A declarative framework for stateful analysis of execution traces

With newer complex multi-core systems, it is important to understand applications’ run-time behaviour to be able to debug their executions, detect possible problems and bottlenecks and finally identify potential root-causes. Execution traces usually contain precise data about applications’ execution, with which analysis and abstraction at multiple levels, they can provide valuable information and insights about the applications’run-time behaviour. However, with multiple abstraction levels, it becomes increasingly difficult to find the exact location of detected performance or security problem. Tracing tools provide various analysis views to help understand these problems. However, these views are not somehow enough to uncover all aspects of the underlying issues. The developer is in fact the one who best knows his application. Therefore, a declarative approach that enables users to specify and build their custom analysis based on their knowledge, requirements and problems can be more useful and effective. In this paper we propose a generic declarative trace analysis framework to analyze, comprehend and visualize execution traces. This enhanced framework builds custom analysis based on a specified modelled state, extracted from a system execution trace and stored in a special purpose database. The proposed solution enables users to first define their different analysis models based on their application and requirements, then visualize these models in many alternate representations (Gantt chart, XY chart, etc.), and finally filter the data to get some highlights or detect some potential patterns. Several sample applications with different operating systems are shown using trace events gathered from Linux and Windows kernel and user-space levels

Leveraging the Use of API Call Traces for Mobile Security

The growing popularity of Android applications has generated increased concerns over the danger of piracy and the spread of malware. A popular way to distribute malware in the mobile world is through the repackaging of legitimate apps. This process consists of downloading, unpacking, manipulating, recompiling an application, and publishing it again in an app store. In this thesis, we conduct an empirical study of over 15,000 apps to gain insights into the factors that drive the spread of repackaged apps. We also examine the motivations of developers who publish repackaged apps and those of users who download them, as well as the factors that determine which apps are chosen for repackaging, and the ways in which the apps are modified during the repackaging process. We have also studied android applications structure to investigate the locations where malicious code are more probable to be embedded into legitimate applications. We observed that service components contain key characteristics that entice attackers to misuse them. Therefore, we have focus on studying the behavior of malicious and benign services. Whereas benign services tend to inform the user of the background operations, malicious services tend to do long running operations and have a loose connection with rest of the code. These findings lead us to propose an approach to detect malware by studying the services’ behavior. To model the services’ behavior, we used API calls as feature sets. We proposed a hybrid approach using static and dynamic analysis to extract the API calls through the service lifecycle. Finally, we used the list of API calls preponderantly present in both malware as well as benign services as the feature set. We applied machine learning algorithms to use the feature set to classify malicious services and benign services