Droidel: a general approach to Android framework modeling

Blackshear, Sam; Gendreau, Alexandra; Chang, Bor-Yuh Evan

doi:10.1145/2771284.2771288

Cited by 24 publications

(14 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We classified the techniques in three kinds of analysis, different in the kind of information which is used to resolve reflection: static uses code analysis to resolve reflection (listed in Table III), dynamic uses information acquired at run-time for resolving reflection rather than code ( [30], [32], [43]- [47]) and annotations groups techniques based on are human-provided meta data rather than code or dynamic analysis ( [31], [48]- [51]). Note that papers solely about dynamic analysis were excluded in an earlier stage.…”

Section: B Documenting Properties Of Static Analysis Toolsmentioning

confidence: 99%

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Landman

Serebrenik

Vinju

2017

2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Abstract-The behavior of software that uses the Java Reflection API is fundamentally hard to predict by analyzing code. Only recent static analysis approaches can resolve reflection under unsound yet pragmatic assumptions. We survey what approaches exist and what their limitations are. We then analyze how realworld Java code uses the Reflection API, and how many Java projects contain code challenging state-of-the-art static analysis.Using a systematic literature review we collected and categorized all known methods of statically approximating reflective Java code. Next to this we constructed a representative corpus of Java systems and collected descriptive statistics of the usage of the Reflection API. We then applied an analysis on the abstract syntax trees of all source code to count code idioms which go beyond the limitation boundaries of static analysis approaches. The resulting data answers the research questions. The corpus, the tool and the results are openly available.We conclude that the need for unsound assumptions to resolve reflection is widely supported. In our corpus, reflection can not be ignored for 78 % of the projects. Common challenges for analysis tools such as non-exceptional exceptions, programmatic filtering meta objects, semantics of collections, and dynamic proxies, widely occur in the corpus. For Java software engineers prioritizing on robustness, we list tactics to obtain more easy to analyze reflection code, and for static analysis tool builders we provide a list of opportunities to have significant impact on real Java code.Keywords-Java; Reflection; Static Analysis; Systematic Literature Review; Empirical Study I. I Static analysis techniques are applied to support the efficiency and quality of software engineering tasks. Be it for understanding, validating, or refactoring source code, pragmatic static analysis tools exist to reduce error-prone manual labor and to increase the comprehension of complex software artefacts.Static analysis of object-oriented code is an exciting, ongoing and challenging research area, made especially challenging by dynamic language features (a.k.a. reflection). The Java Reflection API allows programmers to dynamically inspect and interact with otherwise static language concepts such as classes, fields and methods, e.g., to dynamically instantiate objects, set fields and invoke methods. These dynamic language features are useful, but their usage also wreaks havoc on the accuracy of static analysis results. This is due to the undecidability of resolving dynamic names and dynamic types.Until 2005, the analysis of code which uses the Reflection API was considered to be out of bounds for static analysis, and handled via user annotations or dynamic analysis; handling reflection would inherently be either unsound (due to unverified assumptions) or highly inaccurate (due to over-approximation) and render the contemporary static analysis tools impractical. Then, in 2005 Livshits et al. [1] published an analysis of how reflection was used in six large Java projects...

show abstract

Section: B Documenting Properties Of Static Analysis Toolsmentioning

confidence: 99%

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Landman

Serebrenik

Vinju

2017

2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…In the callback onCreate at line 5, the app sets an object of type CList as the event listener for the click event of the button b1. It also invokes the API method lm.initLoader at line 12 to load data, where this API call uses the class L (lines [17][18][19][20][21][22] to create a loader. Figure 1b shows the CCFA we constructed for Figure 1a.…”

Section: What Is a Ccfamentioning

confidence: 99%

Specifying Callback Control Flow of Mobile Apps Using Finite Automata

Perez

2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Given the event-driven and framework-based architecture of Android apps, finding the ordering of callbacks executed by the framework remains a problem that affects every tool that requires inter-callback reasoning. Previous work has focused on the ordering of callbacks related to the Android components and GUI events. But the execution of callbacks can also come from direct calls of the framework (API calls). This paper defines a novel program representation, called Callback Control Flow Automata (CCFA), that specifies the control flow of callbacks invoked via a variety of sources. We present an analysis to automatically construct CCFAs by combining two callback control flow representations developed from the previous research, namely, Window Transition Graphs (WTGs) and Predicate Callback Summaries (PCSs). To demonstrate the usefulness of our representation, we integrated CCFAs into two client analyses: a taint analysis using FLOWDROID, and a value-flow analysis that computes source and sink pairs of a program. Our evaluation shows that we can compute CCFAs efficiently and that CCFAs improved the callback coverages over WTGs. As a result of using CCFAs, we obtained 33 more true positive security leaks than FLOWDROID over a total of 55 apps we have run. With a low false positive rate, we found that 22.76% of source-sink pairs we computed are located in different callbacks and that 31 out of 55 apps contain source-sink pairs spreading across components. Thus, callback control flow graphs and inter-callback analysis are indeed important. Although this paper mainly uses Android, we believe that CCFAs can be useful for modeling control flow of callbacks for other event-driven, framework-based systems.

show abstract

“…There has been considerable work on improving analysis precision for framework-based applications by using the information in configuration files, particularly for Android applications [Arzt et al 2014;Blackshear et al 2015]. The Frameworks for Frameworks system by Sridharan et al [2011] generalizes these efforts, providing a framework for writing framework models.…”

Section: Related Workmentioning

confidence: 99%

Concerto: a framework for combined concrete and abstract interpretation

Toman

Grossman

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

interpretation promises sound but computable static summarization of program behavior. However, modern software engineering practices pose significant challenges to this vision, specifically the extensive use of frameworks and complex libraries. Frameworks heavily use reflection, metaprogramming, and multiple layers of abstraction, all of which confound even state-of-the-art abstract interpreters. Sound but conservative analysis of frameworks is impractically imprecise, and unsoundly ignoring reflection and metaprogramming is untenable given the prevalence of these features. Manually modeling framework behaviors offers excellent precision, at the cost of immense effort by the tool designer.To overcome the above difficulties, we present Concerto, a system for analyzing framework-based applications by soundly combining concrete and abstract interpretation. Concerto analyzes framework implementations using concrete interpretation, and application code using abstract interpretation. This technique is possible in practice as framework implementations typically follow a single path of execution when provided a concrete, application-specific configuration file which is often available at analysis time. Concerto exploits this configuration information to precisely resolve reflection and other metaprogramming idioms during concrete execution. In contrast, application code may have infinitely many paths of execution, so Concerto switches to abstract interpretation to analyze application code. Concerto is an analysis framework, and can be instantiated with any abstract interpretation that satisfies a small set of preconditions. In addition, unlike manual modeling, Concerto is not specialized to any specific framework implementation. We have formalized our approach and proved several important properties including soundness and termination. In addition, we have implemented an initial proof of concept prototype of Concerto for a subset of Java, and found that our combined interpretation significantly improves analysis precision and performance.Concerto: A Framework for Combined Concrete and Abstract Interpretation 43:3 a concrete, application-specific configuration file. Statically executable refers to a program fragment that: a) can be completely and deterministically evaluated at analysis time, and b) will yield the same program state after evaluation at both runtime and analysis time; the init method is an example of statically executable code. Conversely, application code contains unbounded control-flow paths. As a result, a one-size-fits-all approach to program analysis is unwise for framework-based applications.We present Concerto, a system for soundly combining mostly-concrete interpretation, an extension to concrete interpretation we introduce and formalize in this paper, and abstract interpretation. By combining these two techniques, Concerto leverages the strengths of both approaches while avoiding their weaknesses. Concerto analyzes framework implementations using mostly-concrete interpretation, and application cod...

show abstract

Droidel: a general approach to Android framework modeling

Cited by 24 publications

References 19 publications

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Specifying Callback Control Flow of Mobile Apps Using Finite Automata

Concerto: a framework for combined concrete and abstract interpretation

Contact Info

Product

Resources

About