Reflection Analysis for Java: Uncovering More Reflective Targets Precisely

Reflection, which is widely used in practice and abused by many security exploits, poses a significant obstacle to program analysis. Reflective calls can be analyzed statically or dynamically. Static analysis is more sound but also more imprecise (it introduces many false reflective targets, which in turn affects its scalability). Dynamic analysis can be precise but often misses many true reflective targets due to low code coverage.

We introduce MIRROR, the first automatic reflection analysis for Java that significantly increases the code coverage of dynamic analysis while keeping false reflective targets low. In its static analysis, a novel reflection-oriented slicing technique is applied to identify a small number of small path-based slices for a reflective call, so that different reflective targets are likely to be exercised along these different paths. This preserves the soundness of pure static reflection analysis as much as possible, improves its scalability, and substantially reduces its false positive rate. In its dynamic analysis, these slices are executed with automatically generated test cases to report the reflective targets accessed. This significantly improves the code coverage of pure dynamic analysis. We evaluate MIRROR against a state-of-the-art dynamic reflection analysis tool, TAMIFLEX, using 10 large real-world Java applications. MIRROR detects 12.5% - 933.3% more reflective targets efficiently (in 362.8 seconds on average) without producing any false positives. These new targets enable 5 - 174949 callgraph edges to be reachable in the application code.
