Eric Bodden scite author profile

Abstract-Shake Them All is a popular "Wallpaper" application exceeding millions of downloads on Google Play. At installation, this application is given permission to (1) access the Internet (for updating wallpapers) and (2) use the device microphone (to change background following noise changes). With these permissions, the application could silently record user conversations and upload them remotely. To give more confidence about how Shake Them All actually processes what it records, it is necessary to build a precise analysis tool that tracks the flow of any sensitive data from its source point to any sink, especially if those are in different components.Since Android applications may leak private data carelessly or maliciously, we propose IccTA, a static taint analyzer to detect privacy leaks among components in Android applications. IccTA goes beyond state-of-the-art approaches by supporting intercomponent detection. By propagating context information among components, IccTA improves the precision of the analysis. IccTA outperforms existing tools on two benchmarks for ICC-leak detectors: DroidBench and ICC-Bench. Moreover, our approach detects 534 ICC leaks in 108 apps from MalGenome and 2,395 ICC leaks in 337 apps in a set of 15,000 Google Play apps.

show abstract

Mining Apps for Abnormal Usage of Sensitive Data

Avdiienko

et al. 2015

View full text Add to dashboard Cite

A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks

Rasthofer¹,

Arzt²,

Bodden³

2014

257

153

View full text Add to dashboard Cite

Abstract-Today's smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have addressed the problem with more and more sophisticated static and dynamic analysis tools as an aid to assess how apps use private user data. Those tools, however, rely on the manual configuration of lists of sources of sensitive data as well as sinks which might leak data to untrusted observers. Such lists are hard to come by.We thus propose SUSI, a novel machine-learning guided approach for identifying sources and sinks directly from the code of any Android API. Given a training set of hand-annotated sources and sinks, SUSI identifies other sources and sinks in the entire API. To provide more fine-grained information, SUSI further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.).For Android 4.2, SUSI identifies hundreds of sources and sinks with over 92% accuracy, many of which are missed by current information-flow tracking tools. An evaluation of about 11,000 malware samples confirms that many of these sources and sinks are indeed used. We furthermore show that SUSI can reliably classify sources and sinks even in new, previously unseen Android versions and components like Google Glass or the Chromecast API.

show abstract

A Staged Static Program Analysis to Improve the Performance of Runtime Monitoring

View full text Add to dashboard Cite

Join point interfaces for safe and flexible decoupling of aspects

Bodden

Tanter

Inostroza

2014

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

Artículo de publicación ISIIn current aspect-oriented systems, aspects usually carry, through their pointcuts, explicit references to the base code. Those references are fragile and hinder important software engineering properties such as modular reasoning and independent evolution of aspects and base code. In this work, we introduce a novel abstraction called Join Point Interface, which, by design, aids modular reasoning and independent evolution by decoupling aspects from base code and by providing a modular type-checking algorithm. Join point interfaces can be used both with implicit announcement through pointcuts, and with explicit announcement, using closure join points. Join point interfaces further offer polymorphic dispatch on join points, with an advice-dispatch semantics akin to multimethods. To support flexible join point matching, we incorporate into our language an earlier proposal for generic advice, and introduce a mechanism for controlled global quantification.We motivate each language feature in detail, showing that it is necessary to obtain a language design that is both type safe and flexible enough to support typical aspect-oriented programming idioms. We have implemented join point interfaces as an open-source extension to AspectJ. A case study on existing aspect-oriented programs supports our design, and in particular shows the necessity of both generic interfaces and some mechanism for global quantification

show abstract

Temporal Assertions using AspectJ

Stolz

Bodden

2006

Electronic Notes in Theoretical Computer Science

135

View full text Add to dashboard Cite

We present a runtime verification framework for Java programs. Properties can be specified in Linear-time Temporal Logic (LTL) over AspectJ pointcuts. These properties are checked during program-execution by an automaton-based approach where transitions are triggered through aspects. No Java source code is necessary since AspectJ works on the bytecode level, thus even allowing instrumentation of third-party applications. As an example, we discuss safety properties and lock-order reversal.

show abstract

CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

Krüger

Späth

Ali

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. erefore, it is crucial to detect such misuses early in the development process. e fact that insecure usages are not the exception but the norm precludes approaches based on property inference and anomaly detection.In this paper, we present C SL, a definition language that enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. C SL combines the generic concepts of method-call sequences and data-flow constraints with domain-specific constraints related to cryptographic algorithms and their parameters. We have implemented a compiler that translates a C SL ruleset into a context-and flow-sensitive demanddriven static analysis. e analysis automatically checks a given Java or Android app for violations of the C SL-encoded rules.We empirically evaluated our ruleset through analyzing 10,001 Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 96% of apps containing at least one misuse. However, we observed fewer of the misuses that were reported in previous work.

show abstract

FlowDroid

et al. 2014

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Eric Bodden

IccTA: Detecting Inter-Component Privacy Leaks in Android Apps

Mining Apps for Abnormal Usage of Sensitive Data

A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks

A Staged Static Program Analysis to Improve the Performance of Runtime Monitoring

Join point interfaces for safe and flexible decoupling of aspects

Temporal Assertions using AspectJ

CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

FlowDroid

Contact Info

Product

Resources

About