Detecting information flow by mutating input data

Bjorn Mathis; Vitalii Avdiienko; Ezekiel O. Soremekun; Marcel Böhme; Andreas Zeller

doi:10.1109/ASE.2017.8115639

Detecting information flow by mutating input data

Bjorn Mathis, Vitalii Avdiienko, Ezekiel O. Soremekun, Marcel Böhme, Andreas Zeller

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

28 Citations (Scopus)

Abstract

Analyzing information flow is central in assessing the security of applications. However, static and dynamic analyses of information flow are easily challenged by non-available or obscure code. We present a lightweight mutation-based analysis that systematically mutates dynamic values returned by sensitive sources to assess whether the mutation changes the values passed to sensitive sinks. If so, we found a flow between source and sink. In contrast to existing techniques, mutation-based flow analysis does not attempt to identify the specific path of the flow and is thus resilient to obfuscation. In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools. Compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy; on 20 tested real-world apps, it is able to detect 75 flows that FlowDroid misses.

Original language	English
Title of host publication	Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
Editors	Grigore Rosu, Massimiliano Di Penta, Tien N. Nguyen
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	263-273
Number of pages	11
ISBN (Electronic)	9781538626849
ISBN (Print)	9781538639764
DOIs	https://doi.org/10.1109/ASE.2017.8115639
Publication status	Published - 2017
Externally published	Yes
Event	Automated Software Engineering Conference 2017 - Urbana-Champaign, United States of America Duration: 30 Oct 2017 → 3 Nov 2017 Conference number: 32nd http://ase-conferences.org/ase/past/ase2017/ (Automated Software Engineering (ANSE 2017) ) https://dl.acm.org/doi/proceedings/10.5555/3155562 (Proceedings)

Conference

Conference	Automated Software Engineering Conference 2017
Abbreviated title	ASE 2017
Country/Territory	United States of America
City	Urbana-Champaign
Period	30/10/17 → 3/11/17
Internet address	http://ase-conferences.org/ase/past/ase2017/ (Automated Software Engineering (ANSE 2017) ) https://dl.acm.org/doi/proceedings/10.5555/3155562 (Proceedings)

Access to Document

10.1109/ASE.2017.8115639

Cite this

Mathis, B., Avdiienko, V., Soremekun, E. O., Böhme, M., & Zeller, A. (2017). Detecting information flow by mutating input data. In G. Rosu, M. Di Penta, & T. N. Nguyen (Eds.), Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (pp. 263-273). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ASE.2017.8115639

Mathis, Bjorn ; Avdiienko, Vitalii ; Soremekun, Ezekiel O. et al. / Detecting information flow by mutating input data. Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. editor / Grigore Rosu ; Massimiliano Di Penta ; Tien N. Nguyen. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2017. pp. 263-273

@inproceedings{ad97b5fa02704c8d8b7e724ecedc1259,

title = "Detecting information flow by mutating input data",

abstract = "Analyzing information flow is central in assessing the security of applications. However, static and dynamic analyses of information flow are easily challenged by non-available or obscure code. We present a lightweight mutation-based analysis that systematically mutates dynamic values returned by sensitive sources to assess whether the mutation changes the values passed to sensitive sinks. If so, we found a flow between source and sink. In contrast to existing techniques, mutation-based flow analysis does not attempt to identify the specific path of the flow and is thus resilient to obfuscation. In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools. Compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy; on 20 tested real-world apps, it is able to detect 75 flows that FlowDroid misses.",

author = "Bjorn Mathis and Vitalii Avdiienko and Soremekun, {Ezekiel O.} and Marcel B{\"o}hme and Andreas Zeller",

year = "2017",

doi = "10.1109/ASE.2017.8115639",

language = "English",

isbn = "9781538639764",

pages = "263--273",

editor = "Rosu, {Grigore } and {Di Penta}, {Massimiliano } and {N. Nguyen}, {Tien }",

booktitle = "Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "Automated Software Engineering Conference 2017, ASE 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

url = "http://ase-conferences.org/ase/past/ase2017/, https://dl.acm.org/doi/proceedings/10.5555/3155562",

}

Mathis, B, Avdiienko, V, Soremekun, EO, Böhme, M & Zeller, A 2017, Detecting information flow by mutating input data. in G Rosu, M Di Penta & T N. Nguyen (eds), Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 263-273, Automated Software Engineering Conference 2017, Urbana-Champaign, Illinois, United States of America, 30/10/17. https://doi.org/10.1109/ASE.2017.8115639

Detecting information flow by mutating input data. / Mathis, Bjorn; Avdiienko, Vitalii; Soremekun, Ezekiel O. et al.
Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. ed. / Grigore Rosu; Massimiliano Di Penta; Tien N. Nguyen. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2017. p. 263-273.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Detecting information flow by mutating input data

AU - Mathis, Bjorn

AU - Avdiienko, Vitalii

AU - Soremekun, Ezekiel O.

AU - Böhme, Marcel

AU - Zeller, Andreas

N1 - Conference code: 32nd

PY - 2017

Y1 - 2017

N2 - Analyzing information flow is central in assessing the security of applications. However, static and dynamic analyses of information flow are easily challenged by non-available or obscure code. We present a lightweight mutation-based analysis that systematically mutates dynamic values returned by sensitive sources to assess whether the mutation changes the values passed to sensitive sinks. If so, we found a flow between source and sink. In contrast to existing techniques, mutation-based flow analysis does not attempt to identify the specific path of the flow and is thus resilient to obfuscation. In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools. Compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy; on 20 tested real-world apps, it is able to detect 75 flows that FlowDroid misses.

AB - Analyzing information flow is central in assessing the security of applications. However, static and dynamic analyses of information flow are easily challenged by non-available or obscure code. We present a lightweight mutation-based analysis that systematically mutates dynamic values returned by sensitive sources to assess whether the mutation changes the values passed to sensitive sinks. If so, we found a flow between source and sink. In contrast to existing techniques, mutation-based flow analysis does not attempt to identify the specific path of the flow and is thus resilient to obfuscation. In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools. Compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy; on 20 tested real-world apps, it is able to detect 75 flows that FlowDroid misses.

UR - http://www.scopus.com/inward/record.url?scp=85041438664&partnerID=8YFLogxK

U2 - 10.1109/ASE.2017.8115639

DO - 10.1109/ASE.2017.8115639

M3 - Conference Paper

AN - SCOPUS:85041438664

SN - 9781538639764

SP - 263

EP - 273

BT - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering

A2 - Rosu, Grigore

A2 - Di Penta, Massimiliano

A2 - N. Nguyen, Tien

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - Automated Software Engineering Conference 2017

Y2 - 30 October 2017 through 3 November 2017

ER -

Detecting information flow by mutating input data

Abstract

Conference

Access to Document

Other files and links

Cite this