TriggerScope: Towards Detecting Logic Bombs in Android Applications

Slide 1: TriggerScope: Towards Detecting Logic Bombs in Android Applications
Yanick Fratantonio, Antonio Bianchi, William Robertson, Engin Kirda, Christopher Kruegel, Giovanni Vigna
Presented by Aaron Zhong

Background
- Android is the most popular mobile platform (78% of all smartphones sold in Q1 2015)
- It is also the most widely attacked mobile platform
- App store providers invest significant resources to keep their platforms clean:
  - Automated program analysis (e.g., Google Bouncer)
  - Manual app review
- Some malice is very difficult to capture with these methods => logic bombs

Logic bomb
"Malicious application logic that is executed, or triggered, only under certain (often narrow) circumstances"
- Malicious application logic: modifies the application's output in a way that violates the user's expectations
- Example: a navigation application meant to assist a soldier by determining the shortest route to a given location. After a hard-coded date, the application instead provides a longer route.

Detecting Logic Bombs with Traditional Methods
- Manual audit
  - Costly in terms of time and labor
  - No guarantee that logic bombs are identified, especially if source code is not available
- Dynamic analysis
  - The malicious code may never be executed during analysis (e.g., the trigger is a hard-coded date in the future)
- Static analysis
  - The app requests no unusual permissions and makes no unwanted API calls
  - Network-related API calls are perfectly legitimate for a navigation app
"The key challenge is related to the fact that automatically detecting malicious application logic is very hard without taking into account the specific purpose and 'normal' functionality of an application"

Key Observation
"An aspect that is necessary for the implementation of a logic bomb is that the malicious behavior is triggered only under very specific circumstances."

Trigger Analysis
"Detect logic bombs by precisely analyzing and characterizing the checks that guard a given behavior"
- Predicate (check): represents a condition in a program, such as an if statement. A predicate is considered suspicious if it is satisfied only under very specific conditions.
- Functionality (behavior): a set of basic blocks in a program. A functionality is considered sensitive if it directly or indirectly performs a sensitive operation.
  - Sensitive operation: generally, Android APIs protected by a permission, combined with operations that involve the filesystem (the definition of sensitivity can be changed)
- Trigger: a suspicious predicate that controls the execution of a sensitive functionality

TriggerScope: Phase 1
- The Android APK is unpacked to Dalvik bytecode and a sCFG (super control-flow graph) is produced: the inter-procedural CFG superimposed on the intra-procedural CFGs of each method
- Symbolic execution: reconstructs semantics by annotating the sCFG with information about each value's type, its value and the operations it is influenced by; produces an expression tree for each check
- Block predicate extraction: annotates the sCFG with block predicates, using the expression trees produced by symbolic execution

[Figure: the sCFG after symbolic execution and after block predicate extraction; blocks b1, b2, b3, b4 with predicate p guarding b2 and b3]
Predicate p: now.after(target). Because p involves symbolic time values, b2 and b3 have a dependency on a time-based input.

TriggerScope: Phase 2
- Path predicate recovery and minimization: recovers the full intra-procedural path predicates and minimizes them to remove redundant terms, and thus false dependencies
- Predicate classification: among all recovered predicates, identifies the suspicious ones by looking at the comparators (=, <, >, etc.) and the operands
- Control-dependency analysis: checks whether the suspicious predicates guard any sensitive operations

[Figure: the same sCFG after path predicate recovery and minimization; blocks b1, b2, b3, b4 with predicate p guarding b2 and b3]
Predicate p: now.after(target). p still involves symbolic time values, so b2 and b3 keep their dependency on a time-based input.
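The pipeline above (suspicious-predicate classification, sensitive-functionality discovery and control-dependency analysis) and the soldier-navigation logic bomb from the earlier slide can both be made concrete with a small Python model. This is an added example written for this page, not TriggerScope's own code: it works on Python source via the ast module instead of Dalvik bytecode, replaces symbolic execution with a simple rule ("a variable assigned from a time source is time-derived"), and the time-source, constant-constructor and sensitive-operation sets are assumptions standing in for the Android API models the paper uses. The sample module it analyzes is constructed for the example.

```python
import ast
from dataclasses import dataclass

# Assumed stand-ins for the Android API models TriggerScope uses.
TIME_SOURCES = {"datetime.datetime.now", "datetime.date.today", "time.time"}
TIME_CONSTRUCTORS = {"datetime.datetime", "datetime.date"}   # build hard-coded time constants
SENSITIVE_OPS = {"send_sms", "write_file", "upload"}          # "permission-protected" operations
NARROW_OPS = (ast.Eq, ast.Gt, ast.Lt, ast.GtE, ast.LtE)     # comparators that pin a value down

# Constructed sample modelled on the soldier-navigation logic bomb (not real app code).
SAMPLE_SOURCE = '''
import datetime

TARGET = datetime.datetime(2016, 3, 1)

def log_route(start, dest):
    write_file("route.log", start + "->" + dest)

def route(start, dest, user_deadline):
    now = datetime.datetime.now()
    if now > user_deadline:      # time-dependent, but compared with a user-supplied value
        return shortest_path(start, dest)
    if now > TARGET:             # hard-coded date guarding a sensitive functionality
        log_route(start, dest)
        return longest_path(start, dest)
    if now.hour == 9:            # suspicious predicate, but nothing sensitive is guarded
        set_theme("morning")
    return shortest_path(start, dest)
'''


@dataclass
class Trigger:
    function: str
    predicate: str
    sensitive_calls: list


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def call_name(node):
    return dotted_name(node.func) if isinstance(node, ast.Call) else None


def collect_constants(module):
    """Module-level names bound to literals or hard-coded time values."""
    consts = set()
    for stmt in module.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if isinstance(stmt.value, ast.Constant) or call_name(stmt.value) in TIME_CONSTRUCTORS:
                consts.add(stmt.targets[0].id)
    return consts


def sensitive_functions(module):
    """Functions that directly or transitively call a sensitive operation (call-graph fixpoint)."""
    funcs = {f.name: f for f in module.body if isinstance(f, ast.FunctionDef)}
    callees = {n: {call_name(c) for c in ast.walk(f) if isinstance(c, ast.Call)} for n, f in funcs.items()}
    sensitive, changed = set(SENSITIVE_OPS), True
    while changed:
        changed = False
        for name, called in callees.items():
            if name not in sensitive and called & sensitive:
                sensitive.add(name)
                changed = True
    return sensitive


def time_variables(func):
    """Variables assigned directly from a time source (stand-in for symbolic time values)."""
    return {t.id for n in ast.walk(func) if isinstance(n, ast.Assign)
            and call_name(n.value) in TIME_SOURCES for t in n.targets if isinstance(t, ast.Name)}


def is_suspicious(test, tvars, consts):
    """A narrow comparison between a time-derived value and a hard-coded constant."""
    if not (isinstance(test, ast.Compare) and len(test.ops) == 1 and isinstance(test.ops[0], NARROW_OPS)):
        return False

    def time_derived(n):
        name = dotted_name(n)
        return name is not None and name.split(".")[0] in tvars

    def hardcoded(n):
        return isinstance(n, ast.Constant) or (isinstance(n, ast.Name) and n.id in consts)

    left, right = test.left, test.comparators[0]
    return (time_derived(left) and hardcoded(right)) or (time_derived(right) and hardcoded(left))


def guarded_sensitive_calls(if_node, sensitive):
    """Sensitive calls control-dependent on the predicate, in either branch."""
    return [call_name(n) for stmt in if_node.body + if_node.orelse
            for n in ast.walk(stmt) if isinstance(n, ast.Call) and call_name(n) in sensitive]


def analyze(source):
    """Return (suspicious predicate strings, triggers) for a module's source text."""
    module = ast.parse(source)
    consts, sensitive = collect_constants(module), sensitive_functions(module)
    suspicious, triggers = [], []
    for func in (n for n in module.body if isinstance(n, ast.FunctionDef)):
        tvars = time_variables(func)
        for node in ast.walk(func):
            if isinstance(node, ast.If) and is_suspicious(node.test, tvars, consts):
                suspicious.append(ast.unparse(node.test))
                calls = guarded_sensitive_calls(node, sensitive)
                if calls:   # suspicious predicate + sensitive functionality => trigger
                    triggers.append(Trigger(func.name, ast.unparse(node.test), calls))
    return suspicious, triggers


if __name__ == "__main__":
    for t in analyze(SAMPLE_SOURCE)[1]:
        print(f"trigger in {t.function}: `{t.predicate}` guards {t.sensitive_calls}")
```

Running it reports exactly one trigger, `now > TARGET` in `route`, because that predicate both compares a time value against a hard-coded constant and guards `log_route`, which is sensitive only transitively (it calls `write_file`). The `now.hour == 9` check is classified suspicious but produces no trigger, mirroring the paper's point that suspicious predicates alone are not enough; the `now > user_deadline` check is not suspicious at all, since its other operand is not a constant.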

Evaluation
- Benign applications: 9,582 applications from the Google Play Store, all known to use time-, location- or SMS-related APIs
- Malicious applications: 14 applications from several sources, mostly made for research and intentionally stealthy

Results
- Predicate classification followed by control-dependency analysis marked 35 benign applications as suspicious
- All 35 were manually inspected: each contained suspicious triggers but appeared to be legitimate
  - 0.38% false positives
  - Legitimate example: a reminder application that reminds you to get milk when you are at the supermarket
- 20 random applications not marked as suspicious were analyzed for false negatives: none were found to have any suspicious checks (0% false negatives in this sample)
- An excellent trade-off between false positives and false negatives compared to existing analysis tools

Performance
- Timeout set to one hour
- Approximately 97% of applications successfully analyzed; ~3% timed out (>250 applications)
- 90% successfully analyzed in under 13 minutes

Critiques: Strengths
- TriggerScope
  - A good tool to use in conjunction with existing tools and manual audit
  - For applications marked as suspicious, TriggerScope returns precise information about the location and type of the trigger, making manual audit easier
- Evaluation: fewer false positives and false negatives compared with other tools
- Trigger analysis: the novelty of checking predicates

Critiques: Weaknesses
- Evaluation
  - Small sample size for applications known to be malicious (14)
  - >250 applications unsuccessfully analyzed (timeout)
  - Conservative definition of sensitivity (only considers time-, location- and SMS-related APIs)
  - Small sample size for checking false negatives (20)
- Avoiding trigger analysis
  - Checks could be obfuscated so that they do not appear hard-coded
  - A malicious application can move suspicious triggers to a web server

Questions?