Publication


Featured research published by Vittoria Nardone.


formal techniques for (networked and) distributed systems | 2016

Ransomware Steals Your Phone. Formal Methods Rescue It

Francesco Mercaldo; Vittoria Nardone; Antonella Santone; Corrado Aaron Visaggio

Ransomware is a recent type of malware which makes the files or the device of the victim inaccessible. The only way to unlock the infected device or to have the keys for decrypting the files is to pay a ransom to the attacker. Commercial solutions for removing ransomware and restoring the infected devices and files are ineffective, since this malware uses a very robust form of asymmetric cryptography and erases shadow copies and recovery points of the operating system. Literature does not count many solutions for effectively detecting and blocking ransomware and, to the best knowledge of the authors, formal methods were never applied to identify ransomware. In this paper we propose a methodology based on formal methods that is able to detect the ransomware and to identify in the malware's code the instructions that implement the characteristic instructions of the ransomware. The results of the experimentation are strongly encouraging and suggest that the proposed methodology could be the right way to follow for developing commercial solutions that could successfully intercept the ransomware and block the infections it provokes.


formal methods | 2016

Download malware? no, thanks: how formal methods can block update attacks

Francesco Mercaldo; Vittoria Nardone; Antonella Santone; Corrado Aaron Visaggio

In the mobile malware landscape there are many techniques to inject a malicious payload in a trusted application: one of the most common is represented by the so-called update attack. After an apparently innocuous application is installed on the victim's device, the user is asked to update the application, and a malicious behavior is added to the application. In this paper we propose a static method based on model checking able to identify this kind of attack. In addition, our method is able to localize the malicious payload at method-level. We obtain an accuracy very close to 1 in identifying families implementing update attack using a real Android dataset composed of 2,581 samples.


international conference on information systems security | 2016

Identification of Android Malware Families with Model Checking

Pasquale Battista; Francesco Mercaldo; Vittoria Nardone; Antonella Santone; Corrado Aaron Visaggio

Android malware is increasing more and more in complexity. Current signature-based antimalware mechanisms are not able to detect zero-day attacks; also, trivial code transformations may evade detection. Malware writers usually add functionality to existing malware or merge different pieces of malware code: this is the reason why Android malware is grouped into families, i.e., every family has in common the malicious behavior. In this paper we present a model checking based approach in detecting Android malware families by means of analysing and verifying the Java Bytecode that is produced when the source code is compiled. A preliminary investigation has also been conducted to assess the validity of the proposed approach.


availability, reliability and security | 2016

Ransomware Inside Out

Francesco Mercaldo; Vittoria Nardone; Antonella Santone

Android is currently the most widely used mobile environment. This trend encourages malware writers to develop specific attacks targeting this platform with threats designed to covertly collect data or financially extort victims, the so-called ransomware. In this paper we use formal methods, in particular model checking, to automatically dissect ransomware samples. Starting from manual inspection of a few samples, we define a set of rules in order to check whether the behaviours we find are representative of ransomware functionalities.


ieee international conference on fuzzy systems | 2017

Car hacking identification through fuzzy logic algorithms

Fabio Martinelli; Francesco Mercaldo; Vittoria Nardone; Antonella Santone

Modern vehicles have lots of connectivity; this is the reason why protecting the in-vehicle network from cyber-attacks becomes an important issue. The Controller Area Network is a de facto standard for the in-vehicle network. However, the lack of security features of the CAN protocol makes vehicles vulnerable to attacks. The message injection attack is a representative attack type which injects fabricated messages to deceive original Electronic Control Units or to cause malfunctions. In this paper we propose a method able to detect four different types of attacks targeting the CAN protocol adopting fuzzy algorithms. We obtain encouraging results with a precision ranging from 0.85 to 1 using the fuzzy NN algorithm in the identification of attacks targeting the CAN protocol.


workshops on enabling technologies: infrastructure for collaborative enterprises | 2016

Hey Malware, I Can Find You!

Francesco Mercaldo; Vittoria Nardone; Antonella Santone; Corrado Aaron Visaggio

Android smartphones are the most widespread in the world. This is the reason why attackers write more and more aggressive code in order to steal data and other important information stored in the phone. One of the most representative malware that implements the typical trojan behaviour in the Android environment is the so-called Fake Installer. In this paper we use formal methods, in particular model checking, in order to identify Fake Installer malware. We specify a set of formulae and then we check these on a designed application model, built in CCS, to recognize whether an application is a malware belonging to the Fake Installer family or a legitimate sample. We experiment with our methodology on 1125 real world samples obtaining very promising results.


workshops on enabling technologies: infrastructure for collaborative enterprises | 2017

Formal Methods Meet Mobile Code Obfuscation Identification of Code Reordering Technique

Aniello Cimitile; Fabio Martinelli; Francesco Mercaldo; Vittoria Nardone; Antonella Santone

Android represents the most widespread mobile environment. This increasing diffusion is the reason why attackers are attracted to develop malware targeting this platform. Malware writers usually use code obfuscation techniques in order to evade the current antimalware detection and to generate new malware variants. These techniques make code programs harder to understand and they change the signature of the application, making the signature extraction work ineffective. We propose a method based on formal methods able to identify whether a mobile application is obfuscated. In this preliminary work we identify one of the most widespread obfuscation techniques: the code reordering. We test our method on a real-world dataset composed of Android trusted and ransomware samples, obtaining encouraging results.


International Journal of Information Security | 2018

Talos: No more Ransomware Victims with Formal Methods

Aniello Cimitile; Francesco Mercaldo; Vittoria Nardone; Antonella Santone; Corrado Aaron Visaggio

Ransomware is a very effective form of malware that is recently spreading out on an impressive number of workstations and smartphones. This malware blocks the access to the infected machine or to the files located in the infected machine. The attackers will restore the machine and files only after the payment of a certain amount of money, usually given in the form of bitcoins. Commercial solutions are still ineffective to recognize the last variants of ransomware, and the problem has been poorly investigated in literature. In this paper we discuss a methodology based on formal methods for detecting ransomware malware on Android devices. We have implemented our method in a tool named Talos. We evaluate the method, and the obtained results show that Talos is very effective in recognizing ransomware (accuracy of 0.99) even when it is obfuscated (accuracy still remains at 0.99).


computer and communications security | 2017

How Discover a Malware using Model Checking

Fabio Martinelli; Francesco Mercaldo; Vittoria Nardone; Antonella Santone

The Android operating system is constantly overwhelmed by new sophisticated threats and new zero-day attacks. While aggressive malware, for instance malicious behaviors able to cipher data files or lock the GUI, are not worried to circumvention users by infection (that can try to disinfect the device), there exist malware with the aim to perform malicious actions stealthily, i.e., trying to not manifest their presence to the users. This kind of malware is less recognizable, because users are not aware of their presence. In this paper we propose FormalDroid, a tool able to detect silent malicious behaviours and to localize the malicious payload in Android applications. Evaluating real-world malware samples we obtain an accuracy equal to 0.94.


availability, reliability and security | 2017

Malware and Formal Methods: Rigorous Approaches for detecting Malicious Behaviour

Fabio Martinelli; Francesco Mercaldo; Vittoria Nardone; Antonella Santone

The crucial aim of software security is malware detection. A malware is a program with malicious intents. The predominant anti-malware solutions are signature-based. These detectors compute the signature starting from the syntactic characteristics of the malicious code. Unfortunately, the signature-based techniques are ineffective against code obfuscations, i.e., trivial transformations that alter the syntax of the code while preserving the normal behaviour of the program. To address this limitation, formal methods are used in software security. Formal methods are rigorous techniques used to verify the behaviour of a system. This paper aims to give an overview of behavioural based techniques developed to detect malware programs. The illustrated approaches are based on different formal techniques.
