Damien Octeau

University of Wisconsin-Madison/Pennsylvania State University

"Analysis of Inter-Component Communication in Mobile Applications through Retargeting"

Monday March 02, 2015 10:00 AM
Location: 3211, EBII NCSU Centennial Campus

Knowing how the components of mobile applications interact is a prerequisite to many security analyses. However, no analysis can readily infer all Inter-Component Communication (ICC) precisely. Further, because Android applications are compiled from Java source into platform-specific Dalvik bytecode, existing program analysis tools cannot be used to evaluate their behavior. This talk shows how we retarget Android applications to Java bytecode using our Dare tool in order to perform static security analysis on them. We successfully retarget 99.99% of the 262,110 classes in a sample of 1,100 applications. Using retargeting as a first step, we develop a static program analysis to infer the values of ICC messages. The resulting Epicc tool can infer ICC messages in 93% of the cases in a corpus of 1,200 applications. This makes it possible to use Dare and Epicc as the basis of many different inter-component security analyses. I will also discuss how to generalize the concepts developed in Epicc to infer values of other kinds of objects for security analyses in contexts other than mobile applications. I will additionally present future directions in security analyses of program code.

Short Bio:

Damien Octeau is a Research Associate with a joint appointment at the Department of Computer Sciences at the University of Wisconsin-Madison and at the Department of Computer Science and Engineering at the Pennsylvania State University. His research interests include systems, mobile, and software security, as well as program analysis. Damien received his M.Sc. and Ph.D. degrees in Computer Science and Engineering from the Pennsylvania State University in 2010 and 2014, respectively. He received his B.Sc. and Master’s degrees from Ecole Centrale de Lyon, France, in 2007 and 2010, respectively. He was awarded the Best Research Artifact Award at the 2012 International Symposium on the Foundations of Software Engineering (FSE). He also received the 2013 Penn State AT&T Graduate Fellowship.

Host: Dr. William Enck, CSC

