Science Score: 67.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 9 DOI reference(s) in README
  • Academic publication links
    Links to: arxiv.org, acm.org
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (15.7%) to scientific vocabulary

Keywords

android muse mutation static-analysis
Last synced: 6 months ago

Repository

Basic Info
Statistics
  • Stars: 2
  • Watchers: 1
  • Forks: 1
  • Open Issues: 2
  • Releases: 1
Created almost 7 years ago · Last pushed over 4 years ago

README.md

Muse

Update Notice May, 2021

The Muse repository description is currently being updated.

There are two branches that require attention in terms of latest development. In chronologically ascending order, these are:

The website is also being updated accordingly.


Muse (alternatively µSE) is a mutation-based soundness evaluation framework that systematically evaluates Android static analysis tools to discover, document, and fix flaws by leveraging the well-founded practice of mutation analysis.

More information about Muse can be found in our TOPS'21 paper and on our website.

The original Muse tool was written by Richie Bonnett as part of W&M's Software Engineering course, CSCI 435, in 2018; details can be found in the USENIX Security'18 paper.

Compilation

The source code of Muse is available in the Code section of this repository. It is maintained using the open source Eclipse Java IDE. To compile, clone this repo and import the project as a Java project in Eclipse.

Precompiled Binary

Alternatively, you can use the Muse.jar file by downloading it from the releases section.

Usage

Muse relies on MDroidPlus. You will need the libs4ast folder of that project in order to run Muse.

To run Muse, use the following command, specifying the required arguments:

```sh
java -jar Muse-1.0.0.jar <libs4ast> <AppSourceCode> <AppName> <OutputPath> <OperatorType>
```

If running Muse within an IDE like Eclipse, import only the Muse folder within the code subdirectory; otherwise you might get a java.lang.SecurityException error when running Muse.java.

Arguments

Provide the following list of required arguments when running Muse:

  1. libs4ast: Path of the libs4ast folder from MDroidPlus.
  2. AppSourceCode: Path of the source code folder of the Android app you want to mutate.
  3. AppName: Name of the app.
  4. OutputPath: Path of the folder where the mutants will be created.
  5. OperatorType: Type of operator to use when creating mutants. Currently supported values are: SOURCE, SINK, TAINT, REACHABILITY, TAINTSINK, and COMPLEXREACHABILITY.

Example

```sh
java -jar Muse-1.0.0.jar MDroidPlus/libs4ast/ /tmp/AppFoo/src/ AppFoo /tmp/mutants/ TAINTSINK
```

This will create a folder called AppFoo under /tmp/mutants where the mutated source files will be stored.

Muse Processor Helper Utility

We have created the Muse processor utility in Python, which makes it easier to mutate Android projects by generating the relevant shell script files. To use it, replace the file paths and edit the file called input_folders, providing the list of directories that contain Android projects. The provided input_folders already contains sample values.
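An added sketch of the kind of script generation described above (not the project's own processor utility): it emits one Muse invocation per project and operator in the README's argument order and shell-quotes every argument. The one-directory-per-line input_folders format, the src subfolder, and the per-operator output folder are assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Operator types listed under "Arguments" in the README.
OPERATORS = ("SOURCE", "SINK", "TAINT", "REACHABILITY",
             "TAINTSINK", "COMPLEXREACHABILITY")


def parse_input_folders(text):
    """Project directories, one per line (assumed format); blanks and # lines skipped."""
    rows = (line.strip() for line in text.splitlines())
    return [r for r in rows if r and not r.startswith("#")]


def muse_command(jar, libs4ast, project, out_root, operator, src_subdir="src"):
    """One Muse call: <libs4ast> <AppSourceCode> <AppName> <OutputPath> <OperatorType>."""
    if operator not in OPERATORS:
        raise ValueError(f"unsupported OperatorType: {operator!r}")
    root = PurePosixPath(project)
    if not root.name:
        raise ValueError(f"cannot derive AppName from {project!r}")
    # Assumptions: AppName is the folder name, sources live in <project>/src,
    # and each operator gets its own output folder so runs stay separate.
    args = ["java", "-jar", jar, libs4ast, str(root / src_subdir),
            root.name, str(PurePosixPath(out_root) / operator), operator]
    # Quote every argument: a path with spaces or ';' must not be
    # re-interpreted by the shell that later runs the generated script.
    return " ".join(shlex.quote(a) for a in args)


def generate_script(folders_text, jar, libs4ast, out_root, operators=OPERATORS):
    """Shell script text with one Muse invocation per (project, operator)."""
    lines = ["#!/bin/sh", "set -eu"]
    for project in parse_input_folders(folders_text):
        lines += [muse_command(jar, libs4ast, project, out_root, op)
                  for op in operators]
    return "\n".join(lines) + "\n"


# Constructed sample input_folders content (not the repository's sample file).
SAMPLE = "# projects to mutate\n/tmp/AppFoo\n\n/tmp/My Apps/App Bar;v2\n"

if __name__ == "__main__":
    print(generate_script(SAMPLE, "Muse-1.0.0.jar", "MDroidPlus/libs4ast/",
                          "/tmp/mutants", ("TAINTSINK", "REACHABILITY")))
```
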

Cite

If you use Muse for academic purposes, please cite:

Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques. ACM Trans. Priv. Secur. 24, 3, Article 15 (April 2021), 37 pages. DOI:https://doi.org/10.1145/3439802

```bib
@article{10.1145/3439802,
  author = {Ami, Amit Seal and Kafle, Kaushal and Moran, Kevin and Nadkarni, Adwait and Poshyvanyk, Denys},
  title = {Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques},
  year = {2021},
  issue_date = {April 2021},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  volume = {24},
  number = {3},
  issn = {2471-2566},
  url = {https://doi.org/10.1145/3439802},
  doi = {10.1145/3439802},
  journal = {ACM Trans. Priv. Secur.},
  month = feb,
  articleno = {15},
  numpages = {37},
  keywords = {CryptoPAn, Network trace anonymization, semantic attacks}
}
```

Future Work

Currently, Muse is oriented towards the evaluation of static analysis tools for Android data leak detection. We intend to expand Muse by developing additional security operators and mutation schemes for tools with other goals, e.g., SSL verification.

This repository is a refactoring and expansion of the original Muse tool built by Richie Bonnett, which is available here.

Team Members

  • Amit Seal Ami
  • Liz Weech
  • Yang Zhang

Owner

  • Name: Amit Seal Ami
  • Login: LordAmit
  • Kind: user
  • Location: Dhaka, Bangladesh
  • Company: William and Mary

Amit Seal Ami is researching Cyber Security and Software Engineering as a Ph.D. candidate at the Computer Science Department, William & Mary.

Citation (CITATION.CFF)

cff-version: 1.2.0
abstract:
    "Mobile application security has been a major area of focus for security research over
    the course of the last decade. Numerous application analysis tools have been proposed
    in response to malicious, curious, or vulnerable apps. However, existing tools, and
    specifically, static analysis tools, trade soundness of the analysis for precision
    and performance and are hence soundy. Unfortunately, the specific unsound choices
    or flaws in the design of these tools is often not known or well documented, leading
    to misplaced confidence among researchers, developers, and users. This article describes
    the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates
    Android static analysis tools to discover, document, and fix flaws, by leveraging
    the well-founded practice of mutation analysis. We implemented μSE and applied it
    to a set of prominent Android static analysis tools that detect private data leaks
    in apps. In a study conducted previously, we used μSE to discover 13 previously undocumented
    flaws in FlowDroid, one of the most prominent data leak detectors for Android apps.
    Moreover, we discovered that flaws also propagated to other tools that build upon
    the design or implementation of FlowDroid or its components. This article substantially
    extends our μSE framework and offers a new in-depth analysis of two more major tools
    in our 2020 study; we find 12 new, undocumented flaws and demonstrate that all 25
    flaws are found in more than one tool, regardless of any inheritance-relation among
    the tools. Our results motivate the need for systematic discovery and documentation
    of unsound choices in soundy tools and demonstrate the opportunities in leveraging
    mutation testing in achieving this goal."
authors:
  -
    affiliation: "William & Mary"
    family-names: Ami
    given-names: "Amit Seal"
    orcid: "https://orcid.org/0000-0002-9455-2230"
  -
    affiliation: "William & Mary"
    family-names: Kafle
    given-names: Kaushal
  -
    affiliation: "George Mason University"
    family-names: Moran
    given-names: Kevin
  -
    affiliation: "William & Mary"
    family-names: Nadkarni
    given-names: Adwait
  -
    affiliation: "William & Mary"
    family-names: Poshyvanyk
    given-names: Denys
cff-version: "1.1.0"
doi: "10.1145/3439802"
journal: "ACM Trans. Priv. Secur."
message:
    "If you use this software, please cite it using this metadata.
    @article{10.1145/3439802,
    author = {Ami, Amit Seal and Kafle, Kaushal and Moran, Kevin and Nadkarni, Adwait and Poshyvanyk, Denys},
    title = {Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques},
    year = {2021},
    issue_date = {April 2021},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    volume = {24},
    number = {3},
    issn = {2471-2566},
    url = {https://doi.org/10.1145/3439802},
    doi = {10.1145/3439802},
    journal = {ACM Trans. Priv. Secur.},
    month = feb,
    articleno = {15},
    numpages = {37},
    keywords = {Network trace anonymization, semantic attacks, CryptoPAn}
    }"
title: "Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques"
version: 2.0
date-released: 2021-04-01
url: "https://secure-platforms-lab-w-m.github.io/muse/"

...

Issues and Pull Requests

Last synced: 11 months ago

All Time
  • Total issues: 5
  • Total pull requests: 0
  • Average time to close issues: 2 months
  • Average time to close pull requests: N/A
  • Total issue authors: 2
  • Total pull request authors: 0
  • Average comments per issue: 0.0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • LordAmit (3)
  • KyleGorham (2)

Dependencies

.github/workflows/maven_435Ext20.yml actions
  • actions/checkout v2 composite
  • actions/setup-java v1 composite
code/Muse/pom.xml maven
  • org.apache.directory.studio:org.apache.commons.io 2.4
  • org.eclipse.core:contenttype 3.4.200-v20140207-1251
  • org.eclipse.core:jobs 3.5.300-v20130429-1813
  • org.eclipse.core:resources 3.3.0-v20070604
  • org.eclipse.core:runtime 3.9.0-v20130326-1255
  • org.eclipse.equinox:app 1.0.0-v20070606
  • org.eclipse.equinox:common 3.6.200-v20130402-1505
  • org.eclipse.equinox:preferences 3.5.200-v20140224-1527
  • org.eclipse.jdt:org.eclipse.jdt.core 3.10.0.v20140604-1726
  • org.eclipse.text:org.eclipse.text 3.5.101
  • org.eclipse:osgi 3.9.1-v20130814-1242
code/pom.xml maven
  • org.apache.directory.studio:org.apache.commons.io 2.4
  • org.eclipse.core:contenttype 3.4.200-v20140207-1251
  • org.eclipse.core:jobs 3.5.300-v20130429-1813
  • org.eclipse.core:resources 3.3.0-v20070604
  • org.eclipse.core:runtime 3.9.0-v20130326-1255
  • org.eclipse.equinox:common 3.6.200-v20130402-1505
  • org.eclipse.equinox:preferences 3.5.200-v20140224-1527
  • org.eclipse.jdt:org.eclipse.jdt.core 3.12.3
  • org.eclipse:osgi 3.9.1-v20130814-1242