---
_id: '27045'
abstract:
- lang: eng
  text: 'Due to the lack of established real-world benchmark suites for static taint
    analyses of Android applications, evaluations of these analyses are often restricted
    and hard to compare. Even in evaluations that do use real-world apps, details
    about the ground truth in those apps are rarely documented, which makes it difficult
    to compare and reproduce the results. To push Android taint analysis research
    forward, this paper thus recommends criteria for constructing real-world benchmark
    suites for this specific domain, and presents TaintBench, the first real-world
    malware benchmark suite with documented taint flows. TaintBench benchmark apps
    include taint flows with complex structures, and address static challenges that
    are commonly agreed on by the community. Together with the TaintBench suite, we
    introduce the TaintBench framework, whose goal is to simplify real-world benchmarking
    of Android taint analyses. First, a usability test shows that the framework improves
    experts’ performance and perceived usability when documenting and inspecting taint
    flows. Second, experiments using TaintBench reveal new insights for the taint
    analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world
    malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources
    and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions
    of both tools are less accurate than their predecessors.'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Felix
  full_name: Pauck, Felix
  id: '22398'
  last_name: Pauck
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Manuel
  full_name: Benz, Manuel
  last_name: Benz
- first_name: Ivan
  full_name: Pashchenko, Ivan
  last_name: Pashchenko
- first_name: Martin
  full_name: Mory, Martin
  id: '65667'
  last_name: Mory
  orcid: 0000-0001-5609-0031
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Fabio
  full_name: Massacci, Fabio
  last_name: Massacci
citation:
  ama: 'Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    Published online 2021. doi:<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>'
  apa: 'Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden,
    E., Hermann, B., &#38; Massacci, F. (2021). TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>'
  bibtex: '@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021,
    title={TaintBench: Automatic real-world malware benchmarking of Android taint
    analyses}, DOI={<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>},
    journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix
    and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and
    Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }'
  chicago: 'Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko,
    Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic
    Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software
    Engineering</i>, 2021. <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>.'
  ieee: 'L. Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking
    of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi:
    <a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  mla: 'Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking
    of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a
    href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  short: L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden,
    B. Hermann, F. Massacci, Empirical Software Engineering (2021).
date_created: 2021-11-02T05:13:49Z
date_updated: 2022-01-06T06:57:32Z
ddc:
- '000'
department:
- _id: '77'
- _id: '76'
doi: 10.1007/s10664-021-10013-5
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf
oa: '1'
project:
- _id: '1'
  name: SFB 901
- _id: '3'
  name: SFB 901 - Project Area B
- _id: '12'
  name: SFB 901 - Subproject B4
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
status: public
title: 'TaintBench: Automatic real-world malware benchmarking of Android taint analyses'
type: journal_article
user_id: '15249'
year: '2021'
...
---
_id: '20341'
abstract:
- lang: eng
  text: "When implementing secure software, developers must ensure certain requirements,
    such as the erasure of secret data after its use and execution in real time.
    Such requirements are not explicitly captured by the C language and could potentially
    be violated by compiler optimizations. As a result, developers typically use
    indirect methods to hide their code's semantics from the compiler and avoid
    unwanted optimizations. However, such workarounds are not permanent solutions,
    as increasingly efficient compiler optimization causes code that was considered
    secure in the past to now be vulnerable. This paper is a literature review of (1)
    the security complications caused by compiler optimizations, (2) approaches
    used by developers to mitigate optimization problems, and (3) recent academic
    efforts towards enabling security engineers to communicate implicit security
    requirements to the compiler. In addition, we present a short study of six
    cryptographic libraries and how they approach the issue of ensuring security
    requirements. With this paper, we highlight the need for software developers
    and compiler designers to work together in order to design efficient systems
    for writing secure software."
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: A. Bhat
  full_name: Handadi, A. Bhat
  last_name: Handadi
- first_name: Martin
  full_name: Mory, Martin
  id: '65667'
  last_name: Mory
  orcid: 0000-0001-5609-0031
citation:
  ama: Shivarpatna Venkatesh AP, Handadi AB, Mory M. Security Implications Of Compiler
    Optimizations On Cryptography -- A Review. <i>arXiv:190702530</i>. 2019.
  apa: Shivarpatna Venkatesh, A. P., Handadi, A. B., &#38; Mory, M. (2019). Security
    Implications Of Compiler Optimizations On Cryptography -- A Review. <i>ArXiv:1907.02530</i>.
  bibtex: '@article{Shivarpatna Venkatesh_Handadi_Mory_2019, title={Security Implications
    Of Compiler Optimizations On Cryptography -- A Review}, journal={arXiv:1907.02530},
    author={Shivarpatna Venkatesh, Ashwin Prasad and Handadi, A. Bhat and Mory, Martin},
    year={2019} }'
  chicago: Shivarpatna Venkatesh, Ashwin Prasad, A. Bhat Handadi, and Martin Mory.
    “Security Implications Of Compiler Optimizations On Cryptography -- A Review.”
    <i>ArXiv:1907.02530</i>, 2019.
  ieee: A. P. Shivarpatna Venkatesh, A. B. Handadi, and M. Mory, “Security Implications
    Of Compiler Optimizations On Cryptography -- A Review,” <i>arXiv:1907.02530</i>.
    2019.
  mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Security Implications Of Compiler
    Optimizations On Cryptography -- A Review.” <i>ArXiv:1907.02530</i>, 2019.
  short: A.P. Shivarpatna Venkatesh, A.B. Handadi, M. Mory, ArXiv:1907.02530 (2019).
date_created: 2020-11-11T17:46:16Z
date_updated: 2022-01-06T06:54:26Z
ddc:
- '000'
file:
- access_level: closed
  content_type: application/pdf
  creator: ashwin
  date_created: 2021-02-17T11:39:14Z
  date_updated: 2021-02-17T11:39:14Z
  file_id: '21255'
  file_name: 1907.02530.pdf
  file_size: 663876
  relation: main_file
  success: 1
file_date_updated: 2021-02-17T11:39:14Z
has_accepted_license: '1'
language:
- iso: eng
publication: arXiv:1907.02530
status: public
title: Security Implications Of Compiler Optimizations On Cryptography -- A Review
type: preprint
user_id: '66637'
year: '2019'
...
