Why vulnerability analysis for Android needs to change fundamentally
Abstract: Since the early days of Android, static and dynamic program analysis has been used to identify vulnerabilities in closed-source apps. Many publications have added Android-specific techniques and models, e.g., for Android's inter-component communication and its plugin-style concept of app execution. At the same time, research on basic techniques such as data flow analysis has progressed, e.g., to increase efficiency or reduce false positives. We have been contributing to this research for 10 years with popular tools such as FlowDroid. Experience gained from our own commercial code scanner and the challenges we face, however, bring us back to the fundamentals of how we do program analysis. The properties to check are defined by humans, while the scan engine lacks any understanding of the problem at hand. This leaves us with static analyses that are incomplete, that give results often unaligned with the high-level mental model of security officers, and that are bound by the expertise of their developers. In this talk, we look at early work on really making scanners understand.
Bio: Dr. Steven Arzt is the head of the Secure Software Engineering department at the Fraunhofer Institute for Secure Information Technology and the coordinator of the research area on software security in the National Research Center for Applied Cybersecurity ATHENE in Germany. His research interests cover a broad range of topics in software and system security, including automatic program analysis, risk and threat analysis, and secure architectures. Steven has published more than 40 papers, many in leading security and software engineering conferences such as ICSE, ESEC/FSE, NDSS, ESORICS, and SANER, but also at industrial conferences such as DEF CON, OWASP AppSec, and Hack In The Box. He serves as a reviewer for journals and conferences such as TSE, TOSEM, TOPLAS, IJIS, ESORICS, and MobileSoft. With his team, he conducts security analyses and consulting for renowned companies and the government. Further, Steven is responsible for the VUSC commercial code scanner and the popular FlowDroid open-source data flow tracker.