st statistical de de ob obfu fusc scation ion for or
play

St Statistical De De-ob obfu fusc scation ion for or Android - PowerPoint PPT Presentation

Jun 02, 2023 β€’105 likes β€’429 views

www.srl.inf.ethz.ch St Statistical De De-ob obfu fusc scation ion for or Android oid Pe Petar Tsankov, ETH Zurich DeGua De uard Team Te Benjamin Veselin Petar Martin Bichsel Raychev Tsankov Vechev Why De-obfuscate Android

  1. www.srl.inf.ethz.ch St Statistical De De-ob obfu fusc scation ion for or Android oid Pe Petar Tsankov, ETH Zurich DeGua De uard Team Te Benjamin Veselin Petar Martin Bichsel Raychev Tsankov Vechev

  2. Why De-obfuscate Android Applications? Android binaries (APKs) (no code available) Open-source (code available) Google Play F-Droid 2

  3. Why De-obfuscate Android Applications? 2.6 M APKs Which APKs are malicious ? Which ones use vulnerable libraries ? 5 K APKs Google Play F-Droid 2

  4. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  5. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c Security Challenges class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Code inspection Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { db = getWritableDatabase(); b = getWritableDatabase(); } } Third-party library detection API names Cursor execSQL (String str) { Cursor c (String str) { … many others remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  6. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Can we reverse Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { layout obfuscation db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  7. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { www.apk-deguard.com db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names Yes, with roughly 80% accuracy! 3

  8. Demo

  9. www.apk-deguard.com Released in October 2016, so far: > 100GB distinct APKs de-obfuscated Reddit posts/comments Tweets . . . 4 . . .

  10. How Does DeGuard Work?

  11. DeGuard: System Overview Learning phase Semantic representation Static Training analysis Probabilistic model 𝑄 ) Open-source, unobfuscated APKs Prediction phase class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{ SQLiteDatabase b ; Static MAP SQLiteDatabase db ; public a (Context ctx) { Transform public DBHelper (Context ctx) { analysis inference b = getWritableDB(); db = getWritableDB(); } } } } De-obfuscated code Obfuscated code 5

  12. Probabilistic Graphical Models

  13. Probabilistic Graphical Models name1 name2 weight 𝑔 SQLiteHelper DBUtils 0.3 ) 𝑔 * SQLiteHelper DBHelper 0.2 class a extends SQLiteHelper { SQLiteHelper a name1 name2 weight SQLiteDatabase b ; extends 𝑔 - DBUtils instance 0.5 public a (Context ctx) { ` field-in 𝑔 . DBHelper db 0.4 b = getWritableDB(); gets getWritableDB b 𝑔 / … … … } } name1 name2 weight 𝑔 + getWritableDB db 0.7 Graph + features define a probabilistic graphical model 𝑔 , getWritableDB instance 0.4 𝑄 𝑏, 𝑐 π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , π‘•π‘“π‘’π‘‹π‘ π‘—π‘’π‘π‘π‘šπ‘“πΈπΆ ) Known variables = 1 SQLiteHelper, getWritableDB π‘Ž exp (0.3 J 𝑔 ) π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 Unknown variables a, b + 0.2 J 𝑔 * π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 + β‹― ) 𝑔 ) , 𝑔 * , . . , 𝑔 Feature functions / 6 For details see report on www.apk-deguard.com

  14. Probabilistic Graphical Models name1 name2 weight 𝑔 SQLiteHelper DBUtils 0.3 ) 𝑔 * SQLiteHelper DBHelper 0.2 class a extends SQLiteHelper { SQLiteHelper a name1 name2 weight SQLiteDatabase b ; extends 𝑔 - DBUtils instance 0.5 public a (Context ctx) { ` field-in 𝑔 . DBHelper db 0.4 Next b = getWritableDB(); gets getWritableDB b 𝑔 / … … … } } How are the features and name1 name2 weight their weights learned? 𝑔 + getWritableDB db 0.7 Graph + features define a probabilistic graphical model 𝑔 , getWritableDB instance 0.4 𝑄 𝑏, 𝑐 π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , π‘•π‘“π‘’π‘‹π‘ π‘—π‘’π‘π‘π‘šπ‘“πΈπΆ ) Known variables = 1 SQLiteHelper, getWritableDB π‘Ž exp (0.3 J 𝑔 ) π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 Unknown variables a, b + 0.2 J 𝑔 * π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 + β‹― ) 𝑔 ) , 𝑔 * , . . , 𝑔 Feature functions / 6 For details see report on www.apk-deguard.com

  15. Learning

  16. Learning Actual graphs have > 1,000 nodes > 2,000 name1 name2 weight Dependency graphs 𝑔 ) SQLiteHelper DBUtils 0.3 Unobfuscated 𝑔 * SQLiteHelper DBHelper 0.2 name1 name2 𝑔 + getWritableDB db 0.7 APKs Static Train 𝑔 ) SQLiteHelper DBUtils 𝑔 , getWritableDB instance 0.4 analysis model 𝑔 * SQLiteHelper DBHelper 𝑔 - DBUtils instance 0.5 𝑔 + getWritableDB db 𝑔 . DBHelper db 0.4 𝑔 , getWritableDB instance 𝑔 / … … … Feature 𝑔 - DBUtils instance 𝑔 . DBHelper db templates 𝑔 / … … Compute weights that > 100,000 Features (with maximize 𝑄 𝑃 = 𝑝 O 𝐿 = 𝑙 O for 28 templates candidate names) all training samples (𝑝 O , 𝑙 O ) 7

  17. DeGuard: System Overview Learning phase Static Training analysis Probabilistic model 𝑄 ) Open-source, unobfuscated APKs Prediction phase class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{ SQLiteDatabase b ; Static MAP SQLiteDatabase db ; public a (Context ctx) { Transform public DBHelper (Context ctx) { analysis inference b = getWritableDB(); db = getWritableDB(); } } } } De-obfuscated code Obfuscated code

  18. Prediction Phase name1 name2 weight SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static public a (Context ctx) { SQLiteHelper a analysis b = getWritableDB(); extends } field-in Obfuscated Code } gets getWritableDB b name1 name2 weight name1 name2 weight DBUtils instance 0.5 getWritableDB db 0.7 DBHelper db 0.4 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 8

  19. Prediction Phase name1 name2 weight MAP Inference SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static Static 𝑝 βƒ— = 𝑏𝑠𝑕𝑛𝑏𝑦 𝑄 𝑃 = 𝑝 βƒ—β€² 𝐿 = 𝑙 public a (Context ctx) { SQLiteHelper a analysis analysis b = getWritableDB(); 𝑝 βƒ—β€² ∈ Ξ© extends } field-in Obfuscated Code } gets Candidate assignment 𝒑 getWritableDB b 𝑸 𝒑 𝒍) * a = DBUtils b = instance 1.2 a = DBHelper b = db 1.3 name1 name2 weight name1 name2 weight DBUtils instance 0.5 a = DBUtils b = db 0.8 getWritableDB db 0.7 DBHelper db 0.4 a = DBHelper b = instance 1.2 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 *Non-normalized 8

  20. Prediction Phase name1 name2 weight MAP Inference SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static 𝑝 βƒ— = 𝑏𝑠𝑕𝑛𝑏𝑦 𝑄 𝑃 = 𝑝 βƒ—β€² 𝐿 = 𝑙 public a (Context ctx) { SQLiteHelper a analysis b = getWritableDB(); 𝑝 βƒ—β€² ∈ Ξ© extends } field-in Obfuscated Code } gets Candidate assignment 𝒑 getWritableDB b 𝑸 𝒑 𝒍) * a = DBUtils b = instance 1.2 a = DBHelper b = db 1.3 name1 name2 weight name1 name2 weight DBUtils instance 0.5 a = DBUtils b = db 0.8 getWritableDB db 0.7 DBHelper db 0.4 a = DBHelper b = instance 1.2 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 *Non-normalized 8

  21. Prediction Phase name1 name2 weight SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static public a (Context ctx) { SQLiteHelper DBHelper analysis b = getWritableDB(); extends } field-in Obfuscated Code } Semantically gets getWritableDB db the same? class DBHelper extends SQLiteHelper { SQLiteDatabase db ; name1 name2 weight public DBHelper (Context ctx) { name1 name2 weight DBUtils instance 0.5 Transform db = getWritableDB(); getWritableDB db 0.7 DBHelper db 0.4 } getWritableDB instance 0.4 DBUtils db 0.2 Deobfuscated Code } DBHelper instance 0.2 8

Recommend

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin Takbiri, Dennis L. Goeckel, Amir Houmansadr, Hossein Pishro-Nik University of Massachusetts Amherst IEEE International Symposium on Information

422 views β€’ 28 slides
Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit

Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit

Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit codes Condensed and selected lists (national lists) Standards and reporting requirements for fetal, perinatal, neonatal and infant mortality Live

295 views β€’ 5 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views β€’ 59 slides
Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models http://www.cims.nyu.edu/~cfgranda/pages/DSGA1002_fall16 Carlos Fernandez-Granda Descriptive statistics Statistical estimation Histogram Technique to visualize

1.16k views β€’ 99 slides
STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models Probability/Statistical Models: Theory prob/math stats Simulation samples of y ( | ) p y Statistical analysis: Computation: Likelihood

250 views β€’ 11 slides
Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major

Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major tools: Histogram or stem-and-leaf plot; 1

466 views β€’ 14 slides
III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is

III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is

III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is a statistical language model? 4.2 Smoothing Methods 4.3 Extended LMs *With extensions from: C. Zhai, J. Lafferty: A Study of Smoothing

504 views β€’ 29 slides
Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical

Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical

Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical Literacy: Statistical Literacy Harpers Index Statistical literacy is the ability to read and MILO SCHIELD, interpret summary statistics in everyday

388 views β€’ 14 slides
Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS

Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS

Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS Conference in honor of Shun-ichi Amari Liblice, June 2016 1. Statistical manifold and embedding of statistical manifolds. 2. Obstructions to the

394 views β€’ 27 slides
Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical Programming for Statistical Science Science Shawn Santo Shawn Santo 1 / 59 1 / 59 Supplementary materials Full video lecture available in

613 views β€’ 59 slides
13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical

13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical

13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical Literacy: Statistical Literacy Confounding Statistical literacy is the ability to read and MILO SCHIELD, interpret summary statistics in everyday

564 views β€’ 28 slides
Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are

Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are

Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are obtained by several different probability distributions, e.g. canonical or microcanonical: which attribute the same average to physically interesting

507 views β€’ 38 slides
The presentations schedule Conceptual model of functioning of official statistics

The presentations schedule Conceptual model of functioning of official statistics

The concept of the new organization of statistical surveys Janusz Dygaszew icz Director Programming and Coordination of Statistical Surveys Department CSO Poland Meeting on the Management of Statistical Information Systems Paris, France 23 -

511 views β€’ 15 slides
Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from

Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from

Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from popular conceptions of mathematical thinking Your Goal Identify some issues demarcating statistical and mathematical thinking Reflect on ways

290 views β€’ 28 slides
E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical

E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical

E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical arm of the European Commission, producing data for the European Union and promoting the harmonisation of statistical methods across the Member

269 views β€’ 16 slides
Statistical methods in bioinformatics Brief introduction, statistical models, dimension

Statistical methods in bioinformatics Brief introduction, statistical models, dimension

u n i v e r s i t y o f c o p e n h a g e n m a r c h 3 1 s t , 2 0 2 0 Faculty of Health Sciences Statistical methods in bioinformatics Brief introduction, statistical models, dimension reductions. Claus Thorn Ekstrm Biostatistics,

660 views β€’ 65 slides
Statistical ensembles, entropy and probability in statistical mechamics Personne nignore que

Statistical ensembles, entropy and probability in statistical mechamics Personne nignore que

Statistical ensembles, entropy and probability in statistical mechamics Personne nignore que la chaleur peut etre la cause du mouvement, quelle poss` ede m eme une grande puissance motrice: les machines ` a vapeur, aujourdhui

757 views β€’ 20 slides
Model-Based Interpolation, Prediction, and Approximation Statistical Computing for

Model-Based Interpolation, Prediction, and Approximation Statistical Computing for

Model-Based Interpolation, Prediction, and Approximation Statistical Computing for Uncertainty Analysis Antonio Possolo Statistical Engineering Division Information T echnology Laboratory August 4, 2011 1 / 28 Outline Statistical

301 views β€’ 14 slides
Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your

Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your

STATISTICAL THINKING IN PYTHON II Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your well-equipped toolbox Graphical and quantitative EDA Parameter estimation Confidence interval

608 views β€’ 23 slides
Importing Data from Statistical So ware haven Importing Data into R Statistical So

Importing Data from Statistical So ware haven Importing Data into R Statistical So

IMPORTING DATA INTO R Importing Data from Statistical So ware haven Importing Data into R Statistical So ware Packages Data File Package Expanded Name Application Extensions Business Analytics .sas7bdat SAS Statistical

369 views β€’ 26 slides
Lab 2 Lab 2 Programming for Statistical Programming for Statistical Science Science 1 / 4 1

Lab 2 Lab 2 Programming for Statistical Programming for Statistical Science Science 1 / 4 1

Lab 2 Lab 2 Programming for Statistical Programming for Statistical Science Science 1 / 4 1 / 4 Getting started Navigate to https://classroom.github.com/a/sejG8Dhe to accept Lab 2 and create your private repository within our GitHub course

443 views β€’ 4 slides
Summary of unmet need guidance and statistical challenges Daniel B. Rubin, PhD Statistical

Summary of unmet need guidance and statistical challenges Daniel B. Rubin, PhD Statistical

Summary of unmet need guidance and statistical challenges Daniel B. Rubin, PhD Statistical Reviewer Division of Biometrics IV Office of Biostatistics, CDER, FDA 1 Disclaimer This presentation reflects the views of the presenter and

270 views β€’ 23 slides
Africa African Gro n Growth th Mira Miracle le or r Statistical T Statistical Tra ragedy?

Africa African Gro n Growth th Mira Miracle le or r Statistical T Statistical Tra ragedy?

Africa African Gro n Growth th Mira Miracle le or r Statistical T Statistical Tra ragedy? y? Interpretin ing tren ends i in th the e data o a over th the e pas ast two wo decad ades. By Morten Jerven School for International

803 views β€’ 21 slides
Statistical Natural Language Processing Statistical models: learning, inference, estimation,

Statistical Natural Language Processing Statistical models: learning, inference, estimation,

Statistical Natural Language Processing Statistical models: learning, inference, estimation, prediction ar ltekin University of Tbingen Seminar fr Sprachwissenschaft Summer Semester 2017 Statistical models: learning, inference,

497 views β€’ 25 slides

More recommend