Jacques Klein

FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps

Todays smartphones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by carelessly programmed apps that leak important data by accident, and by malicious apps that exploit their given privileges to copy such data intentionally. While existing static taint-analysis approaches have the potential of detecting such data leaks ahead of time, all approaches for Android use a number of coarse-grain approximations that can yield high numbers of missed leaks and false alarms. In this work we thus present FlowDroid, a novel and highly precise static taint analysis for Android applications. A precise model of Androids lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help FlowDroid maintain high efficiency and precision at the same time. We also propose DroidBench, an open test suite for evaluating the effectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench, and a set of well-known Android test applications, FlowDroid finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, FlowDroid achieves 93% recall and 86% precision, greatly outperforming the commercial tools IBM AppScan Source and Fortify SCA. FlowDroid successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.

Aspect-oriented multi-view modeling

Multi-view modeling allows a developer to describe a software system from multiple points of view, e.g. structural and behavioral, using different modeling notations. Aspect-oriented modeling techniques have been proposed to address the scalability problem within individual modeling notations. This paper presents RAM, an aspect-oriented modeling approach that provides scalable multi-view modeling. RAM allows the modeler to define stand-alone reusable aspect models using 3 modeling notations. The aspect models support the modeling of structure (using UML class diagrams) and behavior (using UML state and sequence diagrams). RAM supports aspect dependency chains, which allows an aspect providing complex functionality to reuse the functionality provided by other aspects. The RAM weaver can create woven views of the composed model for debugging, simulation or code generation purpose, as well as perform consistency checks during the weaving and on the woven model to detect inconsistencies of the composition.

Dexpler: converting Android Dalvik bytecode to Jimple for static analysis with Soot

This paper introduces Dexpler, a software package which converts Dalvik bytecode to Jimple. Dexpler is built on top of Dedexer and Soot. As Jimple is Soots main internal representation of code, the Dalvik bytecode can be manipulated with any Jimple based tool, for instance for performing point-to or flow analysis.

Semantic-based weaving of scenarios

The notion of aspect looks promising for handling cross-cutting concerns earlier in the software life-cycle, up from programming to design, analysis and even requirements. Support for aspects is thus now raising interest also at the modeling level, including with behavioral modeling languages such as scenarios. With this kind of modeling languages, even if aspect weaving can be performed at the abstract syntax level, a weaving at the semantics level seems a far more appealing and powerful mechanism. In this paper we present a semantic-based aspect weaving algorithm for Hierarchical Message Sequence Charts (HMSCs). The algorithm proposed uses a set of transformations that take into account the compositional semantics of HMSCs to weave an initial HMSC and a behavioral aspect expressed with scenarios.

Automatically securing permission-based software by reducing the attack surface: an application to Android

In the permission-based security model (used e.g. in Android and Blackberry), applications can be granted more permissions than they actually need, what we call a “permission gap”. Malware can leverage the unused permissions for achieving their malicious goals, for instance using code injection. In this paper, we present an approach to detecting permission gaps using static analysis. Using our tool on a dataset of Android applications, we found out that a non negligible part of applications suffers from permission gaps, i.e. does not use all the permissions they declare.

Pairwise testing for software product lines: comparison of two approaches

Software Product Lines (SPL) are difficult to validate due to combinatorics induced by variability, which in turn leads to combinatorial explosion of the number of derivable products. Exhaustive testing in such a large products space is hardly feasible. Hence, one possible option is to test SPLs by generating test configurations that cover all possible t feature interactions (t-wise). It dramatically reduces the number of test products while ensuring reasonable SPL coverage. In this paper, we report our experience on applying t-wise techniques for SPL with two independent toolsets developed by the authors. One focuses on generality and splits the generation problem according to strategies. The other emphasizes providing efficient generation. To evaluate the respective merits of the approaches, measures such as the number of generated test configurations and the similarity between them are provided. By applying these measures, we were able to derive useful insights for pairwise and t-wise testing of product lines.

Bypassing the Combinatorial Explosion: Using Similarity to Generate and Prioritize T-Wise Test Configurations for Software Product Lines

Large Software Product Lines (SPLs) are common in industry, thus introducing the need of practical solutions to test them. To this end, t-wise can help to drastically reduce the number of product configurations to test. Current t-wise approaches for SPLs are restricted to small values of t. In addition, these techniques fail at providing means to finely control the configuration process. In view of this, means for automatically generating and prioritizing product configurations for large SPLs are required. This paper proposes (a) a search-based approach capable of generating product configurations for large SPLs, forming a scalable and flexible alternative to current techniques and (b) prioritization algorithms for any set of product configurations. Both these techniques employ a similarity heuristic. The ability of the proposed techniques is assessed in an empirical study through a comparison with state of the art tools. The comparison focuses on both the product configuration generation and the prioritization aspects. The results demonstrate that existing t-wise tools and prioritization techniques fail to handle large SPLs. On the contrary, the proposed techniques are both effective and scalable. Additionally, the experiments show that the similarity heuristic can be used as a viable alternative to t-wise.

Weaving multiple aspects in sequence diagrams

Handling aspects within models looks promising for managing crosscutting concerns early in the software life-cycle, up from programming to design, analysis and even requirements. At the modeling level, even complex behavioral aspects can easily be described for instance as pairs of sequence diagrams: one for the pointcut specifying the behavior to detect, and the second one for an advice representing the wanted behavior at the join point. While this is fine for informal documentation purposes, or even intuitive enough when a single aspect has to be woven, a more precise semantics of both join point detection and advice weaving is needed for using these modeling artifacts for Model Driven Engineering activities such as code generation or test synthesis. This paper proposes various interpretations for pointcuts that allow multiple behavioral aspects to be statically woven. The idea is to allow join points to match a pointcut even when some extra-messages occur in between. However, with this new way of specifying join points, the composition of the advice with the detected part cannot any longer be just a replacement of the detected part by the advice. We have to consider the events (or the messages) of the join point, but also the events which occur between them, and merge them with the behavior specified within the advice. We thus also propose a formal definition of a new merge operator, and describe its implementation on the Kermeta platform.

Multi-objective test generation for software product lines

Software Products Lines (SPLs) are families of products sharing common assets representing code or functionalities of a software product. These assets are represented as features, usually organized into Feature Models (FMs) from which the user can configure software products. Generally, few features are sufficient to allow configuring millions of software products. As a result, selecting the products matching given testing objectives is a difficult problem. The testing process usually involves multiple and potentially conflicting testing objectives to fulfill, e.g. maximizing the number of optional features to test while at the same time both minimizing the number of products and minimizing the cost of testing them. However, most approaches for generating products usually target a single objective, like testing the maximum amount of feature interactions. While focusing on one objective may be sufficient in certain cases, this practice does not reflect real-life testing situations. The present paper proposes a genetic algorithm to handle multiple conflicting objectives in test generation for SPLs. Experiments conducted on FMs of different sizes demonstrate the effectiveness, feasibility and practicality of the introduced approach.

A generic weaver for supporting product lines

Aspects have gained attention in the earlier steps of the software life-cycle leading to the creation of numerous ad-hoc Aspect-Oriented Modeling (AOM) approaches. These approaches mainly focus on architecture diagrams, class diagrams, state-charts, scenarios or requirements and generally propose Aspect-Oriented composition mechanisms specific to a given kind of models defined by its own meta-model. Recently, some generic AOM approaches propose to extend the notion of aspect to any domain specific modelling language (DSML). In this trend, this paper presents GeKo. GeKo has the following properties. i) It is a generic AOM approach easily adaptable to any DSML with no need to modify the domain meta-model or to generate domain-specific frameworks. ii) It keeps a graphical representation of the weaving between an aspect model and the base model. iii) It is a tool-supported approach with a clear semantics of the different operators used to define the weaving. GeKo relies on the definition of mappings between the different views of an aspect, based on the concrete (graphical) syntax associated to the DSML. To illustrate GeKo, we derive, from the Arcade Game Maker Pedagogical Product Line, a new product in which new features are woven into the Product Line models.