Predicting what software will do and will not do has always been hard. Testing can produce false negatives, and miss issues: They can only cover a fraction of the possible executions, and therefore can give no guarantees about future executions. On the other hand, the precision of static code analysis diminishes as programs grow, leading to false positives, or false alarms.The problem becomes significant when analyzing potentially malicious software, as these can actively thwart their analysis: At runtime, for instance, a program may detect that it is analyzed dynamically, and turn off malicious behavior as a consequence. Static analysis, on the other hand, can be made impossible by loading and decrypting code at runtime. In the presence of targeted obfuscation techniques, both static and dynamic analysis become effectively powerless.The TESTIFY project aims at restoring precision and effectiveness as it comes to predicting software behavior. The key idea is to combine the respective strengths of static analysis, automatic test generation and dynamic analysis:1. DEMONSTRATE POTENTIAL ISSUES THROUGH TEST GENERATION. We use static analysis to detect potential issues in software (say, an undesired information flow). We let such potential issues guide _automatic test generation_ to produce witness executions; these prove that a potential issue may indeed manifest itself in a real execution. In other words, we automatically generate exploits for potential issues.2. STRENGTHEN STATIC ANALYSIS WITH DYNAMIC INFORMATION. Automatic test generation systematically aims at maximum coverage of program behavior. As a side effect, this means that all program code be loaded and decrypted. As execution progresses, we can thus analyze the new program code statically, predict what the code is up to, and again guide test generation towards potential issues.TESTIFY specifically targets the Android platform, known for its abundance of malicious programs. With TESTIFY, security analysts, developers, app store curators, and end users can all assess apps for undesired behavior. TESTIFY demonstrates each issue by a real input, and consequently, produces exact information on how the issue manifests itself: "If the server malwarecontrol.io sends a 'RECORD' message, the app will silently start recording all audio."

DFG Programme Research Grants