Reducing False Positives in Statically Detecting Mobile App and Platform Level

减少静态检测移动应用程序和平台级别的误报

• 批准号: 549598-2020
• 负责人: Nagappan, Meiyappan
• 金额: $ 10.93万
• 依托单位: University of Waterloo
• 依托单位国家: 加拿大
• 项目类别: Alliance Grants
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=721156
• 关键词: Reducing; False; Positives; Statically; Detecting

Mobile apps on the Android platform are used by billions of people. One requirement is to provide a secure experience for them. One way to ensure security is by analyzing the source code of the apps and the platform they execute on for security issues. Analyzing one without the other can cause issues since both data and control flow back and forth between them. We are going to use a combination of mining software repositories, machine learning, program slicing, frequent itemset mining, and call graph analysis among many different static analysis approaches to narrow down the potential security issues. At the end of the static analysis phase, we will have identified the type of vulnerability and wherein the source code of either the app and/or the platform the vulnerability is present. At this point, we will use model-based testing to see if that line(s) of code can be executed with an appropriate input. With such testing, we will not only be able to reduce the number of false positives, but also provide the developers with an appropriate test case where the vulnerability could be exploited. The final outcome of the project is to provide developers with the tools to make the end-user experience more secure.

Android平台上的移动的应用程序被数十亿人使用。一个要求是为他们提供安全的体验。确保安全性的一种方法是分析应用程序的源代码以及它们执行的平台的安全问题。分析一个而不分析另一个可能会导致问题，因为数据和控制都在它们之间来回流动。我们将结合使用挖掘软件存储库、机器学习、程序切片、频繁项集挖掘和调用图分析等多种不同的静态分析方法来缩小潜在的安全问题。在静态分析阶段结束时，我们将确定漏洞的类型以及存在漏洞的应用程序和/或平台的源代码。在这一点上，我们将使用基于模型的测试来查看代码行是否可以通过适当的输入执行。通过这样的测试，我们不仅能够减少误报的数量，而且还为开发人员提供了一个适当的测试案例，可以利用漏洞。该项目的最终成果是为开发人员提供工具，使最终用户体验更加安全。