TU Darmstadt / ULB / TUbiblio

StubDroid: automatic inference of precise data-flow summaries for the android framework

Arzt, Steven and Bodden, Eric (2016):
StubDroid: automatic inference of precise data-flow summaries for the android framework.
In: ICSE '16 Proceedings of the 38th International Conference on Software Engineering, ACM, ISBN 978-1-4503-3900-1,
DOI: 10.1145/2884781.2884816,
[Conference or Workshop Item]

Abstract

Smartphone users suffer from insufficient information on how commercial as well as malicious apps handle sensitive data stored on their phones. Automated taint analyses address this problem by allowing users to detect and investigate how applications access and handle this data. A current problem with virtually all those analysis approaches is, though, that they rely on explicit models of the Android runtime library. In most cases, the existence of those models is taken for granted, despite the fact that the models are hard to come by: Given the size and evolution speed of a modern smartphone operating system it is prohibitively expensive to derive models manually from code or documentation. In this work, we therefore present StubDroid, the first fully automated approach for inferring precise and efficient library models for taint-analysis problems. StubDroid automatically constructs these summaries from a binary distribution of the library. In our experiments, we use StubDroid-inferred models to prevent the static taint analysis FlowDroid from having to re-analyze the Android runtime library over and over again for each analyzed app. As the results show, the models make it possible to analyze apps in seconds whereas most complete re-analyses would time out after 30 minutes. Yet, StubDroid yields comparable precision. In comparison to manually crafted summaries, StubDroid’s cause the analysis to be more precise and to use less time and memory.

Item Type: Conference or Workshop Item
Erschienen: 2016
Creators: Arzt, Steven and Bodden, Eric
Title: StubDroid: automatic inference of precise data-flow summaries for the android framework
Language: German
Abstract:

Smartphone users suffer from insufficient information on how commercial as well as malicious apps handle sensitive data stored on their phones. Automated taint analyses address this problem by allowing users to detect and investigate how applications access and handle this data. A current problem with virtually all those analysis approaches is, though, that they rely on explicit models of the Android runtime library. In most cases, the existence of those models is taken for granted, despite the fact that the models are hard to come by: Given the size and evolution speed of a modern smartphone operating system it is prohibitively expensive to derive models manually from code or documentation. In this work, we therefore present StubDroid, the first fully automated approach for inferring precise and efficient library models for taint-analysis problems. StubDroid automatically constructs these summaries from a binary distribution of the library. In our experiments, we use StubDroid-inferred models to prevent the static taint analysis FlowDroid from having to re-analyze the Android runtime library over and over again for each analyzed app. As the results show, the models make it possible to analyze apps in seconds whereas most complete re-analyses would time out after 30 minutes. Yet, StubDroid yields comparable precision. In comparison to manually crafted summaries, StubDroid’s cause the analysis to be more precise and to use less time and memory.

Title of Book: ICSE '16 Proceedings of the 38th International Conference on Software Engineering
Number: 38
Publisher: ACM
ISBN: 978-1-4503-3900-1
Uncontrolled Keywords: Static analysis, summary, library, framework model, model inference
Divisions: Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Date Deposited: 10 Aug 2017 15:29
DOI: 10.1145/2884781.2884816
Identification Number: TUD-CS-2016-14760
Export:

Optionen (nur für Redakteure)

View Item View Item