Publication


Featured research published by Xinhui Han.


security and privacy in smartphones and mobile devices | 2012

SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications

Cong Zheng; Shixiong Zhu; Shuaifu Dai; Guofei Gu; Xiaorui Gong; Xinhui Han; Wei Zou

User interface (UI) interactions are essential to Android applications, as many Activities require UI interactions to be triggered. This kind of UI interaction can also help malicious apps hide their sensitive behaviors (e.g., sending SMS or getting the user's device ID) from dynamic analysis tools such as TaintDroid, because simply running the app without the proper UI interactions will not expose the sensitive behaviors. In this paper we focus on the challenging task of triggering a certain behavior through automated UI interactions. In particular, we propose a hybrid static and dynamic analysis method to reveal UI-based trigger conditions in Android applications. Our method first uses static analysis to extract expected activity switch paths by analyzing both Activity and Function Call Graphs, and then uses dynamic analysis to traverse each UI element and explore the UI interaction paths towards the sensitive APIs. We implement a prototype system, SmartDroid, and show that it can automatically and efficiently detect the UI-based trigger conditions required to expose the sensitive behavior of several Android malware samples, which otherwise cannot be detected with existing techniques such as TaintDroid.


WEIS | 2009

Studying Malicious Websites and the Underground Economy on the Chinese Web

Jianwei Zhuge; Thorsten Holz; Chengyu Song; Jinpeng Guo; Xinhui Han; Wei Zou

The World Wide Web gains more and more popularity within China, with more than 1.31 million websites on the Chinese Web in June 2007. Driven by economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of participants has developed, which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this chapter, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant number of websites within China's part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor's browser.


international conference on information and communication security | 2007

Collecting autonomous spreading malware using high-interaction honeypots

Jianwei Zhuge; Thorsten Holz; Xinhui Han; Chengyu Song; Wei Zou

Autonomous spreading malware in the form of worms or bots has become a severe threat in today's Internet. Collecting a sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.


computer and communications security | 2015

Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations

Yangyi Chen; Tongxin Li; XiaoFeng Wang; Kai Chen; Xinhui Han

In this paper, we report the first large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties that different push-messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new technique, called Seminal. Seminal is designed to extract semantic information from a service's sample code, and leverage the information to evaluate the security qualities of the service's SDKs and its integrations within different apps. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% of apps in Google Play and 50% of apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusions among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusions, the adversary can post his content to the victim's apps in the name of trusted parties and intercept her private messages. The study highlights the serious challenges in securing push-messaging services and an urgent need for improving their security qualities.


2006 IEEE Information Assurance Workshop | 2006

Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis

Jianwei Zhuge; Xinhui Han; Yu Chen; Zhiyuan Ye; Wei Zou

Honeynet data analysis has become a core requirement of honeynet technology. However, current honeynet data analysis mechanisms are still unable to give security analysts enough capacity to comprehend the captured data quickly; in particular, no work has been done on behavior-level correlation analysis. Towards providing high-level attack scenario graphs, in this paper we propose a honeynet data correlation analysis model and method. Based on a network attack and defense knowledge base and a network environment perceiving mechanism, our proposed honeynet data correlation analysis method can recognize the attacker's plan from a large volume of captured data and consequently reconstruct attack scenarios. Two proof-of-concept experiments on the Scan of the Month 27 dataset and in-the-wild botnet scenarios are presented to show the effectiveness of our method.


dependable systems and networks | 2017

Ghost Installer in the Shadow: Security Analysis of App Installation on Android

Yeonjoon Lee; Tongxin Li; Nan Zhang; Soteris Demetriou; Mingming Zha; XiaoFeng Wang; Kai Chen; Xiaoyong Zhou; Xinhui Han; Michael Grace

Android allows developers to build apps with app installation functionality themselves, with minimal restriction and support, like any other functionality. Given the critical importance of app installation, the security implications of this approach can be significant. This paper reports the first systematic study on this issue, focusing on the security guarantees of the different steps of the App Installation Transaction (AIT). We demonstrate the serious consequences of leaving AIT development to individual developers: most installers (e.g., Amazon AppStore, DTIgnite, Baidu) are riddled with various security-critical loopholes, which can be exploited by attackers to silently install any apps, acquiring dangerous-level permissions or even unauthorized access to system resources. Surprisingly, vulnerabilities were found in all steps of the AIT. The attacks we present, dubbed Ghost Installer Attack (GIA), are found to pose a realistic threat to the Android ecosystem. Further, we developed both a user-app-level and a system-level defense that are innovative and practical.


Science in China Series F: Information Sciences | 2016

Accurate and efficient exploit capture and classification

Yu Ding; Tao Wei; Hui Xue; Yulong Zhang; Chao Zhang; Xinhui Han

Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present SeismoMeter, which recognizes both control-flow hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, SeismoMeter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. SeismoMeter then classifies the captured exploits into different exploit families by computing distances between the extracted skeletons. To evaluate the efficiency of SeismoMeter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that SeismoMeter is a practical system that successfully detects and correctly classifies all these exploit attacks.

Highlights: Exploits (especially 0-day exploits) have become one of the most serious threats to computer security. Today, security researchers face large numbers of exploits collected every day from honeypot systems, forensic systems and underground markets, yet there is no fast and effective way to analyze them. We implemented SeismoMeter, which can recognize control-flow hijacking exploit attacks; we further combined taint analysis and API sandboxing to improve the accuracy of attack recognition. When an exploit attack is detected, SeismoMeter builds an exploit skeleton for the captured exploit based on the attack, and then classifies exploits according to these skeletons. We tested SeismoMeter with common penetration-testing platforms such as Metasploit, as well as with exploits captured in the wild. The experimental results show that SeismoMeter can quickly and correctly detect exploit attacks and classify the exploits.


Computer Communications | 2015

SF-DRDoS

Bingshuang Liu; Jun Li; Tao Wei; Skyler Berg; Jiayi Ye; Chen Li; Chao Zhang; Jianyu Zhang; Xinhui Han

Highlights: We propose a novel reflective amplification DDoS attack called store-and-flood DRDoS. SF-DRDoS gains a high amplification factor by storing prepared data on reflectors. We implement prototypes on two Kademlia networks, Kad and BT-DHT. Real-world experiments achieve an average amplification factor of 2400 in Kad. The upper bound of attack bandwidth could be 670 Gbps and 10 Tbps for Kad and BT-DHT respectively.

Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can make the DRDoS attack even more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS, which leverages peer-to-peer (P2P) file-sharing networks. An attacker can store carefully prepared data on reflector nodes before the flooding phase, to greatly increase the amplification factor of an attack. In this way, SF-DRDoS is more surreptitious and powerful than traditional DRDoS. We present two prototype SF-DRDoS attacks on two popular Kademlia-based P2P file-sharing networks, Kad and BT-DHT. Experiments in real-world environments showed that this attack can achieve an amplification factor of 2400 on average in Kad, and reach an upper bound of attack bandwidth of 670 Gbps and 10 Tbps for Kad and BT-DHT, respectively. We also propose some candidate defenses to mitigate the SF-DRDoS threat.


computer and communications security | 2014

POSTER: UAFChecker: Scalable Static Detection of Use-After-Free Vulnerabilities

Jiayi Ye; Chao Zhang; Xinhui Han

Use-after-free vulnerabilities have gained more and more attention in recent years, since they are commonly exploited in applications like browsers, and exposed in abundant security updates, e.g., from Microsoft, Google or Mozilla. This kind of vulnerability is triggered by dereferencing a dangling pointer, and may introduce high risks into the system once exploited. In this paper, we propose a comprehensive solution called UAFChecker to detect use-after-free vulnerabilities in source code. Our solution utilizes classical static analysis techniques, including taint analysis and symbolic execution, to perform an inter-procedural analysis that finds as many use-after-free vulnerabilities as possible, with a low false negative rate and a low false positive rate. We implement a prototype of UAFChecker based on the compiler framework LLVM. We then use the Juliet Test Suite to evaluate UAFChecker's capability of detecting use-after-free vulnerabilities. Results show that UAFChecker is able to identify most use-after-free vulnerabilities in the Juliet Test Suite. We also test UAFChecker against two open source applications, and successfully find all known use-after-free vulnerabilities in them.


computer and communications security | 2014

POSTER: AdHoneyDroid -- Capture Malicious Android Advertisements

Dongqi Wang; Shuaifu Dai; Yu Ding; Tongxin Li; Xinhui Han

In this paper we explore the problem of collecting malicious smartphone advertisements. Most smartphone apps contain advertisements and also suffer from vulnerable advertisement libraries. Malicious advertisements exploit ad library vulnerabilities and attack victim smartphones. Similar to traditional honeypots, we need an effective way to capture malicious ads. In this paper, we present our approach, named AdHoneyDroid. We build a crawler to gather apps from Android marketplaces and manually collect ad libraries and their vulnerabilities. Then AdHoneyDroid executes the apps and detects malicious advertisements. In our approach, we adopt the ideas of API sandboxing and TaintDroid to detect the attack event. We store the malicious advertisements in a database for future analysis. Malicious ads can help security analysts gain a better understanding of current mobile attacks and also disclose the attack payloads.

Collaboration

Top Co-Authors

Chengyu Song, Georgia Institute of Technology

XiaoFeng Wang, Indiana University Bloomington

Kai Chen, Chinese Academy of Sciences