Contextual Policy Enforcement in Android Applications with Permission Event Graphs
Kevin Chen, Noah Johnson, Vijay D’Silva, Shuaifu Dai, Kyle MacNamara, Tom Magrino, Edward Wu, Martin Rinard*, and Dawn Song
University of California, Berkeley
*Massachusetts Institute of Technology
Android
Figure: Google Play App Market Growth
Android Malware
● "2577% growth over 2012" -Cisco Security Report 2013
● "Android malware cases to hit 1 million in 2013"
-Trend Micro Annual Threat Report
Figure: Google Play App Market Growth
Android Malware Detection
Figure: diagram labelled APP, Permission, PkgAuthor and "Our approach"
Undetected Malware Example
User Intended Policy
"The recording can only be started by clicking the REC button, and it will be stopped when the user clicks the STOP button."
Intuition
A representation that summarizes the event dependencies and their API/permission level behaviors (The Permission Event Graph), and a policy language based on that.
Permission Event Graph (PEG)
Figure: PEG with states 0, 1 and 2, an initialization sub-graph and a finalization sub-graph. Edge labels (event / API): onCreate; onResume / startService; REC.onClick / Start-Recording; STOP.onClick / Stop-Recording.
"The recording can only be started by clicking the REC button, and it will be stopped when the user clicks the STOP button."
PEG: States
Figure: PEG with states 0, 1 and 2, an initialization sub-graph and a finalization sub-graph.
State s: {true, false}^ModeVar
Predicate abstraction of event states, e.g.
● Button.registered
● Activity.foreground
● API.called
PEG: Transitions
Figure: PEG with states 0, 1 and 2, an initialization sub-graph and a finalization sub-graph. Transitions are labelled with events: onCreate, onResume, REC.onClick, STOP.onClick.
PEG: Labels
Figure: PEG with states 0, 1 and 2, an initialization sub-graph and a finalization sub-graph. Edge labels (event / API): onCreate; onResume / startService; REC.onClick / Start-Recording; STOP.onClick / Stop-Recording.
Sound Recorder: The Good Part
Figure: PEG with states 0, 1 and 2, an initialization sub-graph and a finalization sub-graph. Edge labels (event / API): onCreate; onResume / startService; REC.onClick / Start-Recording; STOP.onClick / Stop-Recording.
The Complete PEG
Figure: PEG with states 0 to 6 covering the Recorder Activity and the Recorder Service, with initialization and finalization sub-graphs. Edge labels (event / API): onCreate; onStart; onCreate; onResume / startService; REC.onClick / Start-Recording; STOP.onClick / Stop-Recording; Timer.run / Start-Recording; Timer.run / Stop-Recording.
PEG: Context of the Benign Use
Figure: the complete PEG (states 0 to 6, Recorder Activity and Recorder Service) with the edge REC.onClick / Start-Recording shown.
PEG: Context of the Malicious Use
Figure: the complete PEG (states 0 to 6, Recorder Activity and Recorder Service) with the edges onResume / startService and Timer.run / Start-Recording shown.
Formal Specification
"The recording can only be started by clicking the REC button, and it will be stopped when the user clicks the STOP button."
Figure: diagram with states 0, 1, 2, ...
Approach Overview
Figure: Apps → Abstraction Phase → Permission Event Graph; Permission Event Graph and Policies → Verification Phase → Conformance or counter-examples
Case Study: Geotag
"Mark location of your photos"
Case Study: SMS Replicator Secret
A spyware that secretly forwards every SMS to another number.
LIFE OF PEG
Figure: Apps → Abstraction Phase → Permission Event Graph; Permission Event Graph and Policies → Verification Phase → Conformance or counter-examples
Abstraction
Figure: Apps → Abstraction Phase → Permission Event Graph
Abstraction: The Android Trinity
Figure: Event System, Sys. Libraries and Application, divided into Application Code and System Code. Labels: States; Call event handler; Call API; Register handler.
Abstraction: The Algorithm
Abstract interpretation on (P(aState) x P(API) x P(aState)).
Interprocedural CFG with a partially context-sensitive points-to analysis.
Summary-based
1200+ APIs
63 Kinds of Events
Figure: Event Semantics Engine, API Semantics Engine and Application Analyzer. Labels: SrcStates; Event Handler; (SrcStates, DstStates) Pairs; PEG.
* Partial Valuation of the vars in ModeVar
Verification: BFS for Conformance
Figure: Permission Event Graph and Policies → Verification Phase → Conformance or counter-examples
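The conformance check named on this slide, as an added example (not from the slides or the authors' tool): a bounded BFS over the product of a PEG and the REC/STOP policy written as a small FSM, returning the shortest counter-example. The edge layout of the PEG, the policy states `idle`/`recording` and all function names are assumptions; the slides give only state numbers and edge labels.

```python
from collections import deque

# Constructed PEG for the sound-recorder example. State numbers and edge
# labels come from the slides; which states each edge connects is assumed.
# Edge = (source state, event, API label or None, destination state).
ACTIVITY_EDGES = [
    (0, "onCreate", None, 1),
    (1, "onResume", "startService", 2),
    (2, "REC.onClick", "Start-Recording", 3),
    (3, "STOP.onClick", "Stop-Recording", 2),
]
SERVICE_EDGES = [
    (2, "onCreate", None, 4),
    (4, "onStart", None, 5),
    (5, "Timer.run", "Start-Recording", 6),
    (6, "Timer.run", "Stop-Recording", 5),
]
COMPLETE_PEG = ACTIVITY_EDGES + SERVICE_EDGES


def policy_step(pstate, event, api):
    """Specification FSM for the REC/STOP policy.

    Returns the next policy state, or None when the edge violates the policy.
    """
    if api == "Start-Recording":
        # Recording may only be started in the context of a REC click.
        return "recording" if event == "REC.onClick" else None
    if pstate == "recording" and event == "STOP.onClick":
        # A STOP click while recording must actually stop the recording.
        return "idle" if api == "Stop-Recording" else None
    if api == "Stop-Recording":
        return "idle"
    return pstate


def check_conformance(edges, start=0, bound=20):
    """Bounded BFS over (PEG state, policy state) pairs.

    Returns None if no violation is reachable within `bound` events,
    otherwise the shortest violating trace as a list of (event, api).
    """
    successors = {}
    for src, event, api, dst in edges:
        successors.setdefault(src, []).append((event, api, dst))

    queue = deque([(start, "idle", [])])
    seen = {(start, "idle")}
    while queue:
        node, pstate, trace = queue.popleft()
        if len(trace) >= bound:
            continue  # do not explore beyond the bound
        for event, api, dst in successors.get(node, []):
            step = trace + [(event, api)]
            nxt = policy_step(pstate, event, api)
            if nxt is None:
                return step  # counter-example: event context breaks the policy
            if (dst, nxt) not in seen:
                seen.add((dst, nxt))
                queue.append((dst, nxt, step))
    return None
```

On the activity-only sub-graph the check reports conformance; on the complete PEG it returns the path through the service whose last edge is Timer.run / Start-Recording.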
Evaluation: PEG size (# states, CDF)
* 269 applications. Binary code sizes vary from 4KB to 6MB
Figure: CDF of the number of states per PEG (log scale)
Evaluation: Abstraction Time (CDF)
Figure: CDF of abstraction time in seconds
Evaluation: Verification Time (CDF)
* Always terminates within 3.6 hours
Figure: CDF of verification time in seconds (log scale)
Conclusion
● Permission event graph: event-dependencies and their API/permission-level behaviors
● Contextual policies based on event sequences enable the detection and analysis of complex malicious behaviors (user-oriented security)
● Enriches the set of detection techniques used by security analysts
Questions?
Kevin Chen <[email protected]>
Backup Slides
Native Code
● Known
○ The API Semantics Engine
● Unknown
○ Do NOT support
Rewriting
● Barriers for static analysis:
○ Unresolved reflection
○ Unresolved dynamic dispatching
● Solutions:
○ Insert runtime checks
○ More in the paper
API Frequency in 95,000 Apps
Specification Constructs
| Information Type | Example |
| --- | --- |
| System status variables (Mode variables) | STOPButton.registered, MyActivity.inBackground |
| System APIs and their arguments | android.location.Location: double getLatitude(), "content://com.android.contacts/contacts" |
| Permissions | "android.permission.INTERNET" |
Specification Checker Interface
Bounded BFS for conformance analysis
Write the specification FSM using the following interfaces:
public int getStateId();
public void restoreFromStateId(int id);
public ListenerResult stateListener(ModelState state);
public ListenerResult actionListener(EventModality action);
public ListenerResult methodListener(PathItemMethod method);
Evaluation
Applications
● Usage scenarios:
○ Extra semantics-based filter for malware screening
○ Diagnostic tool for security analysts
○ Fine-grained information about permission use for the user
FP/FN
● Emphasis: a new representation to detect a specific category of malicious behaviors, in addition to the traditional Android malware detection techniques.
● 2/18 for the specific set of behaviors
● No longer binary
○ Should be a continuous answer.
○ Geotag