
PhD Dissertation Defense by WU Daoyuan | On-the-fly Android Static Analysis with Applications in Vulnerability Discovery

On-the-fly Android Static Analysis with Applications in Vulnerability Discovery

WU Daoyuan

PhD Candidate
School of Information Systems
Singapore Management University

Dissertation Committee

External Member
  • Rocky K. C. CHANG, Associate Professor, The Hong Kong Polytechnic University


Date

May 22, 2019 (Wednesday)


Time

2.00pm - 3.00pm


Venue

Meeting Room 4.4, Level 4,
School of Information Systems, Singapore Management University
80 Stamford Road
Singapore 178902


We look forward to seeing you at this research seminar.


About The Talk

Static analysis is a common program analysis technique that is used extensively in the software security field. Widely used static analysis tools for Android, e.g., Amandroid and FlowDroid, perform whole-app analysis, which is comprehensive but incurs huge overheads. In this dissertation, we make a first attempt to explore a novel on-demand analysis that leverages bytecode search to guide inter-procedural analysis on the fly, or just in time, and we develop this on-the-fly analysis into a tool for Android apps called BackDroid. We further explore how the core technique of on-the-fly static analysis in BackDroid can enable different vulnerability studies on Android and lead to their respective new findings. To this end, we select three vulnerability analysis problems on Android as representatives, since they require different extents of BackDroid customization in their methodology.

First, we explore how BackDroid can be applied to detect crypto and SSL/TLS misconfigurations in modern Android apps, and we compare it with the state-of-the-art Amandroid tool. Second, we explore how an enhanced version of BackDroid, combined with on-device crowdsourcing, can facilitate a systematic security study of open ports in Android apps. Third, we explore how a lightweight version of BackDroid with SDK conditional-statement checking can benefit an SDK-API inconsistency study that involves control-flow analysis of multiple sink APIs. Together, these works show that on-the-fly Android static analysis guided by bytecode search can efficiently and effectively analyze the security of modern apps.


Speaker Biography

Daoyuan WU is a PhD candidate in Cybersecurity at the School of Information Systems, Singapore Management University. He is advised by Associate Professor Debin Gao and AXA Chair Professor Robert H. Deng. In his PhD study, he proposes novel program analysis and on-device crowdsourcing techniques for Android security research.