DroidSecTester: Towards context-driven modelling and detection of Android application vulnerabilities
In: 2023 IEEE 34th International Symposium on Software Reliability Engineering Workshops (ISSREW); https://hal.science/hal-04402402, 2023
Conference paper

Abstract: In the dynamic Android application security landscape, traditional vulnerability assessment faces challenges posed by the increasing complexity of execution environments. These environments encompass a diverse array of contextual factors (device state, permissions, installed apps, OS version, and similar) that influence application behaviour, which calls for adaptive testing. Current security analysis techniques for Android apps often struggle to capture the interplay between static and dynamic contexts, impeding precise vulnerability detection; this limitation becomes more evident as execution environments diversify. To address it, this paper introduces DroidSecTester, a toolchain for testing Android application security that centres on context-driven vulnerability modelling. The contribution is three Domain Specific Languages (DSLs) for Model-Based Security Testing (MBST): the Context Definition Language (CDL), the Context-Driven Modelling Language (CDML), and the Vulnerability Pattern language (VPat). Together, these DSLs provide a framework for security assessment that accounts for both the static and the dynamic contexts intrinsic to smartphone environments. The work resulted in VPatChecker, a tool that identifies vulnerabilities and generates abstract exploits by matching application and context models against a vulnerability pattern library; the library is extensible, so new patterns can be added as new Common Vulnerabilities and Exposures (CVE) entries appear. The tool was evaluated on the GHERA benchmark, where at least 38% of the benchmark's vulnerabilities could be modelled and detected. This work underscores the role of context in Android security testing and presents a solution for vulnerability identification through the integration of MBST and DSLs.
Authors / contributors: | Baheux, Ivan; Aktouf, Oum-El-Kheir; Tebib, Mohammed El Amin; Graa, Mariem; Andre, Pascal; Ledru, Yves |
---|---|
Affiliations: | Laboratoire de Conception et d'Intégration des Systèmes (LCIS), Université Grenoble Alpes (UGA), Institut polytechnique de Grenoble - Grenoble Institute of Technology (Grenoble INP); Laboratoire des Sciences du Numérique de Nantes (LS2N), Nantes Université, École Centrale de Nantes, IMT Atlantique, Institut Mines-Télécom Paris (IMT), Centre National de la Recherche Scientifique (CNRS), Institut National de Recherche en Informatique et en Automatique (Inria); Laboratoire d'Informatique de Grenoble (LIG), CNRS, UGA, Grenoble INP; IEEE |
Published: | HAL CCSD; IEEE, 2023 |
Media type: | Conference paper |
DOI: | 10.1109/ISSREW60843.2023.00063 |