SLIDE 1

INTELLIDROID

A Targeted Input Generator for the Dynamic Analysis of Android Malware

Michelle Y. Wong and David Lie

University of Toronto, Department of Electrical and Computer Engineering
NDSS Symposium 2016

SLIDE 2

UNIVERSITY OF TORONTO INTELLIDROID

Static vs. Dynamic Analysis

  • Static analysis: analyze source code or byte code
    • Imprecise
    • No run-time data
  • Dynamic analysis: analyze during execution
    • Run-time values → precise

SLIDE 3

Dynamic Code Coverage

  • To detect malicious activity, first have to execute it
  • Example:


    message = <receive confirmation SMS>
    if message.number == '1234':
        <malicious action>

SLIDE 4

Concolic Testing

  • Run all execution paths in application
  • Symbolic execution, solve constraints for inputs

[Figure: execution tree of path constraints, one leaf per path: (constraint 1, constraint 2); (constraint 1, !(constraint 2)); (!(constraint 1), constraint 3); (!(constraint 1), !(constraint 3))]

SLIDE 5

Specific Malicious Paths

  • Malicious activity only executed in certain parts of the code

[Figure: application call graph with one region labelled "malicious code"]

SLIDE 6

IntelliDroid

  • Targets specific parts of the application
  • Input generator for existing dynamic detector
  • Hybrid static and dynamic design
  • Implemented for Android
  • Improve malware analysis and detection

SLIDE 7

Target Malicious Paths

  • Malicious activity present only in certain parts of the code

[Figure: application call graph with one region labelled "malicious code"]

SLIDE 8

Target Malicious Paths

  • Use static analysis to look for call paths to malicious activity

[Figure: call paths found by static analysis leading to the region labelled "malicious code"]

SLIDE 9

Target Over-Approximation

  • Target over-approximation of malicious behaviors

[Figure: call graph with several regions labelled "suspicious code"]

SLIDE 10

Target Over-Approximation

  • Target over-approximation of malicious behaviors

[Figure: call paths to each of the regions labelled "suspicious code"]

SLIDE 11

Targeted Methods

  • Use method invocations as over-approximation
    • Depends on attached dynamic malware detector
  • Existing dynamic detectors for Android:
    • Method invocations
    • System call traces
    • Anomaly detection

| Dynamic Tool | Goal | Features for Analysis |
|---|---|---|
| AASandbox [10] | Monitor behavior via tracking of system calls | System calls |
| Andromaly [36] | Malware detection via system resource usage | Low-level device features (e.g. battery usage, CPU load) |
| CopperDroid [39] | Monitor behavior via system call tracking | System calls |
| Crowdroid [12] | Monitor behavior via tracking of system calls | System calls |
| DroidBox [18] | Sandbox to monitor external accesses | Sink API methods |
| DroidRanger [50] | Detect malware using pre-specified behavioral footprints and heuristics | Sequence of API method invocations and parameters |
| DroidScope [39] | Plugins for API tracking, instruction tracing, and taint tracking | API methods; source/sink API methods |
| RiskRanker [39] | Detect malware using known vulnerability signatures | Sequence of API method invocations |
| TaintDroid [19] | Detect privacy leakage | Source/sink API methods |
| VetDroid [47] | Malware detection via permission use behavior | Permission requests (can be mapped to API methods) |
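The call-path search of slides 8 and 11, as an added Python example that is not IntelliDroid's own code: over a constructed call graph for a small app, it reports which event handlers reach a targeted API method (the over-approximation an attached detector such as TaintDroid supplies) and how little of the app lies on those paths. All method names and the graph itself are illustrative assumptions.

```python
# Added example (not IntelliDroid's own code): find call paths from Android
# event handlers to "targeted" API methods over a constructed call graph.
from collections import deque

# Constructed call graph: keys are app-defined methods, values their callees.
# The SMSReceiver part mirrors the app on the slides; MainActivity is benign.
CALL_GRAPH = {
    "BootReceiver.onReceive": [],
    "SMSReceiver.onReceive": ["SMSReceiver.handleSMS"],
    "SMSReceiver.handleSMS": ["SmsManager.sendTextMessage", "Log.d"],
    "MainActivity.onCreate": ["MainActivity.loadUI", "MainActivity.refresh"],
    "MainActivity.loadUI": ["Log.d", "MainActivity.refresh"],   # forms a cycle
    "MainActivity.refresh": ["MainActivity.loadUI"],
}
EVENT_HANDLERS = {"BootReceiver.onReceive", "SMSReceiver.onReceive",
                  "MainActivity.onCreate"}
# Over-approximation of malicious behaviour: the method invocations the
# attached dynamic detector monitors (here TaintDroid-style source/sink APIs).
TARGETED_METHODS = {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"}


def find_call_paths(graph, handlers, targets):
    """Return every acyclic call path from an event handler to a targeted method."""
    paths = []
    for handler in sorted(handlers):
        queue = deque([[handler]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in targets:
                paths.append(path)
                continue
            for callee in graph.get(node, []):
                if callee not in path:        # do not follow recursion / cycles
                    queue.append(path + [callee])
    return paths


def app_methods_on_targeted_paths(graph, handlers, targets):
    """App-defined methods that lie on some targeted path: the only code the
    dynamic detector needs to execute (the rest of the app can be skipped)."""
    on_path = {m for p in find_call_paths(graph, handlers, targets) for m in p}
    return sorted(m for m in on_path if m in graph)
```

Only SMSReceiver's handler is worth triggering here; BootReceiver reaches no target on its own, which is exactly the path-dependency case the later slides address.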

SLIDE 12

Static Constraint Extraction

  • Extract constraints on inputs that can trigger targeted paths

[Figure: static analysis extracts one set of "Path Constraints" for each call path leading to "suspicious code"]

SLIDE 13

Targeted Input Injection

  • Inject constrained inputs to execute paths at run-time

[Figure: the Static component produces Path Constraints; at run-time the Dynamic component turns them into inputs that are injected into the application]

SLIDE 14

Challenges

  • Finding targeted paths using static analysis
    • Imprecision?
  • Executing path to suspicious code
    • Dependencies between paths?
  • Run-time input injection
    • Where to inject?

SLIDE 15

Static Imprecision

  • Static analysis cannot determine run-time values
  • Example:


    message = <receive confirmation SMS>
    if message.number == <file A>.text:
        <malicious action>

  Constraint: <SMS message>.number == <file A>

SLIDE 16

Using Run-time Data

  • Solve constraints at run-time (with run-time data)

[Figure: the Static component hands Path 1 … Path N constraints to a constraint solver in the Dynamic component, which substitutes run-time data (file A = "1234", location = San Diego); e.g. <SMS message>.number == <file A> becomes <SMS message>.number == "1234"]

SLIDE 17

Path Dependencies

  • Data- and control-flow dependencies between call paths

[Figure: two call paths, one that writes X and one that reads X before reaching "malicious code", connected by a data-flow edge]

SLIDE 18

Path Dependencies

  • Data- and control-flow dependencies between call paths

Event Chain:
  1) <path to write X>
  2) <path to malicious code>

[Figure: the path that writes X is executed first (1) so that the path that reads X (2) reaches the "malicious code"]

SLIDE 19

Run-Time Injection

[Figure: three layers. Application: Event Handler, SMS Handler, Event Handler. Framework: System Service, SMS Service, System Service. Hardware/Device: Cellular Radio, Sensor.]

SLIDE 20

Application Injection

[Figure: the same three layers; the event is injected directly into the Application layer, so when the SMS Handler asks the SMS Service "info on SMS?" the framework answers "what SMS?"]

SLIDE 21

Device-Framework Injection

[Figure: the same three layers; the event is injected at the device/framework boundary, so the SMS Service knows the SMS and answers "OK!" to the handler's "info on SMS?"]

SLIDE 22

Contributions

  • Static imprecision
    • Dynamic constraint solving with run-time values
  • Path dependencies
    • Event chains
  • Consistent input injection
    • Device-framework injection

SLIDE 23

Static Component

Application:

    BootReceiver
      onReceive(Intent i):
        if i == BOOT_COMPLETED:
          a = 1234

    SMSReceiver
      onReceive(Intent i):
        if i == SMS_RECEIVED:
          handleSMS(…)
      handleSMS(addr, msg):
        if a == addr:
          sendTextMessage(…)

[Figure: the App APK and the Targeted Behaviors are the inputs to the IntelliDroid Static Component]

SLIDE 24

Static Component

Static component steps:
  1. Extract event handlers
  2. Find call paths
  3. Extract path constraints
  4. If dependency: find dependent path and add to event chain

[Figure: the same application code as slide 23 (BootReceiver and SMSReceiver), with the two paths numbered 1 and 2 as an event chain; inputs: Targeted Behaviors, App APK]

SLIDE 25

Static Component

Static component steps:
  1. Extract event handlers
  2. Find call paths
  3. Extract path constraints
  4. If dependency: find dependent path and add to event chain

Output: target call paths and constraints

[Figure: the same application code as slide 23 (BootReceiver and SMSReceiver), with the two paths numbered 1 and 2 as an event chain; inputs: Targeted Behaviors, App APK]
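Slides 16, 18 and 23–25 together, as an added Python example that is not IntelliDroid's own code: the constraints extracted statically for the path to sendTextMessage refer to a value (field a) that only exists after BootReceiver's BOOT_COMPLETED path has run, so that dependency is injected first and the constraint is solved against the run-time value, as the dynamic component does. The constraint encoding, event names, the `device` dict and the app_under_test stand-in are constructed assumptions, and a tiny eq/ne solver stands in for Z3.

```python
# Added example (not IntelliDroid's own code): solve statically extracted path
# constraints against run-time values, then inject the resulting event chain.
from typing import Callable

# Constructed encoding of the constraints for the target path on the slides
# (SMSReceiver.onReceive -> handleSMS -> sendTextMessage). ("runtime", key) marks
# a value static analysis cannot know; it is read from the device when solving.
TARGET_PATH = {
    "event": "SMS_RECEIVED",
    "constraints": [("eq", "intent.action", "SMS_RECEIVED"),
                    ("eq", "sms.address", ("runtime", "field:SMSReceiver.a")),
                    ("ne", "sms.body", "")],
    # Dependency found statically: field `a` is written only on BootReceiver's
    # BOOT_COMPLETED path, so that path comes first in the event chain.
    "depends_on": [{"event": "BOOT_COMPLETED",
                    "constraints": [("eq", "intent.action", "BOOT_COMPLETED")]}],
}

def solve(constraints, lookup: Callable[[str], str]) -> dict:
    """Tiny Z3 stand-in: satisfy eq/ne constraints, resolving run-time values via lookup."""
    assignment = {}
    for op, var, value in constraints:
        if isinstance(value, tuple) and value[0] == "runtime":
            value = lookup(value[1])              # substitute the run-time value
        if op == "eq":
            if assignment.get(var, value) != value:
                raise ValueError(f"unsatisfiable constraint on {var}")
            assignment[var] = value
        elif op == "ne":
            if assignment.get(var) == value:
                raise ValueError(f"unsatisfiable constraint on {var}")
            assignment.setdefault(var, value + "x")
    return assignment

def inject_chain(path, device: dict, inject: Callable) -> list:
    """Inject each dependency before the path needing it; solve a step only when its run-time values exist."""
    injected = []
    for step in path.get("depends_on", []) + [path]:
        inputs = solve(step["constraints"], device.__getitem__)
        inject(step["event"], inputs, device)
        injected.append((step["event"], inputs))
    return injected

def app_under_test(event, inputs, device):
    """Constructed stand-in for the app on slides 23-25, not a real app."""
    if event == "BOOT_COMPLETED":
        device["field:SMSReceiver.a"] = "1234"                       # a = 1234
    elif event == "SMS_RECEIVED" and inputs["sms.address"] == device.get("field:SMSReceiver.a"):
        device.setdefault("reached", []).append("sendTextMessage")  # if a == addr
```

Solving TARGET_PATH's constraints against an empty device raises KeyError: the value does not exist until the BOOT_COMPLETED path has run, which is the static imprecision of slide 15 surfacing at run-time.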

SLIDE 26

Implementation

  • Static analysis (Android-specific): WALA [1]
  • Dynamic component:
    • Client program (Python)
    • Constraint solver: Z3 [2]
    • Custom Android OS
      • IntelliDroidService: system service to receive input information and inject events

[1] Watson libraries for analysis. http://wala.sourceforge.net. Accessed: September 2014.
[2] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, pages 337–340. Springer, 2008.

SLIDE 27

Evaluation

  • Can IntelliDroid be integrated with existing dynamic malware detectors?
  • Can it execute targeted behaviours at run-time?
  • Is the analysis time reasonable?

SLIDE 28

Integration with TaintDroid

  • Attached to TaintDroid (dynamic taint tracking tool)
  • Input generator to execute taint sources and sinks

[Figure: TaintDroid (Dynamic Detector) supplies taint sources and sinks, e.g. getDeviceId() and sendTextMessage(); IntelliDroid (Static) finds the leakage paths and IntelliDroid (Dynamic) generates the inputs that drive TaintDroid along them]

SLIDE 29

IntelliDroid-Driven TaintDroid

  • Tested on 26 privacy leaks in 17 malicious apps [1,2]
    • IntelliDroid: Triggered and detected all leaks
    • Monkey: Missed 21 leaks
  • Executed < 5% of application code

[1] Yajin Zhou and Xuxian Jiang. Dissecting Android malware: Characterization and evolution. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 95–109. IEEE, 2012.
[2] M. Parkour, "Contagio mobile," 2015, http://contagiominidump.blogspot.ca/, Last Accessed Aug, 2015.

SLIDE 30

Targeted Input Injection

  • Target malicious behaviours in Android Malware Genome and Contagio
  • Triggered 70 out of 75 behaviours
  • Missed behaviors:
    • Encoding
    • File dependencies (currently not supported)

[Figure: diagram relating "Known Malicious Activity" to the "Method Invocations" targeted by IntelliDroid]

SLIDE 31

Performance

  • Scales for large-scale analysis of applications
  • Static analysis:
    • 138.4s per application
  • Dynamic constraint solving:
    • 4.22ms per targeted call path

[1] David Barrera, Jeremy Clark, Daniel McCarney, and Paul C. van Oorschot. Understanding and improving app installation security mechanisms through empirical analysis of android. In Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM '12, pages 81–92, New York, NY, USA, 2012. ACM.

SLIDE 32

Conclusion

  • Targeted input generation for effective dynamic malware detection
  • IntelliDroid
    • Static constraint extraction with run-time data
    • Event chains and framework injection
    • Integrated with existing dynamic tools (TaintDroid)
    • Improve effectiveness, reduce amount of code to be executed (< 5%)