HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

We present HornDroid, a new tool for the static analysis of information flow properties in Android applications. The core idea underlying HornDroid is to use Horn clauses to soundly abstract the semantics of Android applications and to express security properties as a set of proof obligations that are automatically discharged by an off-the-shelf SMT solver. This approach makes it possible to fine-tune the analysis to achieve a high degree of precision while still relying on off-the-shelf verification tools, thereby leveraging recent advances in this field. HornDroid outperforms state-of-the-art Android static analysis tools on benchmarks proposed by the community. Moreover, HornDroid is the first static analysis tool for Android to come with a formal proof of soundness covering the core of the analysis technique: besides yielding correctness assurances, this proof allowed us to identify some critical corner cases that affect the soundness guarantees provided by some previous static analysis tools for Android.
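The following is an added illustration of the approach described in the abstract, not HornDroid's own encoding or code: a toy register-based program in a Dalvik-flavoured form is abstracted into a set of propositional Horn clauses (one clause per semantic step, with a flow-insensitive summary for heap fields), the least model of those clauses is computed by forward chaining, and the security property "no tainted value reaches a sink" is checked as the proof obligation that the atom `Leak` is not derivable. The same clauses are also printed in SMT-LIB `HORN` logic so they could be handed to an off-the-shelf solver such as Z3; running a solver is not part of the example. The mini instruction set (`source`, `sink`, `move`, `const`, `iput`, `iget`), the register and field names, the three constructed programs and the `Taint`/`Heap`/`Leak` predicate names are all assumptions made for this example.

```python
"""Added example (not HornDroid's own encoding): abstract a toy register-based
program as Horn clauses, derive their least model by forward chaining, and ask
whether the proof obligation "no tainted value reaches a sink" fails.
The mini instruction set, the source/sink modelling and all names are assumptions."""
from typing import Iterable

Clause = tuple[str, frozenset[str]]  # head <- body ; a fact has an empty body

# Constructed toy programs in a Dalvik-flavoured three-address form: (pc, op, *args).
# "source" stands for a call such as getDeviceId(), "sink" for one such as
# sendTextMessage(); both are assumptions made for the illustration.
LEAKY_APP = [
    (0, "source", "v0"),          # v0 := <tainted value>
    (1, "iput", "v0", "obj.f"),   # obj.f := v0
    (2, "const", "v1"),           # v1 := constant (untainted)
    (3, "iget", "v2", "obj.f"),   # v2 := obj.f
    (4, "sink", "v2"),            # sink(v2): a real leak through the heap
]
SAFE_APP = [
    (0, "source", "v0"),
    (1, "const", "v0"),           # overwriting v0 kills the taint
    (2, "sink", "v0"),            # no leak
]
IMPRECISE_APP = [
    (0, "source", "v0"),
    (1, "iget", "v1", "obj.f"),   # reads obj.f BEFORE the tainted store
    (2, "iput", "v0", "obj.f"),
    (3, "sink", "v1"),            # no leak at run time, but reported: sound, imprecise
]

def taint(pc: int, reg: str) -> str:
    return f"Taint({pc},{reg})"

def encode(program: Iterable[tuple]) -> list[Clause]:
    """One Horn clause per semantic step; heap fields are summarised flow-insensitively."""
    program = list(program)
    regs = sorted({a for ins in program for a in ins[2:] if a.startswith("v")})
    clauses: list[Clause] = []
    for pc, op, *args in program:
        nxt, written = pc + 1, None
        if op == "source":                    # taint is introduced
            (written,) = args
            clauses.append((taint(nxt, written), frozenset()))
        elif op == "const":                   # dst := constant, taint killed
            (written,) = args
        elif op == "move":                    # dst := src
            written, src = args
            clauses.append((taint(nxt, written), frozenset({taint(pc, src)})))
        elif op == "iput":                    # field := src (heap summary)
            src, field = args
            clauses.append((f"Heap({field})", frozenset({taint(pc, src)})))
        elif op == "iget":                    # dst := field
            written, field = args
            clauses.append((taint(nxt, written), frozenset({f"Heap({field})"})))
        elif op == "sink":                    # property violation if tainted
            (src,) = args
            clauses.append(("Leak", frozenset({taint(pc, src)})))
        else:
            raise ValueError(f"unknown op {op!r}")
        # frame clauses: every register not written keeps its taint status
        for r in regs:
            if r != written:
                clauses.append((taint(nxt, r), frozenset({taint(pc, r)})))
    return clauses

def least_model(clauses: list[Clause]) -> set[str]:
    """Forward chaining (unit propagation): the least model of the Horn set."""
    derived: set[str] = set()
    changed = True
    while changed:
        changed = False
        for head, body in clauses:
            if head not in derived and body <= derived:
                derived.add(head)
                changed = True
    return derived

def leaks(program) -> bool:
    """The proof obligation is 'Leak is not derivable'; True means it fails."""
    return "Leak" in least_model(encode(program))

def to_smtlib(clauses: list[Clause]) -> str:
    """Same clauses in SMT-LIB HORN logic for an off-the-shelf solver:
    unsat means Leak is derivable, sat means a safe invariant exists."""
    atoms = sorted({"Leak"} | {h for h, _ in clauses} | {a for _, b in clauses for a in b})
    lines = ["(set-logic HORN)"]
    lines += [f"(declare-fun |{a}| () Bool)" for a in atoms]
    for head, body in clauses:
        prem = "true" if not body else "(and " + " ".join(f"|{b}|" for b in sorted(body)) + ")"
        lines.append(f"(assert (=> {prem} |{head}|))")
    lines += ["(assert (=> |Leak| false))", "(check-sat)"]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, app in [("leaky", LEAKY_APP), ("safe", SAFE_APP), ("imprecise", IMPRECISE_APP)]:
        print(f"{name}: {'LEAK' if leaks(app) else 'no leak'}")
    print(to_smtlib(encode(SAFE_APP)))
```

`IMPRECISE_APP` is the point of interest for a practitioner: the flow-insensitive heap summary makes the clause set over-approximate every real execution, so the analysis stays sound (it never misses the real leak in `LEAKY_APP`) at the cost of a false positive where the field is read before the tainted store. Recovering precision in such cases, while keeping the abstraction sound, is exactly what the clause encoding has to be tuned for, and the SMT-LIB output shows where an off-the-shelf Horn solver would take over from the hand-written fixpoint loop.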
