Combining Static Code Analysis and Machine Learning for Automatic Detection of Security Vulnerabilities in Mobile Apps


Marco Pistoia (IBM Corporation, USA), Omer Tripp (IBM T. J. Watson Research Center, USA) and David Lubensky (IBM T. J. Watson Research Center, USA)
Copyright: © 2017 |Pages: 27
DOI: 10.4018/978-1-5225-0945-5.ch004

Abstract

Mobile devices have revolutionized many aspects of our lives. Often without realizing it, we run on them programs that access private information and transmit it over the network. Integrity concerns arise when mobile applications use untrusted data as input to security-sensitive computations. Program-analysis tools for enforcing integrity and confidentiality have therefore become a necessity. Static-analysis tools are particularly attractive because they do not require installing and executing the program and can, in principle, report every vulnerability of the kind they model. Their weakness is a high false-positive rate. Reducing false positives requires a very precise analysis, which in turn demands a more refined model of the application, and that precision conflicts with the analysis' performance and scalability. This chapter proposes Phoenix, a novel solution that combines static analysis with machine learning to identify programs exhibiting suspicious operations. The approach has been applied to a large number of mobile applications, with impressive results.
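The abstract states the integrity problem (untrusted data reaching a security-sensitive computation) and the tension between analysis precision and false positives. The following is an added illustration written for this page, not Phoenix's engine or any code from the chapter: a toy taint analysis over a constructed statement IR, run twice over the same constructed program, once flow-sensitively (assignments kill taint, branches join it) and once flow-insensitively (a variable tainted anywhere is tainted everywhere). The statement forms, the `source`/`sanitize`/`sink` labels and the sample program are all assumptions made up for the example; the cheaper analysis flags one sink that the precise one correctly leaves alone.

```python
"""Toy integrity (taint) analysis over a tiny statement IR.

Constructed example, not Phoenix's analysis engine. Untrusted data enters
through ("source",), a sanitizer yields trusted data, and a tainted variable
reaching a ("sink", ...) is an integrity violation.

Statement forms:
  ("assign", dst, expr)   expr: ("source",) | ("const",) | ("var", name) | ("sanitize", name)
  ("sink", name, label)   label identifies the sink in findings
  ("if", then_block, else_block)   condition is abstract: either branch may run
"""


def eval_taint(expr, tainted):
    """True if evaluating expr yields untrusted data under the given taint set."""
    kind = expr[0]
    if kind == "source":
        return True
    if kind in ("const", "sanitize"):      # constants and sanitizer output are trusted
        return False
    if kind == "var":
        return expr[1] in tainted
    raise ValueError(f"unknown expression kind {kind!r}")


def flow_sensitive(block, tainted=frozenset()):
    """Return (taint set after the block, labels of sinks reached by tainted data).

    Precise in two ways: an assignment of clean data kills taint on the
    destination, and the taint sets of both branches are joined (may-taint).
    """
    findings = []
    for stmt in block:
        op = stmt[0]
        if op == "assign":
            _, dst, expr = stmt
            tainted = tainted | {dst} if eval_taint(expr, tainted) else tainted - {dst}
        elif op == "sink":
            _, name, label = stmt
            if name in tainted:
                findings.append(label)
        elif op == "if":
            _, then_block, else_block = stmt
            t_then, f_then = flow_sensitive(then_block, tainted)
            t_else, f_else = flow_sensitive(else_block, tainted)
            tainted = t_then | t_else          # join: tainted if either path taints
            findings += f_then + f_else
    return tainted, findings


def flatten(block):
    """Yield all non-branch statements, ignoring control flow."""
    for stmt in block:
        if stmt[0] == "if":
            yield from flatten(stmt[1])
            yield from flatten(stmt[2])
        else:
            yield stmt


def flow_insensitive(block):
    """Cheaper analysis: a variable ever assigned tainted data is tainted everywhere."""
    stmts = list(flatten(block))
    tainted = set()
    changed = True
    while changed:                             # fixpoint over all assignments
        changed = False
        for stmt in stmts:
            if stmt[0] == "assign" and stmt[1] not in tainted and eval_taint(stmt[2], tainted):
                tainted.add(stmt[1])
                changed = True
    return sorted(label for op, name, label in stmts if op == "sink" and name in tainted)


# Constructed sample program (hypothetical; think of the source as an Intent extra).
PROGRAM = [
    ("assign", "x", ("source",)),            # x = untrusted input
    ("assign", "y", ("sanitize", "x")),      # y = sanitize(x)
    ("sink", "y", "S1"),                     # safe: sanitized
    ("sink", "x", "S2"),                     # real violation
    ("assign", "x", ("const",)),             # x overwritten with a constant
    ("sink", "x", "S3"),                     # safe, but flagged by the imprecise analysis
    ("if",
        [("assign", "v", ("source",))],
        [("assign", "v", ("const",))]),
    ("sink", "v", "S4"),                     # may be tainted: both analyses report it
]


def false_positives(program=PROGRAM):
    """Sinks the imprecise analysis reports that the precise one does not."""
    return sorted(set(flow_insensitive(program)) - set(flow_sensitive(program)[1]))


if __name__ == "__main__":
    print("flow-sensitive  :", flow_sensitive(PROGRAM)[1])
    print("flow-insensitive:", flow_insensitive(PROGRAM))
    print("false positives :", false_positives())
```

The extra precision here costs only a kill set and a per-branch split; in a real engine the same precision (flow-, context- and path-sensitivity, plus a model of the framework the app runs on) is what drives up analysis time and memory, which is the trade-off the abstract is pointing at.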
Chapter Preview

Static Program Analysis

This section presents the static program analysis component of Phoenix. It first gives an overview of the problem and a motivating example, and then goes into the details of the static-analysis engine, which is modular and supports the analysis of frameworks.
