Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation
Mobile application security has been one of the major areas of security research in the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically, static analysis tools, trade soundness of the...
Gespeichert in:
| Hauptverfasser: | , , , , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Bonett, Richard Kafle, Kaushal Moran, Kevin Nadkarni, Adwait Poshyvanyk, Denys |
| description | Mobile application security has been one of the major areas of security
research in the last decade. Numerous application analysis tools have been
proposed in response to malicious, curious, or vulnerable apps. However,
existing tools, and specifically, static analysis tools, trade soundness of the
analysis for precision and performance, and are hence soundy. Unfortunately,
the specific unsound choices or flaws in the design of these tools are often
not known or well-documented, leading to a misplaced confidence among
researchers, developers, and users. This paper proposes the Mutation-based
soundness evaluation ($\mu$SE) framework, which systematically evaluates
Android static analysis tools to discover, document, and fix, flaws, by
leveraging the well-founded practice of mutation analysis. We implement $\mu$SE
as a semi-automated framework, and apply it to a set of prominent Android
static analysis tools that detect private data leaks in apps. As the result of
an in-depth analysis of one of the major tools, we discover 13 undocumented
flaws. More importantly, we discover that all 13 flaws propagate to tools that
inherit the flawed tool. We successfully fix one of the flaws in cooperation
with the tool developers. Our results motivate the urgent need for systematic
discovery and documentation of unsound choices in soundy tools, and demonstrate
the opportunities in leveraging mutation testing in achieving this goal. |
| doi_str_mv | 10.48550/arxiv.1806.09761 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_1806_09761</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>1806_09761</sourcerecordid><originalsourceid>FETCH-LOGICAL-a671-e2c89bd8d7601499eda2797cf70a7b297a0f1dfb494dbd83b72317f9084d1bb83</originalsourceid><addsrcrecordid>eNotj01OwzAYRL1hgVoOwApfIMFO3NheVoUAUisWyT76_FdZSmNkJ4XcniawGmk086SH0CMlORO7HXmG-OOvORWkyonkFb1H8OKTDlcb_XDGdQ_fCfsBN1ZP0Y9zVgc9JWtwM8LoNd4P0M_JJ9yG0CfsQrxVJgZv8JQWQjOn0V7W7WlaPmHYojsHfbIP_7lBbf3aHt6z4-fbx2F_zKDiNLOFFlIZYXhFKJPSGii45NpxAlwVkgNx1DjFJDO3Wal4UVLuJBHMUKVEuUFPf9jVsfuK_gJx7hbXbnUtfwGr4lCc</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation</title><source>arXiv.org</source><creator>Bonett, Richard ; Kafle, Kaushal ; Moran, Kevin ; Nadkarni, Adwait ; Poshyvanyk, Denys</creator><creatorcontrib>Bonett, Richard ; Kafle, Kaushal ; Moran, Kevin ; Nadkarni, Adwait ; Poshyvanyk, Denys</creatorcontrib><description>Mobile application security has been one of the major areas of security
research in the last decade. Numerous application analysis tools have been
proposed in response to malicious, curious, or vulnerable apps. However,
existing tools, and specifically, static analysis tools, trade soundness of the
analysis for precision and performance, and are hence soundy. Unfortunately,
the specific unsound choices or flaws in the design of these tools are often
not known or well-documented, leading to a misplaced confidence among
researchers, developers, and users. This paper proposes the Mutation-based
soundness evaluation ($\mu$SE) framework, which systematically evaluates
Android static analysis tools to discover, document, and fix, flaws, by
leveraging the well-founded practice of mutation analysis. We implement $\mu$SE
as a semi-automated framework, and apply it to a set of prominent Android
static analysis tools that detect private data leaks in apps. As the result of
an in-depth analysis of one of the major tools, we discover 13 undocumented
flaws. More importantly, we discover that all 13 flaws propagate to tools that
inherit the flawed tool. We successfully fix one of the flaws in cooperation
with the tool developers. Our results motivate the urgent need for systematic
discovery and documentation of unsound choices in soundy tools, and demonstrate
the opportunities in leveraging mutation testing in achieving this goal.</description><identifier>DOI: 10.48550/arxiv.1806.09761</identifier><language>eng</language><subject>Computer Science - Cryptography and Security ; Computer Science - Software Engineering</subject><creationdate>2018-06</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,778,883</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/1806.09761$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.1806.09761$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Bonett, Richard</creatorcontrib><creatorcontrib>Kafle, Kaushal</creatorcontrib><creatorcontrib>Moran, Kevin</creatorcontrib><creatorcontrib>Nadkarni, Adwait</creatorcontrib><creatorcontrib>Poshyvanyk, Denys</creatorcontrib><title>Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation</title><description>Mobile application security has been one of the major areas of security
research in the last decade. Numerous application analysis tools have been
proposed in response to malicious, curious, or vulnerable apps. However,
existing tools, and specifically, static analysis tools, trade soundness of the
analysis for precision and performance, and are hence soundy. Unfortunately,
the specific unsound choices or flaws in the design of these tools are often
not known or well-documented, leading to a misplaced confidence among
researchers, developers, and users. This paper proposes the Mutation-based
soundness evaluation ($\mu$SE) framework, which systematically evaluates
Android static analysis tools to discover, document, and fix, flaws, by
leveraging the well-founded practice of mutation analysis. We implement $\mu$SE
as a semi-automated framework, and apply it to a set of prominent Android
static analysis tools that detect private data leaks in apps. As the result of
an in-depth analysis of one of the major tools, we discover 13 undocumented
flaws. More importantly, we discover that all 13 flaws propagate to tools that
inherit the flawed tool. We successfully fix one of the flaws in cooperation
with the tool developers. Our results motivate the urgent need for systematic
discovery and documentation of unsound choices in soundy tools, and demonstrate
the opportunities in leveraging mutation testing in achieving this goal.</description><subject>Computer Science - Cryptography and Security</subject><subject>Computer Science - Software Engineering</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2018</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotj01OwzAYRL1hgVoOwApfIMFO3NheVoUAUisWyT76_FdZSmNkJ4XcniawGmk086SH0CMlORO7HXmG-OOvORWkyonkFb1H8OKTDlcb_XDGdQ_fCfsBN1ZP0Y9zVgc9JWtwM8LoNd4P0M_JJ9yG0CfsQrxVJgZv8JQWQjOn0V7W7WlaPmHYojsHfbIP_7lBbf3aHt6z4-fbx2F_zKDiNLOFFlIZYXhFKJPSGii45NpxAlwVkgNx1DjFJDO3Wal4UVLuJBHMUKVEuUFPf9jVsfuK_gJx7hbXbnUtfwGr4lCc</recordid><startdate>20180625</startdate><enddate>20180625</enddate><creator>Bonett, Richard</creator><creator>Kafle, Kaushal</creator><creator>Moran, Kevin</creator><creator>Nadkarni, Adwait</creator><creator>Poshyvanyk, Denys</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20180625</creationdate><title>Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation</title><author>Bonett, Richard ; Kafle, Kaushal ; Moran, Kevin ; Nadkarni, Adwait ; Poshyvanyk, Denys</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a671-e2c89bd8d7601499eda2797cf70a7b297a0f1dfb494dbd83b72317f9084d1bb83</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2018</creationdate><topic>Computer Science - Cryptography and Security</topic><topic>Computer Science - Software Engineering</topic><toplevel>online_resources</toplevel><creatorcontrib>Bonett, Richard</creatorcontrib><creatorcontrib>Kafle, Kaushal</creatorcontrib><creatorcontrib>Moran, Kevin</creatorcontrib><creatorcontrib>Nadkarni, Adwait</creatorcontrib><creatorcontrib>Poshyvanyk, Denys</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Bonett, Richard</au><au>Kafle, Kaushal</au><au>Moran, Kevin</au><au>Nadkarni, Adwait</au><au>Poshyvanyk, Denys</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation</atitle><date>2018-06-25</date><risdate>2018</risdate><abstract>Mobile application security has been one of the major areas of security
research in the last decade. Numerous application analysis tools have been
proposed in response to malicious, curious, or vulnerable apps. However,
existing tools, and specifically, static analysis tools, trade soundness of the
analysis for precision and performance, and are hence soundy. Unfortunately,
the specific unsound choices or flaws in the design of these tools are often
not known or well-documented, leading to a misplaced confidence among
researchers, developers, and users. This paper proposes the Mutation-based
soundness evaluation ($\mu$SE) framework, which systematically evaluates
Android static analysis tools to discover, document, and fix, flaws, by
leveraging the well-founded practice of mutation analysis. We implement $\mu$SE
as a semi-automated framework, and apply it to a set of prominent Android
static analysis tools that detect private data leaks in apps. As the result of
an in-depth analysis of one of the major tools, we discover 13 undocumented
flaws. More importantly, we discover that all 13 flaws propagate to tools that
inherit the flawed tool. We successfully fix one of the flaws in cooperation
with the tool developers. Our results motivate the urgent need for systematic
discovery and documentation of unsound choices in soundy tools, and demonstrate
the opportunities in leveraging mutation testing in achieving this goal.</abstract><doi>10.48550/arxiv.1806.09761</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.1806.09761 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_1806_09761 |
| source | arXiv.org |
| subjects | Computer Science - Cryptography and Security Computer Science - Software Engineering |
| title | Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-16T07%3A12%3A16IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Discovering%20Flaws%20in%20Security-Focused%20Static%20Analysis%20Tools%20for%20Android%20using%20Systematic%20Mutation&rft.au=Bonett,%20Richard&rft.date=2018-06-25&rft_id=info:doi/10.48550/arxiv.1806.09761&rft_dat=%3Carxiv_GOX%3E1806_09761%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |