Static vs. Dynamic Analysis (PowerPoint PPT presentation)


  1. IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware. Michelle Y. Wong and David Lie, University of Toronto, Department of Electrical and Computer Engineering. NDSS Symposium 2016.

  2. Background: Static vs. Dynamic Analysis
     • Static analysis: analyze source code or byte code
       ◦ Imprecise
       ◦ No run-time data
     • Dynamic analysis: analyze during execution
       ◦ Run-time values → precise
     IntelliDroid, University of Toronto

  3. Background: Dynamic Code Coverage
     • To detect malicious activity, first have to execute it
     • Example:
       message = <receive confirmation SMS>
       if message.number == '1234': <malicious action>

  4. Background: Concolic Testing
     • Run all execution paths in application
     • Symbolic execution, solve constraints for inputs
     [Figure: execution tree that forks at each branch on constraint 1 / !(constraint 1), then constraint 2 / !(constraint 2), then constraint 3 / !(constraint 3)]

  5. Background: Specific Malicious Paths
     • Malicious activity only executed in certain parts of the code
     [Figure: call graph of the application with a single "malicious code" node]

  6. Design: IntelliDroid
     • Targets specific parts of the application
       ◦ Input generator for existing dynamic detector
       ◦ Hybrid static and dynamic design
     • Implemented for Android
     • Improve malware analysis and detection

  7. Design: Target Malicious Paths
     • Malicious activity present only in certain parts of the code
     [Figure: call graph of the application with a "malicious code" node]

  8. Design: Target Malicious Paths
     • Use static analysis to look for call paths to malicious activity
     [Figure: the call paths in the graph that lead to the "malicious code" node are highlighted]

  9. Design: Target Over-Approximation
     • Target over-approximation of malicious behaviors
     [Figure: call graph with three "suspicious code" nodes, each reachable by its own call path]

  11. Design: Targeted Methods
      • Use method invocations as over-approximation
        ◦ Depends on attached dynamic malware detector
      • Existing dynamic detectors
        ✔ ◦ Method invocations
        ✔ ◦ System call traces
        ❌ ◦ Anomaly detection

      Dynamic Tool      | Goal                                                                   | Features for Analysis
      AASandbox [10]    | Monitor behavior via tracking of system calls                          | System calls
      Andromaly [36]    | Malware detection via system resource usage                            | Low-level device features (e.g. battery usage, CPU load)
      CopperDroid [39]  | Monitor behavior via system call tracking                              | System calls
      Crowdroid [12]    | Monitor behavior via tracking of system calls                          | System calls
      DroidBox [18]     | Sandbox to monitor external accesses                                   | Sink API methods
      DroidRanger [50]  | Detect malware using pre-specified behavioral footprints and heuristics | Sequence of API method invocations and parameters
      DroidScope [39]   | Plugins for API tracking, instruction tracing, and taint tracking      | API methods; source/sink API methods
      RiskRanker [39]   | Detect malware using known vulnerability signatures                    | Sequence of API method invocations
      TaintDroid [19]   | Detect privacy leakage                                                 | Source/sink API methods
      VetDroid [47]     | Malware detection via permission use behavior                          | Permission requests (can be mapped to API methods)

  12. Design: Static Constraint Extraction
      • Extract constraints on inputs that can trigger targeted paths
      [Figure: several call paths lead to "suspicious code"; each path is annotated with its own path constraints]

  13. Design: Targeted Input Injection
      • Inject constrained inputs to execute paths at run-time
      [Figure: Static side produces the path constraints for each path; Dynamic side turns them into run-time inputs that are injected into the application]

  14. Design: Challenges
      • Finding targeted paths using static analysis
        ◦ Imprecision?
      • Executing path to suspicious code
        ◦ Dependencies between paths?
      • Run-time input injection
        ◦ Where to inject?

  15. Design: Static Imprecision
      • Static analysis cannot determine run-time values
      • Example:
        message = <receive confirmation SMS>
        if message.number == <file A>.text: <malicious action>
        Constraint: <SMS message>.number == <file A>

  16. Design: Using Run-time Data
      • Solve constraints at run-time (with run-time data)
      [Figure: Static side holds the constraints of Path 1 ... Path N, e.g. <SMS message>.number == <file A>; Dynamic side reads run-time values (file A = "1234", location = San Diego) and feeds them with the constraints into the constraint solver, which yields the concrete input "1234"]

  17. Design: Path Dependencies
      • Data- and control-flow dependencies between call paths
      [Figure: one call path writes X; a second call path reads X before reaching the malicious code (data flow between the paths)]

  18. Design: Path Dependencies
      • Data- and control-flow dependencies between call paths
      • Event chain:
        1) <path to write X>
        2) <path to malicious code>
      [Figure: same write X / read X diagram, with the two paths numbered 1 and 2 in the order of the event chain]

  19. Design: Run-Time Injection
      [Figure: layered diagram. Application layer: event handlers, including the SMS event handler. Framework layer: system services, including the SMS system service. Hardware/Device layer: cellular radio and sensors]

  20. Design: Application Injection
      [Figure: same layered diagram; the input is injected directly into the application's SMS event handler. When the handler asks the framework "info on SMS?", the SMS system service answers "what SMS?"]

  21. Design: Device-Framework Injection
      [Figure: same layered diagram; the input is injected at the boundary between the hardware/device layer and the framework. When the handler asks "info on SMS?", the SMS system service answers "OK!"]

  22. Design: Contributions
      • Static imprecision
        ◦ Dynamic constraint solving with run-time values
      • Path dependencies
        ◦ Event chains
      • Consistent input injection
        ◦ Device-framework injection

  23. Implementation: Static Component
      [Figure: the app APK and the targeted behaviors are fed into the IntelliDroid static component. Application code:]
        BootReceiver
          onReceive(Intent i):
            if i == BOOT_COMPLETED: a = 1234
        SMSReceiver
          onReceive(Intent i):
            if i == SMS_RECEIVED: handleSMS(…)
          handleSMS(addr, msg):
            if a == addr: sendTextMessage(…)

  24. Implementation: Static Component
      • Extract event handlers
      • Find call paths
      • Extract path constraints
      • Add to event chain
      • If dependency: find dependent path
      [Figure: same application code as slide 23; the call path through SMSReceiver.onReceive → handleSMS → sendTextMessage(…) is labelled 2 and the path through BootReceiver.onReceive that writes a is labelled 1]

  25. Implementation: Static Component
      • Extract event handlers
      • Find call paths
      • Extract path constraints
      • Add to event chain
      • If dependency: find dependent path
      • Output: target call paths and constraints
      [Figure: same application code as slide 23, with path 1 (BootReceiver) and path 2 (SMSReceiver) marked]
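The static component's output for slides 23 to 25 is an event chain whose second step carries a constraint (a == addr) that only run-time data can satisfy. The following is an added example, not the authors' code: a toy Python model of the BootReceiver/SMSReceiver app, the extracted chain, and the dynamic component solving each step's constraint against live state before injecting the event; the app, the HANDLERS dispatch table, the constraint encoding and the "constructed body" value are all constructed here.

```python
# Added example, not the authors' code: toy model of IntelliDroid's event chain
# plus run-time constraint solving for the app on slides 23-25 (all constructed).
class TargetApp:
    def __init__(self):
        self.a = None          # written by path 1, read by path 2 (dependency)
        self.sink_calls = []   # records every reached sendTextMessage() call

    def boot_receiver(self, intent, **_):
        if intent == "BOOT_COMPLETED":
            self.a = "1234"

    def sms_receiver(self, intent, addr=None, msg=None):
        if intent == "SMS_RECEIVED":
            self.handle_sms(addr, msg)

    def handle_sms(self, addr, msg):
        if self.a == addr:     # sender must equal the value stored at boot
            self.sink_calls.append(("sendTextMessage", addr, msg))

# Event name -> app handler; on a device this dispatch is IntelliDroidService's job.
HANDLERS = {"BOOT_COMPLETED": "boot_receiver", "SMS_RECEIVED": "sms_receiver"}

# Stand-in for the static component's output: an ordered event chain. Path 2's
# constraint refers to field `a`, whose value static analysis cannot know.
EVENT_CHAIN = [
    {"event": "BOOT_COMPLETED", "constraints": {}},
    {"event": "SMS_RECEIVED", "constraints": {
        "addr": ("runtime_field", "a"), "msg": ("literal", "constructed body")}},
]

def solve_inputs(constraints, app):
    """Resolve constraints against live app state (stand-in for Z3 with run-time data)."""
    inputs = {}
    for name, (kind, value) in constraints.items():
        if kind == "runtime_field":
            value = getattr(app, value)   # read the live value instead of guessing
        if value is None:
            return None   # dependent path has not run yet: unsatisfiable
        inputs[name] = value
    return inputs

def run_chain(chain):
    """Execute the chain in order, solving each step right before injecting it."""
    app = TargetApp()
    for step in chain:
        inputs = solve_inputs(step["constraints"], app)
        if inputs is None:
            break
        getattr(app, HANDLERS[step["event"]])(step["event"], **inputs)
    return app.sink_calls
```

Running the chain in order reaches the sink; injecting the SMS event alone, or the two events in reverse order, never does, which is the path-dependency problem the event chain exists to solve.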

  26. Implementation: Implementation
      • Static analysis (Android-specific): WALA [1]
      • Dynamic component:
        ◦ Client program (Python)
          - Constraint solver: Z3 [2]
        ◦ Custom Android OS
          - IntelliDroidService: system service to receive input information and inject events
      [1] Watson libraries for analysis. http://wala.sourceforge.net. Accessed: September 2014.
      [2] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, pages 337–340. Springer, 2008.

  27. Evaluation: Evaluation
      • Can IntelliDroid be integrated with existing dynamic malware detectors?
      • Can it execute targeted behaviours at run-time?
      • Is the analysis time reasonable?

  28. Evaluation: Integration with TaintDroid
      • Attached to TaintDroid (dynamic taint tracking tool)
      • Input generator to execute taint sources and sinks
      [Figure: IntelliDroid (Static) finds paths from a taint source, e.g. getDeviceId(), to a taint sink, e.g. sendTextMessage(); IntelliDroid (Dynamic) generates the inputs for those paths; TaintDroid, the dynamic detector, reports the leakage paths]
