ICSE 2020
Wed 24 June - Thu 16 July 2020
Sat 11 Jul 2020 16:05 - 16:17 at Goguryeo - A29-Code Analysis and Verification Chair(s): Elena Sherman

The assessment of information flows is an essential part of analyzing Android apps, and is frequently supported by static taint analysis. Its precision, however, can suffer from the analysis not being able to precisely determine what elements a pointer can (and cannot) point to. Recent advances in static analysis suggest that incorporating dynamic heap snapshots, taken at one point at runtime, can significantly improve general static analysis. In this paper, we investigate to what extent this also holds for taint analysis, and how various design decisions, such as when and how many snapshots are collected during execution, and how exactly they are used, impact soundness and precision. We have extended FlowDroid to incorporate heap snapshots, yielding our prototype Heapster, and evaluated it on DroidMacroBench, a novel benchmark comprising real-world Android apps that we also make available as an artifact. The results show that (1) the use of heap snapshots lowers analysis time while increasing precision; (2) a very good trade-off between precision and recall is achieved by a mixed mode in which the analysis falls back to static points-to relations for objects for which no dynamic data was recorded; and (3) while a single heap snapshot (ideally taken at the end of the execution) suffices to improve performance and precision, a better trade-off can be obtained by using multiple snapshots.

Slides (HeapsNLeaks_New.pdf), 3.36 MiB
Preprint (ICSE20HeapDump.pdf), 865 KiB

Sat 11 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time

16:05 - 17:05
A29-Code Analysis and Verification (Paper Presentations / Technical Papers / New Ideas and Emerging Results) at Goguryeo
Chair(s): Elena Sherman (Boise State University)

Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis [Artifact Reusable, Technical, Artifact Available]
Technical Papers
Manuel Benz (University of Paderborn), Erik Krogh Kristensen (GitHub), Linghui Luo (Paderborn University, Germany), Nataniel Borges Jr. (CISPA Helmholtz Center for Information Security), Eric Bodden (Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM), Andreas Zeller (CISPA Helmholtz Center for Information Security)

Verifying Object Construction [Technical, Artifact Available]
Technical Papers
Martin Kellogg (University of Washington, Seattle), Manli Ran (University of California, Riverside), Manu Sridharan (University of California Riverside), Martin Schäf (Amazon Web Services, USA), Michael D. Ernst (University of Washington, USA)

Predictive Constraint Solving and Analysis [New Ideas and Emerging Results Distinguished Paper Awards, NIER]
New Ideas and Emerging Results
Alyas Almaawi (The University of Texas at Austin), Nima Dini (University of Texas at Austin), Cagdas Yelen (The University of Texas at Austin), Milos Gligoric (The University of Texas at Austin), Sasa Misailovic (University of Illinois at Urbana-Champaign), Sarfraz Khurshid (University of Texas at Austin, USA)

When APIs are Intentionally Bypassed: An Exploratory Study of API Workarounds [Technical]
Technical Papers
Maxime Lamothe (Concordia University), Weiyi Shang (Concordia University)

Demystify Official API Usage Directives with Crowdsourced API Misuse Scenarios, Erroneous Code Examples and Patches [Technical]
Technical Papers
Xiaoxue Ren (Zhejiang University), Zhenchang Xing (Australia National University), Jiamou Sun (Australian National University), Xin Xia (Monash University), Jianling Sun (Zhejiang University)