Model-Based Static Source Code Analysis of Java Programs with Applications to Android Security

We combine static analysis techniques with model-based deductive verification using SMT solvers to provide a framework that, given an analysis aspect of the source code, automatically generates an analyzer capable of inferring information about that aspect. The analyzer is generated by translating the collecting semantics of a program into a "marked" formula in first-order logic over multiple underlying theories. The "marking" can be thought of as a set of holes or contexts corresponding to the "uninterpreted" APIs invoked in the program. Just as a program imports packages and uses methods from classes in those packages, we import the semantics of the API invocations as first-order logic assertions. These assertions constitute the models used by the analyzer. A logical specification of the desired program behavior (or rather, its negation) is incorporated as a first-order logic formula. An SMT-LIB formula solver treats the combined formula as a "constraint" and "solves" it. The "solved form" can be used to identify logical (security) errors in Java (Android) programs. Security properties of Android are represented as constraints, and the analysis aims to show that these constraints are respected.
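The following SMT-LIB 2 script is an added illustration of the encoding the abstract describes; it is not from the paper or its tool. It encodes one path of a hypothetical Android content-provider method (shown in the leading comment) as a "marked" formula: `checkCallingPermission` is the hole left uninterpreted, the assertion that relates it to a `holds` predicate is the imported API model, and the negated security property ("data reaches a caller who lacks `READ_CONTACTS`") is conjoined as a constraint. All identifiers, the permission-result codes and the `debugMode` bypass are constructed for the example. The script uses `push`/`pop` to check the program as written and then a version with the bypass removed.

```smt2
; Added example (not from the paper).  Hypothetical program path being encoded:
;
;   int query(int caller) {
;       int r = ctx.checkCallingPermission(READ_CONTACTS);   // API: uninterpreted
;       boolean granted = (r == PERMISSION_GRANTED);
;       if (granted || debugMode) return contacts;            // debugMode bypass
;       return 0;
;   }
(set-logic QF_UFLIA)

; --- the "holes": APIs invoked by the program, left uninterpreted ---
(declare-fun checkCallingPermission (Int Int) Int)   ; (caller uid, permission) -> result code
(declare-fun holds (Int Int) Bool)                   ; model predicate: does uid hold permission?
(declare-const PERMISSION_GRANTED Int)
(declare-const PERMISSION_DENIED Int)
(assert (= PERMISSION_GRANTED 0))                    ; assumed result codes
(assert (= PERMISSION_DENIED -1))

; --- program variables (SSA form, one definition each) ---
(declare-const caller Int)
(declare-const READ_CONTACTS Int)
(declare-const debugMode Bool)
(declare-const contacts Int)
(declare-const r Int)
(declare-const granted Bool)
(assert (distinct contacts 0))   ; returned data is distinguishable from "nothing"

; --- imported API semantics: the assertion that fills the hole ---
(assert (= (checkCallingPermission caller READ_CONTACTS)
           (ite (holds caller READ_CONTACTS) PERMISSION_GRANTED PERMISSION_DENIED)))

; --- collecting semantics of the path up to the branch ---
(assert (= r (checkCallingPermission caller READ_CONTACTS)))
(assert (= granted (= r PERMISSION_GRANTED)))

; Version 1: the program as written, including the debugMode bypass.
(push 1)
(declare-const ret Int)
(assert (= ret (ite (or granted debugMode) contacts 0)))
; negated security property: the data reaches a caller lacking READ_CONTACTS
(assert (and (= ret contacts) (not (holds caller READ_CONTACTS))))
(check-sat)    ; a sat answer is the counterexample; get-model shows the path
(get-model)
(pop 1)

; Version 2: bypass removed; the same negated property is checked again.
(push 1)
(declare-const ret Int)
(assert (= ret (ite granted contacts 0)))
(assert (and (= ret contacts) (not (holds caller READ_CONTACTS))))
(check-sat)    ; an unsat answer means the property holds on this path
(pop 1)
```

Feed the script to any SMT-LIB 2 solver (for example Yices or Z3). The first `check-sat` is satisfiable: the solver's model sets `debugMode` to true and `holds` to false, which is exactly the logical error the "solved form" is meant to expose. With the bypass removed, `ret = contacts` forces `granted`, hence `holds`, which contradicts the negated property, so the second `check-sat` is unsatisfiable and the constraint is shown to be respected on that path.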
