
    Mining Sandboxes

    Modern software is ubiquitous, yet insecure. It has the potential to expose billions of humans to serious harm, up to and including losing fortunes and taking lives. Existing approaches for securing programs are either exceedingly hard and costly to apply, significantly decrease usability, or just don't work well enough against a determined attacker. In this thesis we propose a new solution that significantly increases application security yet is cheap, easy to deploy, and has minimal usability impact. We combine in a novel way the best of what existing techniques of test generation, dynamic program analysis and runtime enforcement have to offer: we introduce the concept of sandbox mining. First, in a phase called mining, we use automatic test generation to discover application behavior. Second, we apply a sandbox to limit any behavior during normal usage to the one discovered during mining. Users of an application running in a mined sandbox are thus protected from the application suddenly changing its behavior, as compared to the one observed during automatic test generation. As a consequence, backdoors, advanced persistent threats and other kinds of attacks based on the passage of time become exceedingly hard to conduct covertly. They are either discovered in the secure mining phase, where they can do no damage, or are blocked altogether. Mining is cheap because we leverage fully automated test generation to provide baseline behavior. Usability is not degraded: the sandbox runtime enforcement impact is negligible; the mined behavior is comprehensive and presented in a human-readable format, thus any unexpected behavior changes are rare and easy to reason about. Our BOXMATE prototype for Android applications shows the approach is technically feasible, has an easy setup process, and is widely applicable to existing apps. Experiments conducted with BOXMATE show less than one hour is required to mine sandboxes for Android applications, requiring few to no confirmations for frequently used functionality.

    Modern software is ubiquitous and at the same time insecure. This poses a risk that makes billions of people vulnerable to malware, with consequences that can extend to loss of wealth and danger to life. Current approaches to ensuring security in computer programs are either highly complicated and costly, massively affect usability, or turn out not to be effective enough against determined attackers. In this thesis we present a new solution that drastically increases the security of an application, is at the same time both inexpensive and easy to deploy, and furthermore has only minimal impact on the usability of the program. In a novel procedure we combine the advantages of established methods of test generation, dynamic program analysis and controlled restrictive runtime environments, and introduce the concept of sandbox mining. In the first step, the mining phase, we use automatic test generation to explore and observe the behavior of the application. In a further phase we use a so-called sandbox to block any behavior of the application during normal operation that has not previously been observed. When using an application in such a sandbox, users are thus protected from sudden changes in the application's behavior compared to the behavior already observed during test generation. Consequently, backdoors, advanced persistent threats and other attacks that rely on delaying their execution are exceedingly hard to carry out without being detected. These threats are either discovered during the secured mining phase, where they can do no harm, or are prevented during execution in the sandbox. The mining process is inexpensive to carry out, since the normal behavior of the program is learned fully automatically. At the same time, the usability of the program remains unaffected and the overhead of runtime enforcement by the sandbox is negligibly small. Furthermore, the learned behavior is comprehensible and presented in a human-readable format; therefore any unforeseen changes in the program's behavior are rare and easy to explain. Our BOXMATE prototype for Android applications shows that the approach is technically feasible, offers a simple setup process, and is widely applicable to existing applications. Experiments conducted with BOXMATE have shown that less than one hour is needed to generate sandboxes for Android applications, while requiring few or no confirmations of rules for frequently used functions.

    Survey of Machine Learning Techniques for Malware Analysis

    Coping with malware is getting more and more challenging, given its relentless growth in complexity and volume. One of the most common approaches in the literature is using machine learning techniques to automatically learn models and patterns behind such complexity, and to develop technologies for keeping pace with the speed of development of novel malware. This survey aims at providing an overview of the way machine learning has been used so far in the context of malware analysis. We systematize surveyed papers according to their objectives (i.e., the expected output, what the analysis aims at), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of problems concerning the datasets used in the considered works, and finally introduce the novel concept of malware analysis economics, regarding the study of existing tradeoffs among key metrics, such as analysis accuracy and economic costs.

    Regulation of Corporate Activity in the Space Sector

    This Article argues that commercialisation of space coupled with technological innovation calls for a regulatory approach beyond (and complementary to) the treaty regime offered by international law. The rapid technological advances in the financial sector and corresponding regulatory innovations make financial technology (fintech) regulation a likely candidate to draw lessons from for the nascent space sector. The Article draws from the fintech sector and proposes that some lessons about initial regulation via regulatory sandboxes and sandbox bridges are useful in the space sector. At the domestic level, the Article proposes regulatory sandboxes to enable innovation while ensuring the necessary safeguards; and at the multi-national level, it proposes cooperation between regulators in various spacefaring nations along the lines of sandbox bridges used in the fintech sector. Since different states have varying levels of space sector activity, this Article makes broad recommendations with pointers that identify aspects that are more suitable to certain types of jurisdictions than others.

    REGULATORY SANDBOXES ENABLE PRAGMATIC BLOCKCHAIN REGULATION

    Since blockchain technology supports digitally-native money, the centralized chokepoints that governments have traditionally targeted to regulate commerce no longer apply to our (digital) property. However, competent regulation furthers basic public policy goals and should enable responsible innovation of this promising technology. This Article discusses pragmatic policies that enable responsible innovation by cultivating the regulatory expertise required to write enforceable rules. Responsible innovation is necessary because unlike the early internet, where programmers could manipulate simple colors and text on webpages, these same individuals can now create financial services applications that manipulate actual money—we are faced with an inescapable reality that more is at stake.

    Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned

    Despite the growing threat posed by Android malware, the research community is still lacking a comprehensive view of common behaviors and trends exposed by malware families active on the platform. Without such a view, researchers incur the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threat, different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing. One of the main challenges posed when studying repackaged malware is slicing the app to split benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of malicious riders alone. Our analysis framework relies on collective repositories and recent advances in the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention by the research community.
    Accepted manuscript

    Agent-based Vs Agent-less Sandbox for Dynamic Behavioral Analysis

    Malicious software is detected and classified by either static analysis or dynamic analysis. In static analysis, malware samples are reverse engineered and analyzed so that signatures of malware can be constructed. These techniques can be easily thwarted through polymorphic and metamorphic malware, obfuscation and packing techniques, whereas in dynamic analysis malware samples are executed in a controlled environment using the sandboxing technique, in order to model the behavior of malware. In this paper, we have analyzed Petya, Spyeye, VolatileCedar, PAFISH, etc. through agent-based and agentless dynamic sandbox systems in order to investigate and benchmark their efficiency in advanced malware detection.

    Mining sandboxes for Linux containers

    NSFC Program

    Towards mining comprehensive Android sandboxes

    National Research Foundation (NRF) Singapore