static resolution of implicit control flow for reflection
play

Static Resolution of Implicit Control Flow for Reflection and - PowerPoint PPT Presentation

Feb 18, 2023 •252 likes •1.05k views

Static Resolution of Implicit Control Flow for Reflection and Message-Passing Paulo Barros , Ren Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo dAmorim and Michael D. Ernst Implicit control flow Indirect method call

  1. Static Resolution of Implicit Control Flow for Reflection and Message-Passing Paulo Barros , René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo d’Amorim and Michael D. Ernst

  2. Implicit control flow •Indirect method call •Design pattern that allows coding flexibility Reflection Message-Passing (Android Intents)

  3. Problem: imprecise summaries for static analyses …a.foo(b,c);…

  4. Problem: imprecise summaries for static analyses …a.foo(b,c);… What does foo do?

  5. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do?

  6. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);…

  7. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);… What does invoke do?

  8. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);… Anything! What does invoke do?

  9. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);… Anything! What does invoke do? • Sound analysis → Imprecise

  10. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);… Anything! What does invoke do? • Sound analysis → Imprecise • Unsound analysis → Precise but unsafe

  11. Problem: imprecise summaries for static analyses …a.foo(b,c);… Use method summary. What does foo do? …myMethod.invoke(a,b,c);… Anything! What does invoke do? • Sound analysis → Imprecise • Unsound analysis → Precise but unsafe • Goal → Soundness and high precision

  12. Android •Over 1 billion active users •Over 1.6 million apps •Analyzing apps is important •Example: Malware detection –Soundness is crucial

  13. Implicit control flow is pervasive in Android •F-Droid is a repository of Android apps •F-Droid apps –39% use reflection –69% share data through intents • Conclusion → Static analysis on Android apps must handle implicit control flow

  14. Resolving implicit control flow • Goal → Soundly resolve implicit control flows • Observation → Statically resolvable in F -Droid –93% of reflective calls –88% of sent intents • Solution → We developed type systems that model implicit control flows • Results –Improves the precision by 400x –Soundness is maintained –Low developer effort

  15. Reflection and intents in real apps

  16. Non-interference type system •Guarantees that the program does not leak sensitive data • Privacy-types: – @Secret: Sensitive-data values – @Public: Non-sensitive-data values @Public String var; @Secret @Secret String password = getPassword(); var = password; @Public ← @Secret @Public

  17. Non-interference type system •Guarantees that the program does not leak sensitive data • Privacy-types: – @Secret: Sensitive-data values – @Public: Non-sensitive-data values @Public String var; @Secret @Secret String password = getPassword(); var = password; @Public ← @Secret @Public

  18. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  19. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  20. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  21. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  22. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  23. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  24. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … }…

  25. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … @Public ← @Secret }…

  26. Use of reflection – Aarddict // Library Annotations: class Activity { // In Android SDK ≥ 11. @Public ActionBar getActionBar() {...} } class Method { @Secret Object invoke(Object obj, Object... args) {...} } Conservative annotation if (android.os.Build.VERSION.SDK_INT >= 11) { Class<?> clazz = Activity.class; Method mtd = clazz.getMethod("getActionBar"); @Public Object actionBar = mtd.invoke(this); … @Public ← @Public }…

  27. Intent payloads ComponentA ComponentB Intent

  28. Intent payloads ComponentA ComponentB Intent “name” → “Paulo” “conf” → “ASE” “id” → 198 Map format

  29. Use of intent payloads – Aarddict class LookupWord extends Activity { void translateWord( @Public String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} // Library Annotations class Intent { @Secret String getStringExtra(String key) {...} } class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = getIntent(); @Public String sentence = i.getStringExtra("sentence"); … }…}

  30. Use of intent payloads – Aarddict class LookupWord extends Activity { void translateWord( @Public String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} // Library Annotations class Intent { @Secret String Conservative getStringExtra(String key) {...} annotation } class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = getIntent(); @Public String sentence = i.getStringExtra("sentence"); … }…}

  31. Use of intent payloads – Aarddict class LookupWord extends Activity { void translateWord( @Public String sentence) { Intent i = new Intent(this, WordTranslator.class); i.putExtra("sentence", sentence); startActivity(i); }…} // Library Annotations class Intent { @Secret String Conservative getStringExtra(String key) {...} annotation } class WordTranslator extends Activity { void onCreate(Bundle savedInstanceState) Intent i = getIntent(); @Public String sentence = i.getStringExtra("sentence"); … }…}

Recommend

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 2 Control Flow The flow of control is the sequence of instruction executions

541 views • 21 slides
CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer

CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer

Reading Companion CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d Static Control Flow 1 2 Control Flow Loops (S5-loop) The flow of control is In Java public class Foo {

514 views • 6 slides
Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science Privacy Old problem (secrecy, confidentiality) : prevent programs from leaking data Untrusted, downloaded code: more important Standard

891 views • 23 slides
JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99) Presented by Daryl Zuniga Overview Information-flow: what and why JFlow: Intro JFlow: How it works JFlow: Characteristics and limitations

810 views • 53 slides
1 Control-Flow Profiles Code Motion Using Control Flow Profiles Commonly gather two types of

1 Control-Flow Profiles Code Motion Using Control Flow Profiles Commonly gather two types of

Profile-Guided Optimizations Motivation for Profiling Recall Limitations of static analysis Instruction scheduling Compilers can analyze possible paths but must behave conservatively List scheduling Frequency information

339 views • 5 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Motivation It may involve Minor changes in the main source Requires static linking We

Motivation It may involve Minor changes in the main source Requires static linking We

1 July 2012 Plugins: Outline 1/61 Outline Workshop on Essential Abstractions in GCC GCC Control Flow and Plugins Motivation GCC Resource Center Plugins in GCC (www.cse.iitb.ac.in/grc) GCC Control Flow Department of Computer

639 views • 24 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d

CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d

Readings for Next 2 Lectures Textbook CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d Static Control Flow 1 2 Control Flow Loops (S5-loop) The flow of control is In Java public class

214 views • 6 slides
The implicit complexity content of Quasi-interpretations G. Bonfante, J-Y Marion and J-Y Moyen

The implicit complexity content of Quasi-interpretations G. Bonfante, J-Y Marion and J-Y Moyen

The implicit complexity content of Quasi-interpretations G. Bonfante, J-Y Marion and J-Y Moyen Ecole des Mines - INPL - Loria Appsem 04/04 p.1/21 Motivations Control program resources: time, memory, stack size. Static analysis

965 views • 42 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides
Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J. Mckernan , J.F .Whidborne , G.Papadakis Cranfield University, U.K. Kings College, London, U.K. Optimal Control of

572 views • 22 slides
Static name control for FreshML Franc ois Pottier Franc ois Pottier Static name control

Static name control for FreshML Franc ois Pottier Franc ois Pottier Static name control

Introduction What do we prove and how? Example: NBE Example: ANF Example: -expansion Future work Appendix 1 Static name control for FreshML Franc ois Pottier Franc ois Pottier Static name control for FreshML Introduction What do

714 views • 48 slides

More recommend