
TriggerScope Towards Detecting Logic Bombs in Android Applications


1 TriggerScope Towards Detecting Logic Bombs in Android Applications
Authors: Yanick Fratantonio, Antonio Bianchi, William Robertson, Engin Kirda, Christopher Kruegel Presented By: Kevin Yu

2 Problem
Android is the most widely targeted platform by mobile malware
How can we be sure our apps are safe when there are millions of apps available on the app stores?
App stores have existing app review processes that help to prevent a large number of malicious apps
However, there are certain types of actions that are difficult to detect as malicious
Logic bombs are a prime example of this

3 What is a Logic Bomb?
“Malicious application logic that is executed, or triggered, only under certain circumstances”

4 What are Logic Bombs

5 Current Solution
Automated review systems
  Malicious code may not be executed
  Even if it is, hard to tell what the intended behaviour is
Manual audit combined with dynamic analysis tools
  Expensive
  Time cost
  Still hard to determine what exactly classifies as a logic bomb

6 TriggerScope
Proposed Solution
  Don’t look at what kind of functionality is being executed
  Look at what kind of conditions are required
Advantages
  Automated
  Static analysis
  No need for source code

7 Defining key terms
If ( Predicate ) { Functionality }
Predicate is suspicious if it represents a condition that is satisfied under specific circumstances
Functionality is sensitive if one of its statements directly or indirectly executes a sensitive operation

8 Defining key terms
Suspicious
  “If the predicate is semantically equivalent to one or more ordering comparisons between a current time value and a constant”
Sensitive
  “If it executes any Android API that is protected by a permission”
Trigger
  When a suspicious predicate controls the execution of a sensitive functionality

9 TriggerScope Overview
Phase 1
  Parse bytecode to generate the sCFG
  Symbolic Execution is used to annotate the sCFG with info about each value's type, its value, and the operations that affect it
  Block Predicate Extraction is used to find each intra-procedural path predicate for each basic block
Phase 2
  Path Predicate Recovery and Minimization is used to simplify the predicates associated with each block to remove false positives
  Predicate Classification determines whether a predicate is suspicious
  Control Dependency Analysis checks each block guarded by a suspicious predicate, and determines if it contains sensitive operations

10 Symbolic Execution
Annotates the sCFG with info about each value's type, its value, and the operations that affect it

11 Symbolic Execution
For example, this shows what date values are associated with the check.

12 Block Predicate Extraction
Finds each intra-procedural path predicate for each basic block

13 Path Predicate Recovery and Minimisation
Simplifies the predicates associated with each block to remove false positives

14 Predicate Classification
Determines whether a predicate is suspicious by looking at what type of comparisons are being made, as well as the operands that are being compared
Suspicious
  “If the predicate is semantically equivalent to one or more ordering comparisons between a current time value and a constant”
Post filtering is done to remove trivial checks that would raise false positives.

15 Control Dependency Analysis
Checks each block guarded by a suspicious predicate, and determines if it contains sensitive operations
Just because it is a trigger does not mean that there is a logic bomb.
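The following Python is an added example, not the TriggerScope tool from the paper nor the presenter's material. It walks the pipeline of slides 7 to 15 over a hand-written three-address IR: a forward symbolic pass annotates each value as derived from the current time, a constant, or unknown (slide 10); predicate classification flags ordering comparisons between a time-derived value and a constant, with an assumed post-filter that drops comparisons against 0 as a trivial check (slide 14); and control dependency analysis follows calls into callee methods to find permission-protected APIs (slide 15). The IR shape, the SENSITIVE_APIS and TIME_SOURCES tables, the sample program and the 2016-01-01 deadline constant are all constructed assumptions standing in for Dalvik bytecode and Android's permission map.

```python
"""Toy TriggerScope-style trigger detector over a hand-written IR.

Added example; everything below is an assumption. Instruction forms:
  ("call", dst, api)             dst = api()     (dst may be None)
  ("const", dst, value)          dst = literal
  ("binop", dst, op, a, b)       dst = a op b    (arithmetic)
  ("if", op, a, b, block_name)   block_name runs only if (a op b)
"""
import operator
from dataclasses import dataclass, field
from typing import Optional

SENSITIVE_APIS = {  # constructed subset: API -> protecting permission
    "SmsManager.sendTextMessage": "SEND_SMS",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "Log.d": None,  # not permission-protected
}
TIME_SOURCES = {"System.currentTimeMillis", "Calendar.getTimeInMillis"}
ORDERING_OPS = {"<", "<=", ">", ">="}
FOLD = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.floordiv}


@dataclass
class Sym:
    """Symbolic annotation: origin kind, value if known, ops applied to it."""
    kind: str                      # "time", "const" or "unknown"
    value: Optional[int] = None
    ops: list = field(default_factory=list)


def symbolic_execute(block):
    """Forward pass over one block, annotating every defined variable."""
    env = {}
    for ins in block:
        if ins[0] == "call" and ins[1] is not None:
            env[ins[1]] = Sym("time" if ins[2] in TIME_SOURCES else "unknown")
        elif ins[0] == "const":
            env[ins[1]] = Sym("const", ins[2])
        elif ins[0] == "binop":
            _, dst, op, a, b = ins
            sa, sb = env.get(a, Sym("unknown")), env.get(b, Sym("unknown"))
            ops = sa.ops + sb.ops + [op]
            if sa.kind == sb.kind == "const":        # constant folding
                env[dst] = Sym("const", FOLD[op](sa.value, sb.value), ops)
            elif "time" in (sa.kind, sb.kind):       # arithmetic keeps "time"
                env[dst] = Sym("time", ops=ops)
            else:
                env[dst] = Sym("unknown", ops=ops)
    return env


def is_suspicious(op, a, b, env):
    """Predicate classification: ordering comparison between a current-time
    value and a constant. Dropping comparisons against 0 is an assumed
    example of the post-filter for trivial checks."""
    sa, sb = env.get(a, Sym("unknown")), env.get(b, Sym("unknown"))
    if op not in ORDERING_OPS or {sa.kind, sb.kind} != {"time", "const"}:
        return False
    const = sa if sa.kind == "const" else sb
    return const.value != 0


def sensitive_ops(block_name, program, seen=None):
    """Control dependency analysis: permission-protected APIs executed by
    the block directly or through the methods it calls."""
    seen = seen if seen is not None else set()
    found = []
    for ins in program[block_name]:
        if ins[0] != "call":
            continue
        api = ins[2]
        if SENSITIVE_APIS.get(api):
            found.append((api, SENSITIVE_APIS[api]))
        elif api in program and api not in seen:
            seen.add(api)
            found.extend(sensitive_ops(api, program, seen))
    return found


def find_triggers(program, entry):
    """Report suspicious predicates that guard sensitive functionality."""
    env = symbolic_execute(program[entry])
    triggers = []
    for ins in program[entry]:
        if ins[0] != "if":
            continue
        _, op, a, b, guarded = ins
        if is_suspicious(op, a, b, env):
            ops = sensitive_ops(guarded, program)
            if ops:  # suspicious predicate over a harmless block: not a trigger
                triggers.append({"predicate": (a, op, b), "block": guarded, "ops": ops})
    return triggers


# Constructed sample: one receiver method with three conditionals.
SAMPLE_PROGRAM = {
    "onReceive": [
        ("call", "now_ms", "System.currentTimeMillis"),
        ("const", "thousand", 1000),
        ("binop", "now_s", "/", "now_ms", "thousand"),  # still "time"
        ("const", "deadline", 1451606400),              # 2016-01-01 UTC (constructed)
        ("const", "zero", 0),
        ("const", "limit", 160),
        ("call", "body_len", "Message.length"),         # unknown, not time
        ("if", ">", "now_s", "deadline", "payload"),    # trigger
        ("if", ">", "now_ms", "zero", "log_only"),      # trivial, filtered
        ("if", ">", "body_len", "limit", "payload"),    # not time-based
    ],
    "payload": [("call", None, "sendReport")],           # indirect sensitive call
    "sendReport": [("call", None, "SmsManager.sendTextMessage")],
    "log_only": [("call", None, "Log.d")],
}

if __name__ == "__main__":
    for trigger in find_triggers(SAMPLE_PROGRAM, "onReceive"):
        print(trigger)
```

Only the first conditional is reported: the comparison against 0 is discarded by the post-filter, and the length check is not time-derived, so neither reaches control dependency analysis. The reported trigger is still only a candidate, matching the slide's point that a trigger is not by itself a logic bomb.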

16 Evaluation
Benign Applications
  Only chose apps that used time, location, or SMS related APIs
Malicious Applications
  14 applications
  From the real world as well as made for research

17 Results

18 Results

19 Criticism
Overall, a different approach to a common problem with good results; however, there were a few points that could be improved.
Tested on too small a sample size of malicious applications
Can’t confirm that an app doesn’t include malicious logic
Only spent 10 minutes on 20 benign applications
Defining new time and location types will evade the check and avoid being labelled as suspicious
Moving all these checks to external code, e.g. a web server

