-
Unifying Pointer Analyses for Polyglot Inter-operations through Summary Specialization
Authors:
Jyoti Prakash,
Abhishek Tiwari,
Christian Hammer
Abstract:
Modular analysis of polyglot applications is challenging because heap object flows across language boundaries must be resolved. The state-of-the-art analyses for polyglot applications have two fundamental limitations. First, they assume explicit boundaries between the host and the guest language to determine inter-language dataflows. Second, they rely on specific analyses of the host and guest languages. The former assumption is impractical concerning recent advancements in polyglot programming techniques, while the latter disregards advances in pointer analysis of the underlying languages. In this work, we propose to extend existing pointer analyses with a novel summary specialization technique so that points-to set across language boundaries can be unified. Our novel technique leverages various combinations of host and guest analyses with minor modifications. We demonstrate the efficacy and generalizability of our approach by evaluating it with two polyglot language models: Java-C communication via Android's NDK and Java-Python communication in GraalVM.
Submitted 5 May, 2023;
originally announced May 2023.
-
The role of baryons in self-interacting dark matter mergers
Authors:
Moritz S. Fischer,
Nils-Henrik Durke,
Katharina Hollingshausen,
Claudius Hammer,
Marcus Brüggen,
Klaus Dolag
Abstract:
Mergers of galaxy clusters are promising probes of dark matter (DM) physics. For example, an offset between the DM component and the galaxy distribution can constrain DM self-interactions. We investigate the role of the intracluster medium (ICM) and its influence on DM-galaxy offsets in self-interacting dark matter models. To this end, we employ Smoothed Particle Hydrodynamics + N-body simulations to study idealized setups of equal- and unequal-mass mergers with head-on collisions. Our simulations show that the ICM hardly affects the offsets arising shortly after the first pericentre passage compared to DM-only simulations. But later on, e.g. at the first apocentre, the offsets can be amplified by the presence of the ICM. Furthermore, we find that cross-sections small enough not to be excluded by measurements of the core sizes of relaxed galaxy clusters have a chance to produce observable offsets. We found that different DM models affect the DM distribution and also the galaxy and ICM distribution, including its temperature. Potentially, the position of the shock fronts, combined with the brightest cluster galaxies, provides further clues to the properties of DM. Overall our results demonstrate that mergers of galaxy clusters at stages about the first apocentre passage could be more interesting in terms of DM physics than those shortly after the first pericentre passage. This may motivate further studies of mergers at later evolutionary stages.
Submitted 4 July, 2023; v1 submitted 15 February, 2023;
originally announced February 2023.
-
Our fingerprints don't fade from the Apps we touch: Fingerprinting the Android WebView
Authors:
Abhishek Tiwari,
Jyoti Prakash,
Alimerdan Rahimov,
Christian Hammer
Abstract:
Numerous studies demonstrated that browser fingerprinting is detrimental to users' security and privacy. However, little is known about the effects of browser fingerprinting on Android hybrid apps -- where a stripped-down Chromium browser is integrated into an app. These apps expand the attack surface by employing two-way communication between native apps and the web. This paper studies the impact of browser fingerprinting on these embedded browsers. To this end, we instrument the Android framework to record and extract information leveraged for fingerprinting. We study over 20,000 apps, including the most popular apps from the Google Play store. We exemplify security flaws and severe information leaks in popular apps like Instagram. Our study reveals that fingerprints in hybrid apps potentially contain account-specific and device-specific information that identifies users across multiple devices uniquely. Besides, our results show that the hybrid app browser does not always adhere to standard browser-specific privacy policies.
Submitted 3 August, 2022;
originally announced August 2022.
-
A Large Scale Analysis of Android-Web Hybridization
Authors:
Abhishek Tiwari,
Jyoti Prakash,
Sascha Gross,
Christian Hammer
Abstract:
Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in a WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces of the Android and JavaScript world might also incur severe security threats: Potentially untrusted webpages and their JavaScript might interfere with the Android environment and its access to native features. No general analysis is currently available to assess the implications of such hybrid apps bridging the two worlds. To understand the semantics and effects of hybrid apps, we perform a large-scale study on the usage of the hybridization APIs in the wild. We analyze and categorize the parameters to hybridization APIs for 7,500 randomly selected and the 196 most popular applications from the Google Playstore as well as 1000 malware samples. Our results advance the general understanding of hybrid applications, as well as implications for potential program analyses, and the current security situation: We discovered thousands of flows of sensitive data from Android to JavaScript, the vast majority of which could flow to potentially untrustworthy code. Our analysis identified numerous web pages embedding vulnerabilities, which we exemplarily exploited. Additionally, we discovered a multitude of applications in which potentially untrusted JavaScript code may interfere with (trusted) Android objects, both in benign and malign applications.
Submitted 4 August, 2020; v1 submitted 4 August, 2020;
originally announced August 2020.
-
PointEval: On the Impact of Pointer Analysis Frameworks
Authors:
Jyoti Prakash,
Abhishek Tiwari,
Christian Hammer
Abstract:
Pointer analysis is a foundational analysis leveraged by various static analyses. Therefore, it gathered wide attention in research for decades. Some pointer analysis frameworks are based on succinct declarative specifications. However, these tools are heterogeneous in terms of the underlying intermediate representation (IR), heap abstraction, and programming methodology. This situation complicates a fair comparison of these frameworks and thus hinders further research. Consequently, the literature lacks an evaluation of the strengths and weaknesses of these tools.
In this work, we evaluate two major frameworks for pointer analysis, WALA and Doop, on the DaCapo set of benchmarks. We compare the pointer analyses available in Wala and Doop, and conclude that---even though based on a declarative specification---Doop provides a better pointer analysis than Wala in terms of precision and scalability. We also compare the two IRs used in Doop, i.e., Jimple from the Soot framework and IR from the Wala framework. Our evaluation shows that in the majority of the benchmarks Soot's IR gives a more precise and scalable pointer analysis. Finally, we propose a micro-benchmark PointerBench, for which we manually validate the points-to statistics to evaluate the results of these tools.
Submitted 1 December, 2019;
originally announced December 2019.
-
IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications
Authors:
Abhishek Tiwari,
Sascha Groß,
Christian Hammer
Abstract:
Android apps cooperate through message passing via intents. However, when apps do not have identical sets of privileges, inter-app communication (IAC) can accidentally or maliciously be misused, e.g., to leak sensitive information contrary to users' expectations. Recent research considered static program analysis to detect dangerous data leaks due to inter-component communication (ICC) or IAC, but suffers from shortcomings with respect to precision, soundness, and scalability. To solve these issues we propose a novel approach for static ICC/IAC analysis. We perform a fixed-point iteration of ICC/IAC summary information to precisely resolve intent communication with more than two apps involved. We integrate these results with information flows generated by a baseline (i.e. not considering intents) information flow analysis, and resolve if sensitive data is flowing (transitively) through components/apps in order to be ultimately leaked. Our main contribution is the first fully automatic sound and precise ICC/IAC information flow analysis that is scalable for realistic apps due to modularity, avoiding combinatorial explosion: Our approach determines communicating apps using short summaries rather than inlining intent calls, which often requires simultaneously analyzing all tuples of apps. We evaluated our tool IIFA in terms of scalability, precision, and recall. Using benchmarks we establish that precision and recall of our algorithm are considerably better than prominent state-of-the-art analyses for IAC. But foremost, applied to the 90 most popular applications from the Google Playstore, IIFA demonstrated its scalability to a large corpus of real-world apps. IIFA reports 62 problematic ICC-/IAC-related information flows via two or more apps/components.
Submitted 13 December, 2018;
originally announced December 2018.
-
WebPol: Fine-grained Information Flow Policies for Web Browsers
Authors:
Abhishek Bichhawat,
Vineet Rajani,
Jinank Jain,
Deepak Garg,
Christian Hammer
Abstract:
In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application's own code. This leaves the application's confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing and content security policies) are too coarse to suit this programming model. All these mechanisms (and their extensions) describe whether or not a script can access certain data, whereas the meaningful requirement is to allow untrusted scripts access to confidential data that they need and to prevent the scripts from leaking data on the side. Motivated by this gap, we propose WebPol, a policy mechanism that allows a website developer to include fine-grained policies on confidential application data in the familiar syntax of the JavaScript programming language. The policies can be associated with any webpage element, and specify what aspects of the element can be accessed by which third-party domains. A script can access data that the policy allows it to, but it cannot pass the data (or data derived from it) to other scripts or remote hosts in contravention of the policy. To specify the policies, we expose a small set of new native APIs in JavaScript. Our policies can be enforced using any of the numerous existing proposals for information flow tracking in web browsers. We have integrated our policies into one such proposal that we use to evaluate performance overheads and to test our examples.
Submitted 26 June, 2017; v1 submitted 21 June, 2017;
originally announced June 2017.
-
Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis
Authors:
Abhishek Bichhawat,
Vineet Rajani,
Deepak Garg,
Christian Hammer
Abstract:
Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness.
Submitted 16 June, 2015; v1 submitted 12 June, 2015;
originally announced June 2015.
-
Information Flow Control in WebKit's JavaScript Bytecode
Authors:
Abhishek Bichhawat,
Vineet Rajani,
Deepak Garg,
Christian Hammer
Abstract:
Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari's WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source to bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. We explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of termination-insensitive non-interference, and present experimental results on an optimized prototype.
Submitted 21 January, 2014; v1 submitted 17 January, 2014;
originally announced January 2014.
-
Density of states and supercurrent in diffusive SNS junctions: role of nonideal interfaces and spin-flip scattering
Authors:
J. C. Hammer,
J. C. Cuevas,
F. S. Bergeret,
W. Belzig
Abstract:
We present a theoretical study of the density of states and supercurrent in diffusive superconductor-normal metal-superconductor (SNS) junctions. In particular, we study the influence on these two equilibrium properties of both an arbitrary transparency of the SN interfaces and the presence of spin-flip scattering in the normal wire. We show that the minigap that is present in the spectrum of the diffusive wire is very sensitive to the interface transmission. More importantly, we show that at arbitrary transparency the minigap replaces the Thouless energy as the relevant energy scale for the proximity effect, determining for instance the temperature dependence of the critical current. We also study in detail how the critical current is suppressed by the effect of spin-flip scattering, which can be due to either magnetic impurities or, under certain circumstances, to an external magnetic field. Our analysis based on the quasiclassical theory of diffusive superconductors can be very valuable to establish quantitative comparisons between experiment and theory.
Submitted 18 April, 2007;
originally announced April 2007.