Thu 29 Oct 2015 10:30 - 10:52 at Grand Station 1 - 5. Mobility Chair(s): Lukasz Ziarek

App stores are increasingly the preferred mechanism for distributing software, including mobile apps (Google Play), desktop apps (Mac App Store and Ubuntu Software Center), computer games (the Steam Store), and browser extensions (Chrome Web Store). The centralized nature of these stores has important implications for security. While app stores have unprecedented ability to audit apps, users now trust hosted apps, making them more vulnerable to malware that evades detection and finds its way onto the app store. Sound static explicit information flow analysis has the potential to significantly aid human auditors, but it is handicapped by high false positive rates. Instead, auditors currently rely on a combination of dynamic analysis (which is unsound) and lightweight static analysis (which cannot identify information flows) to help detect malicious behaviors. We propose a process for producing apps certified to be free of malicious explicit information flows. In practice, imprecision in the reachability analysis is a major source of false positive information flows that are difficult to understand and discharge. In our approach, the developer provides tests that specify what code is reachable, allowing the static analysis to restrict its search to tested code. The app hosted on the store is instrumented to enforce the provided specification (i.e., executing untested code terminates the app). We use abductive inference to minimize the necessary instrumentation, and then interact with the developer to ensure that the instrumentation only cuts unreachable code. We demonstrate the effectiveness of our approach in verifying a corpus of 77 Android apps—our interactive verification process successfully discharges 11 out of the 12 false positives.

Thu 29 Oct

Displayed time zone: Eastern Time (US & Canada) change

10:30 - 12:00
5. MobilityOOPSLA at Grand Station 1
Chair(s): Lukasz Ziarek State University of New York (SUNY) Buffalo
10:30
22m
Talk
Interactively Verifying Absence of Explicit Information Flows in Android Apps
OOPSLA
Osbert Bastani Stanford University, Saswat Anand Stanford University, Alex Aiken Stanford University
DOI Media Attached
10:52
22m
Talk
ShamDroid: Gracefully Degrading Functionality in the Presence of Limited Resource Access
OOPSLA
Lucas Brutschy ETH Zurich, Switzerland, Pietro Ferrara IBM Research, USA, Omer Tripp IBM Research, USA, Marco Pistoia IBM Research, USA
Pre-print Media Attached
11:15
22m
Talk
Scalable Race Detection for Android ApplicationsOOPSLA Artifact
OOPSLA
Pavol Bielik ETH Zurich, Switzerland, Veselin Raychev ETH Zurich, Switzerland, Martin Vechev ETH Zurich, Switzerland
DOI Media Attached
11:37
22m
Talk
Versatile yet Lightweight Record-and-Replay for Android
OOPSLA
Yongjian Hu University of California at Riverside, USA, Tanzirul Azim University of California at Riverside, USA, Iulian Neamtiu University of California at Riverside, USA
DOI Media Attached