Digital Library
DidFail: Coverage and Precision Enhancement
- July 2017
- This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
- Secure Coding
-
Publisher: CERT
CMU/SEI Report Number: CMU/SEI-2017-TR-007
-
Abstract
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps. The enhancements are new analytical functionality for content providers, file accesses, and dynamic broadcast receivers. Previously, DidFail did not analyze taint flows involving ContentProvider components; however, now it analyzes taint flows involving all four types of Android components. The latest version of DidFail tracks taint flow across file access calls more precisely than it did in prior versions of the software. DidFail was also modified to handle dynamically declared BroadcastReceiver components in a fully automated way, by integrating it with a recent version of FlowDroid and working to fix remaining un-analyzed taint flows. Finally, a new command line argument optionally disables static field analysis in order to reduce DidFail's memory usage and analysis time.
These new features make DidFail's taint tracking more precise (for files) and more comprehensive for dynamically registered BroadcastReceiver and ContentProvider components. We implemented the new features and tested them on example apps that we developed and on real-world apps
from different categories in the Google Play app store. - Download
Cite This Report
SEI
Dwivedi, Karan; Yin, Hongli; Bagree, Pranav; Tang, Xiaoxiao; Flynn, Lori; Klieber, William; & Snavely, William. DidFail: Coverage and Precision Enhancement. CMU/SEI-2017-TR-007. Software Engineering Institute, Carnegie Mellon University. 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366
IEEE
Dwivedi. Karan, Yin. Hongli, Bagree. Pranav, Tang. Xiaoxiao, Flynn. Lori, Klieber. William, and Snavely. William, "DidFail: Coverage and Precision Enhancement," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2017-TR-007, 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366
APA
Dwivedi, Karan., Yin, Hongli., Bagree, Pranav., Tang, Xiaoxiao., Flynn, Lori., Klieber, William., & Snavely, William. (2017). DidFail: Coverage and Precision Enhancement (CMU/SEI-2017-TR-007). Retrieved February 16, 2019, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366
CHI
Karan Dwivedi, Hongli Yin, Pranav Bagree, Xiaoxiao Tang, Lori Flynn, William Klieber, & William Snavely. DidFail: Coverage and Precision Enhancement (CMU/SEI-2017-TR-007). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2017. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366
MLA
Dwivedi, Karan., Yin, Hongli., Bagree, Pranav., Tang, Xiaoxiao., Flynn, Lori., Klieber, William., & Snavely, William. 2017. DidFail: Coverage and Precision Enhancement (Technical Report CMU/SEI-2017-TR-007). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366
BibTex
@techreport{DwivediDidFailCoverage2017,
title={DidFail: Coverage and Precision Enhancement},
author={Karan Dwivedi and Hongli Yin and Pranav Bagree and Xiaoxiao Tang and Lori Flynn and William Klieber and William Snavely},
year={2017},
number={CMU/SEI-2017-TR-007},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=502366}
}