static vs dynamic analysis
play

Static vs. Dynamic Analysis Static analysis: analyze source code or - PowerPoint PPT Presentation

Dec 20, 2023 •685 likes •1.02k views

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

  1. I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016

  2. • ! ! ! B ACKGROUND Static vs. Dynamic Analysis • Static analysis: analyze source code or byte code ◦ Imprecise ◦ No run-time data • Dynamic analysis: analyze during execution ◦ Run-time values → precise I NTELLI D ROID 2 U NIVERSITY OF T ORONTO

  3. 
 
 • ! ! ! B ACKGROUND Dynamic Code Coverage • To detect malicious activity, first have to execute it • Example: 
 message = <receive confirmation SMS> 
 if message.number == ‘1234’: <malicious action> I NTELLI D ROID 3 U NIVERSITY OF T ORONTO

  4. • ! ! ! B ACKGROUND Concolic Testing • Run all execution paths in application • Symbolic execution, solve constraints for inputs constraint 1 constraint 1 !(constraint 1) !(constraint 1) constraint 2 !(constraint 2) constraint 3 !(constraint 3) I NTELLI D ROID 4 U NIVERSITY OF T ORONTO

  5. • ! ! ! B ACKGROUND Specific Malicious Paths • Malicious activity only executed in certain parts of the code malicious code I NTELLI D ROID 5 U NIVERSITY OF T ORONTO

  6. ! • ! ! D ESIGN IntelliDroid • Targets specific parts of the application ◦ Input generator for existing dynamic detector ◦ Hybrid static and dynamic design • Implemented for Android • Improve malware analysis and detection I NTELLI D ROID 6 U NIVERSITY OF T ORONTO

  7. ! • ! ! D ESIGN Target Malicious Paths • Malicious activity present only in certain parts of the code malicious code I NTELLI D ROID 7 U NIVERSITY OF T ORONTO

  8. ! • ! ! D ESIGN Target Malicious Paths • Use static analysis to look for call paths to malicious activity malicious code I NTELLI D ROID 8 U NIVERSITY OF T ORONTO

  9. ! • ! ! D ESIGN Target Over-Approximation • Target over-approximation of malicious behaviors suspicious suspicious suspicious code code code I NTELLI D ROID 9 U NIVERSITY OF T ORONTO

  10. ! • ! ! D ESIGN Target Over-Approximation • Target over-approximation of malicious behaviors suspicious suspicious suspicious code code code I NTELLI D ROID 10 U NIVERSITY OF T ORONTO

  11. ! • ! ! D ESIGN Targeted Methods • Use method invocations as over-approximation ◦ Depends on attached dynamic malware detector Dynamic Tool Goal Features for Analysis • Existing dynamic detectors 
 AASandbox [10] Monitor behavior via track- System calls ing of system calls Malware detection via sys- Low-level device fea- Andromaly [36] for Android: tem resource usage tures (e.g. battery us- age, CPU load) CopperDroid [39] Monitor behavior via sys- System calls tem call tracking Monitor behavior via track- System calls Crowdroid [12] ✔ ◦ Method invocations ing of system calls DroidBox [18] Sandbox to monitor exter- Sink API methods nal accesses DroidRanger [50] Detect malware using pre- Sequence of API specified behavioral foot- method invocations ✔ ◦ System call traces prints and heuristics and parameters DroidScope [39] Plugins for API track- API methods; ing, instruction tracing, and source/sink API taint tracking methods RiskRanker [39] Detect malware using Sequence of API ❌ ◦ Anomaly detection known vulnerability method invocations signatures Detect privacy leakage Source/sink API meth- TaintDroid [19] ods VetDroid [47] Malware detection via per- Permission requests mission use behavior (can be mapped to API methods) I NTELLI D ROID 11 U NIVERSITY OF T ORONTO

  12. ! • ! ! D ESIGN Static Constraint Extraction • Extract constraints on inputs that can trigger targeted paths Path Path Constraints Constraints Path Constraints suspicious code I NTELLI D ROID 12 U NIVERSITY OF T ORONTO

  13. ! • ! ! D ESIGN Targeted Input Injection • Inject constrained inputs to execute paths at run-time Static Dynamic Path inputs Constraints … Run-time inputs Path Constraints I NTELLI D ROID U NIVERSITY OF T ORONTO

  14. ! • ! ! D ESIGN Challenges • Finding targeted paths using static analysis ◦ Imprecision? • Executing path to suspicious code ◦ Dependencies between paths? • Run-time input injection ◦ Where to inject? I NTELLI D ROID 14 U NIVERSITY OF T ORONTO

  15. 
 
 ! • ! ! D ESIGN Static Imprecision • Static analysis cannot determine run-time values • Example: 
 message = <receive confirmation SMS> 
 if message.number == <file A>.text: <malicious action> Constraint <SMS message>.number == <file A> I NTELLI D ROID 15 U NIVERSITY OF T ORONTO

  16. ! • ! ! D ESIGN Using Run-time Data • Solve constraints at run-time (with run-time data) Static Dynamic Run-time Path 1 file A file A Constraints “1234” “1234” constraint … constraints … solver location location Path N San Diego San Diego Constraints <SMS message>.number == <file A> “1234” I NTELLI D ROID 16 U NIVERSITY OF T ORONTO

  17. ! • ! ! D ESIGN Path Dependencies • Data- and control-flow dependencies between call paths read X data flow malicious write X code I NTELLI D ROID 17 U NIVERSITY OF T ORONTO

  18. ! • ! ! D ESIGN Path Dependencies • Data- and control-flow dependencies between call paths 1 2 Event Chain read X 1) <path to write X> 2) <path to malicious code> malicious write X code I NTELLI D ROID 18 U NIVERSITY OF T ORONTO

  19. ! • ! ! D ESIGN Run-Time Injection Application Event SMS Event Handler Handler Handler Framework System SMS System Service Service Service Cellular Sensor Radio Hardware/Device I NTELLI D ROID 19 U NIVERSITY OF T ORONTO

  20. ! • ! ! D ESIGN Application Injection Application info on SMS? Event SMS Event Handler Handler Handler Framework what SMS? System SMS System Service Service Service Cellular Sensor Radio Hardware/Device I NTELLI D ROID 20 U NIVERSITY OF T ORONTO

  21. ! • ! ! D ESIGN Device-Framework Injection Application info on SMS? Event SMS Event Handler Handler Handler Framework OK! System SMS System Service Service Service Cellular Sensor Radio Hardware/Device I NTELLI D ROID 21 U NIVERSITY OF T ORONTO

  22. ! • ! ! D ESIGN Contributions • Static imprecision ◦ Dynamic constraint solving with run-time values • Path dependencies ◦ Event chains • Consistent input injection ◦ Device-framework injection I NTELLI D ROID 22 U NIVERSITY OF T ORONTO

  23. ! ! • ! I MPLEMENTATION Static Component Targeted App APK Application Behaviors BootReceiver onReceive(Intent i): if i == BOOT_COMPLETED: a = 1234 SMSReceiver IntelliDroid onReceive(Intent i): Static Component if i == SMS_RECEIVED: handleSMS(…) handleSMS(addr, msg): if a == addr: sendTextMessage(…) I NTELLI D ROID 23 U NIVERSITY OF T ORONTO

  24. ! ! • ! I MPLEMENTATION Static Component Targeted App APK Application Behaviors BootReceiver Extract event handlers onReceive(Intent i): if i == BOOT_COMPLETED: a = 1234 Find call paths SMSReceiver Extract path constraints onReceive(Intent i): 2 1 if i == SMS_RECEIVED: handleSMS(…) Add to event chain handleSMS(addr, msg): if a == addr: If dependency: sendTextMessage(…) find dependent path I NTELLI D ROID 24 U NIVERSITY OF T ORONTO

  25. ! ! • ! I MPLEMENTATION Static Component Targeted App APK Application Behaviors BootReceiver Extract event handlers onReceive(Intent i): 1 if i == BOOT_COMPLETED: a = 1234 Find call paths SMSReceiver Extract path constraints onReceive(Intent i): 2 if i == SMS_RECEIVED: handleSMS(…) Add to event chain handleSMS(addr, msg): if a == addr: If dependency: Output: target call 
 sendTextMessage(…) find dependent path paths and constraints I NTELLI D ROID 25 U NIVERSITY OF T ORONTO

  26. ! ! • ! I MPLEMENTATION Implementation • Static analysis (Android-specific): WALA 1 • Dynamic component: ◦ Client program (Python) Constraint solver: Z3 2 - ◦ Custom Android OS IntelliDroidService : system service to receive input - information and inject events 1 Watson libraries for analysis. http://wala.sourceforge.net. Accessed: September 2014. 2 Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, pages 337–340. Springer, 2008. I NTELLI D ROID 26 U NIVERSITY OF T ORONTO

  27. ! ! ! • E VALUATION Evaluation • Can IntelliDroid be integrated with existing dynamic malware detectors? • Can it execute targeted behaviours at run-time? • Is the analysis time reasonable? I NTELLI D ROID 27 U NIVERSITY OF T ORONTO

  28. ! ! ! • E VALUATION Integration with TaintDroid • Attached to TaintDroid (dynamic taint tracking tool) • Input generator to execute taint sources and sinks TaintDroid leakage IntelliDroid IntelliDroid paths inputs Dynamic paths (Static) (Dynamic) Detector taint source taint sink e.g. getDeviceId() sendTextMessage() I NTELLI D ROID 28 U NIVERSITY OF T ORONTO

Recommend

Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp;

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp;

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp; Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme: Static and dynamic analyses

451 views • 34 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis

Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis

Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis (gkastrinis@di.uoa.gr) Yannis Smaragdakis (yannis@smaragd.org) University of Athens, Greece ISSTA18, July 17, 2018, Amsterdam, Netherlands Dynamic

403 views • 23 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic Program Analysis Program Analysis Patrice Godefroid Godefroid Patrice Bell Laboratories, Lucent Technologies Bell Laboratories, Lucent

1.05k views • 56 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu

CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu

CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu USC 227 Office hours: 3-4 Tuesday, 2-3 Thursday URL: http://www.cs.colostate.edu/~cs653 These notes are loosely based on Amer Diwans CSCI 7135

299 views • 8 slides
#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for

#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for

#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results Rick Smith, Senior Product Manager Jimmy Rabon, Senior Product Manager #MicroFocusCyberSummit Automation Static Analysis

583 views • 22 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper takeaways tl;dr JUST USE HASKELL JUST USE IDRIS several modern functional languages have optional type systems they are mature enough to be

1.12k views • 76 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides

More recommend