Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
Modeling Concurrent Behaviors as Words Kapitel lesen Erstes Kapitel lesen

2019 | OriginalPaper | Buchkapitel

Static Detection of Event-Driven Races in HTML5-Based Mobile Apps

verfasst von : Phi Tuong Lau

Erschienen in: Verification and Evaluation of Computer and Communication Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

HTML5-based mobile apps are developed using standard web technologies such as HTML5, CSS, JavaScript, so they may also face with event-based races as web apps. The races in such mobile apps can be caused by various sources of asynchronous events, especially, middlware framework events. For example, PhoneGap framework supports the lifecycle events for signaling states of an app like Android’s lifecycle and the resource access events for interacting with the platform resources such as contact, SMS, etc. When those events fire, it may generate nondeterministic execution orders of corresponding event handlers. Those nondeterminisms may raise data races among them.
In this paper, we introduce event-based races in HTML5-based mobile apps. Moreover, we propose a semi-automated approach combining static data flow analysis with manual code inspection for race detection. To evaluate it, we ran our proposed approach on a dataset of 1,926 HTML5-based mobile apps for detecting event-based races. Eventually, it scanned out totally 18 vulnerable apps. We manually inspected such vulnerable apps and discovered out 21 true races.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Non-Standard Zeno-Free Simulation Semantics for Hybrid Dynamical Systems
Nächstes Kapitel Analysing Security Protocols Using Scenario Based Simulation
Literatur
1.
Hong, S, Park, Y., Kim, M.: Detecting concurrency errors in client-side JavaScript web applications. In: Proceedings of Software Testing, Verification and Validation (ICST), pp. 61–70 (2014)
2.
Adamsen, C.Q., Møller, A., Karim, R., Sridharan, M., Tip, F., Sen, K.: Repairing event race errors by controlling nondeterminism. In: Proceedings of the 39th International Conference on Software Engineering (ICSE), pp. 289–299 (2017)
3.
Adamsen, C.Q., Møller, A., Alimadadi, S., Tip, F.: Practical AJAX race detection for JavaScript web applications. In: Proceedings of the 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), pp. 38–48 (2018)
4.
Adamsen, C.Q., Møller, A., Tip, F.: Practical initialization race detection for JavaScript web applications (OOPLAS). In: Proceedings of the ACM on Programming Languages, p. 66 (2017)CrossRef
5.
Adamsen, C.Q., Møller, A., Raychev, V., Dimitrov, D., Vechev, M.: Stateless model checking of event-driven applications. In: ACM SIGPLAN Notices, vol. 50, no. 10, pp. 57–73 (2015)
6.
Madsen, M., Tip, F., Lhoták, O.: Static analysis of event-driven Node.js JavaScript applications. In: ACM SIGPLAN Notices, vol. 50, no. 10, pp. 505–519 (2015)CrossRef
7.
Wang, J., et al.: A comprehensive study on real world concurrency bugs in Node.js. In: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 520–531 (2017)
8.
Raychev, V., Vechev, M., Sridharan, M.: Effective race detection for event-driven programs. In: ACM SIGPLAN Notices, vol. 48, no. 10, pp. 151–166 (2013)CrossRef
9.
Zhang, L, Wang, C.: RClassify: classifying race conditions in web applications via deterministic replay. In: Proceedings of the 39th International Conference on Software Engineering (ICSE), pp. 278–288 (2017)
10.
Alimadadi, S., Sequeira, S., Mesbah, A., Pattabiraman, K.: Understanding JavaScript event-based interactions. In: Proceedings of the 36th International Conference on Software Engineering (ICSE), pp. 367–377 (2014)
11.
Alimadadi, S, Mesbah, A., Pattabiraman, K.: Understanding asynchronous interactions in full-stack JavaScript. In: Proceedings of the 38th International Conference on Software Engineering (ICSE), pp. 1169–1180 (2016)
12.
Alimadadi, S., Zhong, D., Madsen, M., Tip, F.: Finding broken promises in asynchronous JavaScript programs. In: Proceedings of the ACM on Programming Languages (OOPSLA) (2018)
13.
Patra, J., Dixit, P.N., Pradel, M.: ConflictJS: finding and understanding conflicts between JavaScript libraries. In: Proceedings of the 40th International Conference on Software Engineering (ICSE), pp. 741–751 (2018)
14.
Gallaba, L., Mesbah, A., Beschastnikh, I.: Don’t call us, we’ll call you: characterizing callbacks in JavaScript. In: Proceedings of Empirical Software Engineering and Measurement (ESEM), pp. 1–10 (2015)
15.
Hu, Y., Neamtiu, I., Alavi, A.: Automatically verifying and reproducing event-based races in Android apps. In: Proceedings of the 25th International Symposium on Software Testing and Analysis (ISSTA), pp. 377–388 (2016)
16.
Hu, Y., Neamtiu, I.: Static detection of event-based races in Android apps. In: Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 257–270 (2018)
17.
Bielik, P., Raychev, V., Vechev, M.: Scalable race detection for Android applications. In: ACM SIGPLAN Notices, vol. 50, no. 10, pp. 332–348 (2015)CrossRef
18.
Hsiao, C.H., et al.: Race detection for event-driven mobile applications. In: ACM SIGPLAN Notices, vol. 49, no. 6, pp. 326–336 (2014)CrossRef
19.
Fan, L., et al.: Efficiently manifesting asynchronous programming errors in Android apps. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE), pp. 486–497 (2018)
20.
Tang, H., Wu, G., Wei, J., Zhong, H.: Generating test cases to expose concurrency bugs in android applications. In: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 648–653 (2016)
21.
Murthy, D.R., Pradel, M.: Change-aware dynamic program analysis for JavaScript. In: Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 127–137 (2018)
22.
Alimadadi, S., Mesbah, A., Pattabiraman, K.: Hybrid DOM-sensitive change impact analysis for JavaScript. In: LIPIcs-Leibniz International Proceedings in Informatics (2015)
23.
Sung, C., Kusano, M., Sinha, N., Wang, C.: Static DOM event dependency analysis for testing web applications. In: Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 447–459 (2016)
24.
Flanagan, C., Freund, S.N.: FastTrack: efficient and precise dynamic race detection. In: ACM SIGPLAN Notices, vol. 44, no. 6, pp. 121–133 (2009)CrossRef
25.
Berger, E.D., Yang, T., Liu, T., Novark, G.: Grace: safe multithreaded programming for C/C++. In: ACM SIGPLAN Notices, vol. 44, no. 10, pp. 81–96 (2009)CrossRef
26.
Lu, K., Zhou, X., Bergan, T., Wang, X.: Efficient deterministic multithreading without global barriers. In: ACM SIGPLAN Notices, vol. 49, no. 8, pp. 287–300 (2014)CrossRef
27.
Lau, P.T.: Scan code injection flaws in HTML5-based mobile applications. In: Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), pp. 81–88 (2018)
28.
Yang, G., Huang, J., Gu, G., Mendoza, A.: Study and mitigation of origin stripping vulnerabilities in hybrid-postmessage enabled mobile applications. In: IEEE Symposium on Security and Privacy (SP), pp. 742–755 (2018)
29.
Jin, X., et al.: Code injection attacks on HTML5-based mobile apps: characterization, detection, mitigation. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 66–77 (2014)
30.
Yang, G., Huang, J., Gu, G.: Automated generation of event-oriented exploits in android hybrid apps. In: Network and Distributed System Security Symposium (NDSS) (2018)
31.
Yang, G., Huang, J., Gu, G., Mendoza, A.: Study and mitigation of origin stripping vulnerabilities in hybrid-postmessage enabled mobile applications. In: Proceedings of Symposium on Security and Privacy (SP), pp. 742–755 (2018)
32.
Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin based access control in hybrid web/mobile application frameworks. In: Network and Distributed System Security Symposium (NDSS) (2014)
33.
Rizzo, C., Cavallaro, L., Kinder, J.: BabelView: evaluating the impact of code injection attacks in mobile webviews. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 25–46 (2018)CrossRef
34.
Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: Hybridguard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications. In: Security and Privacy Workshops (SPW), pp. 147–156 (2017)
35.
Jin, X., Wang, L., Luo, T., Du, W.: Fine-grained access control for HTML5-based mobile applications in android. In: Information Security, pp. 309–318 (2015)
36.
Hu, J., Wei, L., Liu, Y., Heung, S.C., Huang, H.: A tale of two cities: how WebView induces bugs to Android applications. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE), pp. 702–713 (2018)
37.
Lau, P.T.: Event-based remote attacks in HTML5-based mobile apps. In: Proceedings of the 2nd International Workshop on Information and Operational Technology Security Systems (IOSec) (2019, in press)
38.
39.
40.
41.
42.
43.
44.
Metadaten
Titel
Static Detection of Event-Driven Races in HTML5-Based Mobile Apps
verfasst von
Phi Tuong Lau
Copyright-Jahr
2019
Buch
Verification and Evaluation of Computer and Communication Systems

Print ISBN: 978-3-030-35091-8

Electronic ISBN: 978-3-030-35092-5

Copyright-Jahr: 2019

DOI
https://doi.org/10.1007/978-3-030-35092-5_3

Premium Partner

    Bildnachweise