3) l'identification des interactions entre variables et des temps de transfert entre elles. In fine, ces travaux doivent permettre l'utilisation d'outils et méthodes d'analyse statistique éprouvés permettant d'établir des lois probabilistes d'occurrence de l'aléa redouté ou tout au moins une détection fiable des situations à risque. Dans cet article, il est proposé d'illustrer ce propos à l'aide des chroniques de données multi-paramètres collectées par l'INERIS sur le versant des Ruines de Séchilienne entre 2009 et 2013. Nous verrons que les processus d'analyse et d'exploitation ne sont pas immédiats et qu'ils requièrent des choix méthodologiques, ainsi qu'un recul sur les données de mesure, les incertitudes associées, la résolution des techniques instrumentales déployées qui peuvent combiner des variables quantitatives, qualitatives, ponctuelles, volumétriques, les scénarios attendus, ou encore sur la prise en compte des informations redondantes ou contradictoires

FixMiner: Mining Relevant Fix Patterns for Automated Program Repair

Patching is a common activity in software development. It is generally performed on a source code base to address bugs or add new functionalities. In this context, given the recurrence of bugs across projects, the associated similar patches can be leveraged to extract generic fix actions. While the literature includes various approaches leveraging similarity among patches to guide program repair, these approaches often do not yield fix patterns that are tractable and reusable as actionable input to APR systems. In this paper, we propose a systematic and automated approach to mining relevant and actionable fix patterns based on an iterative clustering strategy applied to atomic changes within patches. The goal of FixMiner is thus to infer separate and reusable fix patterns that can be leveraged in other patch generation systems. Our technique, FixMiner, leverages Rich Edit Script which is a specialized tree structure of the edit scripts that captures the AST-level context of the code changes. FixMiner uses different tree representations of Rich Edit Scripts for each round of clustering to identify similar changes. These are abstract syntax trees, edit actions trees, and code context trees. We have evaluated FixMiner on thousands of software patches collected from open source projects. Preliminary results show that we are able to mine accurate patterns, efficiently exploiting change information in Rich Edit Scripts. We further integrated the mined patterns to an automated program repair prototype, PARFixMiner, with which we are able to correctly fix 26 bugs of the Defects4J benchmark. Beyond this quantitative performance, we show that the mined fix patterns are sufficiently relevant to produce patches with a high probability of correctness: 81% of PARFixMiner's generated plausible patches are correct.Comment: 31 pages, 11 figure

Deformed vortices in (4+1)-dimensional Einstein-Yang-Mills theory

We study vortex-type solutions in a (4+1)-dimensional Einstein-Yang-Mills-SU(2) model. Assuming all fields to be independent on the extra coordinate, these solutions correspond in a four dimensional picture to axially symmetric multimonopoles, respectively monopole-antimonopole solutions. By boosting the five dimensional purely magnetic solutions we find new configurations which in four dimensions represents rotating regular nonabelian solutions with an additional electric charge.Comment: 11 pages, including 5 eps files; reference added, discussion extended; typos correcte