CLAPP: characterizing loops in Android applications

When performing program analysis, loops are one of the most important aspects that needs to be taken into account. In the past, many approaches have been proposed to analyze loops to perform different tasks, ranging from compiler optimizations to Worst-Case Execution Time (WCET) analysis. While these approaches are powerful, they focus on tackling very specific categories of loops and known loop patterns, such as the ones for which the number of iterations can be statically determined. In this work, we developed a static analysis framework to characterize and analyze generic loops, without relying on techniques based on pattern matching. For this work, we focus on the Android platform, and we implemented a prototype, called CLAPP, that we used to perform the first large-scale empirical study of the usage of loops in Android applications. In particular, we used our tool to analyze a total of 4,110,510 loops found in 11,823 Android applications. As part of our evaluation, we provide the detailed results of our empirical study, we show how our analysis was able to determine that the execution of 63.28% of the loops is bounded, and we discuss several interesting insights related to the performance issues and security aspects associated with loops.

[1]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1987, TOPL.

[2]  Monica S. Lam,et al.  A Loop Transformation Theory and an Algorithm to Maximize Parallelism , 1991, IEEE Trans. Parallel Distributed Syst..

[3]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[4]  Reinhold Heckmann,et al.  Worst case execution time prediction by static program analysis , 2004, 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings..

[5]  Daniel Berlin High-Level Loop Optimizations for GCC , 2004 .

[6]  Jan Gustafsson,et al.  Automatic Derivation of Loop Bounds and Infeasible Paths for WCET Analysis Using Abstract Execution , 2006, 2006 27th IEEE International Real-Time Systems Symposium (RTSS'06).

[7]  Christoph Cullmann,et al.  Data-Flow Based Detection of Loop Bounds , 2007, WCET.

[8]  Jan Gustafsson,et al.  Loop Bound Analysis based on a Combination of Program Slicing, Abstract Interpretation, and Invariant Analysis , 2007, WCET.

[9]  Yu Chen,et al.  A New Algorithm for Identifying Loops in Decompilation , 2007, SAS.

[10]  Yi Yang,et al.  A GPGPU compiler for memory optimization and parallelism management , 2010, PLDI '10.

[11]  Jens Knoop,et al.  Symbolic Loop Bound Computation for WCET Analysis , 2011, Ershov Memorial Conference.

[12]  Deepak Kapur,et al.  Termination Analysis of C Programs Using Compiler Intermediate Languages , 2011, RTA.

[13]  Jürgen Giesl,et al.  Automated Detection of Non-termination and NullPointerExceptions for Java Bytecode , 2011, FoVeOOS.

[14]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[15]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[16]  Yajin Zhou,et al.  RiskRanker: scalable and accurate zero-day android malware detection , 2012, MobiSys '12.

[17]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[18]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[19]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[20]  David Brumley,et al.  An empirical study of cryptographic misuse in android applications , 2013, CCS.

[21]  Yajin Zhou,et al.  Detecting Passive Content Leaks and Pollution in Android Applications , 2013, NDSS.

[22]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[23]  Eric Bodden,et al.  A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks , 2014, NDSS.

[24]  Christopher Krügel,et al.  Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications , 2014, NDSS.

[25]  Jason Nieh,et al.  A measurement study of google play , 2014, SIGMETRICS '14.

[26]  Christopher Krügel,et al.  CLAPP: characterizing loops in Android applications (invited talk) , 2015, DeMobile@SIGSOFT FSE.