Static Resolution of Implicit Control Flow for Reflection and Message-Passing Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo.

Slides:

Advertisements

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Advertisements

ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.

Names and Bindings.

1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, Alejandro Russo.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

Interprocedural analysis © Marcelo d’Amorim 2010.

CSE341: Programming Languages Lecture 26 Subtyping for OOP Dan Grossman Fall 2011.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Names and Scopes CS 351. Program Binding We should be familiar with this notion. A variable is bound to a method or current block e.g in C++: namespace.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

The Structure of the GNAT Compiler. A target-independent Ada95 front-end for GCC Ada components C components SyntaxSemExpandgigiGCC AST Annotated AST.

1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.

Bootstrapping Privacy Compliance in Big Data System Shayak Sen, Saikat Guha et al Carnegie Mellon University Microsoft Research Presenter: Cheng Li.

May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.

Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.

Taming the Wildcards: Combining Definition- and Use-Site Variance – Altidor John Altidor Taming the Wildcards: Combining Definition- and Use-Site Variance.

A Formal Model of Modularity in Aspect-Oriented Programming Jonathan Aldrich : Objects and Aspects Carnegie Mellon University.

Procedure Optimizations and Interprocedural Analysis Chapter 15, 19 Mooly Sagiv.

Deep Typechecking and Refactoring Zachary Tatlock, Chris Tucker, David Shuffleton, Ranjit Jhala, Sorin Lerner 1 University of California, San Diego.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco.

Inference and Checking of Object Ownership Wei Huang 1, Werner Dietl 2, Ana Milanova 1, Michael D. Ernst 2 1 Rensselaer Polytechnic Institute 2 University.

March 12, ICE 1341 – Programming Languages (Lecture #6) In-Young Ko Programming Languages (ICE 1341) Lecture #6 Programming Languages (ICE 1341)

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

ROBERT BOCCHINO, ET AL. UNIVERSAL PARALLEL COMPUTING RESEARCH CENTER UNIVERSITY OF ILLINOIS A Type and Effect System for Deterministic Parallel Java *Based.

Self Type Constructors Atsushi Igarashi Kyoto University Joint work with Chieri Saito 1.

Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.

Chameleon Automatic Selection of Collections Ohad Shacham Martin VechevEran Yahav Tel Aviv University IBM T.J. Watson Research Center Presented by: Yingyi.

User-defined type checkers for error detection and prevention in Java Michael D. Ernst MIT Computer Science & AI Lab

Exploiting Code Search Engines to Improve Programmer Productivity and Quality Suresh Thummalapenta Advisor: Dr. Tao Xie Department of Computer Science.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Using Types to Analyze and Optimize Object-Oriented Programs By: Amer Diwan Presented By: Jess Martin, Noah Wallace, and Will von Rosenberg.

Profiling Field Initialisation in Java Stephen Nelson, David J. Pearce & James Noble Victoria University of Wellington New Zealand.

CS 343 presentation Concrete Type Inference Department of Computer Science Stanford University.

Recommending Adaptive Changes for Framework Evolution Barthélémy Dagenais and Martin P. Robillard ICSE08 Dec 4 th, 2008 Presented by EJ Park.

Type soundness In a more formal way. Proving Soundness of Type Systems Goal of a sound type system: –if the program type checks, then it never “crashes”

Zach Tatlock / Winter 2016 CSE 331 Software Design and Implementation Lecture 13 Generics 1.

ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.

M1G Introduction to Programming 2 2. Creating Classes: Game and Player.

Verification Presentation to SystemVerilog Basic Committee Peter Flake Nov 15, 2002.

Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.

Tracking Bad Apples: Reporting the Origin of Null & Undefined Value Errors Michael D. Bond UT Austin Nicholas Nethercote National ICT Australia Stephen.

The Ins and Outs of Gradual Type Inference Avik Chaudhuri Basil Hosmer Adobe Systems Aseem Rastogi Stony Brook University.

Communicating with Databases String based queries are prevalent:  JPA, Hibernate, TopLink JAVADB Strings 1.

INFORMATION-FLOW ANALYSIS OF ANDROID APPLICATIONS IN DROIDSAFE JARED YOUNG.

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

More Security and Programming Language Work on SmartPhones

Javarifier: inference of reference immutability

Ravi Mangal Mayur Naik Hongseok Yang

Lightweight Verification of Array Indexing

Communicating with Databases

자바 언어를 위한 정적 분석 (Static Analyses for Java) ‘99 한국정보과학회 가을학술발표회 튜토리얼

Recursive Procedures and Scopes

Presentation transcript:

Static Resolution of Implicit Control Flow for Reflection and Message-Passing Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo d’Amorim and Michael D. Ernst

Implicit control flow Indirect method call Design pattern that allows coding flexibility Reflection Message-Passing (Android Intents)

…a.foo(b,c);… Problem: imprecise summaries for static analyses

…a.foo(b,c);… Problem: imprecise summaries for static analyses What does foo do?

…a.foo(b,c);… Problem: imprecise summaries for static analyses What does foo do? Use method summary.

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Problem: imprecise summaries for static analyses What does foo do? Use method summary.

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Problem: imprecise summaries for static analyses What does foo do? Use method summary. What does invoke do?

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Problem: imprecise summaries for static analyses What does foo do? Use method summary. What does invoke do? Anything!

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Sound analysis → Imprecise Problem: imprecise summaries for static analyses What does foo do? What does invoke do? Use method summary. Anything!

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Sound analysis → Imprecise Unsound analysis → Precise but unsafe Problem: imprecise summaries for static analyses What does foo do? What does invoke do? Use method summary. Anything!

…a.foo(b,c);… …myMethod.invoke(a,b,c);… Sound analysis → Imprecise Unsound analysis → Precise but unsafe Goal → Soundness and high precision Problem: imprecise summaries for static analyses What does foo do? What does invoke do? Use method summary. Anything!

Over 1 billion active users Over 1.6 million apps Analyzing apps is important Example: Malware detection –Soundness is crucial Android

Implicit control flow is pervasive in Android F-Droid is a repository of Android apps F-Droid apps –39% use reflection –69% share data through intents Conclusion → Static analysis on Android apps must handle implicit control flow

Resolving implicit control flow Goal → Soundly resolve implicit control flows Observation → Statically resolvable in F-Droid –93% of reflective calls –88% of sent intents Solution → We developed type systems that model implicit control flows Results –Improves the precision by 400x –Soundness is maintained –Low developer effort

Reflection and intents in real apps

Non-interference type system Guarantees that the program does not leak sensitive data Privacy-types: Sensitive-data values Non-sensitive-data String String password = getPassword(); var @Public

Non-interference type system Guarantees that the program does not leak sensitive data Privacy-types: Sensitive-data values Non-sensitive-data String String password = getPassword(); var @Public

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} }

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative annotation

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative

Use of reflection – Aarddict if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… // Library Annotations: class Activity { // In Android SDK ≥ ActionBar getActionBar() {...} } class Method Object invoke(Object obj, Object... args) {...} } Conservative

Intent payloads ComponentA ComponentB Intent

Intent payloads ComponentA ComponentB Intent “name” → “Paulo” “conf” → “ASE” “id” → 198 Map format

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative annotation

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative

class LookupWord extends Activity { void String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = String sentence = i.getStringExtra("sentence"); … }…} // Library Annotations class Intent String getStringExtra(String key) {...} } Use of intent payloads – Aarddict Conservative

Reflection Analysis

Reflection resolution if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }…

Reflection resolution if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… The type of clazz is inferred to represent Activity

Reflection resolution if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… The type of mtd is inferred to represent Activity.getActionBar()

Reflection resolution if (android.os.Build.VERSION.SDK_INT >= 11) { Class clazz = Activity.class; Method mtd = Object actionBar = mtd.invoke(this); … }… *Conceptual replacement Activity.getActionBar()

Reflection type system Refines the Java type system Indicates an exact class Indicates an upper bound of a class

Indicates an exact class Indicates an upper bound of a class Reflection type system Refines the Java type system

Indicates a method Reflection type system Refines the Java type system

Constant value analysis Constant folding Constant propagation Multiple values, not just one Evaluate side-effect-free methods Infer and track length of arrays Implemented as a type system and dataflow analysis

Constant value inference void restrictFileAccess(String path) { String fileUtilsClassName = "android.os.FileUtils"; Class clazz = Class.forName(fileUtilsClassName); Method mtd = clazz.getMethod("setPermissions", String.class, int.class); mtd.invoke(null, path, 0700); }

void restrictFileAccess(String path) { String fileUtilsClassName = "android.os.FileUtils"; Class clazz = Class.forName(fileUtilsClassName); Method mtd = clazz.getMethod("setPermissions", String.class, int.class); mtd.invoke(null, path, 0700); Constant value inference

void restrictFileAccess(String path) { String fileUtilsClassName = "android.os.FileUtils"; Class clazz = Class.forName(fileUtilsClassName); Method mtd = clazz.getMethod("setPermissions", String.class, int.class); mtd.invoke(null, path, 0700); Inference –C.class –Class.forName(arg) –ClassLoader.loadClass(arg) Constant value inference

void restrictFileAccess(String path) { String fileUtilsClassName = "android.os.FileUtils"; Class clazz = Class.forName(fileUtilsClassName); Method mtd = clazz.getMethod("setPermissions", String.class, int.class); mtd.invoke(null, path, 0700); Inference –Class.getMethod(String n, Class pT) –Class.getConstructor(String n, Class pT) Constant value inference

void restrictFileAccess(String path) { String fileUtilsClassName = "android.os.FileUtils"; Class clazz = Class.forName(fileUtilsClassName); Method mtd = clazz.getMethod("setPermissions", String.class, int.class); mtd.invoke(null, path, 0700); } *Conceptual Constant value inference

Reflection resolver Procedure summary is narrowed based on the Reflection type system Program remains unchanged Downstream analysis remains unchanged

Message-passing analysis (Android Intents)

Intent analysis Intents present two challenges to static analyses: –Control flow Component Communication Pattern (CCP) [D. Octeau et al. USENIX ’13] –Data flow analysis Intent type system Intent i = buildIntent(); i.putExtra("key",getPass()); startActivity(i); Intent i = getIntent(); int val = i.getIntExtra("key"); sendToEverybody(val); ComponentA ComponentB

Intent analysis Intents present two challenges to static analyses: –Control flow Component Communication Pattern (CCP) [D. Octeau et al. USENIX ’13] –Data flow analysis Intent type system Intent i = buildIntent(); i.putExtra("key",getPass()); startActivity(i); Intent i = getIntent(); int val = i.getIntExtra("key"); sendToEverybody(val); ComponentA ComponentB Who sent this message? Who receives this message?

Intent analysis Intents present two challenges to static analyses: –Control flow Component Communication Pattern (CCP) [D. Octeau et al. USENIX ’13] –Data flow analysis Intent type system Intent i = buildIntent(); i.putExtra("key",getPass()); startActivity(i); Intent i = getIntent(); int val = i.getIntExtra("key"); sendToEverybody(val); ComponentA ComponentB Who sent this message? Who receives this message?

Intent analysis Intents present two challenges to static analyses: –Control flow Component Communication Pattern (CCP) [D. Octeau et al. USENIX ’13] –Data flow analysis Intent type system Intent i = buildIntent(); i.putExtra("key",getPass()); startActivity(i); Intent i = getIntent(); int val = i.getIntExtra("key"); sendToEverybody(val); ComponentA ComponentB

Intent analysis Intents present two challenges to static analyses: –Control flow Component Communication Pattern (CCP) [D. Octeau et al. USENIX ’13] –Data flow analysis Intent type system Intent i = buildIntent(); i.putExtra("key",getPass()); startActivity(i); Intent i = getIntent(); int val = i.getIntExtra("key"); sendToEverybody(val); ComponentA ComponentB Our contribution

Intent type system Syntax 1 " → t 1,..., "K n " → t n ) Intent i = …; Semantics –(C1): Keys accessed in i must be a subset of T’s keys –(C2): ∀ k ∈ domain(T). i.get*Extra(k) : t [k] Intent i = int e1 = i.getIntExtra("k"); // Legal i.getIntExtra("otherKey"); // Violates int e3 = i.getIntExtra("k"); // @C T

Intent type system Syntax 1 " → t 1,..., "K n " → t n ) Intent i = …; Semantics –(C1): Keys accessed in i must be a subset of T’s keys –(C2): ∀ k ∈ domain(T). i.get*Extra(k) : t [k] Intent i = int e1 = i.getIntExtra("k"); // Legal i.getIntExtra("otherKey"); // Violates int e3 = i.getIntExtra("k"); // @C T

Intent type system inference i:T Calls i.putExtra(key, value) always refine the type of i, except when: –i has aliases or –The declared type of i has key in its domain and T[key] is a subtype of the refined type Intent i = new int secret = …; i.putExtra("akey", secret); // i now has

Revisiting example Aarddict class LookupWord extends Activity { void String sentence) Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); } … } class WordTranslator extends Activity { void onCreate(Bundle Intent i = String sentence = i.getStringExtra("sentence"); … } … }

Evaluation

Research questions 1.How much do our reflection and intent analyses improve the precision of a downstream analysis? 2.What is the annotation overhead for programmers?

Experimental setup 10 F-Droid apps –Each contain uses of reflection and intents –Average complexity → 5.3K LOC Downstream analysis –Information Flow Checker (IFC) Metrics –Recall → 100% –Precision # Real Flows / # Flows Reported –Programmer overhead → Number of annotations

Precision Average precision: 0.24% 53% 100%

Precision Average precision: 0.24% 53% 100% RR by itself never helps, because every app uses intents

Precision Average precision: 0.24% 53% 100% INT and RR are complementary

Precision Average precision: 0.24% 53% 100% RR by itself never helps, because every app uses intents INT and RR are complementary

Annotation overhead 2% extra annotations 10 Android AppsLOCReflection and Intent uses # of annotations IFCREF+INT Total52, ,58398 For REF+INT → One annotation every ~2K LOC

Related work Reflection – sound, but limited: –M. S. Tschantz and M. D. Ernst, OOPSLA’15 – Livshits et al., APLAS ’05 –M. Tatsubori et al., PPL’04 Reflection – unsound: – Y. Li et al., ECOOP’14 – Bodden et al., ICSE’11 Intents – unsound: – L. Li et al., ICSE’15

Conclusion Two sound analyses for implicit control flows –Reflection –Message-Passing High precision for Android apps –Resolved 93% of reflective calls –Resolved 88% of sent intents Can be integrated with any downstream analysis Improved precision by 400x Implementations are available

Paulo Barros -

Uses of reflection in Android apps 35 F-droid apps were evaluated (10+25) –Total of 142 reflective invocations 81% to provide backward compatibility 6% to access non-public/hidden methods 13% are for other cases (duck-typing)

Reflection type inference rules

Intent type system rules Type inference rules

Type inference evaluation Inference used on reflective calls –52% required intra-procedural inference –41% required inter-procedural inference –7% cannot be resolved by any static analysis Inference used on send intent calls –67% required intra-procedural inference –21% required inter-procedural inference –12% required a better aliasing analysis

Annotation burden Annotations are required for two reasons –The downstream analysis is a modular analysis –Express facts that no static analysis can infer The average time to add an annotation was one minute