On the Soundness of Android Static Analysis

15th September 2023
Dr. Jordan Samhi
The 6th International Workshop on Advances in Mobile App Analysis
Luxembourg
CISPA – Helmholtz Center for Information Security
Who Am I?
Dr. Jordan Samhi
Post-doc at CISPA – Helmholtz Center for Information Security
Research group: Software Research
jordan.samhi@cispa.de
https://www.jordansamhi.com
15th September 2023 - Jordan Samhi
2
On the Soundness of Android Static Analysis
Solutions and open challenges
> 6 billion people own a smartphone
> 71% are Android-based
> Sensitive data
High security risks
Bugs
Malicious Code
Vulnerabilities
FlowDroid [1]
[1] Arzt, Steven, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android
- malware detection
- features extraction
- instrumentation
- incompatibility issues
- type-state issues
- etc.
Can you trust this model?
ICC / Reflection / Callbacks
Soundness of Program Analysis
[Figure: the static model vs. the real behavior, m() calling n()]
Agenda
• Inter-component communication
• Native Code
Inter-Component Communication
[Figure: app components exchanging messages: Activities, Services and Broadcast Receivers]
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    startActivity(i);
}
// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
● sendBroadcast
● sendBroadcastAsUser
● sendOrderedBroadcast
● sendOrderedBroadcastAsUser
● sendStickyBroadcast
● sendStickyBroadcastAsUser
● sendStickyOrderedBroadcast
● sendStickyOrderedBroadcastAsUser
● startActivities
● startActivity
● startActivityForResult
● startActivityFromChild
● startActivityFromFragment
● startActivityIfNeeded
● startService
● bindService
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
}
// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
Atypical Inter-Component Communication (AICC)
What are the problems?
• What are AICC methods?
• How to reveal AICC methods to existing analyzers?
● setRepeating
● requestLocationUpdates
● registerNetworkCallback
● setCancelButtonIntent
● sendMultimediaMessage
● setOnClickPendingIntent
● onSuccess
● installExistingPackage
● startDownloadServiceIfRequired
● sendTextMessage
● addAction
● setExact
● setFullScreenIntent
● setDeleteIntent
● setPendingIntentTemplate
● setLatestEventInfo
● setInexactRepeating
● etc.
Systematic study of the Android Framework
Revealing Atypical Inter-Component Communication
Main idea: add typical ICC calls for existing analyzers
STEP 1: RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects
STEP 2: RAICC leverages the IFDS framework to propagate the target component type to PendingIntent objects
STEP 3: App instrumentation to add a typical ICC method depending on the Intent targets
STEP 4: App is repackaged
Revealing Atypical Inter-Component Communication
STEP 1
What Intents are “linked” to this PendingIntent?
PendingIntent_x ↦ {Intent_a, …, Intent_n}
Revealing Atypical Inter-Component Communication
STEP 2
What is the type of the target component that the PendingIntent refers to?
PendingIntent_x ↦ {“activity”, “service”}
Revealing Atypical Inter-Component Communication
STEP 3
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);  // facts here: pi ↦ { i }, pi ↦ { Activity }
    startActivity(i);                               // typical ICC call added by RAICC
}
Revealing Atypical Inter-Component Communication
STEP 4
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    startActivity(i);
}
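The four RAICC steps above, reduced to a runnable toy as an added example (this is not RAICC's code, which works on Soot's Jimple IR with the IFDS framework): a straight-line propagation of "PendingIntent ↦ {Intents}" and "PendingIntent ↦ {target types}", an instrumentation pass that appends the matching typical ICC call after every AICC call site, and a deliberately naive analyzer that only understands typical ICC calls, so that the before/after difference is visible. The three-address IR, the AICC method subset and the analyzer are constructed assumptions.

```python
"""Toy version of RAICC's pipeline: propagate 'PendingIntent -> {Intents}'
and 'PendingIntent -> {target types}', then add typical ICC calls so that an
analyzer that only knows typical ICC can see the link. Added example, not
RAICC's code (which works on Soot's Jimple IR with IFDS): the three-address
IR, the AICC method subset and the naive analyzer are constructed."""
from collections import defaultdict

# Subset of the AICC methods listed in the talk: each takes a PendingIntent and
# triggers the wrapped Intent later, on the app's behalf.
AICC_METHODS = {"sendTextMessage", "setRepeating", "setExact",
                "setOnClickPendingIntent", "requestLocationUpdates"}

# PendingIntent factory -> target component type (the step 2 facts).
PI_FACTORY_TARGET = {"getActivity": "activity", "getService": "service",
                     "getBroadcast": "broadcast"}

# Typical ICC call an off-the-shelf analyzer models, per target type (step 3).
TYPICAL_ICC = {"activity": "startActivity", "service": "startService",
               "broadcast": "sendBroadcast"}


def propagate(stmts):
    """Steps 1 and 2 as a straight-line forward propagation over the IR.
    Statement forms: ("new_intent", var, TargetClass), ("assign", dst, src),
    ("pending", pi_var, factory, intent_var), ("call", method, *args)."""
    pi_intents = defaultdict(set)   # PendingIntent var -> Intent vars
    pi_targets = defaultdict(set)   # PendingIntent var -> {"activity", ...}
    intent_target = {}              # Intent var -> component class it names
    for op, *args in stmts:
        if op == "new_intent":
            var, cls = args
            intent_target[var] = cls
        elif op == "assign":        # aliasing keeps facts flowing: dst = src
            dst, src = args
            if src in intent_target:
                intent_target[dst] = intent_target[src]
            if src in pi_intents:
                pi_intents[dst] |= pi_intents[src]
                pi_targets[dst] |= pi_targets[src]
        elif op == "pending":
            pi, factory, intent = args
            pi_intents[pi].add(intent)
            pi_targets[pi].add(PI_FACTORY_TARGET[factory])
    return pi_intents, pi_targets, intent_target


def instrument(stmts):
    """Step 3: after every AICC call that receives a PendingIntent, append the
    typical ICC call(s) for the Intents and target types linked to it."""
    pi_intents, pi_targets, _ = propagate(stmts)
    out = []
    for stmt in stmts:
        out.append(stmt)
        op, *args = stmt
        if op == "call" and args[0] in AICC_METHODS:
            for arg in args[1:]:
                if arg in pi_intents:
                    for target in sorted(pi_targets[arg]):
                        for intent in sorted(pi_intents[arg]):
                            out.append(("call", TYPICAL_ICC[target], intent))
    return out


def icc_links(stmts):
    """A deliberately naive 'existing analyzer': it resolves ICC links only at
    typical ICC call sites, so AICC-only Intents are invisible to it."""
    _, _, intent_target = propagate(stmts)
    links = set()
    for op, *args in stmts:
        if op == "call" and args[0] in TYPICAL_ICC.values():
            intent = args[1]
            if intent in intent_target:
                links.add((args[0], intent_target[intent]))
    return links


# Constructed IR for the slide's Main Activity: the Intent reaches
# TargetActivity only through the PendingIntent handed to sendTextMessage.
MAIN_ACTIVITY = [
    ("new_intent", "i", "TargetActivity"),
    ("call", "putExtra", "i"),
    ("pending", "pi", "getActivity", "i"),
    ("call", "sendTextMessage", "0", "pi"),
]

if __name__ == "__main__":
    print("links before RAICC:", icc_links(MAIN_ACTIVITY))
    print("links after RAICC: ", icc_links(instrument(MAIN_ACTIVITY)))
```

The naive analyzer finds no link in the original IR and exactly one (startActivity → TargetActivity) after instrumentation, which is the effect the evaluation table below measures with IC3 on real apps; the `assign` case shows why the propagation has to follow aliases of the PendingIntent rather than only its defining statement.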
Evaluation
Benchmark: 20 hand-crafted apps
Real-world apps: 5 000 goodware / 5 000 malware
Main Results
Number of ICC links found by IC3

                  5 000 goodware      5 000 malware
Before RAICC      20 300              16 222
After RAICC       25 708              26 223
Improvement       +5 408 (+26.2%)     +10 001 (+61.6%)
[Figure: model pieces: Reflection, Callback, ICC; three pieces still unknown]
[Figure: model pieces: Reflection, Callback, ICC; two pieces still unknown]
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
● RAICC improves ICC modeling
● It is already used by collaborators
● It is maintained
● Improvable on-demand
● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC
Native Code
What are the problems?
• How to account for native code?
• How to model native code?
Native code
Results are bridged
A unified model
JuCify Overview
First part: NativeDiscloser
Extracting native methods information
Method call in the bytecode – native function
Static registration: nativeGetImei – Java_com_example_app_MainActivity_nativeGetImei
Dynamic registration: nativeGetImei – some_native_function
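Static registration means the implementing function's exported name is derivable from the Java declaration by the JNI name-mangling rules, while dynamic registration (RegisterNatives) leaves no such name to match. The following added example, which is not JuCify's NativeDiscloser code, implements the mangling and resolves a constructed list of native methods against a constructed export table; every class, method and symbol name other than the slide's nativeGetImei is an assumption.

```python
"""Resolving Java 'native' declarations to native functions, in the spirit
of the NativeDiscloser step. Added example, not JuCify's code: the export
table and all names other than the slide's nativeGetImei are constructed."""


def mangle(name):
    """JNI name mangling (JNI spec, 'Resolving Native Method Names'):
    '/' and '.' -> '_', '_' -> '_1', ';' -> '_2', '[' -> '_3',
    any character that is not ASCII alphanumeric -> '_0' + 4 hex digits."""
    out = []
    for ch in name:
        if ch in "/.":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol(class_name, method_name):
    """Short JNI symbol a statically registered implementation must export."""
    return "Java_" + mangle(class_name) + "_" + mangle(method_name)


def resolve(native_methods, exported):
    """Static registration: match each (class, method) to exported symbols,
    accepting the short name or the long, overload-qualified form
    ('__' + mangled signature). Methods with no matching export can only be
    bound at run time through RegisterNatives (dynamic registration) and are
    returned separately: resolving them needs an analysis of JNI_OnLoad
    rather than a name lookup."""
    resolved, dynamic = {}, []
    for cls, meth in native_methods:
        short = jni_symbol(cls, meth)
        matches = [s for s in exported if s == short or s.startswith(short + "__")]
        if matches:
            resolved[(cls, meth)] = matches
        else:
            dynamic.append((cls, meth))
    return resolved, dynamic


# Constructed inputs: native declarations pulled from the bytecode and the
# export table of the app's shared library.
NATIVE_METHODS = [
    ("com.example.app.MainActivity", "nativeGetImei"),  # the slide's example
    ("com.example.app.Crypto_Utils", "encrypt"),        # underscore in the class name
    ("com.example.app.MainActivity", "nativeSend"),     # registered via RegisterNatives
]
EXPORTS = [
    "JNI_OnLoad",
    "Java_com_example_app_MainActivity_nativeGetImei",
    "Java_com_example_app_Crypto_1Utils_encrypt__Ljava_lang_String_2",  # overloaded form
    "some_native_function",  # bound dynamically; not derivable from the Java name
]

if __name__ == "__main__":
    resolved, dynamic = resolve(NATIVE_METHODS, EXPORTS)
    for key, syms in resolved.items():
        print("static  ", key, "->", syms)
    for key in dynamic:
        print("dynamic ", key, "-> needs RegisterNatives analysis")
```

The underscore escape (`_` → `_1`) is what keeps a class such as `Crypto_Utils` from colliding with a package path, and the `__` suffix is reserved for the overload-qualified form, which is why the resolver can treat it as a separator; anything left in the `dynamic` list is exactly the case the slide labels "some_native_function".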
Second part: Call Graph Generation
Native CG Bytecode CG
Third part: Call Graph Unification
Unified Call Graph Representation
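One way to see what the unification buys, as an added example that is not JuCify's code: two constructed adjacency lists (bytecode call graph and native call graph), the Java-to-native bindings from the NativeDiscloser step and the native-to-Java JNI call-backs are merged into one graph, and a reachability query from onCreate lists the methods that the bytecode graph alone cannot reach. All method and function names below are constructed.

```python
"""Toy call-graph unification in the spirit of JuCify's third part.
Added example, not JuCify's code: both graphs, the bindings and the
entry point below are constructed."""
from collections import deque

# Bytecode call graph (what Soot sees): Java method -> callees.
# The native method is a leaf because the .so is opaque to the bytecode CG.
BYTECODE_CG = {
    "MainActivity.onCreate": ["MainActivity.nativeGetImei", "MainActivity.showUi"],
    "MainActivity.showUi": [],
    "MainActivity.nativeGetImei": [],
    "MainActivity.logImei": ["Log.i"],  # only ever invoked from native code
    "Log.i": [],
}

# Native call graph (from binary analysis): native function -> callees.
NATIVE_CG = {
    "Java_com_example_app_MainActivity_nativeGetImei": ["get_device_id", "call_back_java"],
    "get_device_id": [],
    "call_back_java": [],
    "unused_helper": [],  # never called: must stay unreachable after unification
}

# Bindings recovered in the NativeDiscloser step (static registration here).
JAVA_TO_NATIVE = {
    "MainActivity.nativeGetImei": "Java_com_example_app_MainActivity_nativeGetImei",
}
# Calls from native code back into Java through the JNI (CallVoidMethod, ...).
NATIVE_TO_JAVA = {"call_back_java": ["MainActivity.logImei"]}


def unify(bytecode_cg, native_cg, java_to_native, native_to_java):
    """Merge both graphs and add the bridging edges in both directions."""
    unified = {node: list(callees) for node, callees in bytecode_cg.items()}
    for node, callees in native_cg.items():
        unified.setdefault(node, []).extend(callees)
    for java_method, native_fn in java_to_native.items():
        unified.setdefault(java_method, []).append(native_fn)
    for native_fn, java_methods in native_to_java.items():
        unified.setdefault(native_fn, []).extend(java_methods)
    return unified


def reachable(cg, entry):
    """Breadth-first reachability over an adjacency-list call graph."""
    seen, todo = set(), deque([entry])
    while todo:
        node = todo.popleft()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(cg.get(node, []))
    return seen


def newly_reachable(entry="MainActivity.onCreate"):
    """Nodes the unified graph reaches from `entry` that the bytecode graph alone misses."""
    before = reachable(BYTECODE_CG, entry)
    unified = unify(BYTECODE_CG, NATIVE_CG, JAVA_TO_NATIVE, NATIVE_TO_JAVA)
    return reachable(unified, entry) - before


if __name__ == "__main__":
    for node in sorted(newly_reachable()):
        print("only reachable with the unified graph:", node)
```

The interesting node is `MainActivity.logImei`: it is Java code, present in the bytecode graph, yet unreachable from any Java entry point until the native-to-Java edge is added, which is the "Without JuCify / With JuCify" difference the next slides illustrate and the reason a bytecode-only call graph under-approximates what an app can do.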
Let’s see an example
Without JuCify
With JuCify
• Call-Graph is not enough
• Our ambition is to unify both representations
Main results
Number of nodes and edges computed by Soot with and without JuCify
[Figure: model pieces: Reflection, Callback, ICC; two pieces still unknown]
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
[Figure: model pieces: Reflection, Callback, ICC; one piece still unknown]
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
● We proposed a new approach to unify the bytecode and native code representations
● We demonstrated how JuCify is a step toward code unification
● JuCify and artifacts are available at: https://github.com/JordanSamhi/JuCify
Logic Bomb detection
[Figure: an if (…) condition guarding two branches, one labelled Normal and one Abnormal]
Check out: J. Samhi, et al. “Difuzer: Uncovering suspicious hidden sensitive operations in android apps.” ICSE 2022.
[Figure: model pieces: Reflection, Callback, ICC]
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
J. Samhi et al., “Implicit calls triggered under certain circumstances”
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
OK! Enough of the past! What are the next challenges?
The static analysis paradox
Promise
Sound Analysis
[Figure: model pieces: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC; many pieces still unknown]
Analyzing the Unanalyzable
Security is Adversarial
Attackers will try to find ways to bypass static analysis
Libraries
The Dream in Program Analysis
Find the Ultimate Abstractions
COBOL
ABAP
Some Ideas for Open Challenges
What is currently covered by static analyzers?
How can frameworks be effectively represented through static modeling?
How can multi-language software be effectively represented through static modeling?
[Figure: Control Flow Graph and Call Graph; Static Analysis vs. Dynamic Analysis]
What is currently covered by static analyzers?
[Figure: methods statically reachable vs. methods dynamically called; the relation between the two sets is marked with question marks]
What is currently covered by static analyzers?
IMPLICIT CALLS
How can frameworks be effectively represented through static modeling?
Software products are systems: they interact with components.
1 – Identify development frameworks
2 – Statically find entry and exit points to and from frameworks
3 – Propose a static model that connects the dots
How can multi-language software be effectively represented through static modeling?
15th September 2023 - Jordan Samhi
62
WebView wv = new WebView(context);
setContentView(wv);
wv.loadUrl("https://www.example.com");
WebSettings settings = wv.getSettings();
settings.setJavaScriptEnabled(true);
1 – Study the static analysis ecosystem of different languages
2 – To what extent can existing tools be bridged with existing frameworks?
3 – Investigate how to provide a unified static model
Implications for Security
Better Static Code Modeling = Better Code Coverage
Data leak detection
Aggressive Ads
Trojan horses
Logic vulnerabilities
SQL injection detection
Sensitive operations detection
Bug detection
Type state misuse detection
Crypto API misuse
Type confusion detection
Hijacking
Spyware
Vulnerability detection
Privacy policy compliance
Logic bombs
GDPR compliance
Soundness of Program Analysis
[Figure: the static model vs. the real behavior, m() calling n()]
[Figure: model pieces: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC; many pieces still unknown]
Analyzing the Unanalyzable
My Dream in Program Analysis: Find the Ultimate Abstractions
What is currently covered by static analyzers?
How can frameworks be effectively represented through static modeling?
How can multi-language software be effectively represented through static modeling?
7th February 2023 - Jordan Samhi

Recomendados

IRJET- Android Malware Detection using Machine Learning por
IRJET-  	  Android Malware Detection using Machine LearningIRJET-  	  Android Malware Detection using Machine Learning
IRJET- Android Malware Detection using Machine LearningIRJET Journal
180 vistas4 diapositivas
Object Detection in UAVs por
Object Detection in UAVsObject Detection in UAVs
Object Detection in UAVsijtsrd
70 vistas6 diapositivas
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... por
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
450 vistas17 diapositivas
Object Detection Bot por
Object Detection BotObject Detection Bot
Object Detection BotIRJET Journal
4 vistas4 diapositivas
A Survey on Vehicle Tracking System using IoT por
A Survey on Vehicle Tracking System using IoTA Survey on Vehicle Tracking System using IoT
A Survey on Vehicle Tracking System using IoTIRJET Journal
9 vistas5 diapositivas
IRJET- Android Malware Detection System por
IRJET-  	  Android Malware Detection SystemIRJET-  	  Android Malware Detection System
IRJET- Android Malware Detection SystemIRJET Journal
160 vistas3 diapositivas

Más contenido relacionado

Similar a On the Soundness of Android Static Analysis

SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT... por
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...IJNSA Journal
9 vistas18 diapositivas
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS por
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSIJNSA Journal
5 vistas21 diapositivas
Androinspector a system for por
Androinspector a system forAndroinspector a system for
Androinspector a system forIJNSA Journal
232 vistas21 diapositivas
IRJET - NETRA: Android Application for Visually Challenged People to Dete... por
IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...
IRJET - NETRA: Android Application for Visually Challenged People to Dete...IRJET Journal
11 vistas10 diapositivas
Security and Authentication of Internet of Things (IoT) Devices por
Security and Authentication of Internet of Things (IoT) DevicesSecurity and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) DevicesSanjayKumarYadav58
102 vistas28 diapositivas
Virtual Contact Discovery using Facial Recognition por
Virtual Contact Discovery using Facial RecognitionVirtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial RecognitionIRJET Journal
5 vistas4 diapositivas

Similar a On the Soundness of Android Static Analysis(20)

SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT... por IJNSA Journal
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
IJNSA Journal9 vistas
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS por IJNSA Journal
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
IJNSA Journal5 vistas
Androinspector a system for por IJNSA Journal
Androinspector a system forAndroinspector a system for
Androinspector a system for
IJNSA Journal232 vistas
IRJET - NETRA: Android Application for Visually Challenged People to Dete... por IRJET Journal
IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...
IRJET - NETRA: Android Application for Visually Challenged People to Dete...
IRJET Journal11 vistas
Security and Authentication of Internet of Things (IoT) Devices por SanjayKumarYadav58
Security and Authentication of Internet of Things (IoT) DevicesSecurity and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) Devices
SanjayKumarYadav58102 vistas
Virtual Contact Discovery using Facial Recognition por IRJET Journal
Virtual Contact Discovery using Facial RecognitionVirtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial Recognition
IRJET Journal5 vistas
건설 스타트업과 오픈소스 por Tae wook kang
건설 스타트업과 오픈소스건설 스타트업과 오픈소스
건설 스타트업과 오픈소스
Tae wook kang679 vistas
Bank Locker System Using Fingerprint Authentication & Image Processing por IRJET Journal
Bank Locker System Using Fingerprint Authentication & Image ProcessingBank Locker System Using Fingerprint Authentication & Image Processing
Bank Locker System Using Fingerprint Authentication & Image Processing
IRJET Journal6 vistas
3M Secure Transportation System. por IRJET Journal
3M Secure Transportation System.3M Secure Transportation System.
3M Secure Transportation System.
IRJET Journal3 vistas
4 th International Conference on Signal Processing and Machine Learning (SIGM... por ijscai
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
ijscai5 vistas
4 th International Conference on Signal Processing and Machine Learning (SIGM... por ijesajournal
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
ijesajournal4 vistas
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ... por Amélie Gyrard
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
Amélie Gyrard994 vistas
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin... por Amélie Gyrard
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Amélie Gyrard1.2K vistas
Proposed Workable Process Flow with Analysis Framework for Android Forensics ... por theijes
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
theijes33 vistas
Autonomous Vehicle and Augmented Reality Usage por Dr. Amarjeet Singh
Autonomous Vehicle and Augmented Reality UsageAutonomous Vehicle and Augmented Reality Usage
Autonomous Vehicle and Augmented Reality Usage
Dr. Amarjeet Singh55 vistas
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A... por CODE BLUE
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
CODE BLUE735 vistas
Permission based Android Malware Detection using Random Forest por IRJET Journal
Permission based Android Malware Detection using Random ForestPermission based Android Malware Detection using Random Forest
Permission based Android Malware Detection using Random Forest
IRJET Journal7 vistas

Último

Light Pollution for LVIS students por
Light Pollution for LVIS studentsLight Pollution for LVIS students
Light Pollution for LVIS studentsCWBarthlmew
5 vistas12 diapositivas
A training, certification and marketing scheme for informal dairy vendors in ... por
A training, certification and marketing scheme for informal dairy vendors in ...A training, certification and marketing scheme for informal dairy vendors in ...
A training, certification and marketing scheme for informal dairy vendors in ...ILRI
11 vistas13 diapositivas
Disinfectants & Antiseptic por
Disinfectants & AntisepticDisinfectants & Antiseptic
Disinfectants & AntisepticSanket P Shinde
8 vistas36 diapositivas
Guinea Pig as a Model for Translation Research por
Guinea Pig as a Model for Translation ResearchGuinea Pig as a Model for Translation Research
Guinea Pig as a Model for Translation ResearchPervaizDar1
11 vistas21 diapositivas
Distinct distributions of elliptical and disk galaxies across the Local Super... por
Distinct distributions of elliptical and disk galaxies across the Local Super...Distinct distributions of elliptical and disk galaxies across the Local Super...
Distinct distributions of elliptical and disk galaxies across the Local Super...Sérgio Sacani
30 vistas12 diapositivas
Batrachospermum.pptx por
Batrachospermum.pptxBatrachospermum.pptx
Batrachospermum.pptxnisarahmad632316
34 vistas37 diapositivas

Último(20)

Light Pollution for LVIS students por CWBarthlmew
Light Pollution for LVIS studentsLight Pollution for LVIS students
Light Pollution for LVIS students
CWBarthlmew5 vistas
A training, certification and marketing scheme for informal dairy vendors in ... por ILRI
A training, certification and marketing scheme for informal dairy vendors in ...A training, certification and marketing scheme for informal dairy vendors in ...
A training, certification and marketing scheme for informal dairy vendors in ...
ILRI11 vistas
Guinea Pig as a Model for Translation Research por PervaizDar1
Guinea Pig as a Model for Translation ResearchGuinea Pig as a Model for Translation Research
Guinea Pig as a Model for Translation Research
PervaizDar111 vistas
Distinct distributions of elliptical and disk galaxies across the Local Super... por Sérgio Sacani
Distinct distributions of elliptical and disk galaxies across the Local Super...Distinct distributions of elliptical and disk galaxies across the Local Super...
Distinct distributions of elliptical and disk galaxies across the Local Super...
Sérgio Sacani30 vistas
Conventional and non-conventional methods for improvement of cucurbits.pptx por gandhi976
Conventional and non-conventional methods for improvement of cucurbits.pptxConventional and non-conventional methods for improvement of cucurbits.pptx
Conventional and non-conventional methods for improvement of cucurbits.pptx
gandhi97618 vistas
별헤는 사람들 2023년 12월호 전명원 교수 자료 por sciencepeople
별헤는 사람들 2023년 12월호 전명원 교수 자료별헤는 사람들 2023년 12월호 전명원 교수 자료
별헤는 사람들 2023년 12월호 전명원 교수 자료
sciencepeople31 vistas
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... por ILRI
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
ILRI5 vistas
RemeOs science and clinical evidence por PetrusViitanen1
RemeOs science and clinical evidenceRemeOs science and clinical evidence
RemeOs science and clinical evidence
PetrusViitanen135 vistas
CSF -SHEEBA.D presentation.pptx por SheebaD7
CSF -SHEEBA.D presentation.pptxCSF -SHEEBA.D presentation.pptx
CSF -SHEEBA.D presentation.pptx
SheebaD711 vistas
Experimental animal Guinea pigs.pptx por Mansee Arya
Experimental animal Guinea pigs.pptxExperimental animal Guinea pigs.pptx
Experimental animal Guinea pigs.pptx
Mansee Arya13 vistas
Open Access Publishing in Astrophysics por Peter Coles
Open Access Publishing in AstrophysicsOpen Access Publishing in Astrophysics
Open Access Publishing in Astrophysics
Peter Coles725 vistas
Pollination By Nagapradheesh.M.pptx por MNAGAPRADHEESH
Pollination By Nagapradheesh.M.pptxPollination By Nagapradheesh.M.pptx
Pollination By Nagapradheesh.M.pptx
MNAGAPRADHEESH15 vistas
"How can I develop my learning path in bioinformatics? por Bioinformy
"How can I develop my learning path in bioinformatics?"How can I develop my learning path in bioinformatics?
"How can I develop my learning path in bioinformatics?
Bioinformy21 vistas
Metatheoretical Panda-Samaneh Borji.pdf por samanehborji
Metatheoretical Panda-Samaneh Borji.pdfMetatheoretical Panda-Samaneh Borji.pdf
Metatheoretical Panda-Samaneh Borji.pdf
samanehborji16 vistas
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... por ILRI
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
ILRI5 vistas

On the Soundness of Android Static Analysis

  • 1. On the Soundness of Android Static Analysis 15th September 2023 Dr. Jordan Samhi The 6th International Workshop on Advances in Mobile App Analysis Luxembourg CISPA – Helmholtz Center for Information Security
  • 2. Who Am I? Dr. Jordan Samhi Post-doc at CISPA – Helmholtz Center for Information Security Research group: Software Research jordan.samhi@cispa.de https://www.jordansamhi.com 15th September 2023 - Jordan Samhi 2
  • 3. On the Soundness of Android Static Analysis Solutions and open challenges 15th September 2023 - Jordan Samhi 3
  • 4. “ > 6 billion people own a smartphone > 71% are Android-based > Sensitive data 15th September 2023 - Jordan Samhi 4
  • 6. 6 15th September 2023 - Jordan Samhi
  • 7. 7 15th September 2023 - Jordan Samhi FlowDroid1 1Arzt, Steven, et al. - Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android - malware detection - features extraction - instrumentation - incompatibility issues - Type-state issues - etc.
  • 8. 8 15th September 2023 - Jordan Samhi Can you trust this model? ICC Reflection Callbacks
  • 9. Real Behavior m() n() Soundness of Program Analysis 15th September 2023 - Jordan Samhi 9
  • 10. Agenda • Inter-component communication • Native Code 15th September 2023 - Jordan Samhi 10
  • 13. // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); startActivity(i); } // Target Activity protected void onCreate(Bundle b) { Intent i = getIntent(); String msg = i.getStringExtra("test"); Log.i(“Test”, msg); } ● sendBroadcast ● sendBroadcastAsUser ● sendOrderedBroadcast ● sendOrderedBroadcastAsUser ● sendStickyBroadcast ● sendStickyBroadcastAsUser ● sendStickyOrderedBroadcast ● sendStickyOrderedBroadcastAsUser ● startActivities ● startActivity ● startActivityForResult ● startActivityFromChild ● startActivityFromFragment ● startActivityIfNeeded ● startService ● bindService 15th September 2023 - Jordan Samhi 13
  • 14. // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); } // Target Activity protected void onCreate(Bundle b) { Intent i = getIntent(); String msg = i.getStringExtra("test"); Log.i(“Test”, msg); } Atypical Inter-Component Communication (AICC) 15th September 2023 - Jordan Samhi 14
  • 15. What are the problems? • What are AICC methods? • How to reveal AICC methods to existing analyzers? 15th September 2023 - Jordan Samhi 15
  • 16. ● setRepeating ● requestLocationUpdates ● registerNetworkCallback ● setCancelButtonIntent ● sendMultimediaMessage ● setOnClickPendingIntent ● onSuccess ● installExistingPackage ● startDownloadServiceIfRequired ● sendTextMessage ● addAction ● setExact ● setFullScreenIntent ● setDeleteIntent ● setPendingIntentTemplate ● setLatestEventInfo ● setInexactRepeating ● etc. Systematic study of the Android Framework 15th September 2023 - Jordan Samhi 16
  • 17. Revealing Atypical Inter-Component Communication STEP 1 STEP 2 STEP 3 STEP 4 RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects RAICC leverages the IFDS framework to propagate target component type to PendingIntent objects App instrumentation to add typical ICC method depending on Intent targets App is repackaged Main idea: add typical ICC calls for existing analyzers 15th September 2023 - Jordan Samhi 17
  • 18. Revealing Atypical Inter-Component Communication STEP 1 What Intents are “linked” to this PendingIntent? PendingIntentx {Intenta, …, Intentn} ↦ 15th September 2023 - Jordan Samhi 18
  • 19. Revealing Atypical Inter-Component Communication STEP 2 What is the type of the target component that the PendingIntent refers to? PendingIntentx {“activity”, “service”} ↦ 15th September 2023 - Jordan Samhi 19
  • 20. Revealing Atypical Inter-Component Communication STEP 3 // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); pi i ↦ { } pi ↦ { } Activity } startActivity(i); 15th September 2023 - Jordan Samhi 20
  • 21. Revealing Atypical Inter-Component Communication STEP 4 15th September 2023 - Jordan Samhi 21 // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); startActivity(i); }
  • 22. Evaluation Real-world apps Benchmark 20 hand-crafted apps 5 000 goodware / 5 000 malware 15th September 2023 - Jordan Samhi 22
  • 23. Main Results Number of ICC links found by IC3 5 000 goodware 5 000 malware Before RAICC 20 300 16 222 After RAICC 25 708 26 223 Improvement + 5408 (+26.2%) +10 001 (+61.6%) 15th September 2023 - Jordan Samhi 23
  • 25. Reflection Callback ICC ? ? J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021. ● RAICC improves ICC modeling ● It is is already used by collaborators ● It is maintained ● Improvable on-demand ● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC 15th September 2023 - Jordan Samhi 25
  • 27. 27 27 15th September 2023 - Jordan Samhi
  • 28. What are the problems? • How to account for native code? • How to model native code? 28 15th September 2023 - Jordan Samhi
  • 29. Native code 29 Results are bridged 15th September 2023 - Jordan Samhi
  • 30. A unified model 30 15th September 2023 - Jordan Samhi
  • 31. 31 JuCify Overview 15th September 2023 - Jordan Samhi
  • 32. 32 First part: NativeDiscloser Extracting native methods information 15th September 2023 - Jordan Samhi
  • 33. First part: NativeDiscloser Extracting native methods information Method call in the bytecode – native function Static registration: nativeGetImei – Java_com_example_app_MainActivity_nativeGetImei Dynamic registration: nativeGetImei – some_native_function 15th September 2023 - Jordan Samhi 33
  • 34. 34 First part: NativeDiscloser Extracting native methods information 15th September 2023 - Jordan Samhi
  • 35. Second part: Call Graph Generation Native CG Bytecode CG 15th September 2023 - Jordan Samhi 35
• 36. Second part: Call Graph Generation – Native CG, Bytecode CG
• 37. Third part: Call Graph Unification – Unified Call Graph Representation
• 38. Let's see an example
• 39. Without JuCify
• 40. With JuCify
• 41. ● The call graph is not enough ● Our ambition is to unify both representations
• 42. Main results
• 43. Main results: number of nodes and edges computed by Soot with and without JuCify
• 44. Reflection – Callback – ICC
J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
• 45. Reflection – Callback – ICC
J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
J. Samhi et al., "JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis", ICSE 2022.
● We proposed a new approach to unify the bytecode and native code representations
● We demonstrated how JuCify is a step toward code unification
● JuCify and artifacts are available at: https://github.com/JordanSamhi/JuCify
• 46. Logic bomb detection: if (…) { normal branch } else { abnormal branch }
Check out: J. Samhi et al., "Difuzer: Uncovering suspicious hidden sensitive operations in android apps", ICSE 2022.
• 47. Reflection – Callback – ICC – Implicit calls triggered under certain circumstances
J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
J. Samhi et al., "JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis", ICSE 2022.
• 48. OK! Enough of the past! What are the next challenges?
• 49. The static analysis paradox: the promise of a sound analysis
• 50. Reflection – Callback – ICC – Native Code – Conditional implicit calls – AICC – and many open questions: Analyzing the Unanalyzable
• 51. Security is adversarial: attackers will try to find ways to bypass static analysis (e.g. via libraries)
• 52. The dream in program analysis: find the ultimate abstractions
• 54. Some ideas for open challenges
• 55. What is currently covered by static analyzers? How can frameworks be effectively represented through static modeling? How can multi-language software be effectively represented through static modeling?
• 56. What is currently covered by static analyzers? Control Flow Graph, Call Graph – Static Analysis vs. Dynamic Analysis
• 57. What is currently covered by static analyzers? Methods statically reachable vs. methods dynamically called
• 58. IMPLICIT CALLS
• 59. How can frameworks be effectively represented through static modeling? Software systems do not run in isolation: they interact with framework components
• 60. How can frameworks be effectively represented through static modeling?
• 61. How can frameworks be effectively represented through static modeling?
1 – Identify development frameworks
2 – Statically find entry and exit points to and from frameworks
3 – Propose a static model that connects the dots
• 62. How can multi-language software be effectively represented through static modeling?
• 63. How can multi-language software be effectively represented through static modeling?
// Java code that hands control to JavaScript: a cross-language edge a static model must capture
WebView wv = new WebView(context);
setContentView(wv);
WebSettings settings = wv.getSettings();
settings.setJavaScriptEnabled(true);
wv.loadUrl("www.example.com");
• 64. How can multi-language software be effectively represented through static modeling?
1 – Study the static analysis ecosystem of different languages
2 – Determine to what extent existing tools can be bridged with existing frameworks
3 – Investigate how to provide a unified static model
• 65. Implications for security: better static code modeling = better code coverage, for example in
data leak detection, aggressive ads, trojan horses, logic vulnerabilities, SQL injection detection, sensitive operations detection, bug detection, type-state misuse detection, crypto API misuse, type confusion detection, hijacking, spyware, vulnerability detection, privacy policy compliance, logic bombs, GDPR compliance
• 66. Recap: Real Behavior vs. the analyzed model (Soundness of Program Analysis); Reflection – Callback – ICC – Native Code – Conditional implicit calls – AICC (Analyzing the Unanalyzable); My dream in program analysis: find the ultimate abstractions; open questions: What is currently covered by static analyzers? How can frameworks be effectively represented through static modeling? How can multi-language software be effectively represented through static modeling?