Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.3785/j.issn.1008-973X.2015.06.005

2015-01-01

Abstract:A points-to analysis approach was proposed to generate partial call graphs of application part without analyzing the method bodies of libraries. A set of rules was bulit to model the interaction between application and libraries in order to infer the pointer information libraries. The approach was implemented based on the Soot program analysis framework. The performance, completeness and precision of generated call graphs were evaluated on 14 Java benchmarks. The experimental results showed that the proposed approach was faster than Averroes and Spark call graph construction approaches by a factor of 4.9 xand13. 7xrespectively. Meanwhile, the proposed approach can construct complete and precise partial call graphs.

Lei Xue,Chenxiong Qian,Hao Zhou,Xiapu Luo,Yajin Zhou,Yuru Shao,Alvin T. S. Chan

DOI: https://doi.org/10.1109/tifs.2018.2866347

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:For performance and compatibility reasons, developers tend to use native code in their applications (or simply apps). This makes a bidirectional data flow through multiple contexts, i.e., the Java context and the native context, in Android apps. Unfortunately, this interaction brings serious challenges to existing dynamic analysis systems, which fail to capture the data flow across different contexts. In this paper, we first performed a large-scale study on apps using native code and reported some observations. Then, we identified several scenarios where data flow cannot be tracked by existing systems, leading to uncaught information leakage. Based on these insights, we designed and implemented NDroid, an efficient dynamic taint analysis system that could track the data flow between both Java context and native context. The evaluation of real apps demonstrated the effectiveness of NDroid in identifying information leakage with reasonable performance overhead.

Danilo Dominguez Perez,Wei Le

DOI: https://doi.org/10.48550/arXiv.1703.08902

2017-03-30

Abstract:One of the challenges of analyzing, testing and debugging Android apps is that the potential execution orders of callbacks are missing from the apps' source code. However, bugs, vulnerabilities and refactoring transformations have been found to be related to callback sequences. Existing work on control flow analysis of Android apps have mainly focused on analyzing GUI events. GUI events, although being a key part of determining control flow of Android apps, do not offer a complete picture. Our observation is that orthogonal to GUI events, the Android API calls also play an important role in determining the order of callbacks. In the past, such control flow information has been modeled manually. This paper presents a complementary solution of constructing program paths for Android apps. We proposed a specification technique, called Predicate Callback Summary (PCS), that represents the callback control flow information (including callback sequences as well as the conditions under which the callbacks are invoked) in Android API methods and developed static analysis techniques to automatically compute and apply such summaries to construct apps' callback sequences. Our experiments show that by applying PCSs, we are able to construct Android apps' control flow graphs, including inter-callback relations, and also to detect infeasible paths involving multiple callbacks. Such control flow information can help program analysis and testing tools to report more precise results. Our detailed experimental data is available at: <a class="link-external link-http" href="http://goo.gl/NBPrKs" rel="external noopener nofollow">this http URL</a>

Software Engineering

Jikai Wang,Haoyu Wang

DOI: https://doi.org/10.1145/3650212.3680335

2024-01-01

Abstract:With the prosperity of Android app research in the last decade, many static analysis techniques have been proposed. They generally aim to tackle DEX bytecode in Android apps. Beyond DEX bytecode, native code (usually written in C/C++) is prevalent in modern Android apps, whose analysis is usually overlooked by most existing analysis frameworks. Although a few recent works attempted to handle native code, they suffer from scalability and accuracy issues. In this paper, we propose NativeSummary, a novel inter-language static analysis framework for Android apps with high accuracy, scalability, and compatibility. Our key idea is to extract semantic summary of the native binary code, then convert common usage patterns of JNI interface functions into Java bytecode operations, and additionally transform native library function calls to bytecode calls. Along with this effort, we can empower the legacy Java static frameworks with the ability of inter-language data flow analysis without tampering their inherent logic. Extensive evaluation suggests that NativeSummary outperforms SOTA techniques in terms of accuracy, scalability and compatibility. NativeSummary sheds light on the promising direction of inter-language analysis, and thousands of existing app analysis works can be boosted atop NativeSummary with almost no effort.

Shashin Halalingaiah,Vijay Sundaresan,Daryl Maier,V. Krishna Nandivada

DOI: https://doi.org/10.1145/3689803

2024-09-03

Abstract:Data-flow analyses like points-to analysis can vastly improve the precision of other analyses, and help perform powerful code optimizations. However, whole-program points-to analysis of large programs tend to be expensive - both in terms of time and memory. Consequently, many compilers (both static and JIT) and program-analysis tools tend to employ faster - but more conservative - points-to analysis to improve usability. As an alternative to such trading of precision for performance, various techniques have been proposed to perform precise yet expensive fixed-point points-to analyses ahead of time in a static analyzer, store the results, and then transmit them to independent compilation/program-analysis stages that may need them. However, an underlying concern of safety affects all such techniques - can a compiler (or program analysis tool) trust the points-to analysis results generated by another compiler/tool? In this work, we address this issue of trust, while keeping the issues of performance efficiency in mind. We propose ART: Analysis-results Representation Template - a novel scheme to efficiently and concisely encode results of flow-sensitive, context-insensitive points-to analysis computed by a static analyzer for use in any independent system that may benefit from such a highly precise points-to analysis. Our scheme has two components: (i) a producer that can statically perform expensive points-to analysis and encode the same concisely. (ii) a consumer that, on receiving such encoded results, can regenerate the points-to analysis results encoded by the artwork if it is deemed safe. We demonstrate the usage of ART by implementing a producer (in Soot) and two consumers (in Soot and the Eclipse OpenJ9 JIT compiler). We evaluate our implementation over various benchmarks from the DaCapo and SPECjvm2008 suites.

Programming Languages

LI Qian,TANG En-Yi,DAI Xue-Feng,WANG Lin-Zhang,ZHAO Jian-Hua

DOI: https://doi.org/10.3724/sp.j.1001.2011.04025

2011-01-01

Journal of Software

Abstract:Points-to analysis mainly aims to attain the runtime points-to sets of program variables.This paper describes the design and implementation of an efficient Andersen-style,context-sensitive points-to analysis for Java code.The implementation supports language features such as inheritance,polymorphism,and field objects.The study tracks the fields of individual objects separately and makes the algorithm in field-sensitive style for aggregate objects.To improve the efficiency and scalability of the algorithm,this study employs two kinds of optimizations,nodes topology construction with concomitance on-line cycle detection and cycle elimination.Experiment results show that this algorithm can be used to compute precise points-to sets for large-scale Java programs.

Yongfeng Li,Jinbin Ouyang,Shanqing Guo,Bing Mao

DOI: https://doi.org/10.1007/978-3-319-59608-2_35

2017-01-01

ICST Transactions on Security and Safety

Abstract:Smartphones carry a large quantity of sensitive information to satisfy people’s various requirements, but the way of using information is important to keep the security of users’ privacy. There are two kinds of misuses of sensitive information for apps. On the one hand, careless programmers may leak the data by accident. On the other hand, the attackers develop malware to collect sensitive data intentionally. Many researchers apply data flow analysis to detect data leakages of an app. However, data flow analysis on Android platform is quite different from the programs on desktop. Many researchers have solved some problems of data flow analysis on Android platform, like Activity lifecycle, callback methods, inter-component communication. We find that Fragment’s lifecycle also has an effect on the data flow analysis of Android apps. Some data will be leaked if we don’t take Fragment’s lifecycle into consideration when performing data flow analysis in Android apps. So in this paper, we propose an approach to model Fragment’s lifecycle and its relationship with Activity’s lifecycle, then introduce a tool called FragDroid based on FlowDroid [7]. We conduct some experiments to evaluate the effectiveness of our tool and the results show that there are 8% of apps in our data set using Fragment. In particular, for popular apps, the result is 50.8%. We also evaluate the performance of using FragDroid to analyze Android apps, the result shows the average overhead is 17%.

Zhiyuan Wan,Bo Zhou,Ye Wang,Yuanhong Shen

2014-01-01

Abstract:Many static analysis tools provide whole-program analysis to generate call graphs. However, the whole-program analysis suffers from scalability issue. The increasing size of the libraries exacerbates the issue. For many Web applications, the libraries (e.g. Servlet containers) are even not available for whole-program analysis. We present HyPta, a points-to analysis approach, to construct partial call graphs for Java programs. HyPta extends the standard points-to analysis by establishing a hybrid heap model. Since our approach does not analyze the method bodies of the library classes, the heap model distinguishes between the abstract memory locations in the application and those in the library. HyPta infers the pointer information in the library from the interactions between the application and the library. We implement HyPta based on Spark framework and evaluate it on 14 widely cited Java benchmarks. The evaluation shows that HyPta is faster than Averroes and Spark by a factor of 4.9x and 13.7x, respectively. Meanwhile, it constructs sound and precise partial call graphs.

Dongming Xiang,Shuai Lin,Ke Huang,Zuohua Ding,Guanjun Liu,Xiaofeng Li

DOI: https://doi.org/10.1016/j.cose.2024.104162

IF: 5.105

2024-10-21

Computers & Security

Abstract:Static taint analysis is a widely used method to identify vulnerabilities in Android applications. However, the existing tools for static analysis often struggle with processing times, particularly when dealing with complex real-world programs. To reduce time consumption, some tools choose to sacrifice analytical precision, e.g., FastDroid sets an upper limit for analysis iterations in Android applications. In this paper, we propose a labeled taint value graph (LTVG) to store taint flows, and implement a fine-grained analysis tool called LabeledDroid . This graph is constructed based on the taint value graph (TVG) of FastDroid, and takes into account both precision and time consumption. That is, we decompile an Android app into Jimple statements, develop fine-grained propagation rules to handle List , and construct LTVGs according to these rules. Afterwards, we traverse LTVGs to obtain high-precision taint flows. An analysis of 39 apps from the TaintBench benchmark shows that LabeledDroid is 0.87 s faster than FastDroid on average. Furthermore, if some common accuracy parameters are adapted in both LabeledDroid and FastDroid, the experiment demonstrates that the former is more scalable. Moreover, the maximum analysis time of LabeledDroid is less than 200 s and its average time is 46.25 s, while FastDroid sometimes experiences timeouts with durations longer than 600 s. Additionally, LabeledDroid achieves a precision of 70% in handling lists, while FastDroid and TaintSA achieve precisions of 38.9% and 41.2%, respectively.

computer science, information systems

Yuchen Xing,Hanfei Wang,Jianhua Zhao

DOI: https://doi.org/10.1007/978-3-642-35795-4_58

2013-01-01

Abstract:This paper describes a tool which integrates three different kinds of data flow analysis techniques: null pointer dereference analysis, integer variables differences analysis and single linked list analysis. Each one of them can share and exchange program information with the other two. And also users can add properties manually to enhance the processing capabilities. Through the demonstration in the case study section, we can see that our tool achieves the goal to connect these three analysis techniques and can explore more insightful program information with the artificial help. © Springer-Verlag Berlin Heidelberg 2013.

Cong Sun,Yuwan Ma,Dongrui Zeng,Gang Tan,Siqi Ma,Yafei Wu

DOI: https://doi.org/10.48550/arXiv.2112.06702

2022-02-28

Abstract:The existence of native code in Android apps plays an important role in triggering inconspicuous propagation of secrets and circumventing malware detection. However, the state-of-the-art information-flow analysis tools for Android apps all have limited capabilities of analyzing native code. Due to the complexity of binary-level static analysis, most static analyzers choose to build conservative models for a selected portion of native code. Though the recent inter-language analysis improves the capability of tracking information flow in native code, it is still far from attaining similar effectiveness of the state-of-the-art information-flow analyzers that focus on non-native Java methods. To overcome the above constraints, we propose a new analysis framework, $\mu$Dep, to detect sensitive information flows of the Android apps containing native code. In this framework, we combine a control-flow based static binary analysis with a mutation-based dynamic analysis to model the tainting behaviors of native code in the apps. Based on the result of the analyses, $\mu$Dep conducts a stub generation for the related native functions to facilitate the state-of-the-art analyzer DroidSafe with fine-grained tainting behavior summaries of native code. The experimental results show that our framework is competitive on the accuracy, and effective in analyzing the information flows in real-world apps and malware compared with the state-of-the-art inter-language static analysis.

Cryptography and Security

Li Qian,Zhao Jianhua,Li Xuandong

DOI: https://doi.org/10.1007/978-3-642-16558-0_46

2010-01-01

Abstract:This paper presents an efficient context-sensitive, field-based Andersen-style points-to analysis algorithm for Java programs. This algorithm first summarizes methods of the program under analysis using directed graphs. Then it performs local circle elimination on these summary graphs to reduce their sizes. The main analysis algorithm uses these graphs to construct the main points-to graph. Topological sort and cycle-elimination is performed on the nodes of both main points-to graphs and summary graphs to speed up the transitive closure computation on the main points-to graph. A suite of Java program benchmarks are used to demonstrate the efficiency of our algorithm.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Lei Shang,Yi Lu,Jingling Xue

DOI: https://doi.org/10.1145/2351676.2351720

2012-01-01

Abstract:We describe our preliminary experience in the design and implementation of a points-to analysis for Java, called EMU, that enables developers to perform pointer-related queries in programs undergoing constant changes in IDEs. EMU achieves fast response times by adopting a modular approach to incrementally updating method summaries upon small code changes: the points-to information in a method is summarised indirectly by CFL reachability rather than directly by points-to sets. Thus, the impact of a small code change made in a method is localised, requiring only its affected part to be re-summarised just to reflect the change. EMU achieves precision by being context-sensitive (for both method invocation and heap abstraction) and field-sensitive. Our evaluation shows that EMU can be promisingly deployed in IDEs where the changes are small.

Mingshen Sun,Tao Wei,John C. S. Lui

DOI: https://doi.org/10.1145/2976749.2978343

2016-01-01

Abstract:ABSTRACTMobile operating systems like Android failed to provide sufficient protection on personal data, and privacy leakage becomes a major concern. To understand the security risks and privacy leakage, analysts have to carry out data-flow analysis. In 2014, Android upgraded with a fundamentally new design known as Android RunTime (ART) environment in Android 5.0. ART adopts ahead-of-time compilation strategy and replaces previous virtual-machine-based Dalvik. Unfortunately, many data-flow analysis systems like TaintDroid were designed for the legacy Dalvik environment. This makes data-flow analysis of new apps and malware infeasible. We design a multi-level information-flow tracking system for the new Android system called TaintART. TaintART employs a multi-level taint analysis technique to minimize the taint tag storage. Therefore, taint tags can be stored in processor registers to provide efficient taint propagation operations. We also customize the ART compiler to maximize performance gains of the ahead-of-time compilation optimizations. Based on the general design of TaintART, we also implement a multi-level privacy enforcement to prevent sensitive data leakage. We demonstrate that TaintART only incurs less than 15% overheads on a CPU-bound microbenchmark and negligible overhead on built-in or third-party applications. Compared to legacy Dalvik environment in Android 4.4, TaintART achieves about 99.7% faster performance for Java runtime benchmark.

Ju Qian,Baowen Xu

DOI: https://doi.org/10.1109/ftdcs.2007.34

2007-01-01

Abstract:Inter-thread dataflows are of great importance in analyzing concurrent programs. Suffering from the complexity of currency, it is still difficult to identify them from Java programs precisely and efficiently. A fundamental problem in inter-thread dataflow analysis is pointer analysis. Currently, pointer analyses can be classified into context-sensitive ones and context-insensitive ones. They are either too time consuming or too imprecise and hence not suitable for scalable and high precision inter-thread dataflow analysis. To change the situation, this paper proposes a thread-sensitive pointer analysis algorithm which only uses sequences of thread starts as calling contexts. As in inter-thread dataflow analysis, the major objective is analyzing interthread dataflows not intra-thread ones, the coarse-grained context-sensitivity can not only effectively speed up the analysis, but also preserve the analyze precision as much as possible

Xiaofei Xie,Bihuan Chen,Liang Zou,Yang Liu,Wei Le,Xiaohong Li

DOI: https://doi.org/10.1109/tse.2017.2788018

IF: 7.4

2019-01-01

IEEE Transactions on Software Engineering

Abstract:Analyzing loops is very important for various software engineering tasks such as bug detection, test case generation and program optimization. However, loops are very challenging structures for program analysis, especially when (nested) loops contain multiple paths that have complex interleaving relationships. In this paper, we propose the path dependency automaton (PDA) to capture the dependencies among the multiple paths in a loop. Based on the PDA, we first propose a loop classification to understand the complexity of loop summarization. Then, we propose a loop analysis framework, named Proteus, which takes a loop program and a set of variables of interest as inputs and summarizes path-sensitive loop effects (i.e., disjunctive loop summary) on the variables of interest. An algorithm is proposed to traverse the PDA to summarize the effect for all possible executions in the loop. We have evaluated Proteus using loops from five open-source projects and two well-known benchmarks and applying the disjunctive loop summary to three applications: loop bound analysis, program verification and test case generation. The evaluation results have demonstrated that Proteus can compute a more precise bound than the existing loop bound analysis techniques; Proteus can significantly outperform the state-of-the-art tools for loop program verification; and Proteus can help generate test cases for deep loops within one second, while symbolic execution tools KLEE and Pex either need much more time or fail.

Mugdha Khedkar,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.2402.07889

2024-02-12

Software Engineering

Abstract:Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.

Tian Tan,Yue Li,Jingling Xue

DOI: https://doi.org/10.1145/3062341.3062360

2017-01-01

ACM SIGPLAN Notices

Abstract:Mainstream points-to analysis techniques for object-oriented languages rely predominantly on the allocation-site abstraction to model heap objects. We present MAHJONG, a novel heap abstraction that is specifically developed to address the needs of an important class of type-dependent clients, such as call graph construction, devirtualization and may-fail casting. By merging equivalent automata representing type-consistent objects that are created by the allocation-site abstraction, MAHJONG enables an allocation-site-based points-to analysis to run significantly faster while achieving nearly the same precision for type-dependent clients. MAHJONG is simple conceptually, efficient, and drops easily on any allocation-site-based points-to analysis. We demonstrate its effectiveness by discussing some insights on why it is a better alternative of the allocation-site abstraction for type-dependent clients and evaluating it extensively on 12 large real-world Java programs with five context-sensitive points-to analyses and three widely used type-dependent clients. MAHJONG is expected to provide significant benefits for many program analyses where call graphs are required.

Mingwei Liu,Xin Peng,Andrian Marcus,Zhenchang Xing,Wenkai Xie,Shuangshuang Xing,Yang Liu

DOI: https://doi.org/10.1145/3338906.3338971

2019-01-01

Abstract:Source code summaries are concise representations, in form of text and/or code, of complex code elements and are meant to help developers gain a quick understanding that in turns help them perform specific tasks. Generation of summaries that are task-specific is still a challenge in the automatic code summarization field. We propose an approach for generating on-demand, extrinsic hybrid summaries for API classes, relevant to a programming task, formulated as a natural language query. The summaries include the most relevant sentences extracted from the API reference documentation and the most relevant methods. External evaluators assessed the summaries generated for classes retrieved from JDK and Android libraries for several programming tasks. The majority found that the summaries are complete, concise, and readable. A comparison with summaries produce by three baseline approaches revealed that the information present only in our summaries is more relevant than the one present only in the baselines summaries. Finally, an extrinsic evaluation study showed that the summaries help the users evaluating the correctness of API retrieval results, faster and more accurately.