Automatic generation of inter-component communication exploits for android applications

Joshua Garcia; Mahmoud Hammad; Negar Ghorbani; Sam Malek

doi:10.1145/3106237.3106286

Automatic generation of inter-component communication exploits for android applications

Joshua Garcia
, Mahmoud Hammad
, Negar Ghorbani
, Sam Malek

University of California

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

36 Scopus citations

Abstract

Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10, 000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33%-60% more vulnerabilities at a 6.66 to 7 times faster speed.

Original language	English
Title of host publication	ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
Editors	Andrea Zisman, Eric Bodden, Wilhelm Schafer, Arie van Deursen
Publisher	Association for Computing Machinery
Pages	661-671
Number of pages	11
ISBN (Electronic)	9781450351058
DOIs	https://doi.org/10.1145/3106237.3106286
State	Published - 21 Aug 2017
Externally published	Yes
Event	11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017 - Paderborn, Germany Duration: 4 Sep 2017 → 8 Sep 2017

Publication series

Name	Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering
Volume	Part F130154

Conference

Conference	11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017
Country/Territory	Germany
City	Paderborn
Period	4/09/17 → 8/09/17

Keywords

Android
Exploit
Test generation
Test oracle
Vulnerability

Access to Document

10.1145/3106237.3106286

Cite this

Garcia, J., Hammad, M., Ghorbani, N., & Malek, S. (2017). Automatic generation of inter-component communication exploits for android applications. In A. Zisman, E. Bodden, W. Schafer, & A. van Deursen (Eds.), ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (pp. 661-671). (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering; Vol. Part F130154). Association for Computing Machinery. https://doi.org/10.1145/3106237.3106286

Garcia, Joshua ; Hammad, Mahmoud ; Ghorbani, Negar et al. / Automatic generation of inter-component communication exploits for android applications. ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. editor / Andrea Zisman ; Eric Bodden ; Wilhelm Schafer ; Arie van Deursen. Association for Computing Machinery, 2017. pp. 661-671 (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering).

@inproceedings{5bf7063a84a949209c858c1d31a80fe9,

title = "Automatic generation of inter-component communication exploits for android applications",

abstract = "Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10, 000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33\%-60\% more vulnerabilities at a 6.66 to 7 times faster speed.",

keywords = "Android, Exploit, Test generation, Test oracle, Vulnerability",

author = "Joshua Garcia and Mahmoud Hammad and Negar Ghorbani and Sam Malek",

note = "Publisher Copyright: {\textcopyright} 2017 Association for Computing Machinery.; 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017 ; Conference date: 04-09-2017 Through 08-09-2017",

year = "2017",

month = aug,

day = "21",

doi = "10.1145/3106237.3106286",

language = "English",

series = "Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering",

publisher = "Association for Computing Machinery",

pages = "661--671",

editor = "Andrea Zisman and Eric Bodden and Wilhelm Schafer and \{van Deursen\}, Arie",

booktitle = "ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering",

address = "United States",

}

Garcia, J, Hammad, M, Ghorbani, N & Malek, S 2017, Automatic generation of inter-component communication exploits for android applications. in A Zisman, E Bodden, W Schafer & A van Deursen (eds), ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering, vol. Part F130154, Association for Computing Machinery, pp. 661-671, 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017, Paderborn, Germany, 4/09/17. https://doi.org/10.1145/3106237.3106286

Automatic generation of inter-component communication exploits for android applications. / Garcia, Joshua; Hammad, Mahmoud; Ghorbani, Negar et al.
ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ed. / Andrea Zisman; Eric Bodden; Wilhelm Schafer; Arie van Deursen. Association for Computing Machinery, 2017. p. 661-671 (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering; Vol. Part F130154).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automatic generation of inter-component communication exploits for android applications

AU - Garcia, Joshua

AU - Hammad, Mahmoud

AU - Ghorbani, Negar

AU - Malek, Sam

PY - 2017/8/21

Y1 - 2017/8/21

N2 - Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10, 000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33%-60% more vulnerabilities at a 6.66 to 7 times faster speed.

AB - Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10, 000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33%-60% more vulnerabilities at a 6.66 to 7 times faster speed.

KW - Android

KW - Exploit

KW - Test generation

KW - Test oracle

KW - Vulnerability

UR - https://www.scopus.com/pages/publications/85030777770

U2 - 10.1145/3106237.3106286

DO - 10.1145/3106237.3106286

M3 - Conference contribution

AN - SCOPUS:85030777770

T3 - Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering

SP - 661

EP - 671

BT - ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

A2 - Zisman, Andrea

A2 - Bodden, Eric

A2 - Schafer, Wilhelm

A2 - van Deursen, Arie

PB - Association for Computing Machinery

T2 - 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017

Y2 - 4 September 2017 through 8 September 2017

ER -

Garcia J, Hammad M, Ghorbani N, Malek S. Automatic generation of inter-component communication exploits for android applications. In Zisman A, Bodden E, Schafer W, van Deursen A, editors, ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Association for Computing Machinery. 2017. p. 661-671. (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering). doi: 10.1145/3106237.3106286

Automatic generation of inter-component communication exploits for android applications

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this