5 research outputs found

    Preventing the release of illegitimate applications on mobile markets

    The popularity of mobile applications has been growing worldwide over the last few decades. This popularity is attracting more and more authors of malicious applications, called malware. To detect such malware, mobile markets have implemented analysis methods that suffer from several limitations. Those we have identified and which we propose to solve in the scope of this thesis are mainly two. The first is the inability to cope with a new method of malware publication consisting in anticipating the mobile version of a company that does not yet have one. The second limitation is the difficulty, due to app tracing, encountered by dynamic analysis solutions to be able to scale. To solve the first limitation, we designed and implemented a security check system called IMAD (Illegitimate Mobile App Detector), which is based mainly on online search engines and machine learning techniques. To solve the second problem, we introduced a scalable tracing approach, which we call delegated instrumentation. It leverages Android's instrumentation module and mainly relies on ART (Android RunTime) reverse engineering and hacking. The evaluation results show that IMAD can protect companies from anticipation attacks with an acceptable error rate and at a low cost for MMPs. We also demonstrated the effectiveness of delegated instrumentation with a prototype named ODILE that traces various app types (including benign apps and malware) on a Samsung Galaxy A7 2017. In particular, we show how much ODILE outperforms Frida, the state-of-the-art tool in the domain.

    Combating the publication of illegitimate applications on mobile markets

    The popularity of mobile applications has been growing worldwide over the last few decades. This popularity attracts more and more authors of malicious applications, or malware. To detect this malware, mobile markets have put in place analysis methods that suffer from several limitations. Those we have identified and propose to solve in this thesis are two in number. The first is the inability to cope with a new method of malware publication that consists in anticipating the mobile version of a company that does not yet have one. The second is the difficulty, linked to application tracing, that current dynamic analysis solutions encounter in scaling. To solve the first problem, we designed and implemented a system named IMAD (Illegitimate Mobile App Detector), which is based mainly on online search engines and machine learning techniques in order to identify malware guilty of anticipation. To solve the second problem, we introduce a scalable tracing approach, which we have named delegated instrumentation. This approach exploits the instrumentation module of the Android system and is based mainly on hacking techniques as well as on reverse engineering of the Android Runtime (ART). A prototype implementing delegated instrumentation, named ODILE, has also been developed. The evaluation results show that IMAD can protect companies from anticipation attacks with an acceptable error rate and at a reduced cost for mobile application markets. We have also demonstrated the effectiveness of ODILE for tracing several types of applications (including benign applications and malware) on a Samsung Galaxy A7 2017. In particular, we have shown that ODILE outperforms Frida, the tool currently used in the domain.

    Dealing with performance unpredictability in an asymmetric multicore processor cloud

    In a cloud computing data center, and especially in an IaaS (Infrastructure as a Service), performance predictability is one of the most important challenges. For a given allocated virtual machine (VM) in one IaaS, a client expects his application to perform identically whatever the hosting physical server or its resource management strategy. However, performance predictability is very difficult to enforce in a heterogeneous hardware environment where machines do not have identical performance characteristics, and even more difficult when machines are internally heterogeneous, as for Asymmetric Multicore Processor machines. In this paper, we introduce a VM scheduler extension which takes into account the hardware performance heterogeneity of Asymmetric Multicore Processor machines in the cloud. Based on our analysis of the problem, we designed and implemented two solutions: the first weights CPU allocations according to core performance, while the second adapts CPU allocations to reach a given instruction execution rate (Ips) regardless of the core types. We demonstrate that such scheduler extensions can enforce predictability with a negligible overhead on application performance.

    Preventing the propagation of a new kind of illegitimate apps

    A significant number of apps submitted to mobile market places (MMP) are illegitimate, resulting in negative publicity for these MMPs. To our knowledge, all scanning solutions in this domain only focus on the detection of illegitimate apps which mimic existing ones. However, recent attack analyses reveal the appearance of a new category of victims: enterprises which have not yet published their app on the MMP. Thereby, an attacker may be one step ahead and publish a malicious app using the graphic identity of a trusted enterprise. Famous enterprises such as Blackberry, Netflix, and Niantic (Pokemon Go) have been the subject of such attacks. We designed and implemented a security check system called IMAD (Illegitimate Mobile App Detector) which is able to limit the aforementioned attacks. The evaluation results show that IMAD can protect companies from such attacks with an acceptable error rate and at a low cost for MMPs.

    When eXtended Para-Virtualization (XPV) meets NUMA

    This paper addresses the problem of efficiently virtualizing NUMA architectures. The major challenge comes from the fact that the hypervisor regularly reconfigures the placement of a virtual machine (VM) over the NUMA topology. However, neither guest operating systems (OSes) nor system runtime libraries (e.g., Hotspot) are designed to consider NUMA topology changes at runtime, leading end-user applications to unpredictable performance. This paper presents eXtended Para-Virtualization (XPV), a new principle to efficiently virtualize a NUMA architecture. XPV consists in revisiting the interface between the hypervisor and the guest OS, and between the guest OS and system runtime libraries (SRL), so that they can dynamically take into account NUMA topology changes. The paper presents a methodology for systematically adapting legacy hypervisors, OSes, and SRLs. We have applied our approach with less than 2k lines of code in two legacy hypervisors (Xen and KVM), two legacy guest OSes (Linux and FreeBSD), and three legacy SRLs (Hotspot, TCMalloc, and jemalloc). The evaluation results showed that XPV outperforms all existing solutions by up to 304%.