Static Analysis of Implicit Control Flow: Resolving Java Reflection and Android Intents (T)

Barros, Paulo; Just, René; Millstein, Suzanne; Vines, Paul; Dietl, Werner; d’Amorim, Marcelo; Ernst, M.

doi:10.1109/ase.2015.69

Cited by 62 publications

(50 citation statements)

References 20 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The closest work to ours was concurrently proposed by Barros et al [11] within their Checker framework. Their work differs from ours in several ways: first, the design of their approach focus on helping developers checking the information-flow in their own apps, using annotations in the source code; this limits the potential use of their approach by security analysts in large markets of Android apps such as GooglePlay or AppChina.…”

Section: Related Workmentioning

confidence: 97%

“…The approach proposed by Barros et al [11] is the closest work to ours. Their recent publication presents an approach, hereon referred to as Checker, to address reflection in the Information Checker Framework (IFC) [12].…”

Section: Rq2: Comparison With Checkermentioning

confidence: 99%

“…We thank Paulo Barros, René Just and Michael Ernst, from the Checker [11] team, for sharing detailed results of their approach to deal with reflection. This work was supported by the Fonds National de la Recherche (FNR), Luxembourg, under the project AndroMap C13/IS/5921289.…”

Section: Acknowledgmentsmentioning

confidence: 99%

“…However, there is a nascent commitment in the Android research community to propose solutions for improving the analysis of reflection. For example, in a recent work [11], Barros et al propose an approach for resolving reflective calls in their Checker static analysis framework [12]. Their approach however 1) requires application source code (which is not available for most Android apps), 2) targets specific check analyses based on developer annotations (which thus needs additional developer efforts, e.g., learn the target framework, find the right place to annotate, etc.)…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

DroidRA: taming reflection to support whole-program analysis of Android apps

Bissyandé

Octeau

et al. 2016

Proceedings of the 25th International Symposium on Software Testing and Analysis

127

View full text Add to dashboard Cite

Android developers heavily use reflection in their apps for legitimate reasons, but also significantly for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are inconsistent given the measures taken by malware writers to elude static detection. We propose the DroidRA instrumentationbased approach to address this issue in a non-invasive way. With DroidRA, we reduce the resolution of reflective calls to a composite constant propagation problem. We leverage the COAL solver to infer the values of reflection targets and app, and we eventually instrument this app to include the corresponding traditional Java call for each reflective call. Our approach allows to boost an app so that it can be immediately analyzable, including by such static analyzers that were not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and demonstrate that it can allow state-of-the-art tools to provide more sound and complete analysis results.

show abstract

Section: Related Workmentioning

confidence: 97%

Section: Rq2: Comparison With Checkermentioning

confidence: 99%

Section: Acknowledgmentsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DroidRA: taming reflection to support whole-program analysis of Android apps

Bissyandé

Octeau

et al. 2016

Proceedings of the 25th International Symposium on Software Testing and Analysis

127

View full text Add to dashboard Cite

show abstract

“…Most recently, Barros et al [4] propose to tackle Android ICC and reflection challenges at the same time within their Checker framework. They use annotations on top of source code to help developers checking information flows in their own apps.…”

Section: Related Workmentioning

confidence: 99%

Boosting static analysis of Android apps through code instrumentation

2016

Proceedings of the 38th International Conference on Software Engineering Companion

View full text Add to dashboard Cite

An empirical study of the Python/C API on evolution and bug patterns

Zhang

2022

J Software Evolu Process

View full text Add to dashboard Cite

Python is a popular programming language, and a large part of its appeal comes from diverse libraries and extension modules. In the bloom of data science and machine learning, Python frontend with C/C++ native implementation achieves both productivity and performance and has almost become the standard structure for many mainstream software systems. However, feature discrepancies between two languages such as exception handling, memory management, and type system can pose many safety hazards in the interface layer using the Python/C API. In this paper, we carry out an empirical study of the Python/C API on evolution and bug patterns. The evolution analysis includes Python/C API design in CPython compilers and its usage in mainstream software. By designing and applying a static analysis toolset, we reveal the evolution and usage statistics of the Python/C API and provide a summary and classification of 9 common bug patterns. In Pillow, a widely used Python imaging library, we find 48 bugs, 19 of which are undiscovered before. Our toolset can be easily extended to access different types of syntactic bug‐finding checkers, and our systematical taxonomy to classify bugs can guide the construction of more highly automated and high‐precision bug‐finding tools.

show abstract

Static Analysis of Implicit Control Flow: Resolving Java Reflection and Android Intents (T)

Cited by 62 publications

References 20 publications

DroidRA: taming reflection to support whole-program analysis of Android apps

DroidRA: taming reflection to support whole-program analysis of Android apps

Boosting static analysis of Android apps through code instrumentation

An empirical study of the Python/C API on evolution and bug patterns

Contact Info

Product

Resources

About