TriggerScope: Towards Detecting Logic Bombs in Android Applications


TriggerScope: Towards Detecting Logic Bombs in Android Applications [Fratantonio, Yanick, Antonio Bianchi, William Robertson, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. "Triggerscope: Towards detecting logic bombs in android applications." In Security and Privacy (SP), 2016 IEEE Symposium on, pp. 377-396. IEEE, 2016.] Presented by Suzzie Yang

Threats to applications
- Malicious application logic violates the expectations of the users.
- Leakage of private, sensitive data, e.g. contextual information, GPS location, personal accounts.
- Sophisticated malware designs increase stealthiness, making such logic difficult to prevent and detect.

What is a logic bomb?
- Functionality guarded by condition-check statements.
- The malicious behaviour is activated only under certain circumstances.
- It may appear as a perfectly legitimate action, bypassing automated analysis systems.
- Example: a navigation-type app with time-related checks and location checks.

The attack is triggered only under certain, narrow circumstances.

State-of-the-art analysis
- Static analysis: based on permission sets; machine learning techniques.
- Dynamic analysis: observes execution in real time; requires modifications to the Android framework and native libraries.
- The main purpose of these approaches is malware detection; a definition of the application's specific purpose and of its "normal" functionality is lacking.

Proposed system: TriggerScope
- A trigger analysis technique.
- Triggers are suspicious predicates (or checks): checks for very specific conditions.
- Focus on characterising the predicates, with less attention to the behaviour itself.
- Time-, location- and SMS-related predicates.
- Identifies triggered malware through the identification of logic bombs.

Overview of trigger analysis (1)
- Input: Android app (Dalvik bytecode).
- Step 1: Symbolic execution. Records operations on relevant objects, annotated with expression trees.
- Step 2: Predicate extraction. Backward traversal of the control-flow graph (CFG); removes false dependencies; recovers intra-procedural path predicates.

Overview of trigger analysis (2)
- Step 3: Predicate characterisation. Appraises how suspicious (narrow) a predicate is, based on the type of comparison performed.
- Step 4: Control dependencies. Checks whether a suspicious predicate guards a sensitive operation; this step is inter-procedural.
- Step 5: Post-filter. Filters out cases that match the definition of suspiciousness but are clearly benign.
- Output: the app is classified as suspicious or benign.
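As an added example (not the paper's or the TriggerScope tool's code), the following Python sketch runs the five steps above over a tiny constructed intermediate representation, with the kind of logic bomb defined earlier (a navigation-style app with location and SMS checks) as input. The IR, the source and sink tables, the method names and the post-filter heuristic are all assumptions made for illustration; the real system works on Dalvik bytecode with far richer API tables.

```python
"""Toy trigger analysis in the spirit of TriggerScope (added example, not the paper's code).
App IR, constructed here: ("const", dst, v) | ("call", dst_or_None, api) | ("binop", dst, op, a, b)
| ("if", cond, then_block, else_block) | ("invoke", method); a program is {method: [instr, ...]}.
Expression trees (step 1): ("sym", api) for an API result, ("const", v) for a literal, (op, l, r)."""
# Assumed illustrative source/sink tables, not TriggerScope's real API lists.
SOURCES = {"System.currentTimeMillis": "time", "Location.getLatitude": "location", "SmsMessage.getMessageBody": "sms"}
SINKS = {"SmsManager.sendTextMessage", "File.delete"}
COMPARISONS = {"==", "!=", "<", "<=", ">", ">=", "equals", "contains"}

def symexec(instrs, env):
    """Steps 1-2: walk a block keeping var -> expression tree; yield (predicate, then_block) per 'if'.
    Each branch gets a copy of env; code after the 'if' keeps the pre-branch env (path-insensitive join)."""
    for ins in instrs:
        kind = ins[0]
        if kind == "const":
            env[ins[1]] = ("const", ins[2])
        elif kind == "call" and ins[1] is not None:
            env[ins[1]] = ("sym", ins[2])
        elif kind == "binop":
            _, dst, op, a, b = ins
            env[dst] = (op, env[a], env[b])
        elif kind == "if":
            _, cond, then_b, else_b = ins
            yield env[cond], then_b
            yield from symexec(then_b, dict(env))
            yield from symexec(else_b, dict(env))

def leaves(e):
    return leaves(e[1]) + leaves(e[2]) if len(e) == 3 else [e]

def characterise(pred):
    """Step 3: categories of a 'narrow' predicate: a comparison built only from time/location/SMS
    sources and hard-coded constants (both present); a value from elsewhere (network, preferences) is not."""
    if len(pred) == 3 and pred[0] in ("&&", "||"):
        return characterise(pred[1]) | characterise(pred[2])
    if not (len(pred) == 3 and pred[0] in COMPARISONS):
        return set()
    ls = leaves(pred)
    cats = {SOURCES[l[1]] for l in ls if l[0] == "sym" and l[1] in SOURCES}
    hard_coded = any(l[0] == "const" for l in ls)
    foreign = any(l[0] == "sym" and l[1] not in SOURCES for l in ls)
    return cats if (cats and hard_coded and not foreign) else set()

def reaches_sink(instrs, program, seen=frozenset()):
    """Step 4 (inter-procedural): does this block, or any method it invokes, reach a sink?"""
    for ins in instrs:
        if ins[0] == "call" and ins[2] in SINKS:
            return True
        if ins[0] == "if" and (reaches_sink(ins[2], program, seen) or reaches_sink(ins[3], program, seen)):
            return True
        if ins[0] == "invoke" and ins[1] not in seen and reaches_sink(program[ins[1]], program, seen | {ins[1]}):
            return True
    return False

def post_filter(pred, cats):
    """Step 5 (assumed heuristic, not the paper's rules): a time value compared with a small
    constant is a relative timeout rather than a calendar date, so 'time' is dropped."""
    if "time" in cats:
        consts = [l[1] for l in leaves(pred) if l[0] == "const"]
        if all(isinstance(v, (int, float)) and v < 10**9 for v in consts):
            cats = cats - {"time"}
    return cats

def find_triggers(program):
    """(method, categories) for each narrow predicate that guards a sensitive operation."""
    findings = []
    for method, instrs in program.items():
        for pred, guarded in symexec(instrs, {}):
            cats = post_filter(pred, characterise(pred))   # steps 3 and 5
            if cats and reaches_sink(guarded, program):    # step 4
                findings.append((method, sorted(cats)))
    return findings

PROGRAM = {  # constructed sample "navigation app": two logic bombs and two benign checks
    "onLocationChanged": [  # hard-coded latitude band guards an SMS send, via another method
        ("call", "lat", "Location.getLatitude"), ("const", "lo", 38.89), ("const", "hi", 38.91),
        ("binop", "c1", ">", "lat", "lo"), ("binop", "c2", "<", "lat", "hi"),
        ("binop", "inBox", "&&", "c1", "c2"),
        ("if", "inBox", [("invoke", "payload")], [("call", None, "Canvas.drawPath")]),
    ],
    "payload": [("call", None, "SmsManager.sendTextMessage")],
    "onTick": [  # 5 s cache timeout: narrow by step 3, discarded by step 5
        ("call", "now", "System.currentTimeMillis"), ("call", "t0", "System.currentTimeMillis"),
        ("binop", "elapsed", "-", "now", "t0"), ("const", "limit", 5000),
        ("binop", "expired", ">", "elapsed", "limit"),
        ("if", "expired", [("call", None, "File.delete")], []),
    ],
    "checkLicense": [  # expiry loaded from preferences, not hard-coded: not narrow
        ("call", "now", "System.currentTimeMillis"), ("call", "expiry", "SharedPreferences.getLong"),
        ("binop", "lapsed", ">", "now", "expiry"),
        ("if", "lapsed", [("call", None, "File.delete")], []),
    ],
    "onSmsReceived": [  # SMS body compared with a fixed string guards a file deletion
        ("call", "body", "SmsMessage.getMessageBody"), ("const", "magic", "#start#"),
        ("binop", "match", "equals", "body", "magic"),
        ("if", "match", [("call", None, "File.delete")], []),
    ],
}
```

Calling find_triggers(PROGRAM) reports onLocationChanged (location) and onSmsReceived (sms) only. The onTick check is narrow by the step 3 rule but dropped by the post-filter, and checkLicense is never narrow because the compared value is not hard-coded, which is exactly the blind spot the criticism slide later raises: a trigger value arriving from preferences or the network does not look like a narrow predicate to this style of analysis.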

Experiment
- Dataset: 9,582 benign apps (a mix of apps using time-, location- and SMS-related APIs); 14 malicious apps, developed by a DARPA red team or taken from real-world malware.
- Result: 35 out of 9,582 benign apps flagged suspicious.

Accuracy evaluation
- Each consecutive step reduced the false positive rate, down to 0.38%.

Criticism
- It seems the authors only consider cases where predicates are checked against hard-coded object values. The trigger may be invoked by other means, such as over the network, or by indirect modification of values under different circumstances.
- Since their focus is on triggers and not on their behaviour, the paper adopts a lenient approach to flagging suspiciousness, thereby contributing to the result of 0% false negatives, as most of the checks will be considered interesting as potentially suspicious predicates.

Thank you. Questions?