Filters








201 Hits in 5.2 sec

Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation [article]

Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, Denys Poshyvanyk
2018 arXiv   pre-print
This paper proposes the Mutation-based soundness evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix, flaws, by leveraging the well-founded  ...  As the result of an in-depth analysis of one of the major tools, we discover 13 undocumented flaws. More importantly, we discover that all 13 flaws propagate to tools that inherit the flawed tool.  ...  We thank the FlowDroid developers, as well as the developers of the other tools we evaluate in this paper, for making their tools available to the community, providing us with the necessary information  ... 
arXiv:1806.09761v2 fatcat:2qfojo6c7veavmrgwliulbui5i

Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques

Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, Denys Poshyvanyk
2021 ACM Transactions on Privacy and Security  
This article describes the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded  ...  In a study conducted previously, we used μSE to discover 13 previously undocumented flaws in FlowDroid, one of the most prominent data leak detectors for Android apps.  ...  ACKNOWLEDGMENTS We thank the developers of the evaluated tools for making their tools available to the community, and for being open to suggestions.  ... 
doi:10.1145/3439802 fatcat:jij564rmn5akhdpqdk5pzdempi

Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques [article]

Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, Adwait Nadkarni
2021 arXiv   pre-print
Hence, several academic and commercial static analysis tools have been developed for detecting and mitigating crypto-API misuse.  ...  Using MASC, we evaluate nine major crypto-detectors and discover 19 unique, undocumented flaws that severely impact the ability of crypto-detectors to discover misuses in practice.  ...  ACKNOWLEDGMENT We thank the developers of the evaluated tools for making their tools available to the community, and for being open to discussion, suggestions, and improvements.  ... 
arXiv:2107.07065v4 fatcat:dae4vcxftjhftpiafpuur7vr4a

Penetration frameworks and development issues in secure mobile application development: A Systematic Literature Review

Ikram ul Haq, Tamim Ahmed Khan
2021 IEEE Access  
Analysis for discovering vulnerable behavior and flaws in SUT (5) Exploitation for establishing unauthorized access (6) Post Exploitation for covering the tracks (7) Reporting for the customer with suggestions  ...  Security flaws emerge from time to time in various android versions such as Fakeid, mRST and Hijacking etc. developers often do not have knowledge of such security flaws which result in a vulnerable application  ... 
doi:10.1109/access.2021.3088229 fatcat:w44fgk2rlrc3lir7iiitbejune

Towards a Principled Approach for Dynamic Analysis of Android's Middleware [article]

Oliver Schranz, Sebastian Weisgerber, Erik Derr, Michael Backes, Sven Bugiel
2021 arXiv   pre-print
While static analysis builds on established tools, dynamic testing approaches lack a common foundation, which prevents the community from comparing, reproducing, or even re-using existing results from  ...  The Android middleware, in particular the so-called systemserver, is a crucial and central component to Android's security and robustness.  ...  Given its central role in the Android software stack, the increasing amount of discovered problems emphasizes the need for thorough testing of the systemserver's robustness and security.  ... 
arXiv:2110.05619v1 fatcat:lcjhtpglzfcfhdp37entdnmrca

A systematic literature review of software vulnerability detection

2022 European journal of computer science and information technology  
Using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) flowchart, a total of 55 studies published in the selected journals and conference proceeding of IEEE and ACM from  ...  The selected articles were grouped into 7 categories across various vulnerability detection evaluation criteria such as neural network – 5 papers, machine learning – 11 papers, static and dynamic analysis  ...  Chernis and Verma (2018) used static analysis to trap significant percentage of flaws from functions in C source code.  ... 
doi:10.37745/ejcsit/vol10.no1.pp23-37 fatcat:acnfjmfturfotebqftksvmxuqm

A Mutation Framework for Evaluating Security Analysis tools in IoT Applications [article]

Manar H. Alalfi, Sajeda Parveen, Bara Nazzal
2021 arXiv   pre-print
To ensure information security, we require better security analysis tools for IoT applications.  ...  With the growing and widespread use of Internet of Things (IoT) in our daily life, its security is becoming more crucial.  ...  [41] presented the Mutation-based soundness evaluation (µSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws and that by leveraging the well-founded  ... 
arXiv:2110.05562v1 fatcat:g7epw34mvjb25dasqhzbk4chve

ThreadSafe: Static Analysis for Java Concurrency

Robert Atkey, Donald Sannella
2015 Electronic Communications of the EASST  
ThreadSafe is a commercial static analysis tool that focuses on detection of Java concurrency defects.  ...  ThreadSafe's bug-finding capabilities and its look and feel are presented through examples of bugs found in the codebases of two widely-used open source projects.  ...  We provide a comparison below between THREADSAFE and the non-commercial FindBugs tool [Fin15], the most widely-used static analysis tool for Java.  ... 
doi:10.14279/tuj.eceasst.72.1025 dblp:journals/eceasst/AtkeyS15 fatcat:azvpqwcagzbyjgzefll76yvqwi

Research on Third-Party Libraries in AndroidApps: A Taxonomy and Systematic LiteratureReview [article]

Xian Zhan, Tianming Liu, Lingling Fan, Li Li, Sen Chen, Xiapu Luo, Yang Liu
2021 arXiv   pre-print
Although there are already many studies for characterizing third-party libraries, including automated detection, security and privacy analysis of TPLs, TPL attributes analysis, etc., what strikes us odd  ...  Third-party libraries (TPLs) have been widely used in mobile apps, which play an essential part in the entire Android ecosystem. However, TPL is a double-edged sword.  ...  Static analysis can help us understand some TPL structure and code features, which is usually used in TPL identification and security analysis.  ... 
arXiv:2108.03787v1 fatcat:jnj4kvlkuzg3hbgy4pl5wpvle4

Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

Luke Deshotels, Costin Carabas, Jordan Beichler, Razvan Deaconescu, William Enck
2020 2020 IEEE Symposium on Security and Privacy (SP)  
In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis.  ...  Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes.  ...  ACKNOWLEDGMENTS We thank David Wu and Iulia Mandȃ for their assistance.  ... 
doi:10.1109/sp40000.2020.00023 dblp:conf/sp/DeshotelsCBDE20 fatcat:d5ktavl3cnhxlfwavvrcs5xury

Mystique

Guozhu Meng, Yinxing Xue, Chandramohan Mahinthan, Annamalai Narayanan, Yang Liu, Jie Zhang, Tieming Chen
2016 Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security - ASIA CCS '16  
In this paper, we first propose a meta model for Android malware to capture the common attack features and evasion features in the malware.  ...  Thus, it is desired to conduct a systematic investigation and evaluation of anti-malware solutions and tools based on different attacks and evasion techniques.  ...  However, static analysis in ICCTA still has some flaws. It cannot track the data flow across persistent storage, such as file, SQLite or shared preferences.  ... 
doi:10.1145/2897845.2897856 dblp:conf/ccs/MengXCN0ZC16 fatcat:ssubdviipffe3k5lc7ue2evzu4

Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device

Dong Wang, Xiaosong Zhang, Jiang Ming, Ting Chen, Chao Wang, Weina Niu
2018 Wireless Communications and Mobile Computing  
We present in this paper an attack on Short Message Service (SMS for short) authentication code which aims at gaining the control of IoT devices without firmware analysis.  ...  In our research, we have implemented a prototype tool, called SACIntruder, to enable performing such brute-force attack test on IoT devices automatically.  ...  While prior works on IoT focused on cryptographic protocols analysis [4] [5] [6] , limited work has studied on security vulnerabilities of implementation.  ... 
doi:10.1155/2018/7849065 fatcat:rbr4x46oqngajo2vmsdx7sgtfy

The rise of obfuscated Android malware and impacts on detection methods

Wael F. Elsersy, Ali Feizollah, Nor Badrul Anuar
2022 PeerJ Computer Science  
The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques.  ...  This study reviews the state-of-the-art evasion tools and techniques.  ...  We are aiming to discover the gap in this area of research. We also review the different evasion test benches and tools that researchers and commercial enterprises use to secure their codes.  ... 
doi:10.7717/peerj-cs.907 pmid:35494876 pmcid:PMC9044361 fatcat:cpbfkiw4bvd3rjx7a3f7ckictu

When Program Analysis Meets Bytecode Search: Targeted and Efficient Inter-procedural Analysis of Modern Android Apps in BackDroid [article]

Daoyuan Wu and Debin Gao and Robert H. Deng and Rocky K. C. Chang
2020 arXiv   pre-print
Widely-used Android static program analysis tools, e.g., Amandroid and FlowDroid, perform the whole-app inter-procedural analysis that is comprehensive but fundamentally difficult to handle modern (large  ...  Such search-based inter-procedural analysis, however, is challenging due to Java polymorphism, callbacks, asynchronous flows, static initializers, and inter-component communication in Android apps.  ...  Specifically, it used systematic mutation to discover flaws, e.g., missing callbacks and incorrect modeling of asynchronous methods, in all of those four tools. In our evaluation of Amandroid in Sec.  ... 
arXiv:2005.11527v1 fatcat:xd2ytszspvdu7nrwpdikw4ng3q

Software Vulnerability Classification based on Machine Learning Algorithm

Markad Ashok Vitthalrao
2020 International Journal of Advanced Trends in Computer Science and Engineering  
For instance, combine static and dynamic XSS detection analysis with Security flaws of SQL injection in PHP applications.  ...  The inability to control external defects can, therefore, expose a flaw within the system Mutation Based Analysis Acquisition of appropriate tests, as mentioned before Data is a subject for complex analysis  ... 
doi:10.30534/ijatcse/2020/358942020 fatcat:w754fnqulngznci5qyqfgwhzh4
« Previous Showing results 1 — 15 out of 201 results