A recap on our research progress in 2013

Eric | December 20, 2013

2013 was an exciting year for me. It was the first full year I had with my new set of PhD students who I had hired through EC SPRIDE and through my Emmy Noether Research Group RUNSECURE. Also, 2013 was the year in which I started a cooperative professorship with Fraunhofer SIT – an exciting new challenge with the opportunity to bring academic research into industry. Last but not least it is the first year in which we actually managed to place publications at top security venues such as USENIX Security and NDSS. But let me start from the beginning.

The year started great with our paper on Join Point Interfaces getting accepted into TOSEM. This paper (for now) marks the final word on this research topic, which I had been working on with Eric Tanter and Milton Inostroza from the University of Chile for more than two years.

Just a few days later, we got the notification that our paper SPLLIFT: statically analyzing software product lines in minutes instead of years got accepted into PLDI. This is joint work with Társis Tolêdo, Márcio Ribeiro, Claus Brabrand, Paulo Borba and Mira Mezini, of which I am extremely proud. Not only could we show in this paper that one can really speed up the execution of IFDS-based static analyses for product lines by several orders of magnitude in practice, but after further investigation it even seems that our approach lowers the theoretical complexity of the analysis problem from exponential in the number of features to linear. Expect to see a follow-up implementation on this topic.

In March we then received our Google Faculty Research Award, together with the group of Patrick McDaniel (Penn State) and Yves le Traon (University of Luxembourg). The award will allow us to build a map of how Android applications communicate with one another. The project has already led to some much-cited publications. Our USENIX paper is on a static-analysis tool called EPICC, which is able to resolve intent-based inter-component communication in Android in most cases. In other words, the tool will tell you which app(s) a given intent-call site in a given app might call. FlowDroid has gotten at least as much attention. FlowDroid is our static taint-analysis tool for Android. It seems to be the most precise and efficient Android taint-analysis tool out there, and most importantly it is the only one that is actually available as open source. We open-sourced FlowDroid after having learned the hard way that no other research tools were actually available. Since we made FlowDroid available online, it has been used and extended by multiple research groups. The FlowDroid paper, unfortunately, is still waiting to be published. Apparently, PCs at security conferences prefer papers with weak tools but big data over papers with sophisticated tools and a careful evaluation…

One piece of work that we did manage to place at a security conference, though, is SuSi, our new machine-learning approach for inferring sources and sinks for Android taint analyses, a project headed by my PhD students Siegfried Rasthofer and Siegfried Arzt. This approach addresses the fundamental problem that no matter which taint analysis you use, it is going to be only as effective as your source and sink specifications. As we found, for all existing taint analyses these specifications are largely incomplete, and thus all those tools can be bypassed with ease. SuSi determines and even categorizes relevant sources and sinks with 95% accuracy, which solves the problem to a large extent. In practice we use SuSi in combination with FlowDroid. Like FlowDroid, SuSi is open source.

Another project that got a lot of attention is DroidBench, our benchmark suite for testing the effectiveness of taint analyses for Android applications. DroidBench is open source, and as we hoped people have started to extend it and to pick it up for testing their security analysis tools.

Another recent and still unpublished work by my PhD student Andreas Follner is ROPocop, our new approach to defending against buffer-overflow attacks based on return-oriented programming. The approach works on x86 Windows binaries through dynamic binary instrumentation. ROPocop applies a well-tuned heuristic to detect ROP attacks with great accuracy (and no false alarms in our tests).

Also, Kevin Falzon presented a paper on Distributed Finite-State Runtime Monitoring with Aggregated Events at this year’s RV conference. His work is quite exciting in scenarios where one tries to implement distributed runtime monitoring under high loads. Kevin’s work evaluates to what extent one may aggregate events before submitting them to a centralized monitor in order to speed up the overall monitoring process.

Steven Arzt further developed Reviser, an approach for automatically incrementalizing IFDS/IDE-based static analyses. As we could show, using incremental evaluation of program updates, one can often save about 80% of re-computation time. This work is currently under submission.

Last but not least, our Future-Security paper on Reducing human factors in software security architectures investigates several software security architectures including Java, .NET, JavaScript, etc. and to what extent they are prone to human error. This is joint work with Ben Hermann, Johannes Lerch and Mira Mezini. The four of us are also currently working on a static analysis to detect security vulnerabilities in the Java Runtime Library. On this topic we just got awarded an Oracle Collaborative Research Grant. Thanks a lot to Michael Haupt, Cristina Cifuentes and Andrew Gross for supporting this initiative!

So much for 2013, but what is to be expected from 2014? Well, this summer I won an Attract Grant to establish a new research group at Fraunhofer SIT, so my first task will be to staff this group with some highly skilled people – not an easy undertaking in today’s job market. The goal of this group will be to make static analysis really work in practice, and we will go through all it takes to make this happen. We have already been targeting this goal for about a year now, and it has already yielded some very exciting research problems. So stay tuned for more. Until then I wish you all some wonderful Christmas Holidays and a happy and successful 2014!

Cross-posted from SEEBlog


FOAL 2014 – Call for Papers

Eric | December 18, 2013

FOAL: Foundations of Aspect-Oriented Languages

Paper Submission Deadline: Jan 26th, 2014

A one day workshop affiliated with MODULARITY’14 at the University of Lugano (USI), Switzerland on April 22, 2014.

THEMES AND GOALS

FOAL is a forum for research in foundations of aspect-oriented and other advanced separation of concern mechanisms. Areas of interest include but are not limited to:

  • Semantics of advanced separation of concern mechanisms,
  • Specification and verification for languages with such mechanisms
  • Type systems,
  • Static analysis,
  • Theory of testing,
  • Theory of composition,
  • Theory of translation (compilation) and rewriting,
  • Comparison of different advanced modularization and separation of concern mechanisms.

The workshop aims to foster work in foundations, including formal studies, promote the exchange of ideas, and encourage workers in the semantics and formal methods communities to consider advanced separation of concern mechanisms. All theoretical and foundational studies of this topic are welcome. Even though the workshop title contains the term “aspect-oriented”, the workshop is not limited to aspect-oriented programming languages, but welcomes topics on other advanced separation of concern mechanisms such as feature-oriented or context-oriented programming.

The goals of FOAL are to:

  • Make progress on the foundations of aspect-oriented and other advanced separation of concern mechanisms.
  • Exchange ideas about semantics and formal methods for aspect-oriented and other languages with advanced separation of concerns.
  • Foster interest within the programming language theory and types communities in languages with advanced separation of concerns.
  • Foster interest within the formal methods community in aspect-oriented programming and other advanced separation of concern mechanisms, and the problems of reasoning about them.

WORKSHOP FORMAT

The planned workshop format is primarily presentation of papers and group discussion. Talks will come in two categories: regular (25 minutes plus 5 minutes of discussion) and short (7 minutes plus 3 minutes of discussion). The short talks will allow for presentations of topics for which results are not yet available, perhaps for researchers who are seeking feedback on ideas or seek collaborations.

We also plan to ensure sufficient time for discussion of each presentation by limiting the overall number of talks.

SUBMISSIONS

Invitation to the workshop will be based on papers selected by the program committee; those wishing to attend but not having a paper to submit should contact the organizers directly to see if there is sufficient space in the workshop.

FOAL solicits regular and short papers on all areas of formal foundations of advanced separation of concern mechanisms. Submissions will be read by the program committee and designated reviewers. Papers will be selected for regular and short presentation at the workshop based on their length, scientific merit, innovation, readability, and relevance. Papers previously published or already being reviewed by another conference are not eligible. Some papers may not be selected for presentation, and some may be selected for presentation in shorter talks than their paper length would otherwise command. We will limit the length of paper presentations and the number of papers presented to make sure that there is enough time for discussion.

Additional information is available online:
http://www.eecs.ucf.edu/~leavens/FOAL/cfp-2014.shtml

IMPORTANT DATES

  • Paper Submission Deadline 23:00 GMT, 26 January 2014
  • Notification of Acceptance 16 February 2014
  • Final Versions of Papers Due 24 February 2014
  • Workshop 22 April 2014
  • Call last modified Tuesday, November 19, 2013.

We are pleased to have assembled another exceptional program committee for FOAL this year:

  • Eric Bodden (Program Committee Chair)
  • Sven Apel — University of Passau
  • Paulo Borba — Federal University of Pernambuco
  • Somayeh Malakuti — University of Twente
  • Cynthia Disenfeld — Technion
  • Robert Dyer — Iowa State University
  • Marieke Huisman — University of Twente
  • Gary T. Leavens — University of Central Florida
  • Hidehiko Masuhara — Tokyo Institute of Technology
  • Hridesh Rajan — Iowa State University
  • Guido Salvaneschi — TU Darmstadt
  • Éric Tanter — University of Chile
  • Nicolas Tabareau — INRIA

Cross-posted from SEEBlog


FlowDroid in the news

Eric | November 29, 2013

In its current edition, the German magazine for IT professionals, iX, is featuring our Android taint-analysis tool FlowDroid.

Cross-posted from SEEBlog


Protective measures against privacy-unfriendly smartphone apps

Eric | November 15, 2013

(This article is only available in German. It is about the legal aspects of approaches that try to protect the privacy in mobile apps, with respect to German law).

Together with Prof. Dr. Alexander Roßnagel and Dr. Philipp Richter (both at the Faculty of Law of the University of Kassel), we have published an article in DuD (Datenschutz und Datensicherheit) that examines technical options for protecting privacy on mobile devices with respect to their legal aspects.

Abstract:

Technical possibilities and legal admissibility of self-protection of personal data in apps

Privacy Enhancing Technologies that monitor how smartphone apps handle personal data and prevent unwanted transmissions can come into conflict with copyright law. The article examines the technical possibilities of self-protection of personal data and carries out an initial legal assessment.

Update: The article can be downloaded here from our website.

Cross-posted from SEEBlog


Slides for CCS’2013 tutorial

Eric | November 7, 2013

Today I gave my tutorial on instrumenting Android applications at CCS. The tutorial slides are available here. Enjoy!

Cross-posted from SEEBlog


SuSi at NDSS’14

Eric | November 4, 2013

We are happy to announce that an updated version of our paper on SuSi was accepted for publication at NDSS’14! We hope to see you all there.

Cross-posted from SEEBlog


FlowDroid Now Supports Implicit Flows

Eric | October 1, 2013

FlowDroid is our taint-analysis tool to automatically scan Android applications for privacy-sensitive data leaks. While we have already shown FlowDroid to be highly precise and effective for explicit data flows through assignments and method calls, the tool now also supports the detection of leaks through control-flow dependencies. This protects against malware trying to disguise data flows through conditionals. If an app, for instance, does not directly send out the number 123 but sends the word “hello” 123 times, the attacker gains the same information as if the app had sent the value directly. The new version of FlowDroid derives that the “hello” message depends on the secret numeric value and therefore treats it as a leak as well, even though the data being sent does not directly contain any sensitive characters. To use this support for implicit flows, check out the develop branch on GitHub.

Cross-posted from SEEBlog


JavaScript in Android Apps – An Attack Vector

Eric | September 16, 2013

One week ago, Trustlook published a blog post about the addJavascriptInterface code execution vulnerability in Android’s WebView. Following up on that post, we describe the attack in detail and also show the changes Android made in the OS in order to mitigate this JavaScript attack.

Using WebViews in Android apps is a widely-used approach because it allows OS-independent development of apps. If an app is developed in the form of a web GUI, it can easily be integrated into any OS-specific app, e.g., on Android, iOS or Blackberry. For instance, Chin et al. [1] analyzed 864 different Android apps in their research, of which 608 (70%) contained WebViews. This shows that the integration of WebViews is common in Android apps.

Last week, Trustlook published a blog post about a WebView vulnerability in Android that allows an attacker to execute arbitrary code in an application (e.g., install a new application on the device) just via a drive-by attack. In this post we want to describe the attack in detail and explain Google’s mitigation against it.

The general idea of this attack is described with the following picture:

[Figure: attack overview]

  1. A benign application creates a WebView for displaying web pages.
  2. These web pages are also allowed to contain JavaScript. Therefore the WebView enables the execution of JavaScript.
  3. addJavascriptInterface(): By calling this Android API method, an object (in this case: JsInvokeClass) gets injected into the JavaScript context. This allows the Java object’s methods to be accessed from JavaScript. The second argument of that method (“Attack”) is the name under which the object is exposed in JavaScript.
  4. In our example, we directly load HTML code via the loadUrl() method. The URL is hard-coded here, but there are other use cases (e.g., a browser) where the string is entered by the user. The HTML code contains some JavaScript, which is shown in the “JavaScript” box.
  5. After step 4, the user accesses the web page and the JavaScript gets executed. The JavaScript method execute() accesses the getClass() method of JsInvokeClass (Attack.getClass()). Since JsInvokeClass extends Object, getClass() can be called via the supplied name “Attack”. After that, reflection is used to call any Java method, in this case getRuntime(), in order to execute any command (args). The command in the example writes the text “THIS_IS_JUST_A_TEXT” into output.txt on the SD card. Trustlook described a different attack where an app is built via string concatenation of the app’s binary code, which is written into a new file (apk) and installed afterwards. If the mobile device is in debug mode, the installation of that new app happens in the background without the user noticing. Quite sexy!

What are the countermeasures, and how can a developer mitigate this attack? Google is aware of this problem (see the API description), which is why they introduced the Java annotation @JavascriptInterface in Android 4.2. All applications declaring targetSdkVersion >= 17 in the AndroidManifest.xml file that need interaction between JavaScript and Java have to explicitly annotate those methods that may be accessed from JavaScript. In our case this means annotating the returnHelloWorld() method in order to call it via JavaScript:

    @JavascriptInterface   // android.webkit.JavascriptInterface: only annotated methods are reachable from JS
    public String returnHelloWorld() {
        return "Hello World";
    }

All other methods cannot be accessed. This is also the reason why our example no longer works, since the getClass() method is not annotated.

We recommend that developers declare the targetSdkVersion of their application as 17 or higher if interaction between JavaScript and Java is necessary in an app. For older versions, avoid remote injection possibilities by not loading JavaScript from remote sources. Store the JavaScript locally in the application, or simply avoid declaring such interfaces that let JavaScript call Android API code.
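A WebView bridge hardened along the lines of the recommendations above, as an added example that is not code from the original post or from Trustlook; the class names SafeWebViewActivity and JsBridge, the method deleteUserData() and the asset path are assumptions made for illustration:

```java
// Added example (not from the original post). Names below are assumptions for illustration.
import android.app.Activity;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class SafeWebViewActivity extends Activity {

    /** The object exposed to JavaScript. Once the app targets API level 17 or higher,
     *  only methods carrying @JavascriptInterface are callable from JS. */
    public static class JsBridge {
        @JavascriptInterface
        public String returnHelloWorld() {
            return "Hello World";
        }

        // Deliberately NOT annotated: with targetSdkVersion >= 17 JavaScript cannot reach it.
        // The inherited getClass() is not annotated either, so the reflection route described
        // above is closed for the same reason.
        public void deleteUserData() { /* app-internal only (assumed helper) */ }
    }

    /** True only when the platform enforces the annotation: the device runs Android 4.2
     *  (API 17) or newer AND the app declares targetSdkVersion >= 17 in its manifest. */
    static boolean annotationEnforced(ApplicationInfo ai) {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1
            && ai.targetSdkVersion >= Build.VERSION_CODES.JELLY_BEAN_MR1;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);

        if (annotationEnforced(getApplicationInfo())) {
            // Safe: only returnHelloWorld() is visible to JavaScript.
            webView.addJavascriptInterface(new JsBridge(), "bridge");
        } else {
            // Older platform or old targetSdkVersion: every public method, getClass()
            // included, would be exposed, so the bridge is not installed at all.
        }

        // Load the page (and its JavaScript) from the APK's own assets rather than from a
        // remote URL, so script injected on the network never reaches this WebView.
        webView.loadUrl("file:///android_asset/page.html");  // assumed asset path
        setContentView(webView);
    }
}
```

The manifest side of this is the `<uses-sdk android:targetSdkVersion="17" />` declaration; without it, the annotation alone has no effect on devices that still honour the old behaviour.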


Stephan Huber and Siegfried Rasthofer

[1] Erika Chin and David Wagner. “Bifocals: Analyzing WebView Vulnerabilities in Android Applications.”

Cross-posted from SEEBlog


New paper on automatically updating analysis results

Eric | September 16, 2013

Today Steven Arzt and Eric Bodden are releasing a Technical Report on Reviser, our novel tool for automatically and efficiently updating IDE-based data-flow analyses in response to incremental program changes. I think the title pretty much speaks for itself. Reviser is available as an open-source extension to Heros. Enjoy!

Cross-posted from SEEBlog
