Effective Real-time Android Application Auditing有效的Android應(yīng)用程序?qū)崟r審計

EffectiveReal-timeAndroidApplicationAuditingPresentedbyLihuaRenPersonaldatainmobiledevices1ProblemDefinition2AbusesofpersonaldataDataleaksTamperuserprivacyAbandonappsHarmingappdevelopersHarmingappmarketintentionallye.g.forimproperadvertisingrevenueunintentionallye.g.exposingtheredatainplain-textoverpublicnetworksExistingwork3Analyzeandidentifydata-leakingappsbasedonstaticprogramanalysis:AppIntentPiosFlowdroidMerits

：comprehensivelyexamineprogramdataflowscomprehensivelyrevealdata-leakingcodepathsLimitation

：inefficient(time-andmemory-consuming)producesfalsealarmsOutlineProblemdefinitionPriorwork

AppAudit(newidea)DesignoverviewEfficientStaticAPIAnalysisApproximatedExecutionEvaluationDiscussion4ApproachofthisstudyApproach:AppAudit:aprogramanalysisframeworkthatcananalyzeappsefficientlyandeffectively.5Inreal-timeReportactualdataleaks/2014/01/setting-goals-to-pass-the-cse-in-2014/AppAudit:Usecases6integratedintoIDEstocheckappsfordevelopersbeforereleaseidentifyproblematic3rd-partymodulesdeployedasanautomaticappauditingserviceatappmarketswipeouthumaninvolvementinvalidatinganalysisresultsinstalledonmobiledevicestocheckappsbeforeinstallationprotectusersagainstdata-leakingappsfromuntrustedsourcesorappmarketsthatlackauditingserviceAppAudit:Designoverview7Goal:tackleanalysisefficiencyandfalsepositivesIdea:2stepsstartwithaverylightweightstaticAPIanalysisrelyonadynamicanalysistopruneitsfalsepositivesTacklefalsepositivesStaticanalysissolutions(existingwork)VSAppAuditStaticanalysissolutions:exploreallcodepathsAppAudit:onlyexplorescodepathsthatcouldhappeninreal->few

falsepositivesChallengeofAppAuditWhendynamicanalysismeetsunknowns,itcanhardlyexploredeeplyintocodepaths,whichwillcausefalsenegatives.ApproachofAppAuditdesignanovel

objectmodeltorepresentandpropagateunknownsdesignseveralexecutionmechanismstoincreasethedepthofouranalysisandavoidfalsenegatives8Step1:EfficientStaticAPIAnalysisGoal:EfficientlyfindfunctionsthatcanpotentiallycausedataleaksEssentialconditionsfordataleakReachaSourceAPItoretrievepersonaldataReachaSinkAPItotransmitdataoutofthedevice9Findingdataleak〓

FindingonepathfromthefunctiontoasourceAPIandanothertoasinkAPIStep1:EfficientStaticAPIAnalysis(CONT)10APIUsageAnalysisFirstly,buildastandardcallgraphfromprogrambytecodeThenextenditFinally,performabreadth-firstsearchtomarkallsuspiciousfunctionsWhyextend?howtoextend?CallGraphExtensions11TraditionalcallgraphMissingpaths:DynamicJavalanguagefeatures,AndroidprogrammingmodelAppAudit:CallGraphExtensionsJavaVirtualCallsandReflectionCallsAssumevirtualcallscanreachanymatchingmethodfromallinheritedclasseswhileareflectioncallwilldirectlybemarkedsuspiciousStaticFieldsasIntermediatesAndroidLifeCycleMethodsMulti-threadingGUIEventCallbacksAndroidRemoteProcedureCall(RPC)CallGraphExtensions(CONT)12CallGraphExtensions(CONT)13Step2:ApproximatedexecutionDefinitionAdynamic

analysisthatexecutesthebytecodeinstructionsofasuspiciousfunctionandreportswhendataleakhappensComponenttypicalregistersetaprogramcounter(pc)acallstackasitsexecutioncontext3workingmodes“execution(exec)”mode:interpretbytecodesandperformoperations“check”mode:checktheparametersforthesinkAPI“approximation(approx)”mode:facingunknown->switchtothismodeforapproximationstocontinuetheexecution.14ApproximatedExecutorStateMachine15

exec:Taintedobjectspropagatewiththeexecutionandtaintanyobjectderivedfromthem

check:Taintedobjectsarefound,reportandterminate(“end”finalstate);otherwise,revertback

approx:Iffail,enter“l(fā)eap”finalstate

leap:terminatecurrentexecutionandstartexecutingoneofitscallerfunctionObjectRepresentation16Type:i.e.int,long,stringobjectkind:

concreteobject(CON):createdduringtheexecutionprocess

priorunknown(PU):existpriortotheexecutionprocessandcontainunknownvalues

derivedunknown(DU):apriorunknownbutischangedduringtheexecutionprocessstoretheknownvalue(s)oftheobjecti.e.Unknownvalue17ExecutionRules(TableⅡ)TaintTaintrepresentation:

TaintingrulesPersonaldataismarkedastainted.Taintspropagatealongwiththeobject.IfasinkAPImeetsataintedobject,reportaleak.18ApproximationModeWhentochangetoapproximationmode:aconditionaljumpinstructionmeetsunknownvaluesUnknownBranchingApproximationIdea:skipunknownloopastheseloopscannotprovideusefulknowninformationfromunknowns.19/2014/01/setting-goals-to-pass-the-cse-in-2014/UnknownBranchingApproximation20ChoosenottotaketheconditionalbranchtoskiptheseloopsUnknownBranchingApproximation21Cannotdistinguishifsandloops

->

Onlyexplorethe“then”branchforunknownif-elsestructures->ThisbiasisbenignAccuracyAnalysisExecutionmode:faithfullyreproducetheactualpathoftherealexecutionApproximationmode:onlymissesnon-leakingpathsandisbenigntotheoverallaccuracyLimitationsofTaintAnalysisTaintSanitization:onlyaddandpropagatetaintsbutneverremovethem->inaccuracyandfalsepositives.(i.e.)ArrayIndexing:i.e.,willbetaintedif

istainted.->over-taints->falsepositivesControlFlowDependentTaints:22x,yarecorrelatedbutitalwaysproduceuntaintedyOutlineProblemdefinitionPriorwork

AppAudit(newidea)DesignoverviewEfficientStaticAPIAnalysisApproximatedExecutionEvaluationDiscussion23EvaluationMethodology:

CompletenessofStaticAPIAnalysis:bymicro-benchmark

DetectionAccuracy:bymalwaresamples

Usability:byreal-wordapps

CharacterizationofDataLeaksinRealApps:toprovideguidanceEvaluationdatasets:24CompletenessofStaticAPIAnalysis25FlowDroid:astate-of-the-artpurestaticanalysistoolFalsenegatives:

When:particularuserinputsha