Mining Sandboxes
Modern software is ubiquitous, yet insecure. It has the potential to expose billions of humans to serious harm, up to and including losing fortunes and taking lives. Existing approaches for securing programs are either exceedingly hard and costly to apply, significantly decrease usability, or just don't work well enough against a determined attacker. In this thesis we propose a new solution that significantly increases application security yet is cheap, easy to deploy, and has minimal usability impact. We combine in a novel way the best of what existing techniques of test generation, dynamic program analysis and runtime enforcement have to offer: we introduce the concept of sandbox mining. First, in a phase called mining, we use automatic test generation to discover application behavior. Second, we apply a sandbox to limit any behavior during normal usage to the behavior discovered during mining. Users of an application running in a mined sandbox are thus protected from the application suddenly changing its behavior compared to what was observed during automatic test generation. As a consequence, backdoors, advanced persistent threats and other kinds of attacks that rely on the passage of time become exceedingly hard to conduct covertly: they are either discovered in the secure mining phase, where they can do no damage, or are blocked altogether. Mining is cheap because we leverage fully automated test generation to provide baseline behavior. Usability is not degraded: the runtime enforcement overhead of the sandbox is negligible, and the mined behavior is comprehensive and presented in a human-readable format, so unexpected behavior changes are rare and easy to reason about. Our BOXMATE prototype for Android applications shows the approach is technically feasible, has an easy setup process, and is widely applicable to existing apps. Experiments conducted with BOXMATE show that less than one hour is required to mine sandboxes for Android applications, requiring few to no confirmations for frequently used functionality.
Survey of Machine Learning Techniques for Malware Analysis
Coping with malware is getting more and more challenging, given its relentless growth in complexity and volume. One of the most common approaches in the literature is using machine learning techniques to automatically learn the models and patterns behind such complexity, and to develop technologies for keeping pace with the speed at which novel malware is developed. This survey aims at providing an overview of the way machine learning has been used so far in the context of malware analysis. We systematize the surveyed papers according to their objectives (i.e., the expected output, what the analysis aims at), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of problems concerning the datasets used in the considered works, and finally introduce the novel concept of malware analysis economics, regarding the study of existing tradeoffs among key metrics, such as analysis accuracy and economic costs.
Regulation of Corporate Activity in the Space Sector
This Article argues that commercialisation of space coupled with technological innovation calls for a regulatory approach beyond (and complementary to) the treaty regime offered by international law. The rapid technological advances in the financial sector and corresponding regulatory innovations make financial technology (fintech) regulation a likely candidate to draw lessons from for the nascent space sector. The Article draws from the fintech sector and proposes that some lessons about initial regulation via regulatory sandboxes and sandbox bridges are useful in the space sector. At the domestic level, the Article proposes regulatory sandboxes to enable innovation while ensuring the necessary safeguards; at the multi-national level, it proposes cooperation between regulators in various spacefaring nations along the lines of the sandbox bridges used in the fintech sector. Since different states have varying levels of space sector activity, this Article makes broad recommendations with pointers that identify aspects that are more suitable to certain types of jurisdictions than others.
REGULATORY SANDBOXES ENABLE PRAGMATIC BLOCKCHAIN REGULATION
Since blockchain technology supports digitally-native money, the centralized chokepoints that governments have traditionally targeted to regulate commerce no longer apply to our (digital) property. However, competent regulation furthers basic public policy goals and should enable responsible innovation of this promising technology. This Article discusses pragmatic policies that enable responsible innovation by cultivating the regulatory expertise required to write enforceable rules. Responsible innovation is necessary because, unlike the early internet, where programmers could manipulate simple colors and text on webpages, these same individuals can now create financial services applications that manipulate actual money—we are faced with the inescapable reality that more is at stake.
Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned
Despite the growing threat posed by Android malware, the research community is still lacking a comprehensive view of the common behaviors and trends exhibited by malware families active on the platform. Without such a view, researchers run the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threat, different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing.

One of the main challenges posed when studying repackaged malware is slicing the app to split the benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of the malicious riders alone. Our analysis framework relies on collective repositories and recent advances in the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention from the research community.
Agent-based Vs Agent-less Sandbox for Dynamic Behavioral Analysis
Malicious software is detected and classified by either static analysis or dynamic analysis. In static analysis, malware samples are reverse engineered and analyzed so that signatures of the malware can be constructed. These techniques can be easily thwarted through polymorphic and metamorphic malware, obfuscation and packing techniques, whereas in dynamic analysis malware samples are executed in a controlled environment using the sandboxing technique in order to model the behavior of the malware. In this paper, we have analyzed Petya, Spyeye, VolatileCedar, PAFISH etc. through agent-based and agentless dynamic sandbox systems in order to investigate and benchmark their efficiency in advanced malware detection.
Mining sandboxes for Linux containers
Towards mining comprehensive Android sandboxes