Abstract
App stores are increasingly the preferred mechanism for distributing software, including mobile apps (Google Play), desktop apps (Mac App Store and Ubuntu Software Center), computer games (the Steam Store), and browser extensions (Chrome Web Store). The centralized nature of these stores has important implications for security. While app stores have unprecedented ability to audit apps, users now trust hosted apps, making them more vulnerable to malware that evades detection and finds its way onto the app store. Sound static explicit information flow analysis has the potential to significantly aid human auditors, but it is handicapped by high false positive rates. Instead, auditors currently rely on a combination of dynamic analysis (which is unsound) and lightweight static analysis (which cannot identify information flows) to help detect malicious behaviors. We propose a process for producing apps certified to be free of malicious explicit information flows. In practice, imprecision in the reachability analysis is a major source of false positive information flows that are difficult to understand and discharge. In our approach, the developer provides tests that specify what code is reachable, allowing the static analysis to restrict its search to tested code. The app hosted on the store is instrumented to enforce the provided specification (i.e., executing untested code terminates the app). We use abductive inference to minimize the necessary instrumentation, and then interact with the developer to ensure that the instrumentation only cuts unreachable code. We demonstrate the effectiveness of our approach in verifying a corpus of 77 Android apps—our interactive verification process successfully discharges 11 out of the 12 false positives.
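The abstract describes three steps: restrict the static explicit-flow search to the code the developer's tests cover, instrument the hosted app so that entering untested code terminates it, and keep that instrumentation minimal so it only cuts code needed to discharge false-positive flows. The following is an added illustration of that pipeline on a toy explicit-flow graph; it is not the paper's tool and uses a brute-force search in place of abductive inference. The method names, the flow edges, and the coverage set are constructed for the example.

```python
"""Reachability-restricted explicit-flow check with a minimal instrumentation
cut. Added illustration of the idea in the abstract; not the paper's tool."""
from collections import deque
from itertools import combinations

# Constructed explicit-flow graph for a toy app: an edge a -> b means data
# returned by method a flows into method b (hypothetical method names).
FLOW_GRAPH = {
    "getContacts":    ["formatList", "legacySync"],
    "formatList":     ["showList"],
    "showList":       [],
    "getDeviceId":    ["buildAdRequest", "debugUpload"],
    "buildAdRequest": ["sendHttp"],
    "legacySync":     ["sendHttp"],   # dead code behind a retired feature flag
    "debugUpload":    ["sendHttp"],   # dead code: only runs in debug builds
    "sendHttp":       [],
}
SOURCES = {"getContacts", "getDeviceId"}   # private data
SINKS = {"sendHttp"}                       # data leaves the device
# Methods covered by the developer-supplied tests (constructed coverage set).
TESTED = {"getContacts", "formatList", "showList",
          "getDeviceId", "buildAdRequest", "sendHttp"}


def all_nodes(graph):
    return set(graph) | {m for callees in graph.values() for m in callees}


def reachable(graph, start, allowed):
    """Nodes reachable from `start` along edges that stay inside `allowed`."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in graph.get(n, []):
            if m in allowed and m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def find_flows(graph, sources, sinks, allowed):
    """(source, sink) pairs joined by a flow path lying entirely in `allowed`."""
    return {(s, t) for s in sources if s in allowed
            for t in reachable(graph, s, allowed) if t in sinks}


def minimal_cut(graph, sources, sinks, tested):
    """Smallest set of untested methods to instrument (abort on entry) so that
    the only remaining flows are those already present in tested code.
    Brute-force search standing in for the paper's abductive inference."""
    untested = all_nodes(graph) - tested
    true_flows = find_flows(graph, sources, sinks, tested)
    for k in range(len(untested) + 1):
        for cut in combinations(sorted(untested), k):
            allowed = all_nodes(graph) - set(cut)
            if find_flows(graph, sources, sinks, allowed) == true_flows:
                return set(cut)
    return untested   # not reached: cutting all untested code always suffices


def run_with_guard(trace, cut):
    """Simulate the instrumented app on a method trace: return the first
    instrumented method entered (where the app would terminate), else None."""
    for method in trace:
        if method in cut:
            return method
    return None


if __name__ == "__main__":
    nodes = all_nodes(FLOW_GRAPH)
    print("flows in full graph:  ", sorted(find_flows(FLOW_GRAPH, SOURCES, SINKS, nodes)))
    print("flows in tested code: ", sorted(find_flows(FLOW_GRAPH, SOURCES, SINKS, TESTED)))
    cut = minimal_cut(FLOW_GRAPH, SOURCES, SINKS, TESTED)
    print("methods to instrument:", sorted(cut))
    print("guard fires on:", run_with_guard(["getContacts", "legacySync", "sendHttp"], cut))
```

On this input the unrestricted analysis reports two flows, but only the device-id-to-ad-server flow lies in tested code and is reported to the auditor; the contacts flow runs through the untested `legacySync` and is discharged by instrumenting that one method. `debugUpload` is also untested but is left alone, because cutting it would not change the set of reported flows. The developer then confirms that `legacySync` is indeed unreachable; if a real run ever entered it, the guard would terminate the app rather than let the unverified flow execute.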
Interactively verifying absence of explicit information flows in Android apps
OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications