Speaker: Damien Octeau, University of Wisconsin-Madison and Pennsylvania State University
Knowing how the components of Android applications interact is a prerequisite to many security analyses. However, no analysis is currently able to infer all Inter-Component Communication (ICC) precisely. Further, because Android applications are compiled from Java source into platform-specific Dalvik bytecode, existing program analysis tools cannot be used to evaluate their behavior. This talk shows how we retarget Android applications to Java bytecode in order to statically analyze them. Our Dare tool uses a new intermediate representation to enable fast and accurate retargeting. Dare further applies strong constraint solving to infer typing information and translates all 257 Android bytecode instructions using only 9 translation rules. We successfully retarget 99.99% of the 262,110 classes in a sample of 1,100 applications. Using retargeting as a first step, we develop a general model for solving interprocedural multi-valued, composite constant propagation problems. Based on this model, we develop the COAL language, which enables specification of such problems. Using COAL, we model ICC objects in Android significantly more thoroughly than the current state-of-the-art. We compute ICC values for 500 applications from the Play store. Experiments show that the ICC values we infer are substantially more precise than previous work. I will also discuss ongoing work that aims to perform inter-component analyses at a very large scale. I will additionally present future directions in static security analyses of program code, in the mobile context and beyond.
Damien Octeau is a Research Associate with a joint appointment at the Department of Computer Sciences at the University of Wisconsin-Madison and at the Department of Computer Science and Engineering at the Pennsylvania State University. His research interests include systems, mobile and software security and program analysis.
Damien got the M.Sc. and Ph.D. degrees in Computer Science and Engineering from the Pennsylvania State University in 2010 and 2014, respectively. He received his B.Sc. and Master’s degrees from Ecole Centrale de Lyon, France, in 2007 and 2010, respectively. He was awarded the Best Research Artifact Award at the 2012 International Symposium on the Foundations of Software Engineering (FSE). He also received the 2013 Penn State AT&T Graduate Fellowship.
For more information, contact Nasir Memon.
Light lunch will be served.