Call Graph Soundness in Android Static Analysis
This program is tentative and subject to change.
Static analysis is sound in theory, but an implementation may unsoundly fail to analyze all of a program’s code. Any such omission is a serious threat to the validity of the tool’s output. Our work is the first to measure the prevalence of these omissions. Previously, researchers and analysts did not know what is missed by static analysis, what sort of code is missed, or the reasons behind these omissions. To address this gap, we ran 13 static analysis tools and a dynamic analysis on 1000 Android apps. Any method in the dynamic analysis but not in a static analysis is an unsoundness.
Our findings include the following. 1) Apps built around external frameworks challenge static analyzers. On average, the 13 static analysis tools failed to capture 61% of the dynamically-executed methods. 2) A high level of precision in call graph construction is a synonym for a high level of unsoundness.; 3) No existing approach significantly improves static analysis soundness. This includes those specifically tailored for a given mechanism, such as DroidRA to address reflection. It also includes systematic approaches, such as EdgeMiner, capturing all callbacks in the Android framework systematically. 4) Modeling entry point methods challenges call graph construction which jeopardizes soundness.
This program is tentative and subject to change.
Fri 20 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
10:30 - 11:50 | |||
10:30 20mTalk | Total Recall? How Good Are Static Call Graphs Really? Technical Papers Dominik Helm TU Darmstadt | ATHENE - National Research Center for Applied Cybersecurity, Darmstadt, Sven Keidel TU Darmstadt, Germany, Anemone Kampkötter TU Dortmund, Johannes Düsing TU Dortmund University, Tobias Roth Technische Universität Darmstadt, Ben Hermann TU Dortmund, Mira Mezini TU Darmstadt DOI Pre-print | ||
10:50 20mTalk | Unimocg: Modular Call-Graph Algorithms for Consistent Handling of Language Features Technical Papers Dominik Helm TU Darmstadt | ATHENE - National Research Center for Applied Cybersecurity, Darmstadt, Tobias Roth Technische Universität Darmstadt, Sven Keidel TU Darmstadt, Germany, Michael Reif CQSE, Mira Mezini TU Darmstadt DOI | ||
11:10 20mTalk | Better Not Together: Staged Solving for Context-Free Language Reachability Technical Papers Chenghang Shi SKLP, Institute of Computing Technology, CAS, Haofeng Li Institute of Computing Technology,Chinese Academy of Sciences, Jie Lu SKLP, Institute of Computing Technology, CAS, Lian Li Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory | ||
11:30 20mTalk | Call Graph Soundness in Android Static Analysis Technical Papers Jordan Samhi CISPA Helmholtz Center for Information Security, René Just University of Washington, Tegawendé F. Bissyandé University of Luxembourg, Michael D. Ernst University of Washington, Jacques Klein University of Luxembourg | ||