An In-Depth Study of More Than Ten Years of Java Exploitation

I am happy and proud to present our first CCS paper! Co-authored with Philipp Holzinger, Stefan Triller and Alexandre Bartel, we present an in-depth study of all available Java exploits we were able to find online. The exploits cover all different sorts of attack vectors and more than 15 years, they highlight important weaknesses in the Java runtime. The study explains in detail the different weaknesses the exploits exploit. The paper is available here already. Further, we will soon make available some artifacts on this website (not the exploits, though).

Thanks to Marco Pistoia for his constructive feedback and Julian Dolby for providing us with the IBM JDKs we required for our study! Thanks also to Oracle which supported us through a Collaborative Research Grant and to the DFG’s Priority Program 1496 Reliably Secure Software Systems who funded the work through its project INTERFLOW!

See you all at Vienna!

Boomerang accepted at ECOOP 2016

We are happy to announce, that a paper on our new algorithm for demand-driven context- and flow-sensitive points-to analysis, called Boomerang, has been accepted at the ECOOP 2016 conference. Download the paper here.

Boomerang is the first points-to analysis algorithm which on demand delivers in addition to computing points-to sets also the reverse information. Along with an allocation site, the analysis delivers all possible pointers in the current scope which point-to that particular allocation site. This feature is crucial for state-of-the-art clients such as taint and typestate analysis. On top of that, Boomerang enables client-driven context-resolution: The client can limit the search scope for the points-to analysis to the methods of interest.

For the evaluation we introduce PointerBench, the first benchmark suite to evaluate precision and soundness of points-to analyses. We hope for contributions to further enhance the benchmark suite and make points-to analyses comparable more easily.

Boomerang also received the artifact evaluation award.

Harvester will be presented at NDSS 2016

We are happy to announce our new publication “Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques” which will be presented at NDSS 2016. Harvester combines static and dynamic code analysis techniques to extract runtime values (e.g. URLs, SMS messages/numbers, etc.) from Android binaries. Furthermore, it can also be used for de-obfuscating Android applications. More details can be found here.

Looking forward to a great conference.

An Investigation of the Android/BadAccents Malware

BadAccents Malware

Earlier this year, we reported on the Korean threat we identified in collaboration with McAfee Mobile Research. We have now released a technical report describing in detail the Android/BadAccents malware. Furthermore, we also describe a new tapjacking attack (also reported earlier this year) the malware exploited.

The technical report also describes the fix we submitted to the Android Security Team in January this year. Until now (approximately 4 month later), the official AOSP still doesn’t include the fix, meaning likely all Android versions are still vulnerable. Unfortunately, there is no real protection-mechanism for the user against this attack. A general recommendation from our side is the installation of apps from the official app stores and the usage of anti-virus applications (many AV vendors already detect this malware family).

New paper on Reducing Human Factors in Software Security Architectures

On Wednesday I will be presenting an invited paper which I wrote together with Ben Hermann, Johannes Lerch and Mira Mezini for a special session at this year’s Future Security Conference. In this work, we give a retrospective survey about the different software security architectures that come with common current programming-language runtimes.The more we learned about these models the less it came as a surprise to us that the world is now seeing the problems and vulnerabilities that it is seeing. In retrospect it is often simple to blame “stupid developers” for including a programming mistake that leads to an exploitable vulnerability. In practice, however, this is just a too simple answer. To truly understand what causes the inclusion of such code one must understand the development history of the respective projects, the organizational structure in which development happens and also the number of constraints a developer has to keep in mind to avoid such mistakes. We argue that, at first, simpler security models are preferable because in such models mistakes are less likely to occur. The trick is then to retain a security model that is restrictive enough. We discuss object capabilities as one mechanism to support models that can be relatively expressive and maintainable at the same time.

Reducing human factors in software security architectures
In the recent past it has become clear that there are inherent problems with the security models of popular programming platforms such as Java, Android, and so forth. In this work we pinpoint sources of those problems, and explain the relative strengths and weaknesses of the security models for C/C++, Java, .NET, Android and JavaScript. As it turns out, many problems are caused by the fact that the models are so complex that they overstrain not only end-users but even expert developers. Out of this experience we argue that a new line of security models, based on object-capabilities, can help reduce the inherent complexity, preparing the ground for software that is secure by design. 

Trend- und Strategiebericht: Entwicklung sicherer Software durch Security by Design

TrendberichtAm heutigen Donnerstag veröffentlichen die vom BMBF geförderten drei Kompetenzzentren für IT-Sicherheit CISPA, Kastel und EC SPRIDE den Trend- und Strategiebericht Entwicklung sicherer Software durch Security by Design. Der Bericht vertritt die These, dass die Entwicklung und Integration sicherer Software nach dem Prinzip Security by Design ausgestaltet werden muss und benennt entsprechende Herausforderungen für eine praxisorientierte Forschungsagenda.

FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps

android-ss-1In our new technical report Highly Precise Taint Analysis for Android Applications we present our new tool FlowDroid which implements a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.

Furthermore, we also created an Android benchmark suite, DroidBench, as a testing ground for static and dynamic security tools.

This is joint work with Alexandre Bartel, Jacques Klein and Yves le Traon from the University of Luxembourg and with Damien Octeau and Patrick McDaniel from Penn State University.

Continue reading