Published in: Software Quality Journal 4/2020

05.05.2020

Towards supporting software assurance assessments by detecting security patterns

Authors: Michaela Bunke, Karsten Sohr


Abstract

Today, many tools exist that attempt to find possible vulnerabilities in Android applications, e.g., FlowDroid, Fortify, or AppScan. However, all of these tools aim to detect vulnerabilities or (sometimes) tainted flows and present the reviewer with the possible issues found in the analyzed Android application. None of them supports the identification of the security features that are actually implemented in the code, although this aspect is relevant to developers as well as reviewers. To address this open problem, we present in this paper a program comprehension approach based on connected object process graphs (COPGs), which capture the interacting objects described by security patterns. The feasibility of our approach is evaluated qualitatively on 25 security-critical Android applications from Google Play with almost 7 million lines of code in total. We currently support 17 security pattern variants, with about 199 correctly detected pattern instances in these apps. We also define a benchmark of non-trivial, security-critical Android apps, which can also be used for other security analysis tasks built on the static analysis framework Soot. On this benchmark, our analysis achieves a precision of 99% and a recall of 80%. Finally, we discussed our approach and the developed tool with six software security experts from the SAFECode organization to obtain additional feedback.


Appendices
Accessible only with authorization
Footnotes
1
In fact, this depends on the compiler having emitted the LineNumberTable attribute, which it does in practice.
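The footnote's caveat is worth checking before trusting line-level locations of detected pattern instances: a detector can only map a match back to a source line if the compiled code still carries debug line information. The script below is an added example, not code from the paper or its tool. It parses JVM class files and reports, per method, whether the Code attribute contains a LineNumberTable. javac emits the attribute by default and drops it under -g:none, and Android shrinkers such as ProGuard and R8 strip it unless -keepattributes LineNumberTable is configured; inside an APK the equivalent information lives in the DEX debug_info items rather than in a class-file attribute, so run this on class files from the Java build or from a dex-to-class converter. The build_sample_class helper constructs two minimal class files in memory (class Sample, method m()V, one with and one without the attribute) so the example runs offline; those names and the sample line number 42 are constructed test data.

```python
"""Report which methods of a JVM class file carry a LineNumberTable attribute.

Added example for the footnote above, not code from the paper or its tool.
The two sample class files are constructed in memory (class `Sample`, method
`m()V`) so the script runs offline; pass real .class paths on the command
line to check an actual build.
"""
import struct
from typing import Dict, List, Tuple

# Byte size of every fixed-size constant-pool entry, keyed by tag (JVMS 4.4);
# tag 1 (Utf8) is variable-length and handled separately.
_CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                  12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _parse_constant_pool(data: bytes, pos: int) -> Tuple[Dict[int, str], int]:
    """Return {index: string} for the Utf8 entries and the offset after the pool."""
    (count,) = struct.unpack_from(">H", data, pos)
    pos += 2
    utf8: Dict[int, str] = {}
    idx = 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            pos += _CP_FIXED_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return utf8, pos


def _parse_attributes(data: bytes, pos: int, utf8: Dict[int, str]):
    """Return [(attribute name, payload)] for an attributes table and the end offset."""
    (count,) = struct.unpack_from(">H", data, pos)
    pos += 2
    attrs: List[Tuple[str, bytes]] = []
    for _ in range(count):
        name_idx, length = struct.unpack_from(">HI", data, pos)
        pos += 6
        attrs.append((utf8[name_idx], data[pos:pos + length]))
        pos += length
    return attrs, pos


def line_number_tables(class_bytes: bytes) -> Dict[str, bool]:
    """Map 'name+descriptor' of each method to whether its Code attribute has a LineNumberTable."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a JVM class file")
    utf8, pos = _parse_constant_pool(class_bytes, 8)  # skip magic, minor, major
    pos += 6                                           # access_flags, this_class, super_class
    (n_ifaces,) = struct.unpack_from(">H", class_bytes, pos)
    pos += 2 + 2 * n_ifaces
    result: Dict[str, bool] = {}
    for section in ("fields", "methods"):              # same layout; only methods matter
        (n,) = struct.unpack_from(">H", class_bytes, pos)
        pos += 2
        for _ in range(n):
            _, name_idx, desc_idx = struct.unpack_from(">HHH", class_bytes, pos)
            pos += 6
            attrs, pos = _parse_attributes(class_bytes, pos, utf8)
            if section != "methods":
                continue
            has_table = False
            for name, payload in attrs:
                if name != "Code":
                    continue
                # Code: max_stack u2, max_locals u2, code_length u4, code[], exception table, attributes
                (code_len,) = struct.unpack_from(">I", payload, 4)
                p = 8 + code_len
                (n_exc,) = struct.unpack_from(">H", payload, p)
                p += 2 + 8 * n_exc
                sub_attrs, _ = _parse_attributes(payload, p, utf8)
                has_table = any(a == "LineNumberTable" for a, _ in sub_attrs)
            result[utf8[name_idx] + utf8[desc_idx]] = has_table
    return result


def methods_without_line_numbers(class_bytes: bytes) -> List[str]:
    """Methods whose findings could only be reported per method, not per source line."""
    return [m for m, ok in line_number_tables(class_bytes).items() if not ok]


def build_sample_class(with_line_numbers: bool) -> bytes:
    """Constructed test input: minimal class `Sample` with one method `m()V` (body: return)."""
    pool = b""
    for s in (b"Code", b"LineNumberTable", b"Sample", b"java/lang/Object", b"m", b"()V"):
        pool += b"\x01" + struct.pack(">H", len(s)) + s         # Utf8 entries #1..#6
    pool += b"\x07" + struct.pack(">H", 3)                       # #7 Class -> "Sample"
    pool += b"\x07" + struct.pack(">H", 4)                       # #8 Class -> "java/lang/Object"
    code = b"\xb1"                                               # return
    sub_attrs, n_sub = b"", 0
    if with_line_numbers:
        table = struct.pack(">HHH", 1, 0, 42)                    # one entry: pc 0 -> line 42
        sub_attrs, n_sub = struct.pack(">HI", 2, len(table)) + table, 1
    code_body = (struct.pack(">HHI", 0, 1, len(code)) + code
                 + struct.pack(">H", 0)                          # empty exception table
                 + struct.pack(">H", n_sub) + sub_attrs)
    method = (struct.pack(">HHH", 0x0001, 5, 6)                  # public m()V
              + struct.pack(">H", 1) + struct.pack(">HI", 1, len(code_body)) + code_body)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)      # class file version 52 (Java 8)
            + struct.pack(">H", 9) + pool                         # constant_pool_count = entries + 1
            + struct.pack(">HHH", 0x0021, 7, 8)                   # ACC_PUBLIC|ACC_SUPER, this, super
            + struct.pack(">H", 0) + struct.pack(">H", 0)         # no interfaces, no fields
            + struct.pack(">H", 1) + method
            + struct.pack(">H", 0))                               # no class-level attributes


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                        # real .class files from a build
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, methods_without_line_numbers(fh.read()))
    else:
        for debug in (True, False):
            print("debug info" if debug else "stripped", line_number_tables(build_sample_class(debug)))
```

A method reported without a LineNumberTable is not an error in the analysis; it means any pattern instance found in that method can only be attributed to the method, so the practical response is to rebuild with debug information (or keep the attribute through the shrinker) before a line-level review.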
 
References
Alvi, A.K., & Zulkernine, M. (2017). Security pattern detection using ordered matrix matching. In International Conference on Software Security and Assurance (pp. 38–43).
Ampatzoglou, A., Charalampidou, S., & Stamelos, I. (2013). Research state of the art on GoF design patterns: a mapping study. Journal of Systems and Software, 86(7), 1945–1964.
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., & McDaniel, P. (2014). FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proc. of the ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14 (pp. 259–269). New York: ACM.
Balebako, R., Marsh, A., Lin, J., Hong, J.I., & Cranor, L.F. (2014). The privacy and security behaviors of smartphone app developers. In Proceedings of the Workshop on Usable Security.
Balzarotti, D., Banks, G., Cova, M., Felmetsger, V., Kemmerer, R.A., Robertson, W., Valeur, F., & Vigna, G. (2010). An experience in testing the security of real-world electronic voting systems. IEEE Transactions on Software Engineering, 36(4), 453–473.
Bunke, M. (2014). On the description of software security patterns. In Proc. of the European Conference on Pattern Languages of Programs (pp. 34:1–34:10).
Bunke, M. (2015). Software-security patterns: degree of maturity. In Proc. of the European Conference on Pattern Languages of Programs (pp. 42:1–42:17).
Bunke, M., & Sohr, K. (2011). An architecture-centric approach to detecting security patterns in software. In Proc. of the International Symposium on Engineering Secure Software and Systems, Lecture Notes in Computer Science, Vol. 6542 (pp. 156–166). Springer.
Bunke, M., Koschke, R., & Sohr, K. (2012). Organizing security patterns related to security and pattern recognition requirements. International Journal On Advances in Security, 5(1&2), 46–67.
Chess, B., & McGraw, G. (2004). Static analysis for security. IEEE Security and Privacy, 2, 76–79.
Chin, E., Felt, A.P., Greenwood, K., & Wagner, D. (2011). Analyzing inter-application communication in Android. In Proceedings of the International Conference on Mobile Systems, Applications, and Services, MobiSys '11 (pp. 239–252). New York: ACM.
Cui, X., Wang, J., Hui, L.C.K., Xie, Z., Zeng, T., & Yiu, S.M. (2015). WeChecker: efficient and precise detection of privilege escalation vulnerabilities in Android apps. In Proceedings of the ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec '15 (pp. 25:1–25:12). New York: ACM.
Dong, J., Zhao, Y., & Peng, T. (2007). Architecture and design pattern discovery techniques: a review. In Proc. of the International Conference on Software Engineering Research and Practice (pp. 621–627).
Dong, J., Zhao, Y., & Peng, T. (2009). A review of design pattern mining techniques. International Journal of Software Engineering and Knowledge Engineering, 19(6), 823–855.
Edmundson, A., Holtkamp, B., Rivera, E., Finifter, M., Mettler, A., & Wagner, D. (2013). An empirical study on the effectiveness of security code review. In Jürjens, J., Livshits, B., & Scandariato, R. (Eds.), Engineering Secure Software and Systems, Lecture Notes in Computer Science, Vol. 7781 (pp. 197–212). Berlin: Springer.
Egele, M., Brumley, D., Fratantonio, Y., & Kruegel, C. (2013). An empirical study of cryptographic misuse in Android applications. In Proc. of the Conference on Computer and Communications Security, CCS '13 (pp. 73–84). New York: ACM.
Eisenbarth, T., Koschke, R., & Vogel, G. (2002). Static trace extraction. In Working Conference on Reverse Engineering. IEEE Computer Society Press.
Eisenbarth, T., Koschke, R., & Vogel, G. (2005). Static object trace extraction for programs with pointers. Journal of Systems and Software, 77(3), 263–284.
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., & Sheth, A.N. (2010). TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. of the USENIX Conference on Operating Systems Design and Implementation, OSDI '10 (pp. 393–407). Berkeley: USENIX Association.
Enck, W., Octeau, D., McDaniel, P., & Chaudhuri, S. (2011). A study of Android application security. In Proceedings of the USENIX Conference on Security, SEC '11 (pp. 21–21). Berkeley: USENIX Association.
Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., & Smith, M. (2012). Why Eve and Mallory love Android: an analysis of Android SSL (in)security. In Proc. of the Conference on Computer and Communications Security, CCS '12 (pp. 50–61). New York: ACM.
Gordon, M.I., Kim, D., Perkins, J.H., Gilham, L., Nguyen, N., & Rinard, M.C. (2015). Information flow analysis of Android applications in DroidSafe. In Proc. of the Annual Network and Distributed System Security Symposium.
Gravino, C., Risi, M., Scanniello, G., & Tortora, G. (2012). Do professional developers benefit from design pattern documentation? A replication in the context of source code comprehension. In France, R.B., Kazmeier, J., Breu, R., & Atkinson, C. (Eds.), Model Driven Engineering Languages and Systems, Lecture Notes in Computer Science, Vol. 7590 (pp. 185–201). Berlin: Springer.
Hafiz, M. (2005). Security patterns and evolution of MTA architecture. In Proc. of the ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (pp. 142–143).
Hafiz, M., Johnson, R.E., & Afandi, R. (2004). The security architecture of qmail. In Proc. of the Conference on Pattern Languages of Programs (pp. 1–9).
Heaps, H.S. (1978). Information retrieval: computational and theoretical aspects. Orlando: Academic Press, Inc.
Horwitz, S., Reps, T., & Binkley, D. (1990). Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems, 12(1), 26–60.
Huang, J., Zhang, X., Tan, L., Wang, P., & Liang, B. (2014). AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction. In Proc. of the International Conference on Software Engineering, ICSE 2014 (pp. 1036–1046). New York: ACM.
Kitchenham, B., Pickard, L., & Pfleeger, S.L. (1995). Case studies for method and tool evaluation. IEEE Software, 12(4), 52–62.
Klieber, W., Flynn, L., Bhosale, A., Jia, L., & Bauer, L. (2014). Android taint flow analysis for app sets. In Proceedings of the ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, SOAP '14 (pp. 1–6). New York: ACM.
Kramer, C., & Prechelt, L. (1996). Design recovery by automated search for structural design patterns in object-oriented software. In Proc. of the Working Conference on Reverse Engineering (p. 208). Washington, DC: IEEE Computer Society.
Krishnan, P., Hafner, S., & Zeiser, A. (2011). Applying security assurance techniques to a mobile phone application: an initial approach. In Proceedings of the International Conference on Software Testing, Verification and Validation Workshops (pp. 545–552).
Laverdiere, M., Mourad, A., Hanna, A., & Debbabi, M. (2006). Security design patterns: survey and evaluation. In IEEE Canadian Conference on Electrical and Computer Engineering (pp. 1605–1608).
Lhotak, O., Smaragdakis, Y., & Sridharan, M. (2013). Pointer analysis (Dagstuhl Seminar 13162). Dagstuhl Reports, 3(4), 91–113.
Li, L., Bartel, A., Bissyandé, T.F., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., & McDaniel, P. (2015). IccTA: detecting inter-component privacy leaks in Android apps. In Proc. of the International Conference on Software Engineering, ICSE '15 (pp. 280–291). Piscataway: IEEE Press.
Li, L., Bissyandé, T.F., Papadakis, M., Rasthofer, S., Bartel, A., Octeau, D., Klein, J., & Le Traon, Y. (2017). Static analysis of Android apps: a systematic literature review. Information and Software Technology, 88, 67–95.
Lu, L., Li, Z., Wu, Z., Lee, W., & Jiang, G. (2012). CHEX: statically vetting Android apps for component hijacking vulnerabilities. In Proc. of the Conference on Computer and Communications Security, CCS '12 (pp. 229–240). New York: ACM.
McGraw, G. (2006). Software security: building security in. Addison-Wesley.
McGraw, G. (2008). Automated code review tools for security. Computer, 41(12), 108–111.
Mirzaei, N., Bagheri, H., Mahmood, R., & Malek, S. (2015). SIG-Droid: automated system input generation for Android applications. In Proceedings of the IEEE International Symposium on Software Reliability Engineering (pp. 461–471).
Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., & Le Traon, Y. (2013). Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis. In Proc. of the USENIX Security Symposium, SEC '13 (pp. 543–558). Berkeley: USENIX Association.
Quante, J. (2008). Do dynamic object process graphs support program understanding? A controlled experiment. In Proc. of the International Conference on Program Comprehension (pp. 73–82).
Quante, J. (2009). Dynamic object process graphs. PhD dissertation, University of Bremen, Bremen.
Quante, J., & Koschke, R. (2007). Dynamic protocol recovery. In Proc. of the Working Conference on Reverse Engineering (pp. 219–228).
Quante, J., & Koschke, R. (2008). Dynamic object process graphs. Journal of Systems and Software, 81(4), 481–501.
Rasool, G., & Streitferdt, D. (2011). A survey on design pattern recovery techniques. International Journal of Computer Science Issues, 8(2), 251–260.
Ravitch, T., Creswick, E.R., Tomb, A., Foltzer, A., Elliott, T., & Casburn, L. (2014). Multi-app security analysis with FUSE: statically detecting Android app collusion. In Proceedings of the Program Protection and Reverse Engineering Workshop, PPREW-4 (pp. 4:1–4:10). New York: ACM.
Roehm, T., Tiarks, R., Koschke, R., & Maalej, W. (2012). How do professional developers comprehend software? In Proc. of the International Conference on Software Engineering, ICSE '12 (pp. 255–265).
SAFECode members. (2017). Security patterns in source code. Telephone conference on 29/09/2017.
Scholz, B., & Koschke, R. (2011). Object-based dynamic protocol recovery for multi-threading programs. In Proc. of the Working Conference on Reverse Engineering (pp. 251–260).
Schumacher, M., Fernandez, E.B., Hybertson, D., & Buschmann, F. (2005). Security patterns: integrating security and systems engineering. Wiley.
Shen, F., Vishnubhotla, N., Todarka, C., Arora, M., Dhandapani, B., Lehner, E.J., Ko, S.Y., & Ziarek, L. (2014). Information flows as a permission mechanism. In Proc. of Automated Software Engineering, ASE '14 (pp. 515–526). New York: ACM.
Sridharan, M., Fink, S.J., & Bodik, R. (2007). Thin slicing. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '07 (pp. 112–122).
Steel, C., Nagappan, R., & Lai, R. (2005). Core security patterns: best practices and strategies for J2EE, Web services, and identity management. Prentice Hall International.
Sufatrio, Chua, T.W., Tan, D.J.J., & Thing, V.L.L. (2015). Accurate specification for robust detection of malicious behavior in mobile environments (pp. 355–375). Cham: Springer International Publishing.
Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L., Lam, P., & Sundaresan, V. (1999). Soot: a Java bytecode optimization framework. In Proc. of the Conference of the Centre for Advanced Studies on Collaborative Research (p. 13). IBM Press.
Vallée-Rai, R., Gagnon, E., Hendren, L., Lam, P., Pominville, P., & Sundaresan, V. (2000). Optimizing Java bytecode using the Soot framework: is it feasible? In Compiler Construction, Lecture Notes in Computer Science, Vol. 1781 (pp. 18–34). Berlin: Springer.
VanHilst, M., & Fernandez, E.B. (2007). Reverse engineering to detect security patterns in code. In Proc. of the International Workshop on Software Patterns and Quality (pp. 25–30). Information Processing Society of Japan.
Wei, F., Roy, S., Ou, X., & Robby. (2014). Amandroid: a precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proc. of the Conference on Computer and Communications Security, CCS '14 (pp. 1329–1341). New York: ACM.
Weiser, M. (1981). Program slicing. In Proc. of the International Conference on Software Engineering, ICSE '81 (pp. 439–449). Piscataway: IEEE Press.
Yang, S., Yan, D., Wu, H., Wang, Y., & Rountev, A. (2015a). Static control-flow analysis of user-driven callbacks in Android applications. In Proc. of the International Conference on Software Engineering, Vol. 1 (pp. 89–99).
Yang, S., Zhang, H., Wu, H., Wang, Y., Yan, D., & Rountev, A. (2015b). Static window transition graphs for Android (T). In Proc. of Automated Software Engineering (pp. 658–668).
Yoder, J., & Barcalow, J. (1997). Architectural patterns for enabling application security. In Proc. of the Conference on Pattern Languages of Programs (pp. 1–31). Monticello.
Metadata
Title
Towards supporting software assurance assessments by detecting security patterns
Authors
Michaela Bunke
Karsten Sohr
Publication date
05.05.2020
Publisher
Springer US
Published in
Software Quality Journal / Issue 4/2020
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI
https://doi.org/10.1007/s11219-019-09492-z
