Epicc: Effective and precise ICC analysis

Motivation

Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. For example, information may flow between components in an unsafe manner. A component in an application may retrieve a user's location data or contacts. It may subsequently send the sensitive private information to a component in another application. The receiving component may then leak the sensitive information to the network, to an untrusted third party.

However, current techniques for identifying inter-component communication (ICC) are ad hoc and do not scale to large numbers of applications. That is why we developed an approach to statically study ICC that is both precise and highly scalable. Further, it is defined using formalisms already widely studied by the program analysis community.

Formalizing ICC analysis

We reduce the discovery of ICC to an instance of the Interprocedural Distributive Environment (IDE) data flow problem. This approach is very accurate, conservatively keeping track of multiple execution branches. It is path-sensitive, flow-sensitive, inter-procedural and context-sensitive. Our implementation of this approach is called Epicc (Effective and Precise ICC). It scales well, taking on average less than two minutes per application in a large-scale study of 1,200 applications. Epicc uses Java classes as input, which can be generated from Android bytecode using our Dare retargeting tool.

Our tool is built on top of Soot and uses the Heros IDE solver. This allows us to leverage many analyses that are part of Soot (aliasing analysis, call graph construction, etc.) and to obtain solutions to the IDE data flow problem efficiently. Combined with our formally defined IDE reduction, this enables us to obtain precise results when applying Epicc to vulnerability detection. Epicc is indeed more precise than previously released ICC tools. Further, other tools related to ICC have looked at vulnerabilities of component entry points and exit points, whereas Epicc seeks to effectively connect components that may communicate with each other.
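As an added illustration (not Epicc's code, and a simplified flow-sensitive sketch rather than the full IDE formulation), the following Python tracks the set of possible Intent (action, categories) specifications across the branches of a constructed sender and then links the ICC call site to the components whose constructed intent filters could receive it. All component names and filters are made up for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed illustration, not Epicc's code. An Intent specification is the
# (action, categories) a component may send; the abstract value at a program
# point is the set of specifications that may reach it.
Spec = Tuple[Optional[str], FrozenSet[str]]
AbsVal = FrozenSet[Spec]
Filter = Tuple[Set[str], Set[str]]  # (accepted actions, accepted categories)

def set_action(v: AbsVal, action: str) -> AbsVal:
    # Transformer for i.setAction(action): overwrite the action in every spec.
    return frozenset((action, cats) for _, cats in v)

def add_category(v: AbsVal, cat: str) -> AbsVal:
    # Transformer for i.addCategory(cat): extend every spec's category set.
    return frozenset((a, cats | {cat}) for a, cats in v)

def merge(*branches: AbsVal) -> AbsVal:
    # Control-flow join: keep every branch's specs (conservative union).
    return frozenset().union(*branches)

def resolve(v: AbsVal, filters: Dict[str, List[Filter]]) -> Set[str]:
    # Link the ICC call site to every component with a filter accepting some
    # spec: the action must be listed and every intent category accepted.
    return {comp for action, cats in v for comp, fs in filters.items()
            if any(action in acts and cats <= ok for acts, ok in fs)}

def analyze_example() -> Tuple[AbsVal, Set[str]]:
    # Abstract execution of a constructed sender:
    #   i = new Intent();
    #   if (cond) i.setAction("ACTION_SEND");
    #   else { i.setAction("ACTION_VIEW"); i.addCategory("BROWSABLE"); }
    #   i.addCategory("DEFAULT"); startActivity(i);
    i: AbsVal = frozenset({(None, frozenset())})
    then_branch = set_action(i, "ACTION_SEND")
    else_branch = add_category(set_action(i, "ACTION_VIEW"), "BROWSABLE")
    at_call_site = add_category(merge(then_branch, else_branch), "DEFAULT")
    # Constructed manifest filters of three candidate receivers.
    filters = {
        "ShareActivity": [({"ACTION_SEND"}, {"DEFAULT"})],
        "BrowserActivity": [({"ACTION_VIEW"}, {"DEFAULT", "BROWSABLE"})],
        "EditorActivity": [({"ACTION_EDIT"}, {"DEFAULT"})],
    }
    return at_call_site, resolve(at_call_site, filters)
```

Because the join keeps both branches, the call site is linked to both ShareActivity and BrowserActivity while EditorActivity is correctly excluded; a single-value abstraction would have lost one of the two possible targets.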

In order to enable other researchers to apply our ICC analysis to a variety of problems, we make it available for download. Please see our installation page for instructions on how to install and use it.

This research was supported by the National Science Foundation Grants No. CNS-1228700, CNS-0905447, CNS-1064944 and CNS-0643907 and by a Google Faculty Award.

Contact

Please contact Damien Octeau for questions about Epicc.