Detecting information flow by mutating input data

Bjorn Mathis, Vitalii Avdiienko, Ezekiel O. Soremekun, Marcel Böhme, Andreas Zeller

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

8 Citations (Scopus)


Analyzing information flow is central in assessing the security of applications. However, static and dynamic analyses of information flow are easily challenged by non-available or obscure code. We present a lightweight mutation-based analysis that systematically mutates dynamic values returned by sensitive sources to assess whether the mutation changes the values passed to sensitive sinks. If so, we found a flow between source and sink. In contrast to existing techniques, mutation-based flow analysis does not attempt to identify the specific path of the flow and is thus resilient to obfuscation. In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools. Compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy; on 20 tested real-world apps, it is able to detect 75 flows that FlowDroid misses.

Original languageEnglish
Title of host publicationProceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
EditorsGrigore Rosu, Massimiliano Di Penta, Tien N. Nguyen
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Number of pages11
ISBN (Electronic)9781538626849
ISBN (Print)9781538639764
Publication statusPublished - 2017
Externally publishedYes
EventAutomated Software Engineering Conference 2017 - Urbana-Champaign, United States of America
Duration: 30 Oct 20173 Nov 2017
Conference number: 32nd (Automated Software Engineering (ANSE 2017) ) (Proceedings)


ConferenceAutomated Software Engineering Conference 2017
Abbreviated titleASE 2017
CountryUnited States of America
Internet address

Cite this