Protective Measures Against Privacy-Unfriendly Smartphone Apps

(This article is only available in German. It covers the legal aspects, under German law, of approaches that try to protect privacy in mobile apps.)

Together with Prof. Dr. Alexander Roßnagel and Dr. Philipp Richter (both of the Faculty of Law at the University of Kassel), we have published an article in DuD (Datenschutz und Datensicherheit) that examines technical options for privacy protection on mobile devices with regard to their legal aspects.

Abstract:

Technical Possibilities and Legal Admissibility of Self-Data-Protection for Apps

Privacy-enhancing technologies that monitor how smartphone apps handle personal data and prevent unwanted transmissions can come into conflict with copyright law. The article examines the technical possibilities of self-data-protection and offers an initial legal assessment.

Update: The article can be downloaded here from our website.

FlowDroid Now Supports Implicit Flows

FlowDroid is our taint analysis tool for automatically scanning Android applications for privacy-sensitive data leaks. While we have already shown FlowDroid to be highly precise and effective for explicit data flows through assignments and method calls, the tool now also supports the detection of leaks through control-flow dependencies. This protects against malware trying to disguise data flows through conditionals. If, for instance, an app does not send out the number 123 directly but instead sends the word “hello” 123 times, the attacker gains the same information as if the app had sent the value directly. The new version of FlowDroid derives that the “hello” message depends on the secret numeric value and therefore treats it as a leak as well, even though the data being sent does not directly contain any sensitive characters. To use this support for implicit flows, check out the develop branch on GitHub.

The feature can be activated using the “--implicit” option in the command-line tool or by programmatically calling “Infoflow.setEnableImplicitFlows(true)”.
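The difference between explicit-only and implicit-flow tracking, as an added example that is not FlowDroid's code: a toy static taint analysis over a constructed mini-language. The statement tuples, find_leaks and the sample programs are assumptions made for illustration; the example goes slightly beyond the text by also checking a loop that does not depend on the secret.

```python
# Toy static taint analysis (added example, not FlowDroid code).
# Statement forms of the constructed mini-language:
#   ("source", var)                      var = privacy-sensitive value
#   ("assign", var, [operands])          var = f(operands)
#   ("if" | "while", [cond_vars], body)  body runs under the condition
#   ("sink", label, [operands])          operands leave the app

def find_leaks(program, implicit=False):
    """Return sorted labels of sinks that may reveal source data."""
    tainted, leaks = set(), set()

    def run(stmts, pc_tainted):
        for stmt in stmts:
            kind = stmt[0]
            if kind == "source":
                tainted.add(stmt[1])
            elif kind in ("if", "while"):
                _, cond_vars, body = stmt
                while True:  # fixpoint: taint only grows, so this ends
                    before = len(tainted)
                    # Implicit mode: a tainted condition taints all
                    # statements that are control-dependent on it.
                    cond = implicit and bool(tainted & set(cond_vars))
                    run(body, pc_tainted or cond)
                    if len(tainted) == before:
                        break
            elif kind == "assign":
                if pc_tainted or tainted & set(stmt[2]):
                    tainted.add(stmt[1])
            elif kind == "sink":
                if pc_tainted or tainted & set(stmt[2]):
                    leaks.add(stmt[1])

    run(program, False)
    return sorted(leaks)

# Constructed sample programs.
EXPLICIT = [("source", "n"), ("sink", "send(n)", ["n"])]
# i = 0; while (i < n) { send("hello"); i = i + 1; }
LOOP = [("sink", 'send("hello")', []), ("assign", "i", ["i"])]
DISGUISED = [("source", "n"), ("assign", "i", []), ("while", ["i", "n"], LOOP)]
# Same loop, but bounded by a constant k that never touches the secret.
BENIGN = [("source", "n"), ("assign", "k", []), ("while", ["k"],
          [("sink", 'send("hello")', []), ("assign", "k", ["k"])])]

if __name__ == "__main__":
    for name in ("EXPLICIT", "DISGUISED", "BENIGN"):
        prog = globals()[name]
        print(name, find_leaks(prog), find_leaks(prog, implicit=True))
```

With implicit tracking off, the disguised loop passes unnoticed because the sink's argument is a constant; with it on, the sink is reported because the loop condition depends on the source.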

Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis

Today at USENIX Damien Octeau presented our joint work on a new analysis of Android Inter-Component Communication. This is joint work with Penn State University and the University of Luxembourg in the context of our Google Award on creating a map of Android inter-component communication.

We are still in the process of improving the implementation and integrating it with FlowDroid. Once this is done, we will make our tool Epicc open source. The paper is available for download, here’s the abstract:

Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of applications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.

New Lecture in Fall: Automated Code Analysis for Large Software Systems (ACA)

In Fall/Winter 2013 we will be offering a new lecture on automated code analyses for large software systems. We will be discussing the most important algorithms to solve static code analysis problems efficiently and precisely, and will be presenting novel extensions of these algorithms that we have recently developed to address important real-world analysis problems like automatically detecting vulnerabilities in the Java Runtime Library (e.g. CVE-2012-4681).

Trend and Strategy Report: Developing Secure Software through Security by Design

Today, Thursday, the three BMBF-funded competence centers for IT security, CISPA, Kastel and EC SPRIDE, are publishing the trend and strategy report Entwicklung sicherer Software durch Security by Design (Developing Secure Software through Security by Design). The report argues that the development and integration of secure software must follow the principle of security by design, and it names the corresponding challenges for a practice-oriented research agenda.

Hello World!

We – the SSE-Group (Secure Software Engineering) at EC-SPRIDE Darmstadt – created a new blog that informs you about our current research.

Our research includes, but is not limited to, the following topics:

  • Android Security
  • Buffer Overflow Mitigation
  • Timing Channel Mitigation

If you are interested in using or extending our tools, or if you have any questions in general, do not hesitate to contact us!

Let the blogging begin!