DidFail: Coverage and Precision Enhancement
• Technical Report
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2017-TR-007Subjects
Abstract
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps. The enhancements are new analytical functionality for content providers, file accesses, and dynamic broadcast receivers. Previously, DidFail did not analyze taint flows involving ContentProvider components; however, now it analyzes taint flows involving all four types of Android components. The latest version of DidFail tracks taint flow across file access calls more precisely than it did in prior versions of the software. DidFail was also modified to handle dynamically declared BroadcastReceiver components in a fully automated way, by integrating it with a recent version of FlowDroid and working to fix remaining un-analyzed taint flows. Finally, a new command line argument optionally disables static field analysis in order to reduce DidFail's memory usage and analysis time.
These new features make DidFail's taint tracking more precise (for files) and more comprehensive for dynamically registered BroadcastReceiver and ContentProvider components. We implemented the new features and tested them on example apps that we developed and on real-world apps
from different categories in the Google Play app store.
Cite This Technical Report
Dwivedi, K., Yin, H., Bagree, P., Tang, X., Flynn, L., Klieber, W., & Snavely, W. (2017, July 6). DidFail: Coverage and Precision Enhancement. (Technical Report CMU/SEI-2017-TR-007). Retrieved April 26, 2024, from https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/.
@techreport{dwivedi_2017,
author={Dwivedi, Karan and Yin, Hongli and Bagree, Pranav and Tang, Xiaoxiao and Flynn, Lori and Klieber, William and Snavely, William},
title={DidFail: Coverage and Precision Enhancement},
month={Jul},
year={2017},
number={CMU/SEI-2017-TR-007},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/},
note={Accessed: 2024-Apr-26}
}
Dwivedi, Karan, Hongli Yin, Pranav Bagree, Xiaoxiao Tang, Lori Flynn, William Klieber, and William Snavely. "DidFail: Coverage and Precision Enhancement." (CMU/SEI-2017-TR-007). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, July 6, 2017. https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/.
K. Dwivedi, H. Yin, P. Bagree, X. Tang, L. Flynn, W. Klieber, and W. Snavely, "DidFail: Coverage and Precision Enhancement," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2017-TR-007, 6-Jul-2017 [Online]. Available: https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/. [Accessed: 26-Apr-2024].
Dwivedi, Karan, Hongli Yin, Pranav Bagree, Xiaoxiao Tang, Lori Flynn, William Klieber, and William Snavely. "DidFail: Coverage and Precision Enhancement." (Technical Report CMU/SEI-2017-TR-007). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 6 Jul. 2017. https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/. Accessed 26 Apr. 2024.
Dwivedi, Karan; Yin, Hongli; Bagree, Pranav; Tang, Xiaoxiao; Flynn, Lori; Klieber, William; & Snavely, William. DidFail: Coverage and Precision Enhancement. CMU/SEI-2017-TR-007. Software Engineering Institute. 2017. https://insights.sei.cmu.edu/library/didfail-coverage-and-precision-enhancement/