
    Detecting Objective-C Malware through Memory Forensics

    Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently: operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as PatchGuard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
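    One of the checks such an inspection of the Objective-C runtime can perform is to walk each class's method list and ask where every implementation pointer (IMP) actually points. The block below is an added illustrative example, not code from the thesis: it models an already-parsed snapshot (a real plugin would first carve the objc_class and method_list_t structures out of the process image), and the image paths, addresses, class layout and the whitelist rule (IMP may live in the class-defining image, a system framework, or the main executable) are all constructed assumptions chosen to show the idea, not the thesis's exact criteria.

```python
from dataclasses import dataclass

# Constructed snapshot types. A real memory-forensics plugin would parse
# objc_class / method_list_t out of the captured process image; here the
# parsed result is modelled directly so the check runs offline.

@dataclass(frozen=True)
class Image:
    path: str
    text_start: int
    text_end: int          # exclusive end of the image's __TEXT segment

@dataclass(frozen=True)
class Method:
    selector: str
    imp: int               # implementation pointer read from the method list

@dataclass(frozen=True)
class ObjcClass:
    name: str
    image: str             # path of the image whose class list defines it
    methods: tuple

@dataclass(frozen=True)
class Finding:
    cls: str
    selector: str
    imp: int
    reason: str

# Assumed trusted locations for Apple-shipped code.
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")

def image_containing(addr, images):
    """Return the image whose __TEXT segment covers addr, or None."""
    for img in images:
        if img.text_start <= addr < img.text_end:
            return img
    return None

def scan_method_lists(classes, images, main_executable):
    """Flag methods whose IMP lies somewhere the class should not be implemented.

    Assumed heuristic: an IMP may live in the image that defines the class,
    in a system framework (Apple ships categories on its own classes), or in
    the main executable (apps legitimately add categories). Anything else is a
    swizzle/hook candidate; an IMP covered by no mapped __TEXT at all points
    at an injected anonymous executable mapping.
    """
    findings = []
    for cls in classes:
        for m in cls.methods:
            img = image_containing(m.imp, images)
            if img is None:
                findings.append(Finding(cls.name, m.selector, m.imp,
                                        "IMP outside every mapped __TEXT segment"))
            elif (img.path != cls.image
                  and img.path != main_executable
                  and not img.path.startswith(SYSTEM_PREFIXES)):
                findings.append(Finding(cls.name, m.selector, m.imp,
                                        f"IMP in untrusted image {img.path}"))
    return findings

def demo_snapshot():
    """Constructed sample snapshot; every address and path below is made up."""
    mail = "/Applications/Mail.app/Contents/MacOS/Mail"
    foundation = "/System/Library/Frameworks/Foundation.framework/Foundation"
    appkit = "/System/Library/Frameworks/AppKit.framework/AppKit"
    injected = "/Users/Shared/.cache/libhelper.dylib"
    images = (
        Image(mail, 0x100000000, 0x100200000),
        Image(foundation, 0x7FFF20000000, 0x7FFF20400000),
        Image(appkit, 0x7FFF30000000, 0x7FFF31000000),
        Image(injected, 0x10A000000, 0x10A010000),
    )
    classes = (
        # Category method added by the app itself: benign.
        ObjcClass("NSString", foundation, (Method("length", 0x7FFF20001000),
                                           Method("mail_trimmed", 0x100001000))),
        # -keyDown: re-pointed into an injected dylib: keylogger-style swizzle.
        ObjcClass("NSTextView", appkit, (Method("keyDown:", 0x10A000500),
                                         Method("insertText:", 0x7FFF30002000))),
        # IMP in an anonymous mapping backed by no image at all.
        ObjcClass("MailController", mail, (Method("send:", 0x10B000000),)),
    )
    return classes, images, mail

def run_demo():
    classes, images, main_exe = demo_snapshot()
    return scan_method_lists(classes, images, main_exe)

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.cls} -{f.selector} IMP=0x{f.imp:x}: {f.reason}")
```

    Against the constructed snapshot the scan reports the hooked -keyDown: on NSTextView and the image-less -send: on MailController, while the app's own NSString category passes. On a real image the same walk also has to cover the method caches and metaclass (class-method) lists, since a swizzle that only touches the cache never appears in the method list.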

    Edge Reduce: Eliminating Mobile Network Traffic Using Application-Specific Edge Proxies

    Mobile carriers are struggling to cope with the surge in smartphone traffic, which reflects badly on end users, who often experience poor connectivity in densely populated urban environments. Data transfers between mobile client applications and their Internet backend services contribute significantly to the contention in radio access networks (RANs). Client applications, however, typically transfer unnecessary data because (i) backend service APIs do not support a fine-grained specification of the data actually required by clients and (ii) clients aggressively prefetch data that is never used. We describe EDGEREDUCE, an automated approach for reducing the data transmitted from backend services to a mobile device. Based on source-level program analysis, EDGEREDUCE generates application-specific proxies for mobile client applications that execute part of the application logic at the network edge to filter data returned by backend API calls and only send used data to the client. EDGEREDUCE also permits the tuning of aggressive prefetching strategies: proxies replace large prefetched objects such as images by futures, whose access by the client triggers the retrieval of the object on demand. We show that EDGEREDUCE reduces the RAN traffic for real-world iOS client applications by up to 8×, with only a modest increase in response time.