Specification mining and automated testing of mobile applications
- Static analysis represents a powerful set of techniques for understanding the behavior and security properties of software. However, pure static analysis of large and complex applications is challenging, due both to the scalability limitations of precise analyses and to the likely presence of dynamic language features such as reflection. We thus propose to combine it with complementary dynamic analysis, which obtains information from actually running the program. A major issue in dynamic analysis is directing the execution of the program towards all behaviors of interest. One way to do this is by obtaining or generating a comprehensive set of program tests or input samples that can drive the dynamic analysis. In this dissertation we examine these issues in the context of application (or "app") frameworks for mobile phones. We examine three distinct research problems.

First, many precise whole-program static analysis techniques run into scalability, precision or soundness limitations when required to analyze the code of the platform itself, due to the large size of the platform's code and the dynamic features usually present in this type of code. The standard solution is to construct manual models of the platform behavior. We show that we can instead mine explicit information flow specifications from concrete executions. Specification mining performs inference from concrete execution data to produce models or specifications of the behavior of code that is outside the scope of our static analysis. In particular, we use a dynamic analysis technique derived from dynamic taint tracking, which "lifts" the observed taint flows so that they refer only to the arguments and return value of each platform method. These specifications are then consumed by a static analysis system for malware detection, replacing the existing manual models. Our technique is able to recover 96.36% of the manual specifications for the static analysis system, which were written over a period of 2 years. It also discovers many more correct annotations that our manual models missed, leading to new end-to-end information flow behaviors being detected by the original static analysis. Although our technique can give rise to false positives, in practice it does so at a slightly lower rate than the rate of manual errors in our hand-written models (99.63% vs 99.55% precision). This specification mining technique relies on an existing comprehensive test suite to obtain enough example executions to produce correct specifications. In many other cases of interest, however, the requisite level of test coverage is usually unavailable. This leads us to propose the following two black-box methods for automated app exploration and testing, which we hope will drive future dynamic analysis techniques.

Second, we present a novel approach for minimizing traces generated by random or recorded UI interactions. This approach is a variant of the classic delta-debugging technique, extended to handle application non-determinism. Experimentally, we show that our technique can minimize large GUI event traces reaching particular views of mobile applications, producing traces that are, on average, less than 2% the size of the original traces.

Third, we automate the exploration of mobile applications through an agent that relies exclusively on being able to take screenshots of the application under test and send input events in response, with no need for static analysis or instrumentation. This agent partitions the screen into a grid and keeps track of specific image patches at particular locations in this grid which cause the application to react when acted upon. An image patch is identified simply by the exact values of every pixel within the small grid square representing the patch location (we use hashing as an optimization). Visual changes to the screen are used as a proxy for application activity. Our tool outperforms random GUI testing in method coverage while being robust to a large set of conditions that can easily become limitations for more complex tools.

Our techniques are implemented and evaluated in the popular Android mobile OS. This environment presents significant challenges for static analysis, because Android applications are implemented as sets of components embedded into a coordinating runtime and a massive standard API. It also presents an interesting environment for automated testing techniques, due to the large variety of UI toolkits in active use and the prevalence of application non-determinism.
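The trace-minimization approach described in the abstract is a delta-debugging variant that must cope with a non-deterministic app. The following is an added example, not code from the dissertation: it runs the classic ddmin algorithm (Zeller's complement-based formulation) over a list of GUI events and, as an assumed way of handling non-determinism, accepts a shorter candidate trace only after several consecutive executions all reach the target view. The simulated app, its spurious-success schedule, the event names and the target path are all constructed for the example.

```python
"""Minimizing a recorded GUI event trace with delta debugging (ddmin).

Added illustration, not the dissertation's tool.  The app under test is a
constructed stand-in whose "reached the target view?" check is occasionally
wrong, which is the kind of non-determinism a real minimizer has to survive.
"""
from typing import Callable, List

Event = str
Trace = List[Event]

# Constructed ground truth: the "advanced settings" view is reached only when
# these three taps occur in this order; every other event is noise.
REQUIRED_PATH: Trace = ["tap(menu)", "tap(settings)", "tap(advanced)"]

# Constructed recording of a random/recorded UI session (12 events).
RECORDED: Trace = [
    "swipe_down", "tap(menu)", "tap(search)", "type(wifi)", "back",
    "tap(menu)", "tap(settings)", "swipe_up", "tap(about)", "back",
    "tap(advanced)", "tap(close)",
]


def truly_reaches_target(trace: Trace) -> bool:
    """Ground truth: REQUIRED_PATH occurs as a subsequence of `trace`."""
    it = iter(trace)
    return all(any(ev == want for ev in it) for want in REQUIRED_PATH)


class FlakyApp:
    """Constructed app stand-in.  Every `spurious_every`-th execution reports
    the target view as reached even when the trace never gets there (think of
    a timing-dependent overlay fooling the view detector).  The schedule is
    deterministic so the example is reproducible."""

    def __init__(self, spurious_every: int = 7) -> None:
        self.runs = 0
        self.spurious_every = spurious_every

    def run(self, trace: Trace) -> bool:
        self.runs += 1
        if self.runs % self.spurious_every == 0:
            return True
        return truly_reaches_target(trace)


def ddmin(trace: Trace, oracle: Callable[[Trace], bool],
          confirm_runs: int = 3) -> Trace:
    """Return a 1-minimal subsequence of `trace` for which the oracle holds.

    Non-determinism handling (an assumption of this example): a candidate is
    accepted only if `confirm_runs` consecutive executions all reach the
    target, so one isolated spurious success cannot steer the minimizer.
    """
    def accepted(candidate: Trace) -> bool:
        return all(oracle(candidate) for _ in range(confirm_runs))

    current = list(trace)
    n = 2  # granularity: number of chunks the trace is split into
    while len(current) >= 2:
        chunk = len(current) // n
        reduced = False
        for start in range(0, len(current), chunk):
            # Try removing one chunk; keep the complement if it still works.
            complement = current[:start] + current[start + chunk:]
            if accepted(complement):
                current = complement
                n = max(n - 1, 2)
                reduced = True
                break
        if not reduced:
            if n >= len(current):
                break          # every single event was tried: 1-minimal
            n = min(n * 2, len(current))
    return current


def minimization_ratio(original: Trace, minimized: Trace) -> float:
    """Size of the minimized trace relative to the original."""
    return len(minimized) / len(original)


if __name__ == "__main__":
    app = FlakyApp()
    result = ddmin(RECORDED, app.run)
    print("minimal trace:", result)
    print("ratio: %.2f after %d app executions" %
          (minimization_ratio(RECORDED, result), app.runs))
```

Because the oracle's spurious successes never occur on three consecutive runs, the confirmation step makes `ddmin` see the true predicate, and the only 1-minimal trace that still reaches the constructed target is the three-tap path itself.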
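The screenshot-driven agent described above rests on two primitives: identifying an image patch by the exact pixels of its grid square (hashed as an optimization) and treating hash changes between screenshots as evidence of application activity. The block below is an added example, not the dissertation's implementation; the grid size, the tiny grayscale screens and the `PatchAgent` bookkeeping are constructed for illustration.

```python
"""Grid-partitioned screenshot hashing for a black-box GUI exploration agent.

Added example, not the dissertation's tool.  Screens are small constructed
grayscale arrays, so the code runs offline without a device or emulator.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Screen = List[List[int]]   # rows of 8-bit grayscale pixels
Cell = Tuple[int, int]     # (grid row, grid column)

CELL_SIZE = 4              # constructed: 4x4-pixel grid squares


def patch_hashes(screen: Screen, cell_size: int = CELL_SIZE) -> Dict[Cell, str]:
    """Hash the exact pixel content of every grid square.

    Two patches count as the same patch only if every pixel matches, so a
    collision-resistant hash stands in for pixel-by-pixel comparison.
    """
    hashes: Dict[Cell, str] = {}
    for gr in range(len(screen) // cell_size):
        for gc in range(len(screen[0]) // cell_size):
            pixels = bytearray()
            for r in range(gr * cell_size, (gr + 1) * cell_size):
                pixels.extend(screen[r][gc * cell_size:(gc + 1) * cell_size])
            hashes[(gr, gc)] = hashlib.sha1(bytes(pixels)).hexdigest()
    return hashes


def changed_cells(before: Screen, after: Screen) -> Set[Cell]:
    """Grid cells whose patch hash differs: the proxy for app activity."""
    hb, ha = patch_hashes(before), patch_hashes(after)
    return {cell for cell in hb if hb[cell] != ha.get(cell)}


class PatchAgent:
    """Remembers which (cell, patch-hash) pairs made the app react to a tap."""

    def __init__(self) -> None:
        self.reactive: Dict[Tuple[Cell, str], int] = {}
        self.inert: Set[Tuple[Cell, str]] = set()

    def record_tap(self, cell: Cell, before: Screen, after: Screen) -> bool:
        """Record the outcome of tapping `cell`; True if the screen changed."""
        key = (cell, patch_hashes(before)[cell])
        if changed_cells(before, after):
            self.reactive[key] = self.reactive.get(key, 0) + 1
            return True
        self.inert.add(key)
        return False

    def untried_cells(self, screen: Screen) -> List[Cell]:
        """Cells whose current patch the agent has never tapped, in row order."""
        seen = set(self.reactive) | self.inert
        return sorted(cell for cell, h in patch_hashes(screen).items()
                      if (cell, h) not in seen)


# --- constructed screens -------------------------------------------------
def make_screen(size: int = 12, fill: int = 0) -> Screen:
    return [[fill] * size for _ in range(size)]


def paint(screen: Screen, top: int, left: int, height: int, width: int,
          value: int) -> Screen:
    out = [row[:] for row in screen]
    for r in range(top, top + height):
        for c in range(left, left + width):
            out[r][c] = value
    return out


# A "button" filling grid cell (1, 1) on an otherwise black screen ...
HOME = paint(make_screen(), 4, 4, 4, 4, 200)
# ... and the screen after tapping it: a bar appears across cells (0,0),(0,1).
DIALOG = paint(HOME, 0, 0, 4, 8, 90)

if __name__ == "__main__":
    agent = PatchAgent()
    print("cells changed by the tap:", sorted(changed_cells(HOME, DIALOG)))
    agent.record_tap((1, 1), HOME, DIALOG)   # button: reactive
    agent.record_tap((2, 2), HOME, HOME)     # background: inert
    print("still untried on HOME:", agent.untried_cells(HOME))
```

Keying the agent's memory on the pair (cell, hash) rather than on the cell alone is what lets it distinguish "the button at this position" from "whatever else later occupies this position", which matters once a dialog or a scrolled list replaces the original content.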
|Type of resource: electronic; electronic resource; remote
|1 online resource.
|Stanford University, Computer Science Department.
|Engler, Dawson R
|Lam, Monica S
|Statement of responsibility: Submitted to the Department of Computer Science.
|Thesis (Ph.D.)--Stanford University, 2017.
- © 2017 by Lazaro Clapp Jimenez Labora
- This work is licensed under a Creative Commons Attribution Non Commercial 3.0 Unported license (CC BY-NC).