
    Active Learning of Points-To Specifications

    When analyzing programs, large libraries pose significant challenges to static points-to analysis. A popular solution is to have a human analyst provide points-to specifications that summarize relevant behaviors of library code, which can substantially improve precision and handle missing code such as native code. We propose ATLAS, a tool that automatically infers points-to specifications. ATLAS synthesizes unit tests that exercise the library code, and then infers points-to specifications based on observations from these executions. ATLAS automatically infers specifications for the Java standard library, and produces better results for a client static information flow analysis on a benchmark of 46 Android apps compared to using existing handwritten specifications.

    Analisis dan Deteksi Malware dengan Metode Hybrid Analysis Menggunakan Framework MOBSF

    Abstract - The increase in the popularity of smartphones is accompanied by an increase in the number of users each year. Smartphones running the Android platform still rank first in the percentage of users worldwide. This fact is also accompanied by an increasing number of attacks by malicious programs, or malware, on the Android platform. These rogue application developers take advantage of loopholes in the Android platform by inserting their malicious programs in the form of source code in Android applications and disseminating them through internet blogs and the Android application market. Ignorance and carelessness among lay users when installing Android applications make them the main target of malicious application developers. It is crucial for users to know what functions an Android application performs, especially when granting permissions or access rights to the Android system. This study uses samples of the Bouncing Golf and Riltok Banking Trojan malware. The study was conducted to determine their characteristics and behavior using a combination of static analysis and dynamic analysis, referred to in this study as hybrid analysis, using the MobSF framework. The analysis showed that Bouncing Golf stole information and was able to hijack infected Android devices effectively, and that Riltok Banking Trojan could take over mobile phones to steal credit card information through phishing techniques. Keywords - Android; Dynamic Analysis; Hybrid Analysis; Malware; Static Analysis.
    Abstract (Indonesian version) - The rise in smartphone popularity is accompanied by an increase in the number of users every year. In this regard, smartphones running the Android platform still rank first in the percentage of users worldwide. This fact is also accompanied by a growing number of attacks by malicious programs, or malware, on the Android platform. These malicious application developers exploit gaps in the Android platform by inserting their malicious programs as source code inside Android applications and distributing them through internet blogs and the Android application market. The lack of vigilance and the carelessness of lay users when installing Android applications make them the main target of malicious application developers. It is very important for users to know what functions an Android application performs, especially when granting permissions or access rights to the Android system. This research uses samples of the Bouncing Golf and Riltok Banking Trojan malware. The research was carried out to determine their characteristics and behavior using a combination of static analysis and dynamic analysis, referred to in this research as hybrid analysis, using the MobSF framework. The analysis shows that Bouncing Golf steals information and can effectively hijack infected Android devices, and that Riltok Banking Trojan has the ability to take over a smartphone to steal credit card information through phishing techniques. Keywords - Android; Dynamic Analysis; Hybrid Analysis; Malware; Static Analysis.

    Doctor of Philosophy

    Dissertation. Today's smartphones house private and confidential data ubiquitously. Mobile apps running on the devices can leak sensitive information by accident or intentionally. To understand application behaviors before running a program, we need to statically analyze it, tracking what data are accessed, where sensitive data flow, and what operations are performed with the data. However, automated identification of malicious behaviors in Android apps is challenging: First, there is a primary challenge in analyzing object-oriented programs precisely, soundly and efficiently, especially in the presence of exceptions. Second, there is an Android-specific challenge: asynchronous execution of multiple entry points. Third, the maliciousness of any given behavior is application-dependent and subject to human judgment. In this work, I develop a generic, highly precise static analysis of object-oriented code with multiple entry points, on which I construct an effective malware identification system with a human in the loop. Specifically, I develop a new analysis, pushdown exception-flow analysis, to generalize the analysis of normal control flows and exceptional flows in object-oriented programs. To refine points-to information, I generalize abstract garbage collection to object-oriented programs and enhance it with liveness analysis for even better precision. To tackle Android-specific challenges, I develop multi-entry-point saturation to approximate the effect of arbitrary asynchronous events. To apply the analysis techniques to security, I develop a static taint-flow analysis to track and propagate tainted sensitive data in the pushdown exception-flow framework. To accelerate static analysis, I develop a compact and efficient encoding scheme, called Gödel hashes, and integrate it into the analysis framework. All the techniques are realized and evaluated in a system named AnaDroid.
    AnaDroid is designed with a human in the loop to specify the analysis configuration and the properties of interest, and then to make the final judgment and identify where the maliciousness is, based on the analysis results. The analysis results include control-flow graphs highlighting suspiciousness, permission reports and risk-ranking reports. The experiments show that AnaDroid can lead to precise and fast identification of common classes of Android malware.

    Demystifying security and compatibility issues in Android Apps

    Never before has any OS been as popular as Android. Mobile phones are no longer simply devices for making phone calls and receiving SMS messages, but powerful communication and entertainment platforms for web surfing, social networking, etc. Even though the Android OS offers powerful communication and application execution capabilities, it is riddled with defects (e.g., security risks and compatibility issues), new vulnerabilities come to light daily, and bugs cost the economy tens of billions of dollars annually. For example, malicious apps (e.g., backdoors, fraud apps, ransomware, spyware, etc.) are reported [Google, 2022] to exhibit malicious behaviours, including privacy stealing, installation of unwanted programs, etc. To counteract these threats, many works have been proposed that rely on static analysis techniques to detect such issues. However, static techniques are not sufficient on their own to detect such defects precisely. They will likely yield false positives, as static analysis has to make trade-offs when handling complicated cases (e.g., object-sensitive vs. object-insensitive analysis). In addition, static analysis techniques will also likely suffer from soundness issues because some complicated features (e.g., reflection, obfuscation, and hardening) are difficult to handle [Sun et al., 2021b, Samhi et al., 2022]. Comment: Thesis

    Sound and Precise Malware Analysis for Android via Pushdown Reachability and Entry-Point Saturation

    We present Anadroid, a static malware analysis framework for Android apps. Anadroid exploits two techniques to soundly raise precision: (1) it uses a pushdown system to precisely model dynamically dispatched interprocedural and exception-driven control-flow; (2) it uses Entry-Point Saturation (EPS) to soundly approximate all possible interleavings of asynchronous entry points in Android applications. (It also integrates static taint-flow analysis and least-permissions analysis to expand the class of malicious behaviors it can catch.) Anadroid provides rich user interface support for the human analysts who must ultimately rule on the "maliciousness" of a behavior. To demonstrate the effectiveness of Anadroid's malware analysis, we had teams of analysts analyze a challenge suite of 52 Android applications released as part of the Automated Program Analysis for Cybersecurity (APAC) DARPA program. The first team analyzed the apps using a version of Anadroid that uses the traditional (finite-state-machine-based) control-flow analysis found in existing malware analysis tools; the second team analyzed the apps using a version of Anadroid that uses our enhanced pushdown-based control-flow analysis. We measured machine analysis time, human analyst time, and their accuracy in flagging malicious applications. With pushdown analysis, we found statistically significant (p < 0.05) decreases in time, from 85 minutes per app to 35 minutes per app in human plus machine analysis time, and statistically significant (p < 0.05) increases in accuracy with the pushdown-driven analyzer, from 71% correct identification to 95% correct identification. Comment: Appears in 3rd Annual ACM CCS workshop on Security and Privacy in SmartPhones and Mobile Devices (SPSM'13), Berlin, Germany, 201

    A New Protection for Android Applications

    Today, smartphones are very powerful, and many of their applications use wireless multimedia communications. Prevention of external dangers (threats) has become a big concern for experts these days. Android security has become a very important issue because of the free applications the platform provides and the features that make it very easy for anyone to develop an app and publish it on the Play Store. Some work has already been done on the Android security model, including several analyses of the model and frameworks aimed at enforcing security standards. In this article, we introduce a tool called PermisSecure that is able to perform both static and dynamic analysis on Android programs to automatically detect suspicious applications that request unnecessary or dangerous permissions.