ESEC/FSE 2017

2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2017), September 4–8, 2017, Paderborn, Germany

Mobile Applications
Research Papers
S1+2, Chair: Lars Grunske
Automatic Generation of Inter-Component Communication Exploits for Android Applications
Abstract: Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10,000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33%-60% more vulnerabilities at a 6.66 to 7 times faster speed.

Time stamp: 2020-09-20T14:05:56+02:00