DidFail: Coverage and Precision Enhancement

July 2017 • Technical Report

Karan Dwivedi (No Affiliation), Hongli Yin (No Affiliation), Pranav Bagree (No Affiliation), Xiaoxiao Tang (No Affiliation), Lori Flynn, William Klieber, William Snavely

This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.

Publisher:

CERT

CMU/SEI Report Number

CMU/SEI-2017-TR-007

Subjects

Secure CodingSecure Coding

Abstract

This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps. The enhancements are new analytical functionality for content providers, file accesses, and dynamic broadcast receivers. Previously, DidFail did not analyze taint flows involving ContentProvider components; however, now it analyzes taint flows involving all four types of Android components. The latest version of DidFail tracks taint flow across file access calls more precisely than it did in prior versions of the software. DidFail was also modified to handle dynamically declared BroadcastReceiver components in a fully automated way, by integrating it with a recent version of FlowDroid and working to fix remaining un-analyzed taint flows. Finally, a new command line argument optionally disables static field analysis in order to reduce DidFail's memory usage and analysis time.
These new features make DidFail's taint tracking more precise (for files) and more comprehensive for dynamically registered BroadcastReceiver and ContentProvider components. We implemented the new features and tested them on example apps that we developed and on real-world apps
from different categories in the Google Play app store.

Download PDF

Cite This Report

SEI

Dwivedi, Karan; Yin, Hongli; Bagree, Pranav; Tang, Xiaoxiao; Flynn, Lori; Klieber, William; & Snavely, William. DidFail: Coverage and Precision Enhancement. CMU/SEI-2017-TR-007. Software Engineering Institute, Carnegie Mellon University. 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366

IEEE

Dwivedi. Karan, Yin. Hongli, Bagree. Pranav, Tang. Xiaoxiao, Flynn. Lori, Klieber. William, and Snavely. William, "DidFail: Coverage and Precision Enhancement," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2017-TR-007, 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366

APA

Dwivedi, Karan., Yin, Hongli., Bagree, Pranav., Tang, Xiaoxiao., Flynn, Lori., Klieber, William., & Snavely, William. (2017). DidFail: Coverage and Precision Enhancement (CMU/SEI-2017-TR-007). Retrieved June 05, 2020, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366

CHI

Karan Dwivedi, Hongli Yin, Pranav Bagree, Xiaoxiao Tang, Lori Flynn, William Klieber, & William Snavely. DidFail: Coverage and Precision Enhancement (CMU/SEI-2017-TR-007). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366

MLA

Dwivedi, Karan., Yin, Hongli., Bagree, Pranav., Tang, Xiaoxiao., Flynn, Lori., Klieber, William., & Snavely, William. 2017. DidFail: Coverage and Precision Enhancement (Technical Report CMU/SEI-2017-TR-007). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366

BibTex

@techreport{DwivediDidFailCoverage2017,
title={DidFail: Coverage and Precision Enhancement},
author={Karan Dwivedi and Hongli Yin and Pranav Bagree and Xiaoxiao Tang and Lori Flynn and William Klieber and William Snavely},
year={2017},
number={CMU/SEI-2017-TR-007},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366} }

Ask a question about this Technical Report

Software Engineering Institute