One week ago, Trustlook publised a blog post about the addJavascriptInterface Code execution Vulnerability in Android’s WebView. Accordingly to that post, we describe the attack in detail and also show Android’s changes in the OS in order to mitigate this JavaScript attack.
New paper on automatically updating analysis results
Today Steven Arzt and Eric Bodden are releasing a Technical Report on Reviser, our novel tool for automatically and Efficiently updating IDE-based data-flow analyses in response to incremental program changes. I think the title pretty much speaks for itself. Reviser is available as an open-source extension to Heros. Enjoy!
New paper on Reducing Human Factors in Software Security Architectures
On Wednesday I will be presenting an invited paper which I wrote together with Ben Hermann, Johannes Lerch and Mira Mezini for a special session at this year’s Future Security Conference. In this work, we give a retrospective survey about the different software security architectures that come with common current programming-language runtimes.The more we learned about these models the less it came as a surprise to us that the world is now seeing the problems and vulnerabilities that it is seeing. In retrospect it is often simple to blame “stupid developers” for including a programming mistake that leads to an exploitable vulnerability. In practice, however, this is just a too simple answer. To truly understand what causes the inclusion of such code one must understand the development history of the respective projects, the organizational structure in which development happens and also the number of constraints a developer has to keep in mind to avoid such mistakes. We argue that, at first, simpler security models are preferable because in such models mistakes are less likely to occur. The trick is then to retain a security model that is restrictive enough. We discuss object capabilities as one mechanism to support models that can be relatively expressive and maintainable at the same time.
Reducing human factors in software security architectures
In the recent past it has become clear that there are inherent problems with the security models of popular programming platforms such as Java, Android, and so forth. In this work we pinpoint sources of those problems, and explain the relative strengths and weaknesses of the security models for C/C++, Java, .NET, Android and JavaScript. As it turns out, many problems are caused by the fact that the models are so complex that they overstrain not only end-users but even expert developers. Out of this experience we argue that a new line of security models, based on object-capabilities, can help reduce the inherent complexity, preparing the ground for software that is secure by design.
Google changes rules for Push Advertisement; Ads annoy users as SSE group shows
As Golem and Heise are writing today, Google has updated its rules for advertisement in Android Apps. Earlier this year, researchers from the SSE group and from Fraunhofer SIT have found that almost one third of the top apps in Google’s Play store use advertising services that in many instances violate the store’s content policy. The result is annoying for users, as these apps will plague them with very intrusive forms of advertisement that can be very hard to eliminate even for expert users. Early on, we have shared these results with Google. The change by Google now obligates app developers to ensure that the ad frameworks they include in their app do not use any ad services violating Google’s policy.
Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis
Today at USENIX Damien Octeau presented our joint work on a new analysis of Android Inter-Component Communication. This is joint work with Penn State University and the University of Luxembourg in the context of our Google Award on creating a map of Android inter-component communication.
We are still in the process of improving the implementation and integrating it with FlowDroid. Once this is done, we will make our tool Epicc open source. The paper is available for download, here’s the abstract:
Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of applications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.
CCS 2013: Tutorial on Android instrumentation
At CCS 2013, we will be giving a tutorial on instrumenting Android apps to enhance their security. You are most welcome to attend! From the abstract:
Novel types of malware on mobile devices have raised researchers interest in implementing static and dynamic techniques for detecting and mitigating malicious behavior of mobile applications. In this hands-on tutorial we will demonstrate and explain different techniques for instrumenting Android applications using the Aspect Bench Compiler (abc) and the program analysis and transformation tool Soot. Through high-level abstractions such as AspectJ aspects and Tracematches, abc supports a declarative style of instrumentation that lends itself to the rapid prototyping of at least simple instrumentation schemes. Soot supports instrumentation in an imperative style, which requires more work but allows more fine-grained control. Both abc and Soot are inter operable, as they instrument the same intermediate program representation. Furthermore, as we show, both can be easily integrated with static program analyses that can be used to specialize instrumentation schemes based on additional information extracted from the static structure of the instrumented app.
In September, Steven Arzt and Siegfried Rasthofer will be giving a similar tutorial at RV 2013.
Looking for Research Assistant in the Field of Secure Software Engineering
We are currently looking to fill a number of positions for Research Assistants in the field of Secure Software Engineering (German version here). These are PhD and PostDoc positions at Fraunhofer SIT where we are looking into developing a novel framework for automated security code analyses. If you are experienced in this area we definitely encourage you to apply!
New Lecture in Fall: Automated Code Analysis for Large Software Systems (ACA)
In Fall/Winter 2013 we will be offering a new lecture on automated code analyses for large software systems. We will be discussing the most important algorithms to solve static code analysis problems efficiently and precisely, and will be presenting novel extensions of these algorithms that we have recently developed to address important real-world analysis problems like automatically detecting vulnerabilities in the Java Runtime Library (e.g. CVE_2012_4681). Continue reading
Master Thesis on FlowDroid now available
Christian Fritz has just submitted his Master Thesis on FlowDroid. It gives many additional details not mentioned in our earlier Tech Report. You can check it out here:
FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.
Responsible Disclosure: Darmstadt Researchers Discover Security Vulnerability in AppGuard Pro
Stephan Huber (Fraunhofer SIT Darmstadt) and Siegfried Rasthofer (TU Darmstadt) discovered a security vulnerability in versions 2.0.0 – 2.0.5 of the security tool AppGuard Pro. A few weeks ago, we informed the vendor Backes SRT who has now fixed the vulnerability in the latest release. The vulnerability gives malicious apps full control of all settings in the AppGuard Pro application. The vulnerability not only allows such apps to bypass any and all of the tool’s security measures, on top of that the malicious apps can even misuse AppGuard Pro to convince the user into perceiving the malicious app as harmless. Users should download the update as soon as possible.