3 research outputs found

    DISCOVERING ANOMALOUS BEHAVIORS BY ADVANCED PROGRAM ANALYSIS TECHNIQUES

    As soon as a technology starts to be used by the masses, it ends up as a target of investigation by bad guys who write malicious software with the sole and explicit intent to damage users and take control of their systems to perform different types of fraud. Malicious programs, in fact, are a serious threat to the security and privacy of billions of users. The bad guys are the main characters of this unstoppable threat, which improves as time goes by. At the beginning it was pure computer vandalism; it then turned into petty theft, followed by cybercrime, cyber espionage, and finally gray-market business. Cybercrime is a very dangerous threat which consists of, for instance, stealing bank account credentials, sending SMS to premium numbers, stealing sensitive user information, and using the resources of infected computers to run, e.g., spam businesses, DoS, botnets, etc. The interest of cybercrime is to intentionally create malicious programs for its own, mostly lucrative, ends. Hence, because of the malicious activity, cybercriminals have every interest in not being detected during the attack, and in making their programs ever more resilient against anti-malware solutions. As proof that this is a dangerous threat, the FBI reported a decline in physical crime and an increase in cybercrime. In order to deal with the increasing number of exploits found in legacy code and to detect malicious code which leverages every subtle hardware and software detail to escape from malware analysis tools, the security research community started to develop and improve various code analysis techniques (static, dynamic or both), with the aim of detecting the different forms of stealthy malware and identifying security bugs in legacy code. Despite the improvement of the research solutions, the current ones are still inadequate to face new stealthy and mobile malware.
Following this line of research, in this dissertation we present new program analysis techniques that aim to improve the analysis environment and deal with mobile malware. For malware analysis, behavior analysis is the prominent technique: the actions that a program performs during its real-time execution are collected to understand its behavior. Nevertheless, such techniques suffer from some limitations. State-of-the-art malware analysis solutions rely on an emulated execution environment to prevent the host from getting infected, quickly recover to a pristine state, and easily collect process information. A drawback of these solutions is non-transparency, that is, the execution environment does not faithfully emulate the physical end-user environment, which could lead to incomplete results. In fact, malicious programs could detect when they are monitored in such an environment and modify their behavior to mislead the analysis and avoid detection. Conversely, a faithful emulator would drastically reduce the chance that the analyzed malware detects the analysis environment. To this end, we present EmuFuzzer, a novel testing methodology specific to CPU emulators, based on fuzzing, to verify whether the CPU is properly emulated or not. Another shortcoming concerns the stimulation of the analyzed application. It is not uncommon for an application to exhibit certain behaviors only when exercised with specific events (i.e., button click, text insertion, socket connection, etc.). This flaw is exacerbated when analyzing mobile applications. To address this, we introduce CopperDroid, a program analysis tool built on top of QEMU to automatically perform out-of-the-box dynamic behavior analysis of Android malware. To this end, CopperDroid presents a unified analysis to characterize low-level OS-specific and high-level Android-specific behaviors

    LOCATION SHARING: PRIVACY THREATS AND PROTECTION

    In recent years there has been a growing number of users of smartphones, tablets, wearable technologies and other devices that users carry with them constantly. The capability of these latest-generation mobile devices to detect the position of their users has led to the emergence of ad-hoc services as well as geo-aware social networks (GeoSN). Even if sharing our locations can enhance many useful services, there are several practical cases that unveil the danger of sharing location indiscriminately. For instance, let's suppose that a user has just told everyone that he is on vacation (and not at his house): if he adds how long his trip is, then thieves know exactly how much time they have to rob him. Many contributions in the scientific literature have shown how it is possible to infer a great deal of information about the user from location information. It has been shown that it is possible to identify the user's identity, if he is anonymous in the LBS, and, if the user is not anonymous, it is feasible to infer the user's home location, habits and also political preferences and sexual orientation. The scientific literature reflects these concerns, proposing many contributions that deal with privacy in general and location privacy specifically. This dissertation deals with location privacy in Location Based Services and Geo-Social Networks. The goal is two-fold: on one hand we want to motivate the importance of the location privacy topic by identifying the privacy threats of sharing locations.
In particular we study a new privacy threat, the co-location threat, and we further study an already known threat stemming from the use of distance preserving transformations. On the other hand, we want to propose privacy preserving techniques and tools: we propose a novel privacy preserving technique as well as presenting three (spatial and/or temporal) cloaking techniques, specifically designed for privacy techniques in which the privacy is granted by the use of a location's generalisation

    Location privacy attacks based on distance and density information

    Proximity services alert users about the presence of other users or moving objects based on their distance. Distance preserving transformations are among the techniques that may be used to avoid revealing the actual position of users while still effectively providing these services. Some of the proposed transformations have been shown to actually guarantee location privacy under the assumption that users are uniformly distributed in the considered geographical region, which is an unrealistic assumption when the region extends to a county, a state or a country. In this paper we describe a location privacy attack that, using only partial information about the distances between users and public knowledge of the average population density, can discover the approximate position of users on a map, independently of the fake or hidden position assigned to them by a privacy preserving algorithm. We implement this attack with an algorithm and we experimentally evaluate it, showing that it is practically feasible and that partial distance information like that exchanged in common friend-finder services can be sufficient to violate users' privacy