
Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy: latest publications

SPICE: A Software Tool for Bridging the Gap Between End-user's Insecure Cyber Behavior and Personality Traits
Anjila Tamrakar, Justin D. Russell, Irfan Ahmed, G. Richard, C. Weems
End users are prone to insecure cyber behavior that may lead them to compromise the integrity, availability or confidentiality of their computer systems. For instance, replying to a phishing email may compromise an end user's login credentials. Identifying a tendency toward insecure cyber behavior is critically important for improving cyber security posture, and the thesis of this paper is that the susceptibility of end users to becoming victims of a cyber attack may be predicted using personality traits such as trait anxiety and callousness. This paper presents an easily configurable, script-based software tool to explore the relationships between the personality traits and insecure cyber behaviors of end users. The software utilizes well-established cognitive methods (such as the dot-probe task) to identify a number of personality traits for a user, and further allows researchers to design and conduct experiments through customizable scripting to study end users' insecure cyber behaviors. The software also collects fine-grained data on users for analysis.
DOI: https://doi.org/10.1145/2857705.2857744 (published 2016-03-09). Citations: 7
JSLINQ: Building Secure Applications across Tiers
Musard Balliu, Benjamin Liebe, Daniel Schoepe, A. Sabelfeld
Modern web and mobile applications are complex entities amalgamating different languages, components, and platforms. The rich features span the application tiers and components, some from third parties, and require substantial efforts to ensure that the insecurity of a single component does not render the entire system insecure. As of today, the majority of the known approaches fall short of ensuring security across tiers. This paper proposes a framework for end-to-end security, by tracking information flow through the client, server, and underlying database. The framework utilizes homogeneous meta-programming to provide a uniform language for programming different components. We leverage .NET meta-programming capabilities from the F# language, thus enabling language-integrated queries on databases and interoperable heterogeneous execution on the client and the server. We develop a core of our security enforcement in the form of a security type system for a functional language with mutable store and prove it sound. Based on the core, we develop JSLINQ, an extension of the WebSharper library to track information flow. We demonstrate the capabilities of JSLINQ on the case studies of a password meter, two location-based services, a movie rental database, an online Battleship game, and a friend finder app. Our experiments indicate that JSLINQ is practical for implementing high-assurance web and mobile applications.
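The abstract's core is a security type system that tracks information flow through a language with a mutable store. The following is an added example, not JSLINQ's code, of what such a checker enforces: a two-point lattice (L below H), a tiny AST with assignment, sequencing and branching, and the rule that an assignment is accepted only if the join of the program-counter label and the expression's label flows to the target variable's label. The lattice, AST, variable labels and sample programs are all assumptions made for the illustration.

```python
"""Added example: a minimal security type checker for a while-language with a
mutable store, in the spirit of the type system JSLINQ builds on. This is not
JSLINQ's code; the two-point lattice, AST and typing rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, Union

LOW, HIGH = "L", "H"          # two-point lattice: L (public) < H (secret)


def lub(a: str, b: str) -> str:
    """Least upper bound of two labels."""
    return HIGH if HIGH in (a, b) else LOW


def flows_to(src: str, dst: str) -> bool:
    """src may flow to dst iff src <= dst in the lattice."""
    return src == LOW or dst == HIGH


# Expressions
@dataclass
class Const:
    value: int

@dataclass
class Var:
    name: str

@dataclass
class BinOp:
    left: "Expr"
    right: "Expr"

Expr = Union[Const, Var, BinOp]

# Statements; the mutable store is the environment mapping variables to labels
@dataclass
class Skip:
    pass

@dataclass
class Assign:
    target: str
    expr: Expr

@dataclass
class If:
    cond: Expr
    then: "Stmt"
    orelse: "Stmt"

@dataclass
class Seq:
    first: "Stmt"
    second: "Stmt"

Stmt = Union[Skip, Assign, If, Seq]


class Insecure(Exception):
    """Raised when a program would let H data influence an L variable."""


def label_of(e: Expr, env: Dict[str, str]) -> str:
    """Constants are L, variables carry the store's label, and an operator
    result is the join of its operands."""
    if isinstance(e, Const):
        return LOW
    if isinstance(e, Var):
        return env[e.name]
    return lub(label_of(e.left, env), label_of(e.right, env))


def check(s: Stmt, env: Dict[str, str], pc: str = LOW) -> None:
    """Type-check s under program-counter label pc. Assignment requires
    lub(pc, label(expr)) <= label(target); branching on an H condition raises
    pc for both branches, which is what rules out implicit flows."""
    if isinstance(s, Skip):
        return
    if isinstance(s, Assign):
        src = lub(pc, label_of(s.expr, env))
        if not flows_to(src, env[s.target]):
            raise Insecure(f"{src} data would reach {s.target}:{env[s.target]}")
        return
    if isinstance(s, If):
        pc2 = lub(pc, label_of(s.cond, env))
        check(s.then, env, pc2)
        check(s.orelse, env, pc2)
        return
    check(s.first, env, pc)
    check(s.second, env, pc)


def is_secure(s: Stmt, env: Dict[str, str]) -> bool:
    try:
        check(s, env)
        return True
    except Insecure:
        return False


# Constructed programs over a store with one secret and two public variables.
ENV = {"secret": HIGH, "pub": LOW, "out": LOW, "tmp": HIGH}
EXPLICIT = Assign("pub", Var("secret"))                                         # rejected
IMPLICIT = If(Var("secret"), Assign("out", Const(1)), Assign("out", Const(0)))  # rejected
SAFE = Seq(Assign("tmp", BinOp(Var("secret"), Const(1))),                       # H into H
           If(Var("pub"), Assign("out", Var("pub")), Skip()))                   # L under L pc
```

The IMPLICIT program never copies the secret, yet the value of `out` reveals it; the raised pc inside the branches is what catches that. A cross-tier system adds labels for the database and the client to this lattice, but the assignment rule is the same.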
DOI: https://doi.org/10.1145/2857705.2857717 (published 2016-03-09). Citations: 13
DIVERSITY
J. Knight
Diversity works well in nature, where it is the basis of natural selection, a phenomenon that helps biological populations survive as they are challenged by hazards in their environments. Diversity also has a long history in engineering, where it is used to counter the effects of design faults. Engineered systems are subject to failure, and significant losses can result from the failure of safety- and security-critical applications. A system that includes identical replicates of one or more components can survive degradation faults, i.e., faults that arise during operation as components age. But identical replicates do not help a system survive design faults, i.e., faults that are the result of defects in the basic design: identical replicates contain the same defect and so fail together on the same inputs. All software faults are design faults, because software faults are not the result of software "wearing out" over time; defects that arise in the requirements, specification and coding of software are all design faults. A variety of different types of diversity have been developed to deal with design faults. Design diversity couples together systems with identical functionality but different designs. The different systems are referred to as versions, and the versions are executed in parallel with the results subject to a vote. If erroneous outputs are produced because of design defects in some of the versions, the correct output will still be produced provided the erroneous outputs are in a minority. There is no guarantee that the different designs will not contain the same faults, and so voting could select an erroneous output. Data diversity couples together identical copies of a given system but executes them in parallel on transformed data; the inverse transformation is applied to the outputs.
Artificial diversity applies an algorithmic transformation, such as relocating the address space by a random amount, to a system, thereby producing variants that differ in a systematic way. Artificial diversity is an effective method of avoiding the "software monoculture". All forms of diversity have been applied successfully in the field of cyber security. Artificial diversity is especially important because: (a) when applied carefully it transforms information useful to an attacker, such as the fixed and known locations of variables, into a high-entropy search problem; (b) it incurs little to no execution-time overhead; and (c) it is applied mechanically, so no development effort is required. Artificial diversity has been shown to provide strong security protection to systems that contain certain classes of vulnerability, whether the vulnerabilities are known or unknown. A unique characteristic of artificial diversity is that artificially diverse variants can be constructed and combined into an operational system with a property known as secretless security: for certain classes of vulnerability, such a system is provably protected against attack, and it needs no secret to be kept.
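Design diversity and data diversity are easier to reason about with a concrete vote in front of you. The block below is an added example, not code from the keynote: three versions of one small specification (Gregorian leap years) are run in parallel and majority-voted, one version carrying a design fault; a second voter runs a single version on re-expressed inputs, exploiting the fact that leap status is invariant under a 400-year shift. The versions, the injected faults and the re-expression are constructed for the illustration.

```python
"""Added example of design diversity (N-version voting) and data diversity
(re-expression); not code from the keynote. The versions, the injected
faults and the 400-year re-expression are constructed for illustration."""
from collections import Counter
import calendar


# Three versions of one specification: is `year` a Gregorian leap year?
def leap_v1(year: int) -> bool:
    """Version 1: the full rule."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def leap_v2(year: int) -> bool:
    """Version 2: design fault, the century rule was left out."""
    return year % 4 == 0


def leap_v3(year: int) -> bool:
    """Version 3: independent design, delegates to the standard library."""
    return calendar.isleap(year)


def vote(versions, x):
    """Run the versions in parallel on x and take a majority vote.
    Returns (winner, unanimous): unanimous is False whenever some version
    disagreed, which is the signal that a design fault was exercised."""
    outputs = [v(x) for v in versions]
    winner, count = Counter(outputs).most_common(1)[0]
    return winner, count == len(outputs)


# Data diversity: leap status is invariant under year -> year + 400*k, so one
# version can be run on re-expressed inputs; the inverse transform on the
# boolean result is the identity.
def leap_v4(year: int) -> bool:
    """Correct design with a constructed fault on exactly one input."""
    if year == 1900:
        return True
    return leap_v1(year)


def data_diverse(f, year: int, shifts=(0, 400, 800)) -> bool:
    """Evaluate f on re-expressions of `year` and vote on the results."""
    outputs = [f(year + s) for s in shifts]
    winner, _ = Counter(outputs).most_common(1)[0]
    return winner
```

Calling `vote([leap_v2, leap_v2, leap_v1], 1900)` shows the caveat the abstract raises: when two versions share the same fault they outvote the correct one, so the value of design diversity rests entirely on the independence of the designs.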
DOI: https://doi.org/10.1145/2857705.2857728 (published 2016-03-09). Citations: 0
Neuralyzer: Flexible Expiration Times for the Revocation of Online Data
Apostolis Zarras, K. Kohls, Markus Dürmuth, C. Pöpper
Once data is released to the Internet, there is little hope of successfully deleting it, as it may have been duplicated, reposted, and archived in multiple places. This poses a significant threat to users' privacy and their right to permanently erase their own data. One approach to controlling the implications for privacy is to assign a lifetime value to the published data and ensure that the data is no longer accessible after that point in time. However, such an approach suffers from the inability to predict the right time at which the data should vanish. Consequently, the author of the data can only estimate the correct time, which unfortunately can cause premature or belated deletion. This paper tackles the problem of fixed lifetimes in data deletion from a different angle and argues that alternative approaches are a desideratum for research. In our approach, we consider different criteria for when data should be deleted, such as keeping data available as long as there is sufficient interest in it, or deleting it early in cases of excessive access. To assist the self-destruction of data, we propose a protocol and develop a prototype, called Neuralyzer, which leverages the caching mechanisms of the Domain Name System (DNS) to ensure the successful deletion of data. Our experimental results demonstrate that our approach can completely delete published data while at the same time achieving flexible expiration times varying from a few days to several months depending on the users' interest.
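The two expiry criteria named in the abstract, renewal while interest persists and deletion on excessive access, can be simulated without any DNS at all. The block below is an added example, not the Neuralyzer protocol: a key that unlocks a published item has a time-to-live that every successful access refreshes (standing in for a cached DNS record being re-requested), expires when idle, and is destroyed outright when accesses inside a sliding window exceed a threshold. The TTL, window, threshold and access timelines are assumptions.

```python
"""Added example: a simulation of the two expiry criteria the abstract names,
interest-based renewal and deletion on excessive access. A TTL cache that is
refreshed on every access stands in for the DNS cache behaviour the paper
relies on; this is not the Neuralyzer protocol and all parameters are
assumptions."""
from collections import deque


class InterestExpiry:
    """Availability of the key that unlocks a published item.

    - every successful access refreshes the key's time-to-live (ttl), so the
      item stays readable as long as there is interest;
    - once no access happens within ttl, the key expires and the item is
      gone for good;
    - more than max_hits accesses inside `window` seconds count as excessive
      and destroy the key immediately.
    """

    def __init__(self, ttl: float, window: float, max_hits: int, t0: float = 0.0):
        self.ttl, self.window, self.max_hits = ttl, window, max_hits
        self.expires_at = t0 + ttl
        self.destroyed = False
        self.hits = deque()          # timestamps of recent accesses

    def available(self, t: float) -> bool:
        return not self.destroyed and t < self.expires_at

    def access(self, t: float) -> bool:
        """Attempt to read the item at time t; True iff it could be read."""
        if not self.available(t):
            return False
        self.hits.append(t)
        while self.hits and self.hits[0] < t - self.window:
            self.hits.popleft()
        if len(self.hits) > self.max_hits:
            self.destroyed = True    # excessive interest: delete rather than renew
            return False
        self.expires_at = t + self.ttl   # renew: interest keeps the data alive
        return True


def simulate(ttl, window, max_hits, access_times):
    """Replay a constructed access timeline; returns one verdict per access."""
    policy = InterestExpiry(ttl, window, max_hits)
    return [policy.access(t) for t in access_times]
```

Both criteria are irreversible here: an access after expiry neither reads nor revives the item, which is the property a revocation scheme needs. What the simulation does not model is the adversary who keeps issuing accesses purely to keep the item alive; the excessive-access rule is the abstract's answer to that, and the threshold is a policy choice.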
DOI: https://doi.org/10.1145/2857705.2857714 (published 2016-03-09). Citations: 19
PANDDE: Provenance-based ANomaly Detection of Data Exfiltration
Daren Fadolalkarim, Asmaa Sallam, E. Bertino
Preventing data exfiltration by insiders is a challenging process since insiders are users that have access permissions to the data. Existing mechanisms focus on tracking users' activities while they are connected to the database, and are unable to detect anomalous actions that the users perform on the data once they gain access to it. Being able to detect anomalous actions on the data is critical, as these actions are often a sign of attempts to misuse data. In this paper, we propose an approach to detect anomalous actions executed on data returned to the users from a database. The approach has been implemented as part of the Provenance-based ANomaly Detection of Data Exfiltration (PANDDE) tool. PANDDE leverages data provenance information captured at the operating system level. Such information is then used to create profiles of users' actions on the data once retrieved from the database. The profiles indicate actions that are consistent with the tasks of the users. Actions recorded in the profiles include data printing, emailing, and storage. Profiles are then used at run-time to detect anomalous actions.
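Profile-based detection over OS-level provenance is easier to evaluate when the records are in front of you. The block below is an added example in that style, not PANDDE's code: constructed provenance records tie each file action (open, print, store, email) to the database query whose result the file was derived from, a training period builds a per-role profile of observed actions and store destinations, and run-time records outside the profile raise alerts. The record format, roles, paths and rules are all assumptions.

```python
"""Added example of profile-based detection over OS-level provenance records,
in the style the PANDDE abstract describes. Not PANDDE's code: the record
format, the training data and the alert rules are constructed assumptions."""
import re
from collections import defaultdict

# Constructed provenance records: each OS-level action on a file is tied to the
# database query whose result the file was derived from.
TRAINING = """\
2016-03-01T09:02 alice analyst open  q101.csv derived_from=db:q101
2016-03-01T09:05 alice analyst print q101.csv derived_from=db:q101
2016-03-01T10:11 bob   analyst open  q102.csv derived_from=db:q102
2016-03-01T10:20 bob   analyst store q102.csv derived_from=db:q102 dest=/srv/reports
2016-03-02T11:00 carol clerk   open  q201.csv derived_from=db:q201
2016-03-02T11:03 carol clerk   print q201.csv derived_from=db:q201
""".splitlines()

# Constructed run-time records to score against the profiles.
RUNTIME = """\
2016-03-05T14:00 alice analyst email q105.csv derived_from=db:q105
2016-03-05T14:10 bob   analyst store q106.csv derived_from=db:q106 dest=/media/usb0
2016-03-05T15:00 carol clerk   print q205.csv derived_from=db:q205
""".splitlines()

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<action>\S+)\s+(?P<obj>\S+)"
    r"\s+derived_from=db:(?P<query>\S+)(?:\s+dest=(?P<dest>\S+))?$"
)


def parse(line: str) -> dict:
    m = RECORD.match(line)
    if not m:
        raise ValueError(f"unparseable provenance record: {line!r}")
    return m.groupdict()


def build_profiles(lines):
    """Per role, the actions (and store destinations) seen on DB-derived data
    during a training period that is assumed to be free of misuse."""
    profiles = defaultdict(lambda: {"actions": set(), "dests": set()})
    for rec in map(parse, lines):
        p = profiles[rec["role"]]
        p["actions"].add(rec["action"])
        if rec["dest"]:
            p["dests"].add(rec["dest"])
    return dict(profiles)


def detect(profiles, lines):
    """Flag actions on DB-derived data that fall outside the role's profile.
    Returns (user, reason) pairs in record order."""
    alerts = []
    for rec in map(parse, lines):
        p = profiles.get(rec["role"])
        if p is None:
            alerts.append((rec["user"], f"no profile for role {rec['role']}"))
        elif rec["action"] not in p["actions"]:
            alerts.append((rec["user"], f"unprofiled action {rec['action']} on {rec['obj']}"))
        elif rec["dest"] and rec["dest"] not in p["dests"]:
            alerts.append((rec["user"], f"unprofiled destination {rec['dest']}"))
    return alerts


def run() -> list:
    return detect(build_profiles(TRAINING), RUNTIME)
```

The check that matters is the one a database-side monitor cannot make: bob's query was legitimate, and only the provenance link from the stored file back to the query makes the removable-media destination visible as an action on database data. The weakness of any such profile is its training period; if the insider's misuse is already present there, it is profiled as normal.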
DOI: https://doi.org/10.1145/2857705.2857710 (published 2016-03-09). Citations: 8
Inferring the Detection Logic and Evaluating the Effectiveness of Android Anti-Virus Apps
Zhenquan Cai, R. Yap
Malware on Android has been reported to be on the rise. There are many anti-virus (AV) apps available on Android. However, most AVs are presented as black-boxes without details given about their workings. In this paper, we propose to determine the key elements used by the AVs, which we call inferring the AV detection logic, through a black-box testing methodology. We perform a large scale experiment on 57 Android AVs using 2000 malware variants to evaluate whether the detection logic can be found and whether the AVs can detect the malware. Our experiments show that a majority of AVs detect malware using simple static features. Such features can be easily obfuscated by renaming or encrypting strings and data, which can make it easy to evade some AVs. We also observe trends showing that AVs use common features to detect malware across all families.
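The black-box methodology the abstract describes, varying features of a sample and watching the verdict, is shown below as an added example that is not the paper's tooling: a constructed sample is described by its static features, a toy conjunctive signature stands in for an AV, one-at-a-time ablation (encrypting one string, renaming one class, renaming the package) reveals which features the verdict depends on, and obfuscating only those features evades it. No real malware or AV product is involved; the sample, detector and obfuscations are assumptions.

```python
"""Added example of the black-box methodology the abstract describes: vary one
static feature of a sample at a time, observe the verdict, and read off which
features the detector keys on. The sample, the toy detector and the
obfuscations are constructed; this is not the paper's tooling and no real
malware or AV is involved."""
import hashlib

# A constructed sample described by static features an AV might extract.
SAMPLE = {
    "package": "com.example.smsbilling",
    "classes": frozenset({"com.example.smsbilling.Main", "com.example.smsbilling.Net"}),
    "strings": frozenset({"http://c2.example.invalid/upload", "sendTextMessage",
                          "android.permission.READ_CONTACTS"}),
}


def toy_av(f: dict) -> bool:
    """Stand-in for a black-box AV: a conjunctive signature over three static
    features (one URL string, one class name, the package name)."""
    return ("http://c2.example.invalid/upload" in f["strings"]
            and "com.example.smsbilling.Main" in f["classes"]
            and f["package"] == "com.example.smsbilling")


def _digest(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def encrypt_string(s: str) -> str:
    """Stand-in for string encryption: the plaintext literal leaves the binary."""
    return "enc:" + _digest(s)


def rename(sym: str) -> str:
    """Stand-in for identifier renaming."""
    return "a.b." + _digest(sym)


def alter(f: dict, kind: str, value: str) -> dict:
    """Return a copy of f with exactly one feature replaced."""
    g = dict(f)
    if kind == "string":
        g["strings"] = (f["strings"] - {value}) | {encrypt_string(value)}
    elif kind == "class":
        g["classes"] = (f["classes"] - {value}) | {rename(value)}
    else:
        g["package"] = rename(value)
    return g


def all_features(f: dict):
    yield from (("string", s) for s in sorted(f["strings"]))
    yield from (("class", c) for c in sorted(f["classes"]))
    yield ("package", f["package"])


def infer_detection_logic(av, f: dict) -> list:
    """One-at-a-time ablation: features whose sole alteration flips the
    verdict are the ones the detector depends on."""
    if not av(f):
        raise ValueError("the detector must flag the unmodified sample")
    return [(k, v) for k, v in all_features(f) if not av(alter(f, k, v))]


def minimal_evasion(av, f: dict):
    """Obfuscate only the inferred key features; returns (variant, detected)."""
    g = f
    for kind, value in infer_detection_logic(av, f):
        g = alter(g, kind, value)
    return g, av(g)
```

One-at-a-time ablation only exposes conjunctive logic. A detector that fires on any one of several features would survive every single-feature variant, and inferring it needs variants that alter several features together; that is why the methodology needs a large variant set rather than a handful of edits, and it is also why the abstract's finding (simple static features, evadable by renaming or encrypting strings) is a statement about the detectors that were probed, not a general bound.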
DOI: https://doi.org/10.1145/2857705.2857719 (published 2016-03-09). Citations: 13
On Energy Security of Smartphones
Xing Gao, Dachuan Liu, Daiping Liu, Haining Wang
The availability of smartphones is still severely restricted by limited battery lifetime. To help users understand energy consumption, major mobile platforms support fine-grained energy profiling for each app. In this paper, we present a new threat, called energy collateral attacks, which can abuse and mislead all existing energy modeling approaches. In particular, energy collateral attacks are able to drain the battery stealthily through interprocess communication, wakelocks, and the screen. To defend against those attacks, we propose E-Android to accurately profile energy consumption in a comprehensive manner. E-Android monitors energy-collateral-related events and maintains energy consumption for the relevant apps. We utilize E-Android to measure energy consumption under attack by six energy malware samples and in two normal scenarios. While Android fails to disclose all these energy-malware-based attacks, E-Android can accurately profile energy consumption and reveal the existence of energy malware.
DOI: https://doi.org/10.1145/2857705.2857738 (published 2016-03-09). Citations: 3
AspectDroid: Android App Analysis System
Aisha I. Ali-Gombe, Irfan Ahmed, G. Richard, Vassil Roussev
The growing threat to user privacy from Android applications (apps) has tremendously increased the need for more reliable and accessible app analysis systems. This paper presents AspectDroid, an application-level system designed to investigate Android applications for possible unwanted activities. AspectDroid is comprised of app instrumentation, automated testing and containment systems. Using static bytecode instrumentation, AspectDroid weaves monitoring code into an existing application and provides data-flow and sensitive-API-usage monitoring as well as dynamic instrumentation capabilities. The newly repackaged app is then executed either manually or via an automated testing module. Finally, the flexible containment provided by AspectDroid adds a layer of protection so that malicious activities can be prevented from affecting other devices. Tested on 105 DroidBench apps, AspectDroid detects tagged data with 95.29% accuracy. We further tested our system on 100 real malware families from the Drebin dataset [drebin2014]. Our analysis showed that AspectDroid incurs approximately 1 MB average total memory overhead and a 5.9% average increase in CPU usage.
AspectDroid: Android App Analysis System. Aisha I. Ali-Gombe, Irfan Ahmed, G. Richard, Vassil Roussev. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, published 2016-03-09. DOI: 10.1145/2857705.2857739 (https://doi.org/10.1145/2857705.2857739)
Citations: 41
Program-object Level Data Flow Analysis with Applications to Data Leakage and Contamination Forensics
Gaoyao Xiao, Jun Wang, Peng Liu, Jiang Ming, Dinghao Wu
We introduce a novel Data Flow Analysis (DFA) technique, called PoL-DFA (Program-object Level Data Flow Analysis), to analyze the dynamic data flows of server programs. PoL-DFA symbolically analyzes every instruction in the execution trace of a process to keep track of the data flows among program objects (e.g., integers, structures, arrays), and concatenates these pieces of data flows to obtain the overall data flow graph of the execution. We leverage PoL-DFA to identify malicious data flows in data leakage and contamination forensics. In two mocked digital forensic scenarios, for data leakage and contamination respectively, we tested the ability of PoL-DFA to identify data flows among multiple inputs and outputs of server programs. Our results show that PoL-DFA can accurately determine whether the data (or the processed results) from a source file or socket flow to a certain output channel. Based on this information, security administrators can pinpoint the path of data leakage or data contamination. Unlike existing dynamic DFA techniques that require an excessive amount of instrumentation, PoL-DFA only requires logging the execution traces of the processes being monitored. The measured performance overhead for server programs is 4.24% on average. The results indicate that PoL-DFA is a lightweight DFA solution for data leakage and contamination forensics.
Program-object Level Data Flow Analysis with Applications to Data Leakage and Contamination Forensics. Gaoyao Xiao, Jun Wang, Peng Liu, Jiang Ming, Dinghao Wu. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, published 2016-03-09. DOI: 10.1145/2857705.2857747 (https://doi.org/10.1145/2857705.2857747)
Citations: 6
Evaluating Analysis Tools for Android Apps: Status Quo and Robustness Against Obfuscation
Johannes Hoffmann, Teemu Rytilahti, Davide Maiorca, M. Winandy, G. Giacinto, Thorsten Holz
The recent past has shown that Android smartphones have become the most popular target for malware authors. Malware families offer a variety of features that allow, among others, stealing arbitrary data and causing significant monetary losses. These circumstances led to the development of many different analysis methods that aim to assess the absence of potential harm or malicious behavior in mobile apps. In return, malware authors devised more sophisticated methods to write mobile malware that attempts to thwart such analyses. In this work, we briefly describe the assumptions analysis tools rely on to detect malicious content and behavior. We then present results of a new obfuscation framework that aims to break such assumptions, thus modifying Android apps to avoid their being analyzed by the targeted systems. We use our framework to evaluate the robustness of static and dynamic analysis systems for Android apps against such transformations.
Evaluating Analysis Tools for Android Apps: Status Quo and Robustness Against Obfuscation. Johannes Hoffmann, Teemu Rytilahti, Davide Maiorca, M. Winandy, G. Giacinto, Thorsten Holz. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, published 2016-03-09. DOI: 10.1145/2857705.2857737 (https://doi.org/10.1145/2857705.2857737)
Citations: 19
Journal
Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy