Article

FlowMiner: Automatic Summarization of Library Data-Flow for Malware Analysis

Authors:

Ganesh Ram Santhanam,

Suresh KothariAuthors Info & Claims

ICISS 2015: Proceedings of the 11th International Conference on Information Systems Security - Volume 9478

Pages 171 - 191

https://doi.org/10.1007/978-3-319-26961-0_11

Published: 16 December 2015 Publication History

Abstract

Malware often conceal their malicious behavior by making unscrupulous use of library APIs. Hence any accurate malware analysis must track data-flows not only through the application but also through the library. Libraries like Android 2 mLOC are too large to be analyzed repeatedly with each application, hence we need to compute data-flow summaries of libraries that are expressive enough to reveal possible malicious flows, and compact to be included in malware analysis along with each application.

We present FlowMiner, a novel approach to automatically extract the data-flow summary of a Java library, given its source or bytecode. FlowMiner's summaries are fine-grained, i.e., preserve key artifacts from the original library to enable accurate context, object, field, flow and type-sensitive malware analysis of applications in conjunction with the library. Unlike prior summarization techniques, FlowMiner resolves method calls to anonymous classesto a single target, making it more precise. FlowMiner's summaries are compact, e.g., contain only about a third fourth of the nodes edges, resp. in the data-flow semantics of recent versions of Android. FlowMiner's summaries are stored in XML, allowing any analysis tool to use them for analysis.

References

[1]

Automated program analysis for cybersecurity apac, July 2011. https://www.fbo.gov/index?s=opportunity&mode=form&id=a14e4533c2a44c3288b6a29fa6fc5841&tab=core&_cview=1

[2]

Android 4.4.4 kitkat, May 2015. http://www.android.com/versions/kit-kat-4-4/

[3]

Extensible common software graph, March 2015. http://ensoftatlas.com/wiki/Extensible_Common_Software_Graph

[4]

Ali, K., Lhoták, O.: Application-only call graph construction. In: Noble, J. ed. ECOOP 2012. LNCS, vol. 7313, pp. 688---712. Springer, Heidelberg 2012

Digital Library

[5]

Ali, K., Lhoták, O.: Averroes: whole-program analysis without the whole program. In: Castagna, G. ed. ECOOP 2013. LNCS, vol. 7920, pp. 378---400. Springer, Heidelberg 2013

Digital Library

[6]

Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. SIGPLAN Not. 496, 259---269 2014

Digital Library

[7]

Burnette, E.: Hello, Android: introducing Google's mobile development platform. Pragmatic Bookshelf 2009

Digital Library

[8]

Callahan, D.: The program summary graph and flow-sensitive interprocedual data flow analysis, vol. 23. ACM 1988

Digital Library

[9]

Cao, Y., Fratantonio, Y., Bianchi, A., Egele, M., Kruegel, C., Vigna, G., Chen, Y.: Edgeminer: Automatically detecting implicit control flow transitions through the android framework. 22nd Annual Network and Distributed System Security Symposium, NDSS San Diego, California, USA 2015

[10]

Chatterjee, R., Ryder, B.G., Landi, W.A.: Relevant context inference. In: ACM Symposium on Principles of Programming Languages, pp. 133---146. ACM 1999

Digital Library

[11]

Clapp, L., Anand, S., Aiken, A.: Modelgen: mining explicit information flow specifications from concrete executions. In: International Symposium on Software Testing and Analysis, pp. 129---140. ACM 2015

Digital Library

[12]

Deering, T.: April 2015. http://powerofpi.github.io/FlowMiner/

[13]

Deering, T., Kothari, S., Sauceda, J., Mathews, J.: Atlas: a new way to explore software, build analysis tools. In: Companion Proceedings of the International Conference on Software Engineering, pp. 588---591. ACM 2014

Digital Library

[14]

Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp. 3---14. ACM 2011

Digital Library

[15]

Grove, D., Chambers, C.: A framework for call graph construction algorithms. ACM Trans. Prog. Lang. Syst. TOPLAS 236, 685---746 2001

Digital Library

[16]

LaToza, T., Myers, B.: Visualizing call graphs. In: Visual Languages and Human-Centric Computing VL/HCC, Symposium on, pp. 117---124. IEEE 2011

[17]

Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Computer security applications conference, pp. 421---430. IEEE 2007

[18]

Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 49---61. ACM 1995

Digital Library

[19]

Rogers, R., Lombardo, J., Mednieks, Z., Meike, B.: Android Application Development: Programming with the Google SDK. O'Reilly Media, Inc., Sebastopol 2009

Digital Library

[20]

Rosen, S., Qian, Z., Mao, Z.M.: Appprofiler: a flexible method of exposing privacy-related behavior in android applications to end users. In: Proceedings of the ACM conference on Data and application security and privacy, pp. 221---232. ACM 2013

Digital Library

[21]

Rountev, A., Kagan, S., Marlowe, T.: Interprocedural dataflow analysis in the presence of large libraries. In: Mycroft, A., Zeller, A. eds. CC 2006. LNCS, vol. 3923, pp. 2---16. Springer, Heidelberg 2006

Digital Library

[22]

Rountev, A., Sharp, M., Xu, G.: IDE dataflow analysis in the presence of large object-oriented libraries. In: Hendren, L. ed. CC 2008. LNCS, vol. 4959, pp. 53---68. Springer, Heidelberg 2008

Digital Library

[23]

Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. In: Muchnick, S.S., Jones, N.D. eds. Program Flow Analysis: Theory and Applications, pp. 189---234. Prentice Hall, New York 1981

[24]

Yan, D., Xu, G., Rountev, A.: Rethinking soot for summary-based whole-program analysis. In: Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis, pp. 9---14. ACM 2012

Digital Library

[25]

Zhang, W., Ryder, B.: Constructing accurate application call graphs for java to model library callbacks. In: Sixth IEEE International Workshop on Source Code Analysis and Manipulation, SCAM 2006, pp. 63---74. IEEE 2006

Digital Library

[26]

Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy SP, pp. 95---109. IEEE 2012

Digital Library

Cited By

Salehnamadi NAlshayban AAhmed IMalek SGrundy JLe Goues CLo D(2020)ER catcherProceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3416639(324-335)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3416639
Yu XJin GChaudron MCrnkovic IChechik MHarman M(2018)Dataflow tunnelingProceedings of the 40th International Conference on Software Engineering10.1145/3180155.3180171(586-597)Online publication date: 27-May-2018
https://dl.acm.org/doi/10.1145/3180155.3180171

Recommendations

Interprocedural pointer alias analysis

We present practical approximation methods for computing and representing interprocedural aliases for a program written in a language that includes pointers, reference parameters, and recursion. We present the following contributions: (1) a framework ...
Side-effect analysis with fast escape filter
SOAP '12: Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis

Side-effect analysis is a fundamental static analysis used to determine the memory locations modified or used by each program entity. For the programs with pointers, the analysis can be very imprecise. To improve the precision of side-effect analysis, ...
Practical pointer aliasing analysis

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

ICISS 2015: Proceedings of the 11th International Conference on Information Systems Security - Volume 9478

December 2015

562 pages

ISBN:9783319269603

Editors:
Sushil Jajodia
Center for Secure Information Systems, Fairfax, USA
,
Chandan Mazumdar
Jadavpur University, Kolkata, India

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 16 December 2015

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Salehnamadi NAlshayban AAhmed IMalek SGrundy JLe Goues CLo D(2020)ER catcherProceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3416639(324-335)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3416639
Yu XJin GChaudron MCrnkovic IChechik MHarman M(2018)Dataflow tunnelingProceedings of the 40th International Conference on Software Engineering10.1145/3180155.3180171(586-597)Online publication date: 27-May-2018
https://dl.acm.org/doi/10.1145/3180155.3180171

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents