Publication


Featured research published by Zhi Xin.


computer and communications security | 2013

DroidAlarm: an all-sided static analysis tool for Android privilege-escalation malware

Yibing Zhongyang; Zhi Xin; Bing Mao; Li Xie

Since smartphones store diverse sensitive private information, including credit card data and so on, a great deal of malware is desired to tamper with it. As one of the most prevalent platforms, Android contains sensitive resources that can only be accessed via corresponding APIs, and the APIs can be invoked only when the user has authorized permissions in the Android permission model. However, a novel threat called the privilege escalation attack may bypass this watchdog. It is presented as follows: an application with fewer permissions can access sensitive resources through public interfaces of a more privileged application, which is especially useful for malware to hide sensitive functions by dispersing them into multiple programs. We explore privilege-escalation malware evolution techniques on samples from the Android Malware Genome Project. They have shown great effectiveness against a set of powerful antivirus tools provided by VirusTotal. The detection ratios present different and distinguished reductions, compared to an average 61% detection ratio before transformation. In order to conquer this threat model, we have developed a tool called DroidAlarm to conduct a full-spectrum analysis for identifying potential capability leaks and present concrete capability leak paths by static analysis on Android applications. We can still alarm all these cases by exposing the capability leak paths in them.


availability, reliability and security | 2009

BRICK: A Binary Tool for Run-Time Detecting and Locating Integer-Based Vulnerability

Ping Chen; Yi Wang; Zhi Xin; Bing Mao; Li Xie

Integer-based vulnerability is an extremely serious bug for programs written in languages such as C/C++. However, in practice, very few software security tools can efficiently detect and accurately locate such vulnerabilities. In addition, previous methods mainly depend on source code analysis and recompilation, which are impractical when protecting a program without source code. In this paper, we present the design, implementation, and evaluation of BRICK (Binary Run-time Integer-based vulnerability Checker), a tool for run-time detecting and locating integer-based vulnerability. Given an integer-based vulnerability exploit, BRICK is able to catch the value which falls out of the range of its corresponding type, then find the root cause of this vulnerability, and finally locate the vulnerable code and give a warning, based on its checking scheme. BRICK is implemented on the dynamic binary instrumentation framework Valgrind and its type inference plug-in, Catchconv. Preliminary experimental results are quite promising: BRICK can detect and locate most integer-based vulnerabilities in real software, and has very low false positives and negatives.


information security conference | 2014

Detecting Code Reuse in Android Applications Using Component-Based Control Flow Graph

Xin Sun; Yibing Zhongyang; Zhi Xin; Bing Mao; Li Xie

Recently smartphones and mobile devices have gained incredible popularity for their vibrant feature-rich applications (or apps). Because it is easy to repackage Android apps, software plagiarism has become a serious problem. In this paper, we present an accurate and robust system, DroidSim, to detect code reuse. DroidSim calculates a similarity score only with the component-based control flow graph (CB-CFG). A CB-CFG is a graph whose nodes are Android APIs and whose edges represent control flow precedence order in each Android component. Our system can be applied to detect repackaged apps and malware variants. We evaluate DroidSim on 121 apps and 706 malware variants. The results show that our system has no false negatives and a false positive rate of 0.83% for repackaged apps, and a detection ratio of 96.60% for malware variants. Besides, ADAM is used to obfuscate apps and the result reveals that ADAM has no influence on our system.


trust security and privacy in computing and communications | 2014

Detect Android Malware Variants Using Component Based Topology Graph

Tong Shen; Yibing Zhongyang; Zhi Xin; Bing Mao; Hao Huang

Smartphones have experienced explosive growth recently. At present, the Android system is the most popular mobile platform and attracts lots of developers as well as malware authors. In order to evade detection, malware authors often apply obfuscation techniques to morph malware. Since traditional malware detectors are based on pure syntax, they may fail to detect obfuscated malware variants. We present a novel signature, a topology graph based on Android components, which can model malicious payloads properly and resist common obfuscation used by hackers. We performed a stress test on security tools provided by VirusTotal with ten kinds of malware families from the Android Malware Genome Project. Unfortunately, the result is not optimistic: obfuscated malware samples evade most of the security tools. Nevertheless, 86.36% of the obfuscated malware samples we tested are caught by our detector with a tolerable false positive rate. The evaluation demonstrates that our approach is able to detect malware variants generated by common obfuscation techniques.


international conference on information security | 2011

Replacement attacks on behavior based software birthmark

Zhi Xin; Huiyu Chen; Xinche Wang; Peng Liu; Sencun Zhu; Bing Mao; Li Xie

Software birthmarks utilize certain specific program characteristics to validate the origin of software, so they can be applied to detect software piracy. One state-of-the-art technology on software birthmarks adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-op system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantically equivalent system calls to unlock the highly frequent dependencies between the system calls in an original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.


applied cryptography and network security | 2015

Replacement Attacks: Automatically Impeding Behavior-Based Malware Specifications

Jiang Ming; Zhi Xin; Pengwei Lan; Dinghao Wu; Peng Liu; Bing Mao

As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and clearly stand out from other programs. It is evident that the classical syntactic signatures are insufficient to defeat state-of-the-art malware. Behavior-based specifications, which capture real malicious characteristics during runtime, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graphs that a malware sample invokes. In this paper we present replacement attacks to poison behavior-based specifications by concealing similar behaviors among malware variants. The essence of the attacks is to replace a behavior specification with its semantically equivalent one, so that similar malware variants within one family turn out to be different. As a result, malware analysts have to put more effort into re-analyzing similar samples. We distill general attacking strategies by mining more than 5,000 malware samples' behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach in impeding multiple malware analyses based on behavior specifications, such as similarity comparison and malware clustering. In the end, we provide possible countermeasures to strengthen behavior-based malware analysis.


international conference on information security | 2010

Misleading malware similarities analysis by automatic data structure obfuscation

Zhi Xin; Huiyu Chen; Hao Han; Bing Mao; Li Xie

Program obfuscation techniques have been widely used by malware to dodge scanning by anti-virus detectors. However, a signature based on the data structures appearing in runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscates the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable ones. After evaluation on fourteen real-world malware programs, we show that our tool maintains a high proportion of obfuscated data structures: 60.19% for types and 60.49% for variables.


Journal of Computer Virology and Hacking Techniques | 2017

Impeding behavior-based malware analysis via replacement attacks to malware specifications

Jiang Ming; Zhi Xin; Pengwei Lan; Dinghao Wu; Peng Liu; Bing Mao

As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and also clearly stand out from other programs. Although the traditional malware specifications based on syntactic signatures are efficient, they can be easily defeated by various obfuscation techniques. Since the malicious behavior is often stable across similar malware instances, behavior-based specifications, which capture real malicious characteristics during run time, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graph that a malware sample invokes. In this paper, we present replacement attacks to camouflage similar behaviors by poisoning behavior-based specifications. The key method of our attacks is to replace a system call dependence graph with its semantically equivalent variants so that similar malware samples within one family turn out to be different. As a result, malware analysts have to put more effort into reexamining similar samples which may have been investigated before. We distil general attacking strategies by mining more than 5200 malware samples' behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach in impeding various behavior-based malware analysis tasks, such as similarity comparison and malware clustering. In the end, we also discuss possible countermeasures in order to strengthen existing malware defense.


International Journal of Information Security | 2012

Replacement attacks: automatically evading behavior-based software birthmark

Zhi Xin; Huiyu Chen; Xinche Wang; Peng Liu; Sencun Zhu; Bing Mao; Li Xie

Software birthmarks utilize certain specific program characteristics to validate the origin of software, so they can be applied to detect software piracy. One state-of-the-art technology on software birthmarks adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-op system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantically equivalent system calls to unlock the high-frequency dependencies between the system calls in the victim's original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.


international conference on malicious and unwanted software | 2014

Automatic construction of printable return-oriented programming payload

Wenbiao Ding; Xiao Xing; Ping Chen; Zhi Xin; Bing Mao

Return-oriented programming is a kind of code-reuse technique for attackers, which is very effective at bypassing the DEP defense. However, the instruction snippet (which we call a gadget) is often unprintable. This shortcoming can limit the ROP attack from being deployed in practice, since non-ASCII scanning can detect such a ROP payload. In this paper, we present a novel method that only uses printable gadgets, so that it can circumvent non-ASCII detection. However, this method is non-trivial because printable gadgets account for only about 10 percent of all the gadgets we can find in existing code (e.g., library or program code). Additionally, not only the gadget addresses but also the data should all be printable in our ROP payload. To construct the printable ROP payload, we propose a reverse derivation method to transform original shellcode into a printable ROP payload. The transformation is driven by state machines, which indicate the status of data flows. Experimental results show that our method can construct a printable ROP payload that has the same functionality as real-world malicious shellcode; in addition, the construction process is totally automatic.

Collaboration


Dive into Zhi Xin's collaborations.

Top Co-Authors
Peng Liu

Pennsylvania State University


Dinghao Wu

Pennsylvania State University
