![Logic Bomb detection
If (…)
[ ]
[ ]
Normal
Abnormal
Check out: J. Samhi, et al. "Difuzer: Uncovering suspicious hidden
sensitive operations in android apps." ICSE 2022.
15th September 2023 - Jordan Samhi
46](https://image.slidesharecdn.com/amobile2023keynote-230915085443-3b8325be/75/on-the-soundness-of-android-static-analysis-46-2048.jpg?cb=1694768446)
On the Soundness of Android Static Analysis
•0 likes•49 views
Report
Share
Download to read offline
Android applications have pervaded the digital landscape, making static analysis an indispensable tool for vetting app security. While existing static models offer valuable insights, they are fraught with a high degree of unsoundness. This keynote discusses our recent work aimed at enhancing the soundness of static analysis in the Android ecosystem. We not only explore innovative solutions to current limitations but also propose future research directions to address open challenges in this domain.
More Related Content
Similar to On the Soundness of Android Static Analysis
Similar to On the Soundness of Android Static Analysis(20)
![[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16wagurien-161109051315-thumbnail.jpg?width=768&fit=bounds)
Recently uploaded
Recently uploaded(20)
On the Soundness of Android Static Analysis
- 1. On the Soundness of Android Static Analysis 15th September 2023 Dr. Jordan Samhi The 6th International Workshop on Advances in Mobile App Analysis Luxembourg CISPA – Helmholtz Center for Information Security
- 2. Who Am I? Dr. Jordan Samhi Post-doc at CISPA – Helmholtz Center for Information Security Research group: Software Research jordan.samhi@cispa.de https://www.jordansamhi.com 15th September 2023 - Jordan Samhi 2
- 3. On the Soundness of Android Static Analysis Solutions and open challenges 15th September 2023 - Jordan Samhi 3
- 4. “ > 6 billion people own a smartphone > 71% are Android-based > Sensitive data 15th September 2023 - Jordan Samhi 4
- 5. High security risks Bugs Malicious Code Vulnera bilities 15th September 2023 - Jordan Samhi 5
- 6. 6 15th September 2023 - Jordan Samhi
- 7. 7 15th September 2023 - Jordan Samhi FlowDroid1 1Arzt, Steven, et al. - Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android - malware detection - features extraction - instrumentation - incompatibility issues - Type-state issues - etc.
- 8. 8 15th September 2023 - Jordan Samhi Can you trust this model? ICC Reflection Callbacks
- 9. Real Behavior m() n() Soundness of Program Analysis 15th September 2023 - Jordan Samhi 9
- 10. Agenda • Inter-component communication • Native Code 15th September 2023 - Jordan Samhi 10
- 11. Inter-Component Communication 15th September 2023 - Jordan Samhi 11
- 12. Activity Activity Activity Activity Activity Activity Service Service Service Activity Broadcast Receiver Broadcast Receiver 15th September 2023 - Jordan Samhi 12
- 13. // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); startActivity(i); } // Target Activity protected void onCreate(Bundle b) { Intent i = getIntent(); String msg = i.getStringExtra("test"); Log.i(“Test”, msg); } ● sendBroadcast ● sendBroadcastAsUser ● sendOrderedBroadcast ● sendOrderedBroadcastAsUser ● sendStickyBroadcast ● sendStickyBroadcastAsUser ● sendStickyOrderedBroadcast ● sendStickyOrderedBroadcastAsUser ● startActivities ● startActivity ● startActivityForResult ● startActivityFromChild ● startActivityFromFragment ● startActivityIfNeeded ● startService ● bindService 15th September 2023 - Jordan Samhi 13
- 14. // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); } // Target Activity protected void onCreate(Bundle b) { Intent i = getIntent(); String msg = i.getStringExtra("test"); Log.i(“Test”, msg); } Atypical Inter-Component Communication (AICC) 15th September 2023 - Jordan Samhi 14
- 15. What are the problems? • What are AICC methods? • How to reveal AICC methods to existing analyzers? 15th September 2023 - Jordan Samhi 15
- 16. ● setRepeating ● requestLocationUpdates ● registerNetworkCallback ● setCancelButtonIntent ● sendMultimediaMessage ● setOnClickPendingIntent ● onSuccess ● installExistingPackage ● startDownloadServiceIfRequired ● sendTextMessage ● addAction ● setExact ● setFullScreenIntent ● setDeleteIntent ● setPendingIntentTemplate ● setLatestEventInfo ● setInexactRepeating ● etc. Systematic study of the Android Framework 15th September 2023 - Jordan Samhi 16
- 17. Revealing Atypical Inter-Component Communication STEP 1 STEP 2 STEP 3 STEP 4 RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects RAICC leverages the IFDS framework to propagate target component type to PendingIntent objects App instrumentation to add typical ICC method depending on Intent targets App is repackaged Main idea: add typical ICC calls for existing analyzers 15th September 2023 - Jordan Samhi 17
- 18. Revealing Atypical Inter-Component Communication STEP 1 What Intents are “linked” to this PendingIntent? PendingIntentx {Intenta, …, Intentn} ↦ 15th September 2023 - Jordan Samhi 18
- 19. Revealing Atypical Inter-Component Communication STEP 2 What is the type of the target component that the PendingIntent refers to? PendingIntentx {“activity”, “service”} ↦ 15th September 2023 - Jordan Samhi 19
- 20. Revealing Atypical Inter-Component Communication STEP 3 // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); pi i ↦ { } pi ↦ { } Activity } startActivity(i); 15th September 2023 - Jordan Samhi 20
- 21. Revealing Atypical Inter-Component Communication STEP 4 15th September 2023 - Jordan Samhi 21 // Main Activity protected void onCreate(Bundle b) { Intent i = new Intent(this,TargetActivity.class); i.putExtra("test", "value"); PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage(“0”, null, “0”, pi, null); startActivity(i); }
- 22. Evaluation Real-world apps Benchmark 20 hand-crafted apps 5 000 goodware / 5 000 malware 15th September 2023 - Jordan Samhi 22
- 23. Main Results Number of ICC links found by IC3 5 000 goodware 5 000 malware Before RAICC 20 300 16 222 After RAICC 25 708 26 223 Improvement + 5408 (+26.2%) +10 001 (+61.6%) 15th September 2023 - Jordan Samhi 23
- 24. Reflection Callback ICC ? ? ? 15th September 2023 - Jordan Samhi 24
- 25. Reflection Callback ICC ? ? J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021. ● RAICC improves ICC modeling ● It is is already used by collaborators ● It is maintained ● Improvable on-demand ● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC 15th September 2023 - Jordan Samhi 25
- 26. 26 Native Code
- 27. 27 27 15th September 2023 - Jordan Samhi
- 28. What are the problems? • How to account for native code? • How to model native code? 28 15th September 2023 - Jordan Samhi
- 29. Native code 29 Results are bridged 15th September 2023 - Jordan Samhi
- 30. A unified model 30 15th September 2023 - Jordan Samhi
- 31. 31 JuCify Overview 15th September 2023 - Jordan Samhi
- 32. 32 First part: NativeDiscloser Extracting native methods information 15th September 2023 - Jordan Samhi
- 33. First part: NativeDiscloser Extracting native methods information Method call in the bytecode – native function Static registration: nativeGetImei – Java_com_example_app_MainActivity_nativeGetImei Dynamic registration: nativeGetImei – some_native_function 15th September 2023 - Jordan Samhi 33
- 34. 34 First part: NativeDiscloser Extracting native methods information 15th September 2023 - Jordan Samhi
- 35. Second part: Call Graph Generation Native CG Bytecode CG 15th September 2023 - Jordan Samhi 35
- 36. Second part: Call Graph Generation Native CG Bytecode CG 15th September 2023 - Jordan Samhi 36
- 37. Third part: Call Graph Unification Unified Call Graph Representatio n 15th September 2023 - Jordan Samhi 37
- 38. 38 Let’s see an example 15th September 2023 - Jordan Samhi
- 39. Without JuCify 39 15th September 2023 - Jordan Samhi
- 40. 40 With JuCify 15th September 2023 - Jordan Samhi
- 41. Call-Graph is not enough Our ambition is to unify both representations 41 15th September 2023 - Jordan Samhi
- 42. Main results 42 15th September 2023 - Jordan Samhi
- 43. Main results Number of nodes and edges computed by Soot with and without JuCify 43 15th September 2023 - Jordan Samhi
- 44. Reflection Callback ICC ? ? J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021. 15th September 2023 - Jordan Samhi 44
- 45. Reflection Callback ICC ? J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021. J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022. https://github.com/JordanSamhi/JuCify ● We proposed a new approach to unify the bytecode and native code representations ● We demonstrated how JuCify is a step toward code unification ● JuCify and artifacts are available at: 15th September 2023 - Jordan Samhi 45
- 46. Logic Bomb detection If (…) [ ] [ ] Normal Abnormal Check out: J. Samhi, et al. "Difuzer: Uncovering suspicious hidden sensitive operations in android apps." ICSE 2022. 15th September 2023 - Jordan Samhi 46
- 47. Reflection Callback ICC J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021. J. Samhi et al., ”Implicit calls triggered under certain circumstances” 15th September 2023 - Jordan Samhi 47 J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
- 48. OK! Enough of the past! What are next challenges? 15th September 2023 - Jordan Samhi 48
- 49. The static analysis paradox Promise Sound Analysis 15th September 2023 - Jordan Samhi 49
- 50. Reflection Callback ICC Native Code Conditional implicit calls AICC ? ? ? ? ? ? ? ? Analyzing the Unanalyzable 15th September 2023 - Jordan Samhi 50
- 51. Security is Adversarial Attackers will try to find ways to bypass static analysis Libraries 15th September 2023 - Jordan Samhi 51
- 52. The Dream in Program Analysis Find the Ultimate Abstractions 15th September 2023 - Jordan Samhi 52
- 53. COBOL ABAP 53 15th September 2023 - Jordan Samhi
- 54. Some Ideas for Open Challenges 15th September 2023 - Jordan Samhi 54
- 55. What is currently covered by static analyzers? How can frameworks be effectively represented through static modeling? How can multi-language software be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 55
- 56. Control Flow Graph Call Graph Static Analysis Dynamic Analysis What is currently covered by static analyzers? 15th September 2023 - Jordan Samhi 56
- 57. Methods statically reachable Methods dynamically called ? ? ? What is currently covered by static analyzers? 15th September 2023 - Jordan Samhi 57
- 58. 58 15th September 2023 - Jordan Samhi IMPLICIT CALLS
- 59. How can frameworks be effectively represented through static modeling? Software are systems, they interact with components 15th September 2023 - Jordan Samhi 59
- 60. How can frameworks be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 60
- 61. 1 – Identify development frameworks How can frameworks be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 61 2 – Statically find entry and exit points to and from frameworks 3 – Propose a static model that connects the dots
- 62. How can multi-language software be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 62
- 63. WebView wv = new WebView(context); setContentView(wv); webView.loadUrl("www.example.com"); WebSettings settings = wv.getSettings(); settings.setJavaScriptEnabled(true); How can multi-language software be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 63
- 64. 1 – Study the static analysis ecosystem of different languages 2 –To what extent existing tools can be bridged with existing frameworks 3 – Investigate how to provide unified static model How can multi-language software be effectively represented through static modeling? 15th September 2023 - Jordan Samhi 64
- 65. Implications for Security Better Static Code Modeling = Better Code Coverage 15th September 2023 - Jordan Samhi 65 Data leak detection Aggressive Ads Trojan horses Logic vulnerabilities SQL injection detection Sensitive operations detection Bug detection Type state misuse detection Crypto API misuse Type confusion detection Hijacking Spyware Vulnerability detection Privacy policy compliance Logic bombs GDPR compliance
- 66. 15th September 2023 - Jordan Samhi 66 Real Behavior m() n() Soundness of Program Analysis 15th September 2023 - Jordan Samhi 9 Reflection Callback ICC Native Code Conditional implicit calls AICC ? ? ? ? ? ? ? ? Analyzing the Unanalyzable My Dream in Program Analysis Find the Ultimate Abstractions What is currently covered by static analyzers? How can frameworks be effectively represented through static modeling? How can multi-language software be effectively represented through static modeling? 7th February 2023 - Jordan Samhi