Valérie Viet Triem Tong

Reachability Analysis over Term Rewriting Systems

Abstract This paper surveys some techniques and tools for achieving reachability analysis over term rewriting systems. The core of those techniques is a generic tree automata completion algorithm used to compute in an exact or approximated way the set of descendants (or reachable terms). This algorithm has been implemented in the \textsf{Timbuk} tool. Furthermore, we show that many classes with regular sets of descendants of the literature corresponds to specific instances of the tree automata completion algorithm and can thus be efficiently computed by \textsf{Timbuk} . An extension of the completion algorithm to conditional term rewriting systems and some applications are also presented.

Reachability Analysis of Term Rewriting Systems with Timbuk

We present Timbuk - a tree automata library - which implements usual operations on tree automata as well as a completion algorithm used to compute an over-approximation of the set of descendants R*(E) for a regular set E and a term rewriting system R, possibly non linear and non terminating. On several examples of term rewriting systems representing programs and systems to verify, we show how to use Timbuk to construct their approximations and then prove unreachability properties of these systems.

GroddDroid: a gorilla for triggering malicious behaviors

Android malware authors use sophisticated techniques to hide the malicious intent of their applications. They use cryptography or obfuscation techniques to avoid detection during static analysis. They can also avoid detection during a dynamic analysis. Frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. However, we believe that dynamic analysis methods give good results when they really monitor the malware execution. In this article1, we propose a method to enhance the execution of the malicious code of unknown malware. We especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. In these cases, solely executing the malware is far from being sufficient. We propose to force the triggering of the malicious code by combining two contributions. First, we define an algorithm that automatically identifies potentially malicious code. Second, we propose an enhanced monkey called GroddDroid, that stimulates the GUI of an application and forces the execution of some branching conditions if needed. The forcing is used by GroddDroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. The source code for our experiments with GroddDroid is released as free software2. We have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by GroddDroid. Additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28%.

Privacy-Preserving Reputation Mechanism: A Usable Solution Handling Negative Ratings

Reputation mechanisms allow users to mutually evaluate their trust. This is achieved through the computation of a reputation score summarizing their past behaviors. Depending on these scores, users are free to accept or refuse to interact with each other. When users are virtual, volatile, or distant, an accurate evaluation of reputation scores is complex. Furthermore, users expect reputation mechanisms to preserve the privacy of their interactions and of their feedback. Existing solutions often rely on costly cryptographic tools that may lead to impractical solutions. In this article, we propose a usable privacy preserving reputation mechanism. This mechanism is distributed and handles non-monotonic ratings. Its implementation on cheap single board computers validates its adequacy to large-scale systems.

Information Flow Tracking for Linux Handling Concurrent System Calls and Shared Memory

Information flow control can be used at the Operating System level to enforce restrictions on the diffusion of security-sensitive data. In Linux, information flow trackers are often implemented as Linux Security Modules. They can fail to monitor some indirect flows when flows occur concurrently and affect the same containers of information. Furthermore, they are not able to monitor the flows due to file mappings in memory and shared memory between processes. We first present two attacks to evade state-of-the-art LSM-based trackers. We then describe an approach, formally proved with Coq [12] to perform information flow tracking able to cope with concurrency and in-memory flows. We demonstrate its implementability and usefulness in Rfblare, a race condition-free version of the flow tracking done by KBlare [4].

Information flows at OS level unmask sophisticated Android malware

The detection of new Android malware is far from being a relaxing job. Indeed, each day new Android malware appear in the market and it remains difficult to quickly identify them. Unfortunately users still pay the lack of real efficient tools able to detect zero day malware that have no known signature. The difficulty is that most of the existing approaches rely on static analysis coupled with the ability of malware to hide their malicious code. Thus, we believe that it should be easier to study what malware do instead of what they contain. In this article, we propose to unmask Android malware hidden among benign applications using the observed information flows at the OS level. For achieving such a goal, we introduce a simple characterization of all the accountable information flows of a standard benign application. With such a model for benign apps, we lead some experiments evidencing that malware present some deviations from the expected normal behavior. Experiments show that our model recognizes most of the 3206 tested benign applications and spots most of the tested sophisticated malware (ransomware, rootkits, bootkit).

GPFinder: Tracking the invisible in Android malware

Malicious Android applications use clever techniques to hide their real intents from the user and avoid detection by security tools. They resort to code obfuscation and dynamic loading, or wait for special events on the system like reboot or WiFi activation. Therefore, promising approaches aim to locate, study and execute specific parts of Android applications in order to monitor for suspicious behavior. They rely on Control Flow Graphs (CFGs) to obtain execution paths towards sensitive codes. We claim here that these CFGs are incomplete because they do not take into consideration implicit control flow calls, i.e., those that occur when the Android framework calls a method implemented in the application space. This article proposes a practical tool, GPFinder, exposing execution paths towards any piece of code considered as suspicious. GPFinder takes the Android framework into account and considers explicit and implicit control flow calls to build CFGs. Using GPFinder, we give global characteristics of application CFGs by studying a dataset of 14,224 malware and 2,311 goodware samples. We evaluate that 72.69% of the analyzed malicious samples have at least one suspicious method reachable only through implicit calls.

Kayrebt: An activity diagram extraction and visualization toolset designed for the Linux codebase

We present Extractor and Viewer, two tools from the Kayrebt toolset. The former is a plugin for the Gnu Compiler Collection (GCC) which builds pseudo-UML2 activity diagrams from C source code. It is specifically designed to handle the Linux kernel, a large and complex codebase. Use cases for this tool are numerous. The diagrams extracted from the C source code can be used to get a better insight of the control or data flow inside a program, or to evaluate the complexity of a function at a glance. Kayrebt::Viewer is a GUI designed for visualizing and navigating between the diagrams to explore source code.