February 26, 2025
Doctoral Thesis
Title

Improving Static and Dynamic Vulnerability Analysis using Values and Dataflows

Abstract
An increasing amount of sensitive information is processed and stored in computer systems, particularly on mobile phones and cloud-based web services. While modern mobile operating systems such as Android employ techniques to protect the user data on the system level, millions of Android applications have access to this sensitive information, such as photos, chats, e-mails, and calendars. Vulnerabilities in these applications can lead to a data breach or impact the integrity of the data. Due to the massive number of applications available in modern application stores, performing manual security tests on all of them is impractical. While fully automatic vulnerability scanners exist, they are usually prone to false positives, which affects their usability. Furthermore, existing scanners often miss vulnerabilities, particularly when more advanced techniques such as reflective calls and intercomponent communication are involved. In this dissertation, we propose a static and dynamic framework to improve the precision and recall of our vulnerability scanner VUSC, which supports scanning Android and Java web applications. VUSC uses value analyses to resolve reflective and intercomponent communication calls to obtain a more complete call graph. Furthermore, VUSC requires value analyses to find concrete vulnerabilities such as insecure URL protocols (e.g., HTTP), insecure cryptographic algorithms (e.g., MD5), as well as hardcoded cryptographic keys. Therefore, we propose a novel approach called ValDroid to extract precise values statically. In order to compute values, ValDroid performs static program slicing to obtain paths and simulates the statements of these paths using library models. Unlike existing static approaches, it handles loops as separate block entities, ensuring that the semantics of the original loop are preserved. This technique ensures that sliced paths are semantically equivalent to paths in the original program, which leads to more precise results.
We demonstrate that ValDroid performs better than comparable approaches on the JSA value benchmark suite. However, the JSA value benchmark suite lacks some challenges regarding loops and arrays. As such, we propose a value benchmark suite called ValBench. Then, we show that ValDroid performs better on ValBench than its competitors. Furthermore, we demonstrate that ValDroid achieves higher precision and recall than other approaches on our dataset of real-world applications. Finally, we show how ValDroid improves VUSC’s scanning ability on popular Java-based vulnerability benchmark suites and real-world applications.
Thesis Note
Darmstadt, TU, Diss., 2025
Author(s)
Miltenberger, Marc  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Advisor(s)
Waidner, Michael  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Klein, Jacques
DOI
10.26083/tuprints-00028598
Language
English