When program analysis meets bytecode search: Targeted and efficient inter-procedural analysis of modern Android apps in BackDroid


Bibliographic Details
Main Authors: WU, Daoyuan, GAO, Debin, DENG, Robert H., CHANG, Rocky
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2021
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/6540
https://ink.library.smu.edu.sg/context/sis_research/article/7543/viewcontent/When_program_analysis_meets_bytecode_search_Targeted_and_efficient_inter_procedural_analysis_of_modern_Android_apps_in_BackDroid__1_.pdf
Institution: Singapore Management University
Description
Summary: Widely-used Android static program analysis tools, e.g., Amandroid and FlowDroid, perform the whole-app inter-procedural analysis that is comprehensive but fundamentally difficult to handle modern (large) apps. The average app size has increased three to four times over five years. In this paper, we explore a new paradigm of targeted inter-procedural analysis that can skip irrelevant code and focus only on the flows of security-sensitive sink APIs. To this end, we propose a technique called on-the-fly bytecode search, which searches the disassembled app bytecode text just in time when a caller needs to be located. In this way, it guides targeted (and backward) inter-procedural analysis step by step until reaching entry points, without relying on a whole-app graph. Such search-based inter-procedural analysis, however, is challenging due to Java polymorphism, callbacks, asynchronous flows, static initializers, and inter-component communication in Android apps. We overcome these unique obstacles in our context by proposing a set of bytecode search mechanisms that utilize flexible searches and forward object taint analysis. Atop this new inter-procedural analysis, we further adjust the traditional backward slicing and forward constant propagation to provide the complete dataflow tracking of sink API calls. We have implemented a prototype called BackDroid and compared it with Amandroid in analyzing 3,178 modern popular apps for crypto and SSL misconfigurations. The evaluation shows that for such sink-based problems, BackDroid is 37 times faster (2.13 vs. 78.15 minutes) and has no timed-out failure (vs. 35% in Amandroid) while maintaining close or even better detection effectiveness.