2017 IEEE 28th International Symposium on Software Reliability Engineering

Reflection Analysis for Java: Uncovering More Reflective Targets Precisely

Jie Liu¹, Yue Li¹, Tian Tan¹, and Jingling Xue¹,²
¹ School of Computer Science and Engineering, UNSW, Australia
² State Key Laboratory of Software Engineering, Computer School, Wuhan University, China

Abstract—Reflection, which is widely used in practice and abused by many security exploits, poses a significant obstacle to program analysis. Reflective calls can be analyzed statically or dynamically. Static analysis is more sound but also more imprecise (by introducing many false reflective targets and thus affecting its scalability).
Dynamic analysis can be precise but often misses many true reflective targets due to low code coverage. We introduce MIRROR, the first automatic reflection analysis for Java that increases significantly the code coverage of dynamic analysis while keeping false reflective targets low. In its static analysis, a novel reflection-oriented slicing technique is applied to identify a small number of small path-based slices for a reflective call so that different reflective targets are likely exercised along these different paths. This preserves the soundness of pure static reflection analysis as much as possible, improves its scalability, and reduces substantially its false positive rate. In its dynamic analysis, these slices are executed with automatically generated test cases to report the reflective targets accessed. This significantly improves the code coverage of pure dynamic analysis. We evaluate MIRROR against a state-of-the-art dynamic reflection analysis tool, TAMIFLEX, by using 10 large real-world Java applications. MIRROR detects 12.5% – 933.3% more reflective targets efficiently (in 362.8 seconds on average) without producing any false positives. These new targets enable 5 – 174949 call-graph edges to be reachable in the application code.

I. INTRODUCTION

As one of the most widely adopted programming languages [1], Java has been a popular attack target. Java suffers still from serious security issues, with 87% of attack vectors for web exploits in 2013 [2] and 91% in 2014 [3]. A large variety of exploited vulnerabilities are related to reflection, a dynamic feature widely used in Java applications to enable their runtime behaviors to be examined or modified at runtime, which is abused by 45% of all exploits in the wild [4].

In practice, program analysis tools are invaluable for ensuring software quality and reliability. However, “you can’t check code you don’t see” [5].
Without analyzing reflection, bug detectors and security analysers may miss important program behaviors, because these tools do not have a complete view of the code (as many reflectively induced call-graph edges are missing). Therefore, reflection poses a major obstacle to bug detection and security analysis [6]–[9].

Reflective calls can be analyzed either statically or dynamically. Static analysis [6], [7], [10]–[15], which discovers reflective targets accessed at reflective calls via type inference, is often imprecise by reporting many false targets (and consequently, impairing scalability for some large applications). In contrast, dynamic analysis [16], [17], which instruments and records reflective targets accessed at reflective calls during program execution, can be both precise and efficient. As a result, bug detectors on finding, for example, data races [18], deadlocks [19] and property violations [20], and security analysers on finding, for example, privacy leaks [21] and malicious functionalities [22], often resort to dynamic reflection analysis.

However, analyzing reflection dynamically often misses many true reflective targets (due to low code coverage). This is especially the case when GUI applications are analyzed. For example, we observe that TAMIFLEX [17], the state-of-the-art dynamic reflection analysis, fails to find any new reflective target after a long sequence of GUI operations has been performed (on, for example, findbugs-1.2.1).

In this paper, we introduce MIRROR, the first automatic reflection analysis for Java that combines program slicing (static analysis) and test case generation (dynamic analysis) to uncover more reflective targets precisely. MIRROR is designed to assist dynamic reflection analysis (e.g., TAMIFLEX) to resolve more reflective targets with low false positives.
Thus, MIRROR can discover effectively reflective targets that would otherwise be missed by TAMIFLEX in real-world applications and improve the code coverage of dynamic reflection analysis.

In MIRROR, its static analysis applies a novel reflection-oriented slicing technique to focus on the parts of the program relevant to a reflective call. Unlike traditional slicing [23], [24], which hardly scales to large object-oriented programs [25], [26], MIRROR identifies a small subgraph of the program’s call graph that likely affects the execution of a reflective call and then computes a small number of small path-based slices in the subgraph so that potentially true yet different reflective targets are likely exercised at the reflective call along these different paths. This preserves the soundness of pure static reflection analysis as much as possible, improves its scalability, and reduces substantially its false positive rate.

In MIRROR, its dynamic analysis executes each path-based slice with automatically generated test cases to exercise the path and record the reflective targets accessed. This increases the code coverage of pure dynamic reflection analysis.

We have evaluated MIRROR against TAMIFLEX [17] by using a set of 10 large real-world Java programs. MIRROR detects 12.5% – 933.3% more reflective targets efficiently (in 362.8 seconds on average) with no false targets. These new reflective targets result in 5 – 174949 call-graph edges reachable in the application code of these programs.

With MIRROR, more reflective targets can be found pre-

2332-6549/17 $31.00 © 2017 IEEE. DOI 10.1109/ISSRE.2017.36
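
An added illustration (not from the paper, and not MIRROR or TAMIFLEX code) of why a dynamic reflection analysis misses targets under low coverage, and how exercising each path to the reflective call recovers them. Every class and method name is hypothetical, and the per-path inputs are written by hand here rather than generated.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; all names below are hypothetical.
public class ReflectiveTargetDemo {
    // Candidate targets of the single reflective call site in run().
    public static class PdfExporter { public void export() {} }
    public static class CsvExporter { public void export() {} }
    public static class XmlExporter { public void export() {} }

    // Reflective targets seen at the call site, as a dynamic analysis would log them.
    static final Set<String> observed = new TreeSet<>();

    // The class name is decided on different program paths, so each path
    // reaches a different target at the same forName/invoke site.
    static void run(String format) throws Exception {
        String name;
        if (format.equals("pdf")) name = "PdfExporter";
        else if (format.equals("csv")) name = "CsvExporter";
        else name = "XmlExporter";
        Class<?> c = Class.forName(ReflectiveTargetDemo.class.getName() + "$" + name);
        Method m = c.getMethod("export");
        observed.add(c.getName() + "." + m.getName() + "()"); // record the resolved target
        m.invoke(c.getDeclaredConstructor().newInstance());
    }

    // Runs the program once per input and returns the targets recorded.
    static Set<String> analyse(String... inputs) throws Exception {
        observed.clear();
        for (String in : inputs) run(in);
        return new TreeSet<>(observed);
    }

    public static void main(String[] args) throws Exception {
        // One workload exercises one path: a single target is recorded.
        System.out.println("single run: " + analyse("pdf"));
        // One input per path through run(): every target at the site is recorded,
        // and each one is a true target because it was actually executed.
        System.out.println("per-path:   " + analyse("pdf", "csv", "other"));
    }
}
```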