Write a Blog >>
ESEC/FSE 2022
Mon 14 - Fri 18 November 2022 Singapore
Wed 16 Nov 2022 11:45 - 12:00 at SRC LT 50 - Program Analysis II Chair(s): Marsha Chechik

The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant efforts extracting such API protection mapping from the Android API framework, which leverages static code analysis to determine if specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (\emph{i.e.}\xspace, code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we thereby propose to construct the protection mapping involved in the native libraries of the Android framework to present a complete and accurate specification of Android API protection. We develop a prototype system, named \textsc{NatiDroid}, to facilitate the cross-language static analysis and compare its performance with two state-of-the-practice tools, termed \textsc{Axplorer} and \textsc{Arcade}. We evaluate \textsc{NatiDroid} on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from the Google Play. Our \textsc{NatiDroid} can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both \textsc{Axplorer} and \textsc{Arcade}, where approximately 71% apps have at least one false positive in permission over-privilege. We have disclosed all the potential vulnerabilities detected to the stakeholders.

Wed 16 Nov

Displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi change

11:00 - 12:30
Program Analysis IIResearch Papers / Demonstrations / Ideas, Visions and Reflections at SRC LT 50
Chair(s): Marsha Chechik University of Toronto
11:00
15m
Talk
NeuDep: Neural Binary Memory Dependence Analysis
Research Papers
Kexin Pei Columbia University, Dongdong She Columbia University, Michael Wang Massachusetts Institute of Technology, Scott Geng Columbia University, Zhou Xuan Purdue University, Yaniv David Columbia University, Junfeng Yang Columbia University, Suman Jana Columbia University, Baishakhi Ray Columbia University
DOI
11:15
15m
Talk
DynaPyt: A Dynamic Analysis Framework for Python
Research Papers
Aryaz Eghbali University of Stuttgart, Michael Pradel University of Stuttgart
DOI Pre-print
11:30
15m
Talk
Language-Agnostic Dynamic Analysis of Multilingual Code: Promises, Pitfalls, and Prospects
Ideas, Visions and Reflections
Haoran Yang Washington State University, Wen Li Washington State University, Haipeng Cai Washington State University
DOI
11:45
15m
Talk
Cross-Language Android Permission Specification
Research Papers
Chaoran Li Swinburne University of Technology, Xiao Chen Monash University, Ruoxi Sun The University of Adelaide, Minhui (Jason) Xue University of Adelaide, Sheng Wen Swinburne University of Technology, Muhammad Ejaz Ahmed Data61, CSIRO, Seyit Camtepe CSIRO Data61, Yang Xiang Digital Research & Innovation Capability Platform, Swinburne University of Technology
DOI
12:00
15m
Talk
Peahen: Fast and Precise Static Deadlock Detection via Context Reduction
Research Papers
Yuandao Cai Hong Kong University of Science and Technology, Chengfeng Ye Hong Kong University of Science and Technology, Qingkai Shi Purdue University, Charles Zhang Hong Kong University of Science and Technology
DOI
12:15
7m
Talk
FIM: Fault Injection and Mutation for Simulink
Demonstrations
Ezio Bartocci TU Wien, Leonardo Mariani University of Milano-Bicocca, Dejan Nickovic Austrian Institute of Technology, Drishti Yadav Technische Universit├Ąt Wien
12:23
7m
Talk
JSIMutate: Understanding Performance Results through Mutations
Demonstrations
Thomas Laurent Lero & University College Dublin, Paolo Arcaini National Institute of Informatics , Catia Trubiani Gran Sasso Science Institute, Anthony Ventresque University College Dublin & Lero, Ireland
DOI Media Attached