![Page 1: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/1.jpg)
1
FlowDroidPrecise Context, Flow, Field, Object-sensitiveand Lifecycle-aware Taint Analysis for Android Apps
From Dalvik Bytecode Analysis to Leak Detection in Android Applications
Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried Rasthofer
1st ICFEM Workshop on Default PrivacyThursday 6 November 2014Luxembourg, Luxembourg
![Page 2: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/2.jpg)
2
Evolution of Phones
1985 1995 2005 201510,000 100,000 1,000,000 10,000,000 loc
![Page 3: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/3.jpg)
3
“Smart”Phone = Computer + Sensors + Apps
![Page 4: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/4.jpg)
4
Smartphone Penetration
![Page 5: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/5.jpg)
5
Personal Information Stored on Smartphones
![Page 6: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/6.jpg)
6
Android Market Share > 80%!
![Page 7: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/7.jpg)
7
Why Analyze Android Apps?
![Page 8: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/8.jpg)
8
Overview
DalvikBytecode
Sources/Sinks
Leak detection
![Page 9: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/9.jpg)
9
How to Analyze Dalvik Bytecode?
![Page 10: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/10.jpg)
10
Problem: Type Information is Missing
![Page 11: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/11.jpg)
11
Solution: Find the Missing Information!
![Page 12: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/12.jpg)
12
99.4% of the Apps have Numerical Constants
![Page 13: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/13.jpg)
13
Evaluation: Do we Correctly Type the Code?
l Set of 27,846 Android applicationsl Total of 135,289,314 methods
Our algorithm correctly types
99% of the analyzed methods
![Page 14: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/14.jpg)
14
Future Work
l Unresolved referencel Jump to code in arrayl Multiple types for a single variable
Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to jimple for static analysis with soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis (pp. 27-38). ACM.
![Page 15: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/15.jpg)
15
Overview
DalvikBytecode
Sources/Sinks
Leak detection
![Page 16: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/16.jpg)
16
Detecting Privacy Leaks
l Dynamic Approaches:l TaintDroid [OSDI’10], l Aurasium [USENIX’12], l “Dr. Android and Mr. Hide“[SPSM’12], l etc.
l Static Approaches:l ScanDroid [TR 09], l DeD [SEC’11], l CHEX [CCS’12], l LeakMiner [WCSE’12], l ScanDal [Most’12], l AndroidLeaks [TRUST’12],l SAAF [SAC’13], l FlowDroid [PLDI’14], l etc.
![Page 17: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/17.jpg)
17
Detecting Privacy Leaks: Generic Approach
![Page 18: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/18.jpg)
18
But...
![Page 19: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/19.jpg)
19
Complete List Available?
![Page 20: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/20.jpg)
20
Machine Learning with Code Features
![Page 21: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/21.jpg)
21
Evaluation on Android Versions
![Page 22: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/22.jpg)
22
Top Source/Sink Methods in Malware
Rasthofer, Siegfried, Steven Arzt, and Eric Bodden. "A machine-learning approach for classifying and categorizing android sources and sinks." 2014 Network and Distributed System Security Symposium (NDSS). 2014.
![Page 23: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/23.jpg)
23
Overview
DalvikBytecode
Sources/Sinks
Leak detection
![Page 24: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/24.jpg)
24
FlowDroid
• Challenges in the Android World
• Highly Precise Taint Analysis• The Principles• Aliasing for Highly Precise Analyses
• Experiments• The DroidBench Micro Benchmark Suite
![Page 25: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/25.jpg)
25
Challenges in the Android World
public class M ain {
public static void m ain(String[] args) {…
}
}
![Page 26: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/26.jpg)
26
Modeling The Android Lifecycle
• Model Lifecycle Through Dummy Main Method
• Use Opaque Predicates and Jumps• All paths allowed in spec must be possible in method• Lots of paths, but doesn’t matter (see later)
![Page 27: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/27.jpg)
27
Modeling The Android Lifecycle
i = 0;l1: if (i = = 0) goto l9; // Skip the activity
Activity1 act1 = new com .ext.Activity1();act1.onCreate(… ); act1.onStart;l2: act.onResum e();…act1.onPause(… );l1: if (i = = 1) goto l2;act1.onStop();act1.onDestroy();if (i = = 2) goto l1; // Run activity again
![Page 28: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/28.jpg)
28
Challenges in the Android World
![Page 29: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/29.jpg)
29
Challenges in the Android World
onLocationChanged
onLowMemory
onSensorChangedonZoomChange
onGpsStatusChanged
onGesture
![Page 30: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/30.jpg)
30
Modeling Callbacks
• Same Technique as for Lifecycle• Call callback methods in dummy main method
• Simplification: Callbacks never die• Registered from app start till termination
• Not as Easy as it Sounds• Callbacks that register new callbacks• Callbacks defined in XML files
![Page 31: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/31.jpg)
31
Modeling Callbacks
Create Dummy Main Method
Get Reachable Methods
Look for New Callback
New Callbacks Found
Add XML Callbacks
Done
Else
![Page 32: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/32.jpg)
32
Challenges in the Android World
• Many Sources and Sinks• API methods from the SuSi list (NDSS’14)• User Interface Controls (e.g., Password Fields)
• Scalability Issue When Running With All Sources/Sinks• Piggybacking source on taint abstraction won’t scale
• The Android Framework is Huge• Analyzing the framework with every app doesn’t scale• Need library abstractions
![Page 33: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/33.jpg)
33
Dissecting Android Apps: Layout Files
Resource Table
Code Layout XML Files
ID ID
![Page 34: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/34.jpg)
34
Dissecting Android Apps: Layout Files
1.Parse The Global Resource Table
2.Parse The Layout XML Files
3.For every Layout File:1.Scan the code for registrations of the component ID2.Lookup the method ID to get the name3.Add the handler to the dummy main method
![Page 35: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/35.jpg)
35
Highly Precise Taint Tracking
• Based on the IFDS Framework by Reps and Horwitz• Idea: Data flow programs reduced to graph reachability
• Field-Sensitive• Object-Sensitive• Flow-Sensitive• Context-Sensitive
• Unlimited Depth!• Fix-Point iteration until no new callee-side contextsAnd what about aliasing?
![Page 36: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/36.jpg)
36
Highly Precise Taint Tracking
• Need an Alias Analysis With Same Precision
• Upfront Analysis Does Not Scale
• Solution: On-Demand Alias Analysis• Idea: Re-use same IFDS-based analysis• Two interleaved solvers• Technique adapted from Andromeda by Tripp et al.
(in: Fundamental Approaches to Software Engineering)
![Page 37: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/37.jpg)
37
Highly Precise Taint Tracking
void main() {
void foo(z) {
w = source();
x.f = w;
}
w
x = z.g;
x.f
return;
}
sink(b.f);
foo(a);
b = a.g;
a = new A();
x.f
z.g.f
a.g.f
b.f
Flow Sensitivity?
a.g.f
![Page 38: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/38.jpg)
38
Highly Precise Taint Tracking
void main() {
w = source();
z = x;
x.f = w;
return;
}
w
x.f
x.f leak(z.f);
z.f
Need to remember when taint
becomes “live”
We call it “Activation Statement”
![Page 39: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/39.jpg)
39
DroidBench – Benchmarks for Android
• Compare Static/Dynamic Analysis Tools for Android
• Open Source
• You’re Welcome to Contribute!
![Page 40: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/40.jpg)
40
DroidBench – Benchmarks for Android
• 64 Test Cases So Far• Arrays and Lists• Callbacks• Field And Object Sensitivity• Inter-App Communcation• Lifecycle• General Java• Miscellaneous Android-Specific• Implicit Flows• Reflection
![Page 41: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/41.jpg)
41
FlowDroid vs. The Rest on DroidBench
Precision
Recall
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
AppScan Source
Fortify
FlowDroid
![Page 42: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/42.jpg)
42
Future Work
• Native Code• Currently under-approximated by default• NativeCallHandler interface for custom implementations
• Library Functions• TaintPropagationHandler interface• Default implementation: Simple rules• More clever solution under submission
• More Efficient Callgraph Algorithms
![Page 43: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/43.jpg)
43
Future Work
• Inter-Component Communication• 320 different activities in Facebook app• Support for static fields
• Communication using intents possible• Solution under submission
Activity
Service
Broadcast Receiver
Content Provider
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., ... & McDaniel, P. (2014, June). Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (p. 29). ACM.
![Page 44: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/44.jpg)
44
Overview
DalvikBytecode
Sources/Sinks
Leak detection
![Page 45: Precise Context, Flow, Field, Object-sensitive From Dalvik ... · Bartel, A., Klein, J., Le Traon, Y., & Monperrus, M. (2012, June). Dexpler: converting android dalvik bytecode to](https://reader036.vdocument.in/reader036/viewer/2022070801/5f0264f17e708231d4040f48/html5/thumbnails/45.jpg)
45
Dexpler http://www.abartel.net/dexpler/Soot https://github.com/Sable/sootSuSi http://sseblog.ec-spride.de/tools/susi/FlowDroid http://sseblog.ec-spride.de/tools/flowdroid/Epicc http://siis.cse.psu.edu/epicc/IccTA https://sites.google.com/site/icctawebpage/DroidForce https://github.com/secure-software-engineering/DroidForce
Alexandre BartelCenter for Advanced Security Research Darmstadt (CASED)Secure Software Engineering Group (EC-SPRIDE)Email: [email protected]
The End