Reducing False Positives in Statically Detecting Mobile App and Platform Level

减少静态检测移动应用程序和平台级别的误报

• 批准号: 549598-2020
• 负责人: Nagappan, MeiyappanMN
• 金额: $ 10.93万
• 依托单位: University of Waterloo
• 依托单位国家: 加拿大
• 项目类别: Alliance Grants
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=750156
• 关键词: Reducing; False; Positives; Statically; Detecting

Mobile apps on the Android platform are used by billions of people. One requirement is to provide a secure experience for them. One way to ensure security is by analyzing the source code of the apps and the platform they execute on for security issues. Analyzing one without the other can cause issues since both data and control flow back and forth between them. We are going to use a combination of mining software repositories, machine learning, program slicing, frequent itemset mining, and call graph analysis among many different static analysis approaches to narrow down the potential security issues. At the end of the static analysis phase, we will have identified the type of vulnerability and wherein the source code of either the app and/or the platform the vulnerability is present. At this point, we will use model-based testing to see if that line(s) of code can be executed with an appropriate input. With such testing, we will not only be able to reduce the number of false positives, but also provide the developers with an appropriate test case where the vulnerability could be exploited. The final outcome of the project is to provide developers with the tools to make the end-user experience more secure.

Android平台上的移动应用程序被数十亿人使用。一个要求是为它们提供安全的体验。确保安全的一种方法是分析应用程序的源代码及其执行平台的安全问题。分析其中一个而不分析另一个可能会导致问题，因为数据和控制在它们之间来回流动。我们将在许多不同的静态分析方法中结合使用挖掘软件存储库、机器学习、程序切片、频繁项集挖掘和调用图分析来缩小潜在的安全问题。在静态分析阶段结束时，我们将确定漏洞的类型，以及存在漏洞的应用程序和/或平台的源代码。此时，我们将使用基于模型的测试来查看这行代码是否可以用适当的输入执行。有了这样的测试，我们不仅可以减少误报的数量，而且还可以为开发人员提供一个适当的测试用例，在这个用例中可以利用漏洞。该项目的最终结果是为开发人员提供使最终用户体验更加安全的工具。