Call Graph Soundness in Android Static Analysis
Static analysis is sound in theory, but an implementation may unsoundly fail to analyze all of a program's code. Any such omission is a serious threat to the validity of the tool's output. Our work is the first to measure the prevalence of these omissions. Previously, researchers and analysts did not know what is missed by static analysis, what sort of code is missed, or the reasons behind these omissions. To address this gap, we ran 13 static analysis tools and a dynamic analysis on 1000 Android apps. Any method in the dynamic analysis but not in a static analysis is an unsoundness.
Our findings include the following. (1) Apps built around external frameworks challenge static analyzers. On average, the 13 static analysis tools failed to capture 61% of the dynamically-executed methods. (2) A high level of precision in call graph construction is a synonym for a high level of unsoundness. (3) No existing approach significantly improves static analysis soundness. This includes those specifically tailored for a given mechanism, such as DroidRA to address reflection. It also includes systematic approaches, such as EdgeMiner, capturing all callbacks in the Android framework systematically. (4) Modeling entry point methods challenges call graph construction which jeopardizes soundness.
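The measurement described above (methods seen dynamically but absent from the static call graph), together with the entry-point effect of finding (4), as an added example that is not taken from the paper or its artifact. The app, its method names, the call edges and the execution trace are all constructed for illustration.

```python
from collections import deque

# Constructed static call graph of a hypothetical app: caller -> callees.
# ClickHandler.onClick is invoked by the framework, so no app method calls it.
CALL_GRAPH = {
    "MainActivity.onCreate": ["MainActivity.initUi", "Tracker.start"],
    "MainActivity.initUi": ["ClickHandler.<init>"],
    "ClickHandler.onClick": ["Uploader.send"],
    "Uploader.send": ["Crypto.encrypt"],
}

# Constructed dynamic trace: every method observed executing at run time.
EXECUTED = {
    "MainActivity.onCreate", "MainActivity.initUi", "Tracker.start",
    "ClickHandler.<init>", "ClickHandler.onClick",
    "Uploader.send", "Crypto.encrypt",
}

def reachable(call_graph, entry_points):
    """Methods reachable from the modeled entry points (BFS over call edges)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def unsoundness(call_graph, entry_points, executed):
    """Return (missed methods, missed fraction) for one static call graph."""
    missed = executed - reachable(call_graph, entry_points)
    fraction = len(missed) / len(executed) if executed else 0.0
    return missed, fraction

if __name__ == "__main__":
    # Entry-point model that only knows the Activity lifecycle method.
    missed, frac = unsoundness(CALL_GRAPH, {"MainActivity.onCreate"}, EXECUTED)
    print(f"lifecycle only: missed {sorted(missed)} ({frac:.0%})")

    # Same graph once the framework callback is also modeled as an entry point.
    entries = {"MainActivity.onCreate", "ClickHandler.onClick"}
    missed, frac = unsoundness(CALL_GRAPH, entries, EXECUTED)
    print(f"with callback:  missed {sorted(missed)} ({frac:.0%})")
```

For a security reviewer, the three missed methods are the point: the upload and encryption code sits entirely behind the unmodeled callback, so a data-flow check built on this call graph would never see it.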
Fri 20 Sep. Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
10:30 - 11:50 | Call Graphs and Static Analysis | Technical Papers at EI 9 Hlawka | Chair(s): Julia Rubin, The University of British Columbia
10:30 | 20m Talk | Unimocg: Modular Call-Graph Algorithms for Consistent Handling of Language Features | Technical Papers | Dominik Helm University of Duisburg-Essen; TU Darmstadt; National Research Center for Applied Cybersecurity ATHENE, Tobias Roth TU Darmstadt; National Research Center for Applied Cybersecurity ATHENE, Sven Keidel TU Darmstadt, Michael Reif CQSE, Mira Mezini TU Darmstadt; hessian.AI; National Research Center for Applied Cybersecurity ATHENE
10:50 | 20m Talk | Total Recall? How Good Are Static Call Graphs Really? | Technical Papers | Dominik Helm University of Duisburg-Essen; TU Darmstadt; National Research Center for Applied Cybersecurity ATHENE, Sven Keidel TU Darmstadt, Anemone Kampkötter TU Dortmund, Johannes Düsing TU Dortmund, Tobias Roth TU Darmstadt; National Research Center for Applied Cybersecurity ATHENE, Ben Hermann TU Dortmund, Mira Mezini TU Darmstadt; hessian.AI; National Research Center for Applied Cybersecurity ATHENE
11:10 | 20m Talk | Call Graph Soundness in Android Static Analysis | Technical Papers | Jordan Samhi CISPA Helmholtz Center for Information Security, René Just University of Washington, Tegawendé F. Bissyandé University of Luxembourg, Michael D. Ernst University of Washington, Jacques Klein University of Luxembourg
11:30 | 20m Talk | Synthesis of Sound and Precise Storage Cost Bounds via Unsound Resource Analysis and Max-SMT | Technical Papers | Elvira Albert Complutense University of Madrid, Jesús Correas Complutense University of Madrid, Pablo Gordillo Complutense University of Madrid, Guillermo Román-Díez Universidad Politécnica de Madrid, Albert Rubio Complutense University of Madrid