Benz, Manuel (2016)
Interprocedural Graph-based Object Usage Model Generation for Detecting Anomalous Usage of Cryptographic APIs.
Technische Universität Darmstadt
Master's thesis, Bibliography
Abstract
Security of modern applications is oftentimes flawed due to incorrect usage of cryptographic APIs. Researchers have shown that such incorrect usages can automatically be identified using graph-based approaches to detect API usage anomalies. However, these approaches suffer from large amounts of false positives. We have conducted experiments that aim at detecting such API usage anomalies in Android applications utilizing the Java Cryptography Extension (JCE). After manual investigation, we were able to identify 70% of the detected anomalies as false positives caused by the intraprocedural nature of the graph model. This thesis proposes an approach for generating interprocedural graph models of library usage by inlining method calls on the graph level. For this purpose, an augmentation of the previous model that carries necessary information for the inlining process is presented. Furthermore, several heuristics which allow for fine-grained selection of methods that should be inlined are introduced and evaluated. Our experiments on 50 Android applications utilizing the JCE show that the interprocedural model yields a reduction of those false positives by up to 42.86% with an overall reduction of detected anomalies by 30.37%.
Entry type: | Master's thesis |
---|---|
Published: | 2016 |
Author(s): | Benz, Manuel |
Entry category: | Bibliography |
Title: | Interprocedural Graph-based Object Usage Model Generation for Detecting Anomalous Usage of Cryptographic APIs |
Language: | English |
Advisor(s): | Mezini, Prof. Dr. Mira |
Publication date: | 20 October 2016 |
Department(s)/field(s): | 20 Department of Computer Science; 20 Department of Computer Science > Software Engineering |
Date deposited: | 18 Apr 2017 08:42 |
Last modified: | 18 Apr 2017 08:42 |