Modelgen: mining explicit information flow specifications from concrete executions

Clapp, Lazaro; Anand, Sandeep; Aiken, Alex

doi:10.1145/2771783.2771810

Cited by 19 publications

(26 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Pre-computed summaries to solve other types of program analysis problems have been defined. Clapp et al [13] mine information flow specifications for the Android API methods. Their specifications identify how values from the app can be tainted in the Android API methods.…”

Section: Discussionmentioning

confidence: 99%

Generating Predicate Callback Summaries for the Android Framework

Perez

2017

2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft)

View full text Add to dashboard Cite

Abstract-One of the challenges of analyzing, testing and debugging Android apps is that the potential execution orders of callbacks are missing from the apps' source code. However, bugs, vulnerabilities and refactoring transformations have been found to be related to callback sequences. Existing work on control flow analysis of Android apps have mainly focused on analyzing GUI events. GUI events, although being a key part of determining control flow of Android apps, do not offer a complete picture. Our observation is that orthogonal to GUI events, the Android API calls also play an important role in determining the order of callbacks. In the past, such control flow information has been modeled manually. This paper presents a complementary solution of constructing program paths for Android apps. We proposed a specification technique, called Predicate Callback Summary (PCS), that represents the callback control flow information (including callback sequences as well as the conditions under which the callbacks are invoked) in Android API methods and developed static analysis techniques to automatically compute and apply such summaries to construct apps' callback sequences. Our experiments show that by applying PCSs, we are able to construct Android apps' control flow graphs, including inter-callback relations, and also to detect infeasible paths involving multiple callbacks. Such control flow information can help program analysis and testing tools to report more precise results. Our detailed experimental data is available at: goo.gl/NBPrKs

show abstract

Section: Discussionmentioning

confidence: 99%

Generating Predicate Callback Summaries for the Android Framework

Perez

2017

2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft)

View full text Add to dashboard Cite

show abstract

“…EdgeMiner [6] ran backward data-flow analysis over the Android source code to find implicit flows. Modelgen [9] infers a model in terms of information flows, to support taint analysis. To learn behaviors of the target framework, it inputs concrete executions generated by Droidrecord, similarly to our logging using Redexer [18].…”

Section: Related Workmentioning

confidence: 99%

Synthesizing framework models for symbolic execution

Jeon

Qiu

Fetter-Degges

et al. 2016

Proceedings of the 38th International Conference on Software Engineering

View full text Add to dashboard Cite

Symbolic execution is a powerful program analysis technique, but it is difficult to apply to programs built using frameworks such as Swing and Android, because the framework code itself is hard to symbolically execute. The standard solution is to manually create a framework model that can be symbolically executed, but developing and maintaining a model is difficult and error-prone. In this paper, we present Pasket, a new system that takes a first step toward automatically generating Java framework models to support symbolic execution. Pasket's focus is on creating models by instantiating design patterns. Pasket takes as input class, method, and type information from the framework API, together with tutorial programs that exercise the framework. From these artifacts and Pasket's internal knowledge of design patterns, Pasket synthesizes a framework model whose behavior on the tutorial programs matches that of the original framework. We evaluated Pasket by synthesizing models for subsets of Swing and Android. Our results show that the models derived by Pasket are sufficient to allow us to use off-the-shelf symbolic execution tools to analyze Java programs that rely on frameworks.

show abstract

“…To address these issues, approaches have been proposed for automatically inferring specifications for library code, both based on dynamic analysis [3,8,30,35,36] and on static analysis [4,12,24,26,32,39]. In particular, tools have been designed to infer properties of missing code, including taint flow properties [13], function models [18,19], and callback control flow [20]. While these approaches are incomplete, and may not infer sound specifications, current static analyses used in production already rely on user-provided specifications [14], and as we will show, tools that automatically infer specifications can outperform human analysts.…”

Section: Introductionmentioning

confidence: 99%

Active learning of points-to specifications

Bastani

Sharma

Aiken

et al. 2018

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

When analyzing programs, large libraries pose significant challenges to static points-to analysis. A popular solution is to have a human analyst provide points-to specifications that summarize relevant behaviors of library code, which can substantially improve precision and handle missing code such as native code. We propose Atlas, a tool that automatically infers points-to specifications. Atlas synthesizes unit tests that exercise the library code, and then infers points-to specifications based on observations from these executions. Atlas automatically infers specifications for the Java standard library, and produces better results for a client static information flow analysis on a benchmark of 46 Android apps compared to using existing handwritten specifications.

show abstract

Modelgen: mining explicit information flow specifications from concrete executions

Cited by 19 publications

References 52 publications

Generating Predicate Callback Summaries for the Android Framework

Generating Predicate Callback Summaries for the Android Framework

Synthesizing framework models for symbolic execution

Active learning of points-to specifications

Contact Info

Product

Resources

About