IT Security - 6. Static Analysis
Software
Software has Defects
Poor Authentication
Old Android Versions
Improper Error Handling
Capability Leakage
Insecure Crypto
Web-based Vulnerabilities
Software can be Malicious
Unauthorized Payments
Remote Control
Ransomware
Clickjacking
Eavesdropping
Blackmailing
Sensitive Data Leakage
Advertisement
Targeted Advertisement
Gender
Parental Status
Age
Income
Browsing Habits
App Usage
Location
Advertisement Libraries
Many apps contain libraries that leak information
Static Analysis
Why?
simple to run in production
no execution environment needed
can be fully automated
No code coverage problem
can inspect internal software state
inspect all cases, all paths, all states
Find Issues during development
common tasks
Data Flow Analysis
Call graph analysis
Typestate analysis
tackles an undecidable problem
Soundness - Precision - Performance
Trade-Offs
Do not load dependencies
improve performance
reduce precision
always over-approximate when unsure
can even be totally sound
precision degrades
always under-approximate when unsure
leads to false negatives
false positives reduced
apply maximum precision reasoning
reduce performance
reduces false positives
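The trade-off above, as an added example that is not part of the lecture notes: a toy taint analysis over a constructed three-address program with two library calls whose bodies are not loaded. The "over" policy treats every unknown call as taint-propagating (sound, but flags the sanitised value), the "under" policy treats it as clean (misses the real flow), and the "precise" policy uses per-function summaries (the hypothetical SUMMARIES table stands in for loading the dependency).

```python
# Toy intra-procedural taint analysis; all names and the program are constructed.
# Statement forms: ("source", dst) ("assign", dst, src) ("call", dst, fn, args) ("sink", var)
PROGRAM = [
    ("source", "a"),                        # a = read_user_input()
    ("assign", "b", "a"),                   # b = a
    ("call", "c", "lib.format", ["b"]),     # c = lib.format(b)    body not loaded
    ("call", "d", "lib.sanitize", ["c"]),   # d = lib.sanitize(c)  body not loaded
    ("assign", "e", "const"),               # e = "literal"
    ("sink", "c"),                          # exec(c)
    ("sink", "d"),                          # exec(d)
    ("sink", "e"),                          # exec(e)
]

# Hypothetical summaries, available only if the dependency is loaded:
# True = callee propagates taint from its arguments, False = callee returns clean data.
SUMMARIES = {"lib.format": True, "lib.sanitize": False}


def analyze(program, policy, summaries=None):
    """Return the sink variables flagged as tainted under the given policy.

    policy: "over"    -> unknown call result tainted if any argument is (sound)
            "under"   -> unknown call result assumed clean (unsound)
            "precise" -> use the callee summary (dependency loaded)
    """
    tainted = set()
    flagged = []
    for stmt in program:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            _, dst, src = stmt
            tainted.add(dst) if src in tainted else tainted.discard(dst)
        elif op == "call":
            _, dst, fn, args = stmt
            arg_tainted = any(a in tainted for a in args)
            if policy == "precise" and summaries is not None and fn in summaries:
                result_tainted = arg_tainted and summaries[fn]
            elif policy == "over":
                result_tainted = arg_tainted       # may produce false positives
            else:
                result_tainted = False             # may produce false negatives
            tainted.add(dst) if result_tainted else tainted.discard(dst)
        elif op == "sink":
            if stmt[1] in tainted:
                flagged.append(stmt[1])
    return flagged
```

With the precise summaries only "c" is flagged; the "over" policy additionally flags the sanitised "d" (false positive), and the "under" policy flags nothing (false negative on "c").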
Soot
can be used for finding security vulnerabilities using static analysis
There is neither a perfect static analyzer nor a perfect dynamic analyzer
Dynamic Analysis
Call Graphs
Different callgraph algorithms have different trade-offs for performance and precision