學術產出-學位論文
文章檢視/開啟
書目匯出
-
題名 使用字串分析揭露iOS執行檔之動態載入類別
Uncovering dynamically loaded classes of iOS executables with static string analysis作者 林君翰
Lin, Jun Han貢獻者 郁方
林君翰
Lin, Jun Han關鍵詞 字串分析
行動應用程式
動態載入類別
String analysis
Mobile App
Dynamically loaded classes日期 2017 上傳時間 31-七月-2017 10:59:10 (UTC+8) 摘要 當今已有數以百萬計的行動應用程序在 Apple 的 App Store 中發布,並在iOS設備下載量超過150億次。為了保護iOS用戶免於惡意應用程式的傷害,Apple 對於上架之App 有相對嚴格的審查政策。通過審查的App才能在App Store中發布。在本文中,我們提出基於iOS可執行檔的靜態字串分析技術用於檢驗App可能動態載入之類別 。為了檢查動態載入之類別是否符合Apple之規範,必須要能確定動態加載函數之可能字串參數值 。我們方法的第一步是使用現有工具擷取 iOS可執行檔的組合語言。然後自組合語言中建立整個程式的控制流程圖(CFGs) 。接著,在控制流程圖上識別動態加載類別的函數,並且對於該函數的每個參數,我們構造一個字串相依圖,用以顯示流向字串參數值的所有構成成分以及構成方式 。最後,我們對這些可能流向參數的字串進行字串分析,以確定這些參數值所有的可能值集合。透過把這些可能值與特徵值(從Apple 審查政策建構而來,例如私有/敏感性API),我們能夠檢測到App潛在違背Apple政策之情形。我們分析了1300多種目前上架於App Store的App,並檢查他們是否違反蘋果關於使用私有API的政策以及廣告識別碼(IDFA)政策。我們的工具提取了超過37000這些App的字符相依圖,分析結果顯示208個App透過字串操作構組合出對應的API名稱並且有潛在的IDFA違規濫用之可能。我們的分析還發現了372個可以使用字串構建私有類名稱的應用程序和236個可以使用路徑字符串加載私有框架的App,這些App可能違反Apple 禁止使用私有API使用政策。
Millions of mobile apps have been published in Apple`s AppStore with more than 15 billion downloads by iOS devices. In order to protect iOS users from malicious apps, Apple has strict policies which are used to eliminate apps before they can be published in the AppStore. In this paper we present a string analysis technique for iOS executables for statically checking policies that are related to dynamically loaded classes. In order to check that an app conforms to such a policy, it is necessary to determine the possible string values for the class name parameters of the functions that dynamically load classes. The first step of our approach is to construct the assembly for iOS executables using existing tools. We then extract flow information from the assembly code and construct control flow graphs (CFGs) of functions. We identify functions that dynamically load classes, and for each parameter that corresponds to a dynamically loaded class, we construct a dependency graph that shows the set of values that flow to that parameter. Finally, we conduct string analysis on these dependency graphs to determine all potential string values that these parameters can take, which identifies the set of dynamically loaded classes. Taking the intersection of these values with patterns that characterize Apple`s app policies (such as private/sensitive APIs), we are able to detect potential policy violations. We analyzed more than 1300 popular apps from Apple`s AppStore and checked them against Apple`s policy about the use of private APIs and the identifier for Advertising (IDFA). Our tool extracted more than 37000 string dependency graphs from these applications and our analysis reported 208 apps that compose the corresponding API with strings and have potential IDFA violations. Our analysis also found 372 apps that could have compose the private class name with string and 236 apps that could have load the private framework with path string; and could violate the private API usage policy.參考文獻 [1] “Number of apps available in leading app stores as of july 2015,” http://www.statista. com/statistics/276623/number-of-apps-available-in-leading-app-stores, (Visited on 01/04/2016).[2] “G data mobile malware report threat report: Q3/2015,” https:// public.gdatasoftware.com/Presse/Publikationen/Malware Reports/G DATA MobileMWR Q3 2015 EN.pdf, (Visited on 01/04/2016).[3] “Mcafee labs threats report november 2015,” http://www.mcafee.com/us/resources/ reports/rp-quarterly-threats-nov-2015.pdf, (Visited on 01/04/2016).[4] “Path,” https://itunes.apple.com/us/app/path/id403639508?mt=8, (Visited on 01/04/2016).[5] “Path app under fire for unauthorized address book upload,” http://appleinsider. com/articles/12/02/07/path app under fire for unauthorized address book upload. html, (Visited on 01/04/2016).[6] “Mobilead2013,” http://www.emarketer.com/Article/ Driven-by-Facebook-Google-Mobile-Ad-Market-Soars-10537-2013/1010690, (Vis- ited on 01/04/2016).[7] “Gartner says mobile advertising spending will reach $18 billion in 2014,” http:// www.gartner.com/newsroom/id/2653121, (Visited on 01/04/2016).[8] J. Gui, S. Mcilroy, M. Nagappan, and W. G. J. Halfond, “Truth in advertising: The hidden cost of mobile ads for software developers,” in 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1, 2015, pp. 100–110.[9] Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu, “iris: Vetting private api abuse in ios applications,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 44–56.[10] F. Yu, Y.-C. Lee, S. Tai, and W.-S. Tang, “Appbeach: Characterizing app behaviors via static binary analysis,” in Proceedings of the 2013 IEEE Second International Conference on Mobile Services. IEEE Computer Society, 2013, p. 86.[11] Z. R. Fang, S. W. Huang, and F. Yu, “Appreco: Behavior-aware recommendation for ios mobile applications,” in 2016 IEEE International Conference on Web Services (ICWS), June 2016, pp. 492–499.[12] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth, “Taintdroid: an information-flow tracking system for real- time privacy monitoring on smartphones,” ACM Transactions on Computer Systems (TOCS), vol. 32, no. 2, p. 5, 2014.[13] J. Huang, X. Zhang, L. Tan, P. Wang, and B. Liang, “Asdroid: detecting stealthy behaviors in android applications by user interface and program behavior contradic- tion,” in 36th International Conference on Software Engineering, Hyderabad, India - May 31 - June 07, 2014, 2014, pp. 1036–1046.[14] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. L. Traon, D. Octeau, and P. McDaniel, “Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps,” in ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’14, Edinburgh, United Kingdom - June 09 - 11, 2014, 2014, p. 29.[15] L. Li, T. F. Bissyand ́e, D. Octeau, and J. Klein, “Droidra: taming reflection to support whole-program analysis of android apps,” in Proceedings of the 25th Inter- national Symposium on Software Testing and Analysis. ACM, 2016, pp. 318–329.[16] P. d. B. SILVA FILHO, “Static analysis of implicit control flow: resolving java re- flection and android intents,” 2016.[17] DroidBench, “Droidbench benchmarks,” https://github.com/ secure-software-engineering/DroidBench.[18] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, ser. SPSM ’11, 2011, pp. 3–14.[19] C. Mann and A. Starostin, “A framework for static detection of privacy leaks in android applications,” in Proceedings of the 27th Annual ACM Symposium on Applied Computing. ACM, 2012, pp. 1457–1462.[20] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, “Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets,” in Proceedings of the 19th Annual Network & Distributed System Security Symposium, ser. NDSS’12, 2012.[21] D. Babi ́c, D. Reynaud, and D. Song, “Malware analysis with tree automata in- ference,” in Proceedings of the 23rd International Conference on Computer Aided Verification, ser. CAV’11, 2011, pp. 116–131.[22] M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “Pios: Detecting privacy leaks in ios applications.” in NDSS, 2011, pp. 177–183.[23] N. Nethercote and J. Seward, “Valgrind: a framework for heavyweight dynamic binary instrumentation,” in ACM Sigplan notices, vol. 42, no. 6. ACM, 2007, pp. 89–100.[24] T. Bao, J. Burket, M. Woo, R. Turner, and D. Brumley, “Byteweight: Learning to recognize functions in binary code,” in Proceedings of the 23rd USENIX Conference on Security Symposium, ser. SEC’14. USENIX Association, 2014, pp. 845–860.[25] X. Meng and B. P. Miller, “Binary code is not easy,” in Proceedings of the 25th International Symposium on Software Testing and Analysis, ser. ISSTA 2016. ACM, 2016, pp. 24–35.[26] T. Reinbacher and J. Brauer, “Precise control flow reconstruction using boolean logic,” in Proceedings of the Ninth ACM International Conference on Embedded Soft- ware, ser. EMSOFT ’11. ACM, 2011, pp. 117–126.[27] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “BAP: A binary analysis platform,” in Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 2011, pp. 463–469.[28] Hex-Rays, “IDAPro,” https://www.hex-rays.com/products/ida.[29] Dynist, “Dynist: Tools for binary instrumentation, analysis, and modification,” https://github.com/dyninst.[30] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “Bitblaze: A new approach to computer security via binary analysis,” in Proceedings of the 4th International Conference on Informa- tion Systems Security, ser. ICISS ’08, 2008, pp. 1–25.[31] A. S. Christensen, A. Møller, and M. I. Schwartzbach, “Precise analysis of string expressions,” in Proc. 10th International Static Analysis Symposium (SAS), ser. LNCS, vol. 2694. Springer-Verlag, June 2003, pp. 1–18, available from http://www.brics.dk/JSA/.[32] C. Gould, Z. Su, and P. Devanbu, “Static checking of dynamically generated queries in database applications,” in Software Engineering, 2004. ICSE 2004. Proceedings. 26th International Conference on. IEEE, 2004, pp. 645–654.[33] Y. Minamide, “Static approximation of dynamically generated web pages,” in Pro- ceedings of the 14th international conference on World Wide Web. ACM, 2005, pp. 432–441.[34] G. Wassermann and Z. Su, “Sound and precise analysis of web applications for in- jection vulnerabilities,” in ACM Sigplan Notices, vol. 42, no. 6. ACM, 2007, pp. 32–41.[35] ——, “Static detection of cross-site scripting vulnerabilities,” in Proceedings of the 30th International Conference on Software Engineering, ser. ICSE ’08. New York, NY, USA: ACM, 2008, pp. 171–180. [Online]. Available: http://doi.acm.org/10.1145/1368088.1368112[36] P. A. Abdulla, M. F. Atig, Y.-F. Chen, L. Hol ́ık, A. Rezine, P. Ru ̈mmer, and J. Sten- man, “String constraints for verification,” in International Conference on Computer Aided Verification. Springer, 2014, pp. 150–166.[37] T. Liang, A. Reynolds, C. Tinelli, C. Barrett, and M. Deters, “A dpll (t) theory solver for a theory of strings and regular expressions,” in International Conference on Computer Aided Verification. Springer, 2014, pp. 646–662.[38] Y. Zheng, X. Zhang, and V. Ganesh, “Z3-str: A z3-based string solver for web application analysis,” in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. ACM, 2013, pp. 114–124.[39] A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst, “Hampi: a solver for string constraints,” in Proceedings of the eighteenth international symposium on Software testing and analysis. ACM, 2009, pp. 105–116.[40] G. Li and I. Ghosh, “Pass: String solving with parameterized array and interval automaton,” in Haifa Verification Conference. Springer, 2013, pp. 15–31.[41] F. Yu, M. Alkhalaf, T. Bultan, and O. H. Ibarra, “Automata-based symbolic string analysis for vulnerability detection,” Formal Methods in System Design, vol. 44, no. 1, pp. 44–70, 2014.[42] F. Yu, T. Bultan, and O. H. Ibarra, “Relational string verification using multi- track automata,” in International Conference on Implementation and Application of Automata. Springer, 2010, pp. 290–299.[43] F. Yu, M. Alkhalaf, and T. Bultan, “Stranger: An automata-based string analysis tool for php,” in International Conference on Tools and Algorithms for the Construc- tion and Analysis of Systems. Springer, 2010, pp. 154–157.[44] H.-E. Wang, T.-L. Tsai, C.-H. Lin, F. Yu, and J.-H. R. Jiang, String Analysis via Automata Manipulation with Logic Circuit Representation. Cham: Springer International Publishing, 2016, pp. 241–260. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-41528-4 13[45] F. Yu, M. Alkhalaf, and T. Bultan, “Patching vulnerabilities with sanitization synthesis,” in Proceedings of the 33rd International Conference on Software Engineering, ser. ICSE ’11. New York, NY, USA: ACM, 2011, pp. 251–260. [Online]. Available: http://doi.acm.org/10.1145/1985793.1985828[46] F. Yu, C.-Y. Shueh, C.-H. Lin, Y.-F. Chen, B.-Y. Wang, and T. Bultan, “Optimal sanitization synthesis for web application vulnerability repair,” in Proceedings of the 25th International Symposium on Software Testing and Analysis, ser. ISSTA 2016. New York, NY, USA: ACM, 2016, pp. 189–200. [Online]. Available: http://doi.acm.org/10.1145/2931037.2931050[47] “Ida: About - hex-rays,” http://www.hex-rays.com/products/ida, (Visited on 01/04/2016).[48] F. Yu, C.-Y. Shueh, C.-H. Lin, Y.-F. Chen, B.-Y. Wang, and T. Bultan, “Optimal sanitization synthesis for web application vulnerability repair,” in Proceedings of the 25th International Symposium on Software Testing and Analysis. ACM, 2016, pp. 189–200. 描述 碩士
國立政治大學
資訊管理學系
104356016資料來源 http://thesis.lib.nccu.edu.tw/record/#G0104356016 資料類型 thesis dc.contributor.advisor 郁方 zh_TW dc.contributor.author (作者) 林君翰 zh_TW dc.contributor.author (作者) Lin, Jun Han en_US dc.creator (作者) 林君翰 zh_TW dc.creator (作者) Lin, Jun Han en_US dc.date (日期) 2017 en_US dc.date.accessioned 31-七月-2017 10:59:10 (UTC+8) - dc.date.available 31-七月-2017 10:59:10 (UTC+8) - dc.date.issued (上傳時間) 31-七月-2017 10:59:10 (UTC+8) - dc.identifier (其他 識別碼) G0104356016 en_US dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/111455 - dc.description (描述) 碩士 zh_TW dc.description (描述) 國立政治大學 zh_TW dc.description (描述) 資訊管理學系 zh_TW dc.description (描述) 104356016 zh_TW dc.description.abstract (摘要) 當今已有數以百萬計的行動應用程序在 Apple 的 App Store 中發布,並在iOS設備下載量超過150億次。為了保護iOS用戶免於惡意應用程式的傷害,Apple 對於上架之App 有相對嚴格的審查政策。通過審查的App才能在App Store中發布。在本文中,我們提出基於iOS可執行檔的靜態字串分析技術用於檢驗App可能動態載入之類別 。為了檢查動態載入之類別是否符合Apple之規範,必須要能確定動態加載函數之可能字串參數值 。我們方法的第一步是使用現有工具擷取 iOS可執行檔的組合語言。然後自組合語言中建立整個程式的控制流程圖(CFGs) 。接著,在控制流程圖上識別動態加載類別的函數,並且對於該函數的每個參數,我們構造一個字串相依圖,用以顯示流向字串參數值的所有構成成分以及構成方式 。最後,我們對這些可能流向參數的字串進行字串分析,以確定這些參數值所有的可能值集合。透過把這些可能值與特徵值(從Apple 審查政策建構而來,例如私有/敏感性API),我們能夠檢測到App潛在違背Apple政策之情形。我們分析了1300多種目前上架於App Store的App,並檢查他們是否違反蘋果關於使用私有API的政策以及廣告識別碼(IDFA)政策。我們的工具提取了超過37000這些App的字符相依圖,分析結果顯示208個App透過字串操作構組合出對應的API名稱並且有潛在的IDFA違規濫用之可能。我們的分析還發現了372個可以使用字串構建私有類名稱的應用程序和236個可以使用路徑字符串加載私有框架的App,這些App可能違反Apple 禁止使用私有API使用政策。 zh_TW dc.description.abstract (摘要) Millions of mobile apps have been published in Apple`s AppStore with more than 15 billion downloads by iOS devices. In order to protect iOS users from malicious apps, Apple has strict policies which are used to eliminate apps before they can be published in the AppStore. In this paper we present a string analysis technique for iOS executables for statically checking policies that are related to dynamically loaded classes. In order to check that an app conforms to such a policy, it is necessary to determine the possible string values for the class name parameters of the functions that dynamically load classes. The first step of our approach is to construct the assembly for iOS executables using existing tools. We then extract flow information from the assembly code and construct control flow graphs (CFGs) of functions. We identify functions that dynamically load classes, and for each parameter that corresponds to a dynamically loaded class, we construct a dependency graph that shows the set of values that flow to that parameter. Finally, we conduct string analysis on these dependency graphs to determine all potential string values that these parameters can take, which identifies the set of dynamically loaded classes. Taking the intersection of these values with patterns that characterize Apple`s app policies (such as private/sensitive APIs), we are able to detect potential policy violations. We analyzed more than 1300 popular apps from Apple`s AppStore and checked them against Apple`s policy about the use of private APIs and the identifier for Advertising (IDFA). Our tool extracted more than 37000 string dependency graphs from these applications and our analysis reported 208 apps that compose the corresponding API with strings and have potential IDFA violations. Our analysis also found 372 apps that could have compose the private class name with string and 236 apps that could have load the private framework with path string; and could violate the private API usage policy. en_US dc.description.tableofcontents 1 Introduction 12 Related work 63 Overview 113.1 A Quick Example 12 3.1.1 Construct dependency graph from assembly 133.1.2 Forward analysis on dependency graph 174 Flow analysis 184.1 Segment Information Extraction 194.1.1 __text Segment 22 4.1.2 Stub Segments 23 4.1.3 __cstring & __CFString Segment 24 4.1.4 __lazysymbol & __nlsymbolptr Segment 24 4.1.5 __objcSegment 254.1.6 __objcconst & __data Segment 284.1.7 Import Segment 324.2 Control flow graph construction 325 String analysis on classes loaded from strings 385.1 String dependency graph constructions 395.1.1 Dependency Graph construction algorithm 405.2 String analysis and property checking 496 Evaluation 516.1 Implementation 51 6.2 Apps and their string dependency graphs 52 6.3 Unknown nodes in string dependency graph 53 6.4 Property checking 567 Conclusion 57 zh_TW dc.format.extent 1713508 bytes - dc.format.mimetype application/pdf - dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0104356016 en_US dc.subject (關鍵詞) 字串分析 zh_TW dc.subject (關鍵詞) 行動應用程式 zh_TW dc.subject (關鍵詞) 動態載入類別 zh_TW dc.subject (關鍵詞) String analysis en_US dc.subject (關鍵詞) Mobile App en_US dc.subject (關鍵詞) Dynamically loaded classes en_US dc.title (題名) 使用字串分析揭露iOS執行檔之動態載入類別 zh_TW dc.title (題名) Uncovering dynamically loaded classes of iOS executables with static string analysis en_US dc.type (資料類型) thesis en_US dc.relation.reference (參考文獻) [1] “Number of apps available in leading app stores as of july 2015,” http://www.statista. com/statistics/276623/number-of-apps-available-in-leading-app-stores, (Visited on 01/04/2016).[2] “G data mobile malware report threat report: Q3/2015,” https:// public.gdatasoftware.com/Presse/Publikationen/Malware Reports/G DATA MobileMWR Q3 2015 EN.pdf, (Visited on 01/04/2016).[3] “Mcafee labs threats report november 2015,” http://www.mcafee.com/us/resources/ reports/rp-quarterly-threats-nov-2015.pdf, (Visited on 01/04/2016).[4] “Path,” https://itunes.apple.com/us/app/path/id403639508?mt=8, (Visited on 01/04/2016).[5] “Path app under fire for unauthorized address book upload,” http://appleinsider. com/articles/12/02/07/path app under fire for unauthorized address book upload. html, (Visited on 01/04/2016).[6] “Mobilead2013,” http://www.emarketer.com/Article/ Driven-by-Facebook-Google-Mobile-Ad-Market-Soars-10537-2013/1010690, (Vis- ited on 01/04/2016).[7] “Gartner says mobile advertising spending will reach $18 billion in 2014,” http:// www.gartner.com/newsroom/id/2653121, (Visited on 01/04/2016).[8] J. Gui, S. Mcilroy, M. Nagappan, and W. G. J. Halfond, “Truth in advertising: The hidden cost of mobile ads for software developers,” in 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1, 2015, pp. 100–110.[9] Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu, “iris: Vetting private api abuse in ios applications,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 44–56.[10] F. Yu, Y.-C. Lee, S. Tai, and W.-S. Tang, “Appbeach: Characterizing app behaviors via static binary analysis,” in Proceedings of the 2013 IEEE Second International Conference on Mobile Services. IEEE Computer Society, 2013, p. 86.[11] Z. R. Fang, S. W. Huang, and F. Yu, “Appreco: Behavior-aware recommendation for ios mobile applications,” in 2016 IEEE International Conference on Web Services (ICWS), June 2016, pp. 492–499.[12] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth, “Taintdroid: an information-flow tracking system for real- time privacy monitoring on smartphones,” ACM Transactions on Computer Systems (TOCS), vol. 32, no. 2, p. 5, 2014.[13] J. Huang, X. Zhang, L. Tan, P. Wang, and B. Liang, “Asdroid: detecting stealthy behaviors in android applications by user interface and program behavior contradic- tion,” in 36th International Conference on Software Engineering, Hyderabad, India - May 31 - June 07, 2014, 2014, pp. 1036–1046.[14] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. L. Traon, D. Octeau, and P. McDaniel, “Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps,” in ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’14, Edinburgh, United Kingdom - June 09 - 11, 2014, 2014, p. 29.[15] L. Li, T. F. Bissyand ́e, D. Octeau, and J. Klein, “Droidra: taming reflection to support whole-program analysis of android apps,” in Proceedings of the 25th Inter- national Symposium on Software Testing and Analysis. ACM, 2016, pp. 318–329.[16] P. d. B. SILVA FILHO, “Static analysis of implicit control flow: resolving java re- flection and android intents,” 2016.[17] DroidBench, “Droidbench benchmarks,” https://github.com/ secure-software-engineering/DroidBench.[18] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, ser. SPSM ’11, 2011, pp. 3–14.[19] C. Mann and A. Starostin, “A framework for static detection of privacy leaks in android applications,” in Proceedings of the 27th Annual ACM Symposium on Applied Computing. ACM, 2012, pp. 1457–1462.[20] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, “Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets,” in Proceedings of the 19th Annual Network & Distributed System Security Symposium, ser. NDSS’12, 2012.[21] D. Babi ́c, D. Reynaud, and D. Song, “Malware analysis with tree automata in- ference,” in Proceedings of the 23rd International Conference on Computer Aided Verification, ser. CAV’11, 2011, pp. 116–131.[22] M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “Pios: Detecting privacy leaks in ios applications.” in NDSS, 2011, pp. 177–183.[23] N. Nethercote and J. Seward, “Valgrind: a framework for heavyweight dynamic binary instrumentation,” in ACM Sigplan notices, vol. 42, no. 6. ACM, 2007, pp. 89–100.[24] T. Bao, J. Burket, M. Woo, R. Turner, and D. Brumley, “Byteweight: Learning to recognize functions in binary code,” in Proceedings of the 23rd USENIX Conference on Security Symposium, ser. SEC’14. USENIX Association, 2014, pp. 845–860.[25] X. Meng and B. P. Miller, “Binary code is not easy,” in Proceedings of the 25th International Symposium on Software Testing and Analysis, ser. ISSTA 2016. ACM, 2016, pp. 24–35.[26] T. Reinbacher and J. Brauer, “Precise control flow reconstruction using boolean logic,” in Proceedings of the Ninth ACM International Conference on Embedded Soft- ware, ser. EMSOFT ’11. ACM, 2011, pp. 117–126.[27] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “BAP: A binary analysis platform,” in Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 2011, pp. 463–469.[28] Hex-Rays, “IDAPro,” https://www.hex-rays.com/products/ida.[29] Dynist, “Dynist: Tools for binary instrumentation, analysis, and modification,” https://github.com/dyninst.[30] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “Bitblaze: A new approach to computer security via binary analysis,” in Proceedings of the 4th International Conference on Informa- tion Systems Security, ser. ICISS ’08, 2008, pp. 1–25.[31] A. S. Christensen, A. Møller, and M. I. Schwartzbach, “Precise analysis of string expressions,” in Proc. 10th International Static Analysis Symposium (SAS), ser. LNCS, vol. 2694. Springer-Verlag, June 2003, pp. 1–18, available from http://www.brics.dk/JSA/.[32] C. Gould, Z. Su, and P. Devanbu, “Static checking of dynamically generated queries in database applications,” in Software Engineering, 2004. ICSE 2004. Proceedings. 26th International Conference on. IEEE, 2004, pp. 645–654.[33] Y. Minamide, “Static approximation of dynamically generated web pages,” in Pro- ceedings of the 14th international conference on World Wide Web. ACM, 2005, pp. 432–441.[34] G. Wassermann and Z. Su, “Sound and precise analysis of web applications for in- jection vulnerabilities,” in ACM Sigplan Notices, vol. 42, no. 6. ACM, 2007, pp. 32–41.[35] ——, “Static detection of cross-site scripting vulnerabilities,” in Proceedings of the 30th International Conference on Software Engineering, ser. ICSE ’08. New York, NY, USA: ACM, 2008, pp. 171–180. [Online]. Available: http://doi.acm.org/10.1145/1368088.1368112[36] P. A. Abdulla, M. F. Atig, Y.-F. Chen, L. Hol ́ık, A. Rezine, P. Ru ̈mmer, and J. Sten- man, “String constraints for verification,” in International Conference on Computer Aided Verification. Springer, 2014, pp. 150–166.[37] T. Liang, A. Reynolds, C. Tinelli, C. Barrett, and M. Deters, “A dpll (t) theory solver for a theory of strings and regular expressions,” in International Conference on Computer Aided Verification. Springer, 2014, pp. 646–662.[38] Y. Zheng, X. Zhang, and V. Ganesh, “Z3-str: A z3-based string solver for web application analysis,” in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. ACM, 2013, pp. 114–124.[39] A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst, “Hampi: a solver for string constraints,” in Proceedings of the eighteenth international symposium on Software testing and analysis. ACM, 2009, pp. 105–116.[40] G. Li and I. Ghosh, “Pass: String solving with parameterized array and interval automaton,” in Haifa Verification Conference. Springer, 2013, pp. 15–31.[41] F. Yu, M. Alkhalaf, T. Bultan, and O. H. Ibarra, “Automata-based symbolic string analysis for vulnerability detection,” Formal Methods in System Design, vol. 44, no. 1, pp. 44–70, 2014.[42] F. Yu, T. Bultan, and O. H. Ibarra, “Relational string verification using multi- track automata,” in International Conference on Implementation and Application of Automata. Springer, 2010, pp. 290–299.[43] F. Yu, M. Alkhalaf, and T. Bultan, “Stranger: An automata-based string analysis tool for php,” in International Conference on Tools and Algorithms for the Construc- tion and Analysis of Systems. Springer, 2010, pp. 154–157.[44] H.-E. Wang, T.-L. Tsai, C.-H. Lin, F. Yu, and J.-H. R. Jiang, String Analysis via Automata Manipulation with Logic Circuit Representation. Cham: Springer International Publishing, 2016, pp. 241–260. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-41528-4 13[45] F. Yu, M. Alkhalaf, and T. Bultan, “Patching vulnerabilities with sanitization synthesis,” in Proceedings of the 33rd International Conference on Software Engineering, ser. ICSE ’11. New York, NY, USA: ACM, 2011, pp. 251–260. [Online]. Available: http://doi.acm.org/10.1145/1985793.1985828[46] F. Yu, C.-Y. Shueh, C.-H. Lin, Y.-F. Chen, B.-Y. Wang, and T. Bultan, “Optimal sanitization synthesis for web application vulnerability repair,” in Proceedings of the 25th International Symposium on Software Testing and Analysis, ser. ISSTA 2016. New York, NY, USA: ACM, 2016, pp. 189–200. [Online]. Available: http://doi.acm.org/10.1145/2931037.2931050[47] “Ida: About - hex-rays,” http://www.hex-rays.com/products/ida, (Visited on 01/04/2016).[48] F. Yu, C.-Y. Shueh, C.-H. Lin, Y.-F. Chen, B.-Y. Wang, and T. Bultan, “Optimal sanitization synthesis for web application vulnerability repair,” in Proceedings of the 25th International Symposium on Software Testing and Analysis. ACM, 2016, pp. 189–200. zh_TW