Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award
The IFDS algorithm can be compute- and memory-intensive for some large programs, often running for a long time(more than expected) or terminating prematurely after some time and/or memory budgets have been exhausted. In the latter case, the corresponding IFDS data-flow analyses may suffer from false negatives and/or false positives. To improve this, we introduce a sparse alternative to the traditional IFDS algorithm. Instead of propagating the data-flow facts across all the program points along the program’s (interprocedural) control flow graph, we propagate every data-flow fact directly to its next possible use points along its own sparse control flow graph constructed on the fly, thus reducing significantly both the time and memory requirements incurred by the traditional IFDS algorithm. In our evaluation, we compare FLOWDROID, a taint analysis performed by using the traditional IFDS algorithm, with our sparse incarnation, SPARSEDROID, on a set of 40 Android apps selected. For the time budget (5 hours) and memory budget(220GB) allocated per app, SPARSEDROID can run every app to completion but FLOWDROID terminates prematurely for 9apps, resulting in an average speedup of 22.0x. This implies that when used as a market-level vetting tool, SPARSEDROID can finish analyzing these 40 apps in 2.13 hours (by issuing 228 leak warnings) while FLOWDROID manages to analyze only 30 apps in the same time period (by issuing only 147 leak warnings).
Tue 12 Nov
16:00 - 16:20 Talk | Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award Dongjie HeUniversity of New South Wales; Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Haofeng LiInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Lei WangInstitute of Computing Technology, Chinese Academy of Science, Haining MengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Hengjie ZhengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Jie LiuUniversity of New South Wales, Shuangwei Huvivo AI Lab, Lian LiInstitute of Computing Technology at Chinese Academy of Sciences, China, Jingling XueUNSW Sydney | |||||||||||||||||||||||||||||||||||||||||
16:20 - 16:40 Talk | Characterizing Android App Signing Issues Haoyu WangBeijing University of Posts and Telecommunications, China, Hongxuan LiuPeking University, Xusheng XiaoCase Western Reserve University, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Yao GuoPeking University | |||||||||||||||||||||||||||||||||||||||||
16:40 - 17:00 Talk | OAuthLint: An Empirical Study on OAuth Bugs in Android Applications Tamjid Al RahatUniversity of Virginia, Yu FengUniversity of California, Santa Barbara, Yuan TianUniversity of Virginia Pre-print | |||||||||||||||||||||||||||||||||||||||||
17:00 - 17:20 Talk | Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities? Link to publication DOI Pre-print Media Attached | |||||||||||||||||||||||||||||||||||||||||
17:20 - 17:30 Demonstration | SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods Goran PiskachevFraunhofer IEM, Lisa Nguyen Quang DoGoogle, Oshando JohnsonFraunhofer IEM, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM Pre-print Media Attached File Attached | |||||||||||||||||||||||||||||||||||||||||
17:30 - 17:40 Demonstration | Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs Ayesha SadiqMonash University, Li LiMonash University, Australia, Yuan-Fang LiMonash University, Ijaz AhmedUniversity of Lahore, Sea LingMonash University |