Analyzing information flow is central in assessing
the security of applications. However, static and dynamic analyses
of information flow are easily challenged by non-available or
obscure code. We present a lightweight mutation-based analysis
that systematically mutates dynamic values returned by sensitive
sources to assess whether the mutation changes the values passed
to sensitive sinks. If so, we found a flow between source and sink.
In contrast to existing techniques, mutation-based flow analysis
does not attempt to identify the specific path of the flow and is
thus resilient to obfuscation.
In its evaluation, our MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight
yet effective complement to existing tools. Compared to the
popular FLOWDROID static analysis tool, MUTAFLOW requires
less than 10% of source code lines but has similar accuracy;
on 20 tested real-world apps, it is able to detect 75 flows that FLOWDROID misses.
History
Preferred Citation
Björn Mathis, Vitalii Avdiienko, Ezekiel Soremekun, Marcel Böhme and Andreas Zeller. Detecting Information Flow by Mutating Input data. In: Software Engineering (SE). 2018.
Primary Research Area
Reliable Security Guarantees
Name of Conference
Software Engineering (SE)
Legacy Posted Date
2018-02-15
Open Access Type
Hybrid
BibTeX
@inproceedings{cispa_all_1452,
title = "Detecting Information Flow by Mutating Input data",
author = "Mathis, Björn and Avdiienko, Vitalii and Soremekun, Ezekiel and Böhme, Marcel and Zeller, Andreas",
booktitle="{Software Engineering (SE)}",
year="2018",
}