
StubDroid: automatic inference of precise data-flow summaries for the android framework

Arzt, Steven ; Bodden, Eric (2016)
StubDroid: automatic inference of precise data-flow summaries for the android framework.
doi: 10.1145/2884781.2884816
Conference publication, Bibliography

Abstract

Smartphone users suffer from insufficient information on how commercial as well as malicious apps handle sensitive data stored on their phones. Automated taint analyses address this problem by allowing users to detect and investigate how applications access and handle this data. A current problem with virtually all of those analysis approaches, though, is that they rely on explicit models of the Android runtime library. In most cases, the existence of those models is taken for granted, despite the fact that the models are hard to come by: given the size and evolution speed of a modern smartphone operating system, it is prohibitively expensive to derive models manually from code or documentation. In this work, we therefore present StubDroid, the first fully automated approach for inferring precise and efficient library models for taint-analysis problems. StubDroid automatically constructs these summaries from a binary distribution of the library. In our experiments, we use StubDroid-inferred models to prevent the static taint analysis FlowDroid from having to re-analyze the Android runtime library over and over again for each analyzed app. As the results show, the models make it possible to analyze apps in seconds, whereas most complete re-analyses would time out after 30 minutes. Yet StubDroid yields comparable precision. In comparison to manually crafted summaries, StubDroid’s summaries cause the analysis to be more precise and to use less time and memory.

Entry type: Conference publication
Published: 2016
Author(s): Arzt, Steven ; Bodden, Eric
Kind of entry: Bibliography
Title: StubDroid: automatic inference of precise data-flow summaries for the android framework
Language: German
Publication year: May 2016
Publisher: ACM
(Issue) number: 38
Book title: ICSE '16 Proceedings of the 38th International Conference on Software Engineering
DOI: 10.1145/2884781.2884816

Free keywords: Static analysis, summary, library, framework model, model inference
ID number: TUD-CS-2016-14760
Department(s)/field(s): Profile areas > Cybersecurity (CYSEC)
Deposit date: 10 Aug 2017 15:29
Last change: 22 Jan 2019 11:17