research-article
Public Access

Interactively verifying absence of explicit information flows in Android apps

Published: 23 October 2015

Abstract

App stores are increasingly the preferred mechanism for distributing software, including mobile apps (Google Play), desktop apps (Mac App Store and Ubuntu Software Center), computer games (the Steam Store), and browser extensions (Chrome Web Store). The centralized nature of these stores has important implications for security. While app stores have unprecedented ability to audit apps, users now trust hosted apps, making them more vulnerable to malware that evades detection and finds its way onto the app store. Sound static explicit information flow analysis has the potential to significantly aid human auditors, but it is handicapped by high false positive rates. Instead, auditors currently rely on a combination of dynamic analysis (which is unsound) and lightweight static analysis (which cannot identify information flows) to help detect malicious behaviors. We propose a process for producing apps certified to be free of malicious explicit information flows. In practice, imprecision in the reachability analysis is a major source of false positive information flows that are difficult to understand and discharge. In our approach, the developer provides tests that specify what code is reachable, allowing the static analysis to restrict its search to tested code. The app hosted on the store is instrumented to enforce the provided specification (i.e., executing untested code terminates the app). We use abductive inference to minimize the necessary instrumentation, and then interact with the developer to ensure that the instrumentation only cuts unreachable code. We demonstrate the effectiveness of our approach in verifying a corpus of 77 Android apps—our interactive verification process successfully discharges 11 out of the 12 false positives.
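To make the process concrete, here is an added example (not the paper's own tool or code) that models the core idea on a toy call graph: the flow search is restricted to methods the tests cover, flows that stay inside tested code are reported to the auditor as genuine, and a brute-force abductive search picks the smallest set of untested methods to guard so that every remaining flow is cut. The app, its method names, and the coverage set are constructed for illustration.

```python
from itertools import combinations

# Constructed call graph of a hypothetical app: each method maps to the methods
# it calls; tainted data can flow along these edges. Not taken from the paper.
CALL_GRAPH = {
    "onCreate": ["readContacts", "showDialog"],
    "readContacts": ["formatReport", "debugDump"],
    "formatReport": ["render", "sendHttp"],
    "debugDump": ["uploadLog"],
    "showDialog": [],
    "render": [],
    "uploadLog": ["sendHttp"],
    "sendHttp": [],
}
SOURCES = {"readContacts"}  # sensitive data enters the app here
SINKS = {"sendHttp"}        # data leaves the device here
# Methods exercised by the developer's tests (constructed coverage report).
TESTED = {"onCreate", "readContacts", "formatReport", "showDialog", "render", "sendHttp"}

def flows(graph, sources, sinks):
    """Enumerate every simple source->sink path in the call graph (reachability)."""
    paths = []
    def dfs(node, path):
        if node in sinks:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # avoid cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()
    for src in sources:
        dfs(src, [src])
    return paths

def minimal_instrumentation(graph, sources, sinks, tested):
    """Abductive step: return (genuine flows, guard set). Genuine flows run entirely
    through tested code and go to the auditor. The guard set is the smallest set of
    untested methods whose 'terminate the app' instrumentation cuts every other flow;
    the developer is then asked to confirm those methods are truly unreachable."""
    real, suspect = [], []
    for p in flows(graph, sources, sinks):
        (real if all(m in tested for m in p) else suspect).append(p)
    untested = sorted({m for p in suspect for m in p if m not in tested})
    for k in range(len(untested) + 1):          # smallest cut first
        for guard in combinations(untested, k):
            if all(any(m in guard for m in p) for p in suspect):
                return real, set(guard)
    return real, set(untested)
```

With this input the flow through `formatReport` is reported as genuine, while the flow through the untested `debugDump`/`uploadLog` branch is discharged by guarding `debugDump` alone.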



Published in

ACM SIGPLAN Notices, Volume 50, Issue 10 (OOPSLA '15), October 2015, 953 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2858965
Editor: Andy Gill

OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications
October 2015, 953 pages
ISBN: 9781450336895
DOI: 10.1145/2814270

Copyright © 2015 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

