On the Soundness of Android Static Analysis
15th September 2023
Dr. Jordan Samhi
The 6th International Workshop on Advances in Mobile App Analysis
Luxembourg
CISPA – Helmholtz Center for Information Security
Who Am I?
Dr. Jordan Samhi
Post-doc at CISPA – Helmholtz Center for Information Security
Research group: Software Research
jordan.samhi@cispa.de
https://www.jordansamhi.com
15th September 2023 - Jordan Samhi
2
On the Soundness of Android Static Analysis
Solutions and open challenges
> 6 billion people own a smartphone
> 71% are Android-based
> Sensitive data
High security risks
Bugs
Malicious Code
Vulnerabilities
FlowDroid [1]
[1] Arzt, Steven, et al. - FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android
- malware detection
- features extraction
- instrumentation
- incompatibility issues
- type-state issues
- etc.
Can you trust this model?
[Figure: the model built by the analyzer versus the real behavior of the app; an edge m() → n() that only exists through ICC, Reflection or Callbacks is missing from the model]
Soundness of Program Analysis
Agenda
• Inter-component communication
• Native Code
Inter-Component Communication
[Figure: an app made of many components (Activities, Services, Broadcast Receivers) communicating with one another]
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    startActivity(i);
}

// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
● sendBroadcast
● sendBroadcastAsUser
● sendOrderedBroadcast
● sendOrderedBroadcastAsUser
● sendStickyBroadcast
● sendStickyBroadcastAsUser
● sendStickyOrderedBroadcast
● sendStickyOrderedBroadcastAsUser
● startActivities
● startActivity
● startActivityForResult
● startActivityFromChild
● startActivityFromFragment
● startActivityIfNeeded
● startService
● bindService
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    // The Intent is wrapped in a PendingIntent and handed to the SMS API,
    // which fires it later: no typical ICC method is called here.
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
}

// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
Atypical Inter-Component Communication (AICC)
What are the problems?
• What are AICC methods?
• How to reveal AICC methods to existing analyzers?
● setRepeating
● requestLocationUpdates
● registerNetworkCallback
● setCancelButtonIntent
● sendMultimediaMessage
● setOnClickPendingIntent
● onSuccess
● installExistingPackage
● startDownloadServiceIfRequired
● sendTextMessage
● addAction
● setExact
● setFullScreenIntent
● setDeleteIntent
● setPendingIntentTemplate
● setLatestEventInfo
● setInexactRepeating
● etc.
Systematic study of the Android Framework
Revealing Atypical Inter-Component Communication
Main idea: add typical ICC calls for existing analyzers
STEP 1: RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects
STEP 2: RAICC leverages the IFDS framework to propagate target component type to PendingIntent objects
STEP 3: App instrumentation to add typical ICC method depending on Intent targets
STEP 4: App is repackaged
Revealing Atypical Inter-Component Communication
STEP 1
What Intents are “linked” to this PendingIntent?
PendingIntent_x ↦ {Intent_a, …, Intent_n}
Revealing Atypical Inter-Component Communication
STEP 2
What is the type of the target component that the PendingIntent refers to?
PendingIntent_x ↦ {“activity”, “service”}
Revealing Atypical Inter-Component Communication
STEP 3
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    // STEP 1 result: pi ↦ { i }
    // STEP 2 result: pi ↦ { Activity }
    startActivity(i); // typical ICC call inserted by RAICC for the Activity target
}
Revealing Atypical Inter-Component Communication
STEP 4
// Main Activity (after RAICC instrumentation and repackaging)
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    startActivity(i); // existing analyzers now see the ICC link to TargetActivity
}
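The four RAICC steps above, condensed into a small Python model. This is an added example and not RAICC's own code: RAICC works on Soot's Jimple IR with the IFDS framework and is interprocedural, whereas the single forward pass over one method below, the `Stmt` encoding, the `AICC_METHODS` subset and the `SAMPLE` program are assumptions made for illustration. It propagates Intents (STEP 1) and target component types (STEP 2) to PendingIntent variables, inserts the typical ICC call after the AICC call (STEP 3) and returns the "repackaged" statement list (STEP 4):

```python
"""Toy model of RAICC's four steps on a straight-line statement list.

Added illustration, not RAICC's code: the statement shapes below and the
intraprocedural single pass are simplifications of the IFDS-based analysis.
"""
from collections import defaultdict
from dataclasses import dataclass

# Real PendingIntent factory methods and the component type each one wraps.
PENDING_INTENT_FACTORIES = {
    "PendingIntent.getActivity": "activity",
    "PendingIntent.getActivities": "activity",
    "PendingIntent.getService": "service",
    "PendingIntent.getBroadcast": "broadcast",
}

# Typical ICC method that existing analyzers (IC3, FlowDroid, ...) already model.
TYPICAL_ICC_CALL = {"activity": "startActivity",
                    "service": "startService",
                    "broadcast": "sendBroadcast"}

# A few AICC methods from the slide: they take a PendingIntent and trigger the
# wrapped Intent later, outside of any typical ICC method (subset, assumed).
AICC_METHODS = {"sendTextMessage", "setRepeating", "setExact",
                "requestLocationUpdates", "setOnClickPendingIntent"}


@dataclass(frozen=True)
class Stmt:
    kind: str            # "new_intent" | "pending" | "assign" | "call"
    target: str          # variable defined, or "receiver.method" for a call
    args: tuple = ()     # operands as they would appear in the source


def propagate(stmts):
    """STEP 1 and STEP 2: for every PendingIntent variable collect the Intents
    it wraps and the target component types, following simple aliases."""
    intents = defaultdict(set)   # pi -> {intent variables}
    types = defaultdict(set)     # pi -> {"activity", "service", "broadcast"}
    for s in stmts:
        if s.kind == "pending":
            factory, intent_var = s.args
            intents[s.target].add(intent_var)
            types[s.target].add(PENDING_INTENT_FACTORIES[factory])
        elif s.kind == "assign" and s.args[0] in intents:
            src = s.args[0]                      # pi2 = pi: facts flow to pi2
            intents[s.target] |= intents[src]
            types[s.target] |= types[src]
    return intents, types


def reveal(stmts):
    """STEP 3 and STEP 4: after each AICC call, add the typical ICC call(s)
    for every Intent linked to its PendingIntent argument(s), then return the
    repackaged statement list."""
    intents, types = propagate(stmts)
    out = []
    for s in stmts:
        out.append(s)
        if s.kind != "call" or s.target.rsplit(".", 1)[-1] not in AICC_METHODS:
            continue
        for arg in s.args:                       # PendingIntent operands only
            for intent_var in sorted(intents.get(arg, ())):
                for ty in sorted(types.get(arg, ())):
                    out.append(Stmt("call", TYPICAL_ICC_CALL[ty], (intent_var,)))
    return out


def render(stmts):
    """Show the statement list as Java-like source, for inspection."""
    lines = []
    for s in stmts:
        if s.kind == "new_intent":
            lines.append(f"Intent {s.target} = new Intent(this, {s.args[0]}.class);")
        elif s.kind == "pending":
            lines.append(f"PendingIntent {s.target} = {s.args[0]}(this, 0, {s.args[1]}, 0);")
        elif s.kind == "assign":
            lines.append(f"PendingIntent {s.target} = {s.args[0]};")
        else:
            lines.append(f"{s.target}({', '.join(s.args)});")
    return "\n".join(lines)


# Constructed input: the onCreate body from the slide.
SAMPLE = [
    Stmt("new_intent", "i", ("TargetActivity",)),
    Stmt("call", "i.putExtra", ('"test"', '"value"')),
    Stmt("pending", "pi", ("PendingIntent.getActivity", "i")),
    Stmt("call", "sm.sendTextMessage", ('"0"', "null", '"0"', "pi", "null")),
]

if __name__ == "__main__":
    print(render(reveal(SAMPLE)))   # last line: startActivity(i);
```

Running it prints the slide's onCreate with `startActivity(i);` appended after `sm.sendTextMessage(...)`. The alias case (`pi2 = pi`) handled in `propagate` is the reason the real tool needs a dataflow analysis rather than a syntactic pattern match: the PendingIntent reaching the AICC call is often not the variable the factory returned.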
Evaluation
Benchmark: 20 hand-crafted apps
Real-world apps: 5 000 goodware / 5 000 malware
Main Results
Number of ICC links found by IC3

                 5 000 goodware      5 000 malware
Before RAICC     20 300              16 222
After RAICC      25 708              26 223
Improvement      +5 408 (+26.2%)     +10 001 (+61.6%)
[Figure: features modeled by existing analyzers (Reflection, Callback, ICC) next to question marks for what is still unmodeled]
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
● RAICC improves ICC modeling
● It is already used by collaborators
● It is maintained
● Improvable on-demand
● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC
Native Code
What are the problems?
• How to account for native code?
• How to model native code?
Native code
Results are bridged
A unified model
JuCify Overview
First part: NativeDiscloser
Extracting native methods information
Method call in the bytecode – native function
Static registration: nativeGetImei – Java_com_example_app_MainActivity_nativeGetImei
Dynamic registration: nativeGetImei – some_native_function
Second part: Call Graph Generation
Native CG Bytecode CG
Third part: Call Graph Unification
Unified Call Graph Representation
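The NativeDiscloser mapping and the call-graph unification from the three parts above, as one added Python example. This is not JuCify's own code (JuCify operates on Soot call graphs and on call graphs recovered from the native libraries). The name-mangling rules are the ones the JNI specification defines for statically registered functions; the `RegisterNatives` table, the two call graphs, the native function names and the call-back edge are constructed assumptions, as is everything except the class and method names taken from the slide. It shows that a path from `onCreate` to a Java API reached through native code only becomes visible once the two graphs are unified:

```python
"""Toy model of JuCify: (1) NativeDiscloser binds Java native methods to
native functions via static (JNI mangling) or dynamic (RegisterNatives)
registration; (2) a bytecode CG and a native CG exist separately;
(3) both are unified so reachability crosses the Java/native boundary.

Added example, not JuCify's code; all graphs and tables below are constructed.
"""
from collections import defaultdict, deque


def jni_mangle(name):
    """JNI symbol mangling: '/' and '.' -> '_', '_' -> '_1', ';' -> '_2',
    '[' -> '_3', any other non-ASCII-alphanumeric char -> '_0' + 4 hex digits."""
    out = []
    for ch in name:
        if ch in "/.":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"_0{ord(ch):04x}")
    return "".join(out)


def jni_symbol(class_name, method, arg_descriptor=None):
    """Exported symbol of a statically registered native method; the argument
    descriptor is appended after '__' only for overloaded methods."""
    sym = f"Java_{jni_mangle(class_name)}_{jni_mangle(method)}"
    if arg_descriptor is not None:
        sym += "__" + jni_mangle(arg_descriptor)
    return sym


def resolve_native_methods(native_methods, exported_symbols, register_natives):
    """NativeDiscloser step: 'Class.method' -> native function name (or None).
    Static registration wins when the mangled symbol is exported by the .so;
    otherwise fall back to the RegisterNatives table recovered from JNI_OnLoad."""
    bindings = {}
    for cls, meth in native_methods:
        sym = jni_symbol(cls, meth)
        if sym in exported_symbols:
            bindings[f"{cls}.{meth}"] = sym
        else:
            bindings[f"{cls}.{meth}"] = register_natives.get((cls, meth))
    return bindings


def unify(bytecode_cg, native_cg, bindings, native_to_java=()):
    """Unified call graph: bytecode edges + native edges + one bridge edge per
    bound native method + native-to-Java call-back edges (assumed resolved)."""
    g = defaultdict(set)
    for src, dst in list(bytecode_cg) + list(native_cg) + list(native_to_java):
        g[src].add(dst)
    for java_method, native_fn in bindings.items():
        if native_fn is not None:
            g[java_method].add(native_fn)
    return g


def reachable(g, start):
    """Plain BFS over the (unified) call graph."""
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for m in g.get(n, ()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


# Constructed app: onCreate calls two native methods, one registered
# statically (mangled symbol exported) and one dynamically (RegisterNatives).
CLS = "com.example.app.MainActivity"
NATIVE_METHODS = {(CLS, "nativeGetImei"), (CLS, "nativeSend")}
EXPORTED = {"Java_com_example_app_MainActivity_nativeGetImei", "JNI_OnLoad"}
REGISTER_NATIVES = {(CLS, "nativeSend"): "some_native_function"}
BYTECODE_CG = [(f"{CLS}.onCreate", f"{CLS}.nativeGetImei"),
               (f"{CLS}.onCreate", f"{CLS}.nativeSend")]
NATIVE_CG = [("Java_com_example_app_MainActivity_nativeGetImei", "read_imei"),
             ("some_native_function", "send_over_socket")]
# Constructed call-back: the native code invokes a Java API through JNI.
NATIVE_TO_JAVA = [("read_imei", "android.telephony.TelephonyManager.getDeviceId")]


def analyze():
    """Return (bindings, reachable without JuCify, reachable with JuCify)."""
    bindings = resolve_native_methods(NATIVE_METHODS, EXPORTED, REGISTER_NATIVES)
    start = f"{CLS}.onCreate"
    before = reachable(unify(BYTECODE_CG, [], {}), start)
    after = reachable(unify(BYTECODE_CG, NATIVE_CG, bindings, NATIVE_TO_JAVA), start)
    return bindings, before, after


if __name__ == "__main__":
    b, before, after = analyze()
    print("bindings:", b)
    print("new nodes reachable after unification:", sorted(after - before))
```

Without the unified graph the bytecode-only analysis stops at the two `native` declarations; with it, both the native sink (`send_over_socket`) and the Java API called back from native code become reachable from `onCreate`, which is exactly the kind of edge a taint or sensitive-operation detector needs.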
Let’s see an example
Without JuCify
With JuCify
• Call-Graph is not enough
• Our ambition is to unify both representations
Main results
Number of nodes and edges computed by Soot with and without JuCify
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
● We proposed a new approach to unify the bytecode and native code representations
● We demonstrated how JuCify is a step toward code unification
● JuCify and artifacts are available at: https://github.com/JordanSamhi/JuCify
Logic Bomb detection
if (…)  [ ]  Normal
        [ ]  Abnormal
Check out: J. Samhi, et al. "Difuzer: Uncovering suspicious hidden sensitive operations in Android apps." ICSE 2022.
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
J. Samhi et al., “Implicit calls triggered under certain circumstances”
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
OK! Enough of the past!
What are the next challenges?
The static analysis paradox
Promise
Sound Analysis
[Figure: features now modeled (Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC) next to many remaining question marks]
Analyzing the Unanalyzable
Security is Adversarial
Attackers will try to find ways to bypass static analysis
Libraries
The Dream in Program Analysis
Find the Ultimate Abstractions
COBOL
ABAP
Some Ideas for Open Challenges
What is currently covered by static analyzers?
How can frameworks be effectively represented through static modeling?
How can multi-language software be effectively represented through static modeling?
What is currently covered by static analyzers?
[Figure: Control Flow Graph and Call Graph as produced by Static Analysis, compared with what Dynamic Analysis observes]
What is currently covered by static analyzers?
[Figure: the set of methods statically reachable against the set of methods dynamically called; their overlap and differences are marked with question marks]
IMPLICIT CALLS
How can frameworks be effectively represented through static modeling?
Software systems interact with other components (frameworks), not only with their own code
How can frameworks be effectively represented through static modeling?
1 – Identify development frameworks
2 – Statically find entry and exit points to and from frameworks
3 – Propose a static model that connects the dots
How can multi-language software be effectively represented through static modeling?
WebView wv = new WebView(context);
setContentView(wv);
// loadUrl needs a scheme; a bare host name is not a loadable URL
wv.loadUrl("https://www.example.com");
WebSettings settings = wv.getSettings();
// From here on, app behavior continues in JavaScript that a Java/bytecode analysis does not see
settings.setJavaScriptEnabled(true);
How can multi-language software be effectively represented through static modeling?
1 – Study the static analysis ecosystem of different languages
2 – To what extent can existing tools be bridged with existing frameworks?
3 – Investigate how to provide a unified static model
Implications for Security
Better Static Code Modeling = Better Code Coverage
Data leak detection
Aggressive Ads
Trojan horses
Logic vulnerabilities
SQL injection detection
Sensitive operations detection
Bug detection
Type state misuse detection
Crypto API misuse
Type confusion detection
Hijacking
Spyware
Vulnerability detection
Privacy policy compliance
Logic bombs
GDPR compliance
Soundness of Program Analysis: Real Behavior, m() → n()
[Figure: features now modeled (Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC) next to many remaining question marks]
Analyzing the Unanalyzable
My Dream in Program Analysis: Find the Ultimate Abstractions
What is currently covered by static analyzers?
How can frameworks be effectively represented through static modeling?
How can multi-language software be effectively represented through static modeling?
7th February 2023 - Jordan Samhi

More Related Content

Similar to On the Soundness of Android Static Analysis

Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
IJNSA Journal
 
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
IJNSA Journal
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system for
IJNSA Journal
 
IRJET - NETRA: Android Application for Visually Challenged People to Dete...
IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...
IRJET - NETRA: Android Application for Visually Challenged People to Dete...
IRJET Journal
 
Security and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) DevicesSecurity and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) Devices
SanjayKumarYadav58
 
Virtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial RecognitionVirtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial Recognition
IRJET Journal
 
건설 스타트업과 오픈소스
건설 스타트업과 오픈소스건설 스타트업과 오픈소스
건설 스타트업과 오픈소스
Tae wook kang
 
Bank Locker System Using Fingerprint Authentication & Image Processing
Bank Locker System Using Fingerprint Authentication & Image ProcessingBank Locker System Using Fingerprint Authentication & Image Processing
Bank Locker System Using Fingerprint Authentication & Image Processing
IRJET Journal
 
3M Secure Transportation System.
3M Secure Transportation System.3M Secure Transportation System.
3M Secure Transportation System.
IRJET Journal
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
ijscai
 
4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
ijesajournal
 
IJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
IJWMN -Malware Detection in IoT Systems using Machine Learning TechniquesIJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
IJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
ijwmn
 
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUESMALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
ijwmn
 
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
Amélie Gyrard
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Amélie Gyrard
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
theijes
 
Autonomous Vehicle and Augmented Reality Usage
Autonomous Vehicle and Augmented Reality UsageAutonomous Vehicle and Augmented Reality Usage
Autonomous Vehicle and Augmented Reality Usage
Dr. Amarjeet Singh
 
Motion capture for Animation
Motion capture for AnimationMotion capture for Animation
Motion capture for Animation
IRJET Journal
 

Similar to On the Soundness of Android Static Analysis (20)

Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
 
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system for
 
IRJET - NETRA: Android Application for Visually Challenged People to Dete...
IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...IRJET -  	  NETRA: Android Application for Visually Challenged People to Dete...
IRJET - NETRA: Android Application for Visually Challenged People to Dete...
 
Security and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) DevicesSecurity and Authentication of Internet of Things (IoT) Devices
Security and Authentication of Internet of Things (IoT) Devices
 
Virtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial RecognitionVirtual Contact Discovery using Facial Recognition
Virtual Contact Discovery using Facial Recognition
 
건설 스타트업과 오픈소스
건설 스타트업과 오픈소스건설 스타트업과 오픈소스
건설 스타트업과 오픈소스
 
Bank Locker System Using Fingerprint Authentication & Image Processing
Bank Locker System Using Fingerprint Authentication & Image ProcessingBank Locker System Using Fingerprint Authentication & Image Processing
Bank Locker System Using Fingerprint Authentication & Image Processing
 
3M Secure Transportation System.
3M Secure Transportation System.3M Secure Transportation System.
3M Secure Transportation System.
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
 
4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...4 th International Conference on Signal Processing and Machine Learning (SIGM...
4 th International Conference on Signal Processing and Machine Learning (SIGM...
 
IJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
IJWMN -Malware Detection in IoT Systems using Machine Learning TechniquesIJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
IJWMN -Malware Detection in IoT Systems using Machine Learning Techniques
 
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUESMALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUES
 
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
 
Autonomous Vehicle and Augmented Reality Usage
Autonomous Vehicle and Augmented Reality UsageAutonomous Vehicle and Augmented Reality Usage
Autonomous Vehicle and Augmented Reality Usage
 
Motion capture for Animation
Motion capture for AnimationMotion capture for Animation
Motion capture for Animation
 

Recently uploaded

Immersive Learning That Works: Research Grounding and Paths Forward
Immersive Learning That Works: Research Grounding and Paths ForwardImmersive Learning That Works: Research Grounding and Paths Forward
Immersive Learning That Works: Research Grounding and Paths Forward
Leonel Morgado
 
Basics of crystallography, crystal systems, classes and different forms
Basics of crystallography, crystal systems, classes and different formsBasics of crystallography, crystal systems, classes and different forms
Basics of crystallography, crystal systems, classes and different forms
MaheshaNanjegowda
 
Micronuclei test.M.sc.zoology.fisheries.
Micronuclei test.M.sc.zoology.fisheries.Micronuclei test.M.sc.zoology.fisheries.
Micronuclei test.M.sc.zoology.fisheries.
Aditi Bajpai
 
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
Travis Hills MN
 
Compexometric titration/Chelatorphy titration/chelating titration
Compexometric titration/Chelatorphy titration/chelating titrationCompexometric titration/Chelatorphy titration/chelating titration
Compexometric titration/Chelatorphy titration/chelating titration
Vandana Devesh Sharma
 
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdfMending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
Selcen Ozturkcan
 
GBSN - Biochemistry (Unit 6) Chemistry of Proteins
GBSN - Biochemistry (Unit 6) Chemistry of ProteinsGBSN - Biochemistry (Unit 6) Chemistry of Proteins
GBSN - Biochemistry (Unit 6) Chemistry of Proteins
Areesha Ahmad
 
23PH301 - Optics - Optical Lenses.pptx
23PH301 - Optics  -  Optical Lenses.pptx23PH301 - Optics  -  Optical Lenses.pptx
23PH301 - Optics - Optical Lenses.pptx
RDhivya6
 
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
PsychoTech Services
 
The binding of cosmological structures by massless topological defects
The binding of cosmological structures by massless topological defectsThe binding of cosmological structures by massless topological defects
The binding of cosmological structures by massless topological defects
Sérgio Sacani
 
8.Isolation of pure cultures and preservation of cultures.pdf
8.Isolation of pure cultures and preservation of cultures.pdf8.Isolation of pure cultures and preservation of cultures.pdf
8.Isolation of pure cultures and preservation of cultures.pdf
by6843629
 
Farming systems analysis: what have we learnt?.pptx
Farming systems analysis: what have we learnt?.pptxFarming systems analysis: what have we learnt?.pptx
Farming systems analysis: what have we learnt?.pptx
Frédéric Baudron
 
Juaristi, Jon. - El canon espanol. El legado de la cultura española a la civi...
Juaristi, Jon. - El canon espanol. El legado de la cultura española a la civi...Juaristi, Jon. - El canon espanol. El legado de la cultura española a la civi...
Juaristi, Jon. - El canon espanol. El legado de la cultura española a la civi...
frank0071
 
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...
Advanced-Concepts-Team
 
The cost of acquiring information by natural selection
The cost of acquiring information by natural selectionThe cost of acquiring information by natural selection
The cost of acquiring information by natural selection
Carl Bergstrom
 
ESR spectroscopy in liquid food and beverages.pptx
ESR spectroscopy in liquid food and beverages.pptxESR spectroscopy in liquid food and beverages.pptx
ESR spectroscopy in liquid food and beverages.pptx
PRIYANKA PATEL
 
molar-distalization in orthodontics-seminar.pptx
molar-distalization in orthodontics-seminar.pptxmolar-distalization in orthodontics-seminar.pptx
molar-distalization in orthodontics-seminar.pptx
Anagha Prasad
 
The debris of the ‘last major merger’ is dynamically young
The debris of the ‘last major merger’ is dynamically youngThe debris of the ‘last major merger’ is dynamically young
The debris of the ‘last major merger’ is dynamically young
Sérgio Sacani
 
Pests of Storage_Identification_Dr.UPR.pdf
Pests of Storage_Identification_Dr.UPR.pdfPests of Storage_Identification_Dr.UPR.pdf
Pests of Storage_Identification_Dr.UPR.pdf
PirithiRaju
 
11.1 Role of physical biological in deterioration of grains.pdf
11.1 Role of physical biological in deterioration of grains.pdf11.1 Role of physical biological in deterioration of grains.pdf
11.1 Role of physical biological in deterioration of grains.pdf
PirithiRaju
 

Recently uploaded (20)

Immersive Learning That Works: Research Grounding and Paths Forward
Immersive Learning That Works: Research Grounding and Paths ForwardImmersive Learning That Works: Research Grounding and Paths Forward
Immersive Learning That Works: Research Grounding and Paths Forward
 
Basics of crystallography, crystal systems, classes and different forms
Basics of crystallography, crystal systems, classes and different formsBasics of crystallography, crystal systems, classes and different forms
Basics of crystallography, crystal systems, classes and different forms
 
Micronuclei test.M.sc.zoology.fisheries.
Micronuclei test.M.sc.zoology.fisheries.Micronuclei test.M.sc.zoology.fisheries.
Micronuclei test.M.sc.zoology.fisheries.
 
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
Travis Hills of MN is Making Clean Water Accessible to All Through High Flux ...
 
Compexometric titration/Chelatorphy titration/chelating titration
Compexometric titration/Chelatorphy titration/chelating titrationCompexometric titration/Chelatorphy titration/chelating titration
Compexometric titration/Chelatorphy titration/chelating titration
 
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdfMending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdf
 
GBSN - Biochemistry (Unit 6) Chemistry of Proteins
GBSN - Biochemistry (Unit 6) Chemistry of ProteinsGBSN - Biochemistry (Unit 6) Chemistry of Proteins
GBSN - Biochemistry (Unit 6) Chemistry of Proteins
 
23PH301 - Optics - Optical Lenses.pptx
23PH301 - Optics  -  Optical Lenses.pptx23PH301 - Optics  -  Optical Lenses.pptx
23PH301 - Optics - Optical Lenses.pptx
 
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
 
The binding of cosmological structures by massless topological defects
The binding of cosmological structures by massless topological defectsThe binding of cosmological structures by massless topological defects
The binding of cosmological structures by massless topological defects
 
8.Isolation of pure cultures and preservation of cultures.pdf
8.Isolation of pure cultures and preservation of cultures.pdf8.Isolation of pure cultures and preservation of cultures.pdf
8.Isolation of pure cultures and preservation of cultures.pdf
 
Farming systems analysis: what have we learnt?.pptx

On the Soundness of Android Static Analysis

  • 1. On the Soundness of Android Static Analysis
    15th September 2023, Dr. Jordan Samhi
    The 6th International Workshop on Advances in Mobile App Analysis, Luxembourg
    CISPA – Helmholtz Center for Information Security
  • 2. Who Am I?
    Dr. Jordan Samhi, Post-doc at CISPA – Helmholtz Center for Information Security
    Research group: Software Research
    jordan.samhi@cispa.de, https://www.jordansamhi.com
    15th September 2023 - Jordan Samhi
  • 3. On the Soundness of Android Static Analysis: Solutions and open challenges
  • 4. > 6 billion people own a smartphone
    > 71% are Android-based
    > Sensitive data
  • 7. FlowDroid [1]
    - malware detection
    - features extraction
    - instrumentation
    - incompatibility issues
    - type-state issues
    - etc.
    [1] Arzt, Steven, et al. - FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android
  • 8. Can you trust this model? ICC, Reflection, Callbacks
  • 9. Soundness of Program Analysis (figure: real behavior versus the analysis model, with methods m() and n())
  • 10. Agenda
    • Inter-component communication
    • Native Code
  • 13. Typical ICC: the Intent is passed directly to an ICC method.

```java
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    startActivity(i);
}

// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
```

    Typical ICC methods:
    ● sendBroadcast
    ● sendBroadcastAsUser
    ● sendOrderedBroadcast
    ● sendOrderedBroadcastAsUser
    ● sendStickyBroadcast
    ● sendStickyBroadcastAsUser
    ● sendStickyOrderedBroadcast
    ● sendStickyOrderedBroadcastAsUser
    ● startActivities
    ● startActivity
    ● startActivityForResult
    ● startActivityFromChild
    ● startActivityFromFragment
    ● startActivityIfNeeded
    ● startService
    ● bindService
  • 14. Atypical Inter-Component Communication (AICC): the Intent is wrapped in a PendingIntent and handed to a method that is not an ICC method.

```java
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
}

// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
```

  • 15. What are the problems?
    • What are AICC methods?
    • How to reveal AICC methods to existing analyzers?
  • 16. Systematic study of the Android Framework
    ● setRepeating
    ● requestLocationUpdates
    ● registerNetworkCallback
    ● setCancelButtonIntent
    ● sendMultimediaMessage
    ● setOnClickPendingIntent
    ● onSuccess
    ● installExistingPackage
    ● startDownloadServiceIfRequired
    ● sendTextMessage
    ● addAction
    ● setExact
    ● setFullScreenIntent
    ● setDeleteIntent
    ● setPendingIntentTemplate
    ● setLatestEventInfo
    ● setInexactRepeating
    ● etc.
  • 17. Revealing Atypical Inter-Component Communication
    Main idea: add typical ICC calls for existing analyzers
    STEP 1: RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects
    STEP 2: RAICC leverages the IFDS framework to propagate the target component type to PendingIntent objects
    STEP 3: App instrumentation to add the typical ICC method depending on the Intent targets
    STEP 4: The app is repackaged
  • 18. Revealing Atypical Inter-Component Communication, STEP 1
    What Intents are "linked" to this PendingIntent?
    PendingIntent_x ↦ {Intent_a, …, Intent_n}
  • 19. Revealing Atypical Inter-Component Communication, STEP 2
    What is the type of the target component that the PendingIntent refers to?
    PendingIntent_x ↦ {"activity", "service"}
  • 20. Revealing Atypical Inter-Component Communication, STEP 3
    Facts computed for the snippet of slide 14: pi ↦ { i } (STEP 1) and pi ↦ { Activity } (STEP 2), so the typical call startActivity(i) is added after the AICC call.

```java
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);   // pi ↦ { i }, pi ↦ { Activity }
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    startActivity(i);   // added by the instrumentation
}
```

  • 21. Revealing Atypical Inter-Component Communication, STEP 4

```java
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    startActivity(i);
}
```
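The four RAICC steps above, played out on a tiny statement IR as an added example (constructed here, not RAICC's own code, which works on Jimple with an IFDS solver). The sink table, the PendingIntent-factory-to-target-type table and the sample program are constructed stand-ins; the example also handles a Service target reached through `setExact`, which the slides only list.

```python
from dataclasses import dataclass

# Atypical ICC methods named in the talk -> index of the argument holding the PendingIntent
AICC_SINKS = {"sendTextMessage": 3, "setExact": 2, "setRepeating": 3}
# PendingIntent factory -> type of the component the wrapped Intent will reach
PI_FACTORY = {"getActivity": "activity", "getService": "service", "getBroadcast": "broadcast"}
# Typical ICC method that existing analyzers (e.g. IC3) already model, per target type
TYPICAL_ICC = {"activity": "startActivity", "service": "startService", "broadcast": "sendBroadcast"}

@dataclass(frozen=True)
class Stmt:
    """One statement of a tiny straight-line IR (constructed stand-in for Jimple)."""
    kind: str          # "new_intent" | "pending" | "call"
    method: str = ""   # PendingIntent factory, or the called method
    args: tuple = ()   # argument variables/literals, as strings
    target: str = ""   # variable assigned by new_intent / pending

def analyze(stmts):
    """Steps 1-2: PendingIntent var -> {Intent vars} and PendingIntent var -> {target types}.
    A single-method, straight-line stand-in for RAICC's IFDS propagation."""
    intents, pi_intents, pi_types = set(), {}, {}
    for s in stmts:
        if s.kind == "new_intent":
            intents.add(s.target)
        # PendingIntent.get*(context, requestCode, intent, flags): the Intent is args[2]
        elif s.kind == "pending" and s.args[2] in intents:
            pi_intents.setdefault(s.target, set()).add(s.args[2])
            pi_types.setdefault(s.target, set()).add(PI_FACTORY[s.method])
    return pi_intents, pi_types

def instrument(stmts):
    """Steps 3-4: after each AICC call, add the typical ICC call for every
    (Intent, target type) pair linked to the PendingIntent that call receives."""
    pi_intents, pi_types = analyze(stmts)
    out = []
    for s in stmts:
        out.append(s)
        if s.kind == "call" and s.method in AICC_SINKS:
            pi = s.args[AICC_SINKS[s.method]]
            for intent in sorted(pi_intents.get(pi, ())):
                for kind in sorted(pi_types.get(pi, ())):
                    out.append(Stmt("call", TYPICAL_ICC[kind], (intent,)))
    return out

# Constructed mirror of the slide-14 snippet: the SMS "sent" callback hides an Activity launch
SAMPLE = [Stmt("new_intent", target="i"),
          Stmt("pending", "getActivity", ("this", "0", "i", "0"), target="pi"),
          Stmt("call", "sendTextMessage", ('"0"', "null", '"0"', "pi", "null"))]
```

`instrument(SAMPLE)` returns the three original statements followed by `startActivity(i)`, exactly the call slide 21 shows inserted; a program that already uses typical ICC is returned unchanged.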
  • 22. Evaluation
    Benchmark: 20 hand-crafted apps
    Real-world apps: 5 000 goodware / 5 000 malware
  • 23. Main Results: number of ICC links found by IC3

    Dataset          5 000 goodware     5 000 malware
    Before RAICC     20 300             16 222
    After RAICC      25 708             26 223
    Improvement      +5 408 (+26.2%)    +10 001 (+61.6%)

  • 25. Reflection, Callback, ICC (figure; open questions marked "?")
    J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
    ● RAICC improves ICC modeling
    ● It is already used by collaborators
    ● It is maintained
    ● Improvable on demand
    ● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC
  • 28. What are the problems?
    • How to account for native code?
    • How to model native code?
  • 29. Native code: results are bridged (figure)
  • 30. A unified model (figure)
  • 31. JuCify Overview (figure)
  • 32. First part: NativeDiscloser, extracting native methods information (figure)
  • 33. First part: NativeDiscloser, extracting native methods information
    Method call in the bytecode → native function
    Static registration: nativeGetImei → Java_com_example_app_MainActivity_nativeGetImei
    Dynamic registration: nativeGetImei → some_native_function
  • 34. First part: NativeDiscloser, extracting native methods information (figure)
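An added example of the binding step NativeDiscloser performs, written here from scratch (not JuCify's code): derive the exported symbol a statically registered native method must have, following the JNI name-mangling rules, and fall back to entries recovered from a RegisterNatives table for dynamic registration. The export list and the RegisterNatives entry are constructed inputs standing in for what would be read from the app's .so.

```python
def mangle(name):
    """JNI name mangling (JNI spec, 'Resolving Native Method Names'):
    '.'/'/' -> '_', '_' -> '_1', ';' -> '_2', '[' -> '_3', other non-ASCII-alnum -> '_0xxxx'."""
    out = []
    for ch in name:
        if ch in "./":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"_0{ord(ch):04x}")
    return "".join(out)

def static_symbol(class_name, method, sig=None):
    """Exported symbol a statically registered native method must have:
    Java_<class>_<method>, plus __<mangled arg types> when sig is given (overloads)."""
    symbol = f"Java_{mangle(class_name)}_{mangle(method)}"
    if sig is not None:
        symbol += "__" + mangle(sig[1:sig.index(")")])  # "(Ljava/lang/String;I)V" -> arg part
    return symbol

def resolve(class_name, method, sig, exported, registered):
    """Native function implementing <class_name>.<method><sig>, or None.
    registered: (class, method, signature, function) tuples recovered from a JNINativeMethod
    table passed to RegisterNatives (dynamic registration); such a binding takes precedence.
    exported: symbol names exported by the .so (static registration): short name, then long name."""
    for cls, m, s, fn in registered:
        if (cls, m, s) == (class_name, method, sig):
            return fn
    for candidate in (static_symbol(class_name, method), static_symbol(class_name, method, sig)):
        if candidate in exported:
            return candidate
    return None

# Constructed inputs mirroring slide 33: one export for the static case and one
# RegisterNatives entry for the dynamic case (no real binary is parsed here)
EXPORTED = {"JNI_OnLoad", "Java_com_example_app_MainActivity_nativeGetImei", "some_native_function"}
REGISTERED = [("com.example.app.MainActivity", "nativeGetImei", "()Ljava/lang/String;",
               "some_native_function")]
```

With `REGISTERED` present, `resolve` returns `some_native_function`; with an empty table it falls back to the mangled export, and a method with neither binding resolves to `None`, which is the edge a call-graph builder has to treat as an unknown target.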
  • 35. Second part: Call Graph Generation (Native CG, Bytecode CG)
  • 36. Second part: Call Graph Generation (Native CG, Bytecode CG)
  • 37. Third part: Call Graph Unification (Unified Call Graph Representation)
  • 38. Let's see an example
  • 39. Without JuCify (figure)
  • 40. With JuCify (figure)
  • 41. • The call graph is not enough
    • Our ambition is to unify both representations
  • 42. Main results
  • 43. Main results: number of nodes and edges computed by Soot with and without JuCify (figure)
  • 44. Reflection, Callback, ICC (figure; open questions marked "?")
    J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
  • 45. Reflection, Callback, ICC (figure)
    J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
    J. Samhi et al., "JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis", ICSE 2022.
    ● We proposed a new approach to unify the bytecode and native code representations
    ● We demonstrated how JuCify is a step toward code unification
    ● JuCify and artifacts are available at: https://github.com/JordanSamhi/JuCify
  • 46. Logic Bomb detection (figure: an `if (…)` whose two branches are labeled Normal and Abnormal)
    Check out: J. Samhi, et al. "Difuzer: Uncovering suspicious hidden sensitive operations in android apps." ICSE 2022.
  • 47. Reflection, Callback, ICC (figure)
    J. Samhi et al., "RAICC: Revealing Atypical Inter-Component Communication in Android apps", ICSE 2021.
    J. Samhi et al., "JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis", ICSE 2022.
    J. Samhi et al., "Implicit calls triggered under certain circumstances"
  • 48. OK! Enough of the past! What are the next challenges?
  • 49. The static analysis paradox: Promise vs. Sound Analysis
  • 50. Analyzing the Unanalyzable (figure: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC, and many more entries still marked "?")
  • 51. Security is Adversarial: attackers will try to find ways to bypass static analysis. Libraries
  • 52. The Dream in Program Analysis: Find the Ultimate Abstractions
  • 54. Some Ideas for Open Challenges
  • 55. What is currently covered by static analyzers?
    How can frameworks be effectively represented through static modeling?
    How can multi-language software be effectively represented through static modeling?
  • 56. What is currently covered by static analyzers? (figure: Control Flow Graph, Call Graph; Static Analysis vs. Dynamic Analysis)
  • 57. What is currently covered by static analyzers? (figure: methods statically reachable vs. methods dynamically called, with the gaps marked "?")
  • 58. IMPLICIT CALLS
  • 59. How can frameworks be effectively represented through static modeling?
    A piece of software is a system: it interacts with components.
  • 60. How can frameworks be effectively represented through static modeling? (figure)
  • 61. How can frameworks be effectively represented through static modeling?
    1 – Identify development frameworks
    2 – Statically find entry and exit points to and from frameworks
    3 – Propose a static model that connects the dots
  • 62. How can multi-language software be effectively represented through static modeling?
  • 63. How can multi-language software be effectively represented through static modeling?

```java
WebView wv = new WebView(context);
setContentView(wv);
wv.loadUrl("www.example.com");
WebSettings settings = wv.getSettings();
settings.setJavaScriptEnabled(true);   // JavaScript now runs next to the app's Java/bytecode
```

  • 64. How can multi-language software be effectively represented through static modeling?
    1 – Study the static analysis ecosystem of different languages
    2 – Determine to what extent existing tools can be bridged with existing frameworks
    3 – Investigate how to provide a unified static model
  • 65. Implications for Security: Better Static Code Modeling = Better Code Coverage
    Data leak detection, Aggressive Ads, Trojan horses, Logic vulnerabilities, SQL injection detection, Sensitive operations detection, Bug detection, Type state misuse detection, Crypto API misuse, Type confusion detection, Hijacking, Spyware, Vulnerability detection, Privacy policy compliance, Logic bombs, GDPR compliance
  • 66. Recap
    Soundness of Program Analysis (figure: real behavior versus the analysis model, with methods m() and n())
    Analyzing the Unanalyzable (figure: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC, and many more entries still marked "?")
    My Dream in Program Analysis: Find the Ultimate Abstractions
    What is currently covered by static analyzers?
    How can frameworks be effectively represented through static modeling?
    How can multi-language software be effectively represented through static modeling?
    7th February 2023 - Jordan Samhi