Multi-source Taint Analysis Technique for Privacy Leak Detection of Android Apps

Cited by: 0
Authors
Wang L. [1, 2]
Zhou Q. [1, 2]
He D.-J. [1, 2]
Li L. [1, 2]
Feng X.-B. [1, 2]
Affiliations
[1] State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences, Beijing
[2] University of Chinese Academy of Sciences, Beijing
Source
Ruan Jian Xue Bao/Journal of Software | 2019 / Vol. 30 / No. 02
Funding
National Key Research and Development Program of China; National Natural Science Foundation of China;
Keywords
Android; Program analysis; Software security; Static analysis; Taint analysis;
DOI
10.13328/j.cnki.jos.005581
Abstract
Currently, the results of static taint analysis cannot directly indicate whether an application has privacy leaks (high false positives), which is inconvenient for detectors or users. To address this problem, this study puts forward a new technique, multi-source binding taint analysis, which can determine precisely and efficiently whether multiple sets of sources occur in one execution. In terms of precision, the technique supports context sensitivity, flow sensitivity, and field sensitivity, and can precisely distinguish exclusive branches. In terms of efficiency, an efficient implementation method is provided that reduces the high (exponential) complexity to an analysis cost close to that of the traditional method (initial overhead is 19.7%, further multi-analysis stage time is 0.3s). A prototype called MultiFlow is implemented and applied to 2 116 benign Apps and 2 089 malicious Apps. The results support the feasibility of the multi-source technique for enhancing the precision of privacy leak detection (reducing multi-source pairs by 41.1%). These characteristics are also used as a risk ranking standard for the Apps to improve detection convenience. Finally, the potential application scenarios of the technology are explored. © Copyright 2019, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Pages: 211 / 230
Page count: 19
Related papers
30 in total
  • [1] Mobile threat report, (2016)
  • [2] Livshits V.B., Lam M.S., Finding security vulnerabilities in Java applications with static analysis, Proc. of the Conf. on Usenix Security Symp., pp. 262-266, (2005)
  • [3] Sabelfeld A., Myers A.C., Language-based information-flow security, IEEE Journal on Selected Areas in Communications, 21, 1, pp. 5-19, (2003)
  • [4] Li L., Bissyande T.F., Papadakis M., Rasthofer S., Bartel A., Octeau D., Static analysis of Android apps: A systematic literature review, Proc. of the Information & Software Technology, pp. 67-95, (2017)
  • [5] Avdiienko V., Kuznetsov K., Gorla A., Zeller A., Arzt S., Rasthofer S., Bodden E., Mining apps for abnormal usage of sensitive data, Proc. of the 37th Int'l Conf. on Software Engineering (ICSE), 1, pp. 426-436, (2015)
  • [6] Feng Y., Anand S., Dillig I., Aiken A., Apposcopy: Semantics-based detection of android malware through static analysis, Proc. of the 22nd ACM SIGSOFT Int'l Symp. on Foundations of Software Engineering, pp. 576-587, (2014)
  • [7] Pan X., Wang X., Duan Y., Wang X., Yin H., Dark hazard: Learning-based, large-scale discovery of hidden sensitive operations in Android apps, Proc. of the NDSS, (2017)
  • [8] Li Y., Shen T., Sun X., Pan X., Mao B., Detection, classification and characterization of Android malware using API data dependency, Proc. of the Int'l Conf. on Security and Privacy in Communication Systems, pp. 23-40, (2015)
  • [9] Aho A.V., Sethi R., Ullman J.D., Compilers, Principles, Techniques, (1986)
  • [10] Reps T., Horwitz S., Sagiv M., Precise interprocedural dataflow analysis via graph reachability, Proc. of the 22nd ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages, pp. 49-61, (1995)