Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Rasthofer, Siegfried; Arzt, Steven; Miltenberger, Marc; Bodden, Eric

doi:10.14722/ndss.2016.23066

Cited by 114 publications

(74 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Harvester [74] combines static and dynamic analyses to combat malware obfuscation. Resolution of reflective calls is done by the dynamic analysis.…”

Section: Related Workmentioning

confidence: 99%

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Landman

Serebrenik

Vinju

2017

2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Abstract-The behavior of software that uses the Java Reflection API is fundamentally hard to predict by analyzing code. Only recent static analysis approaches can resolve reflection under unsound yet pragmatic assumptions. We survey what approaches exist and what their limitations are. We then analyze how realworld Java code uses the Reflection API, and how many Java projects contain code challenging state-of-the-art static analysis.Using a systematic literature review we collected and categorized all known methods of statically approximating reflective Java code. Next to this we constructed a representative corpus of Java systems and collected descriptive statistics of the usage of the Reflection API. We then applied an analysis on the abstract syntax trees of all source code to count code idioms which go beyond the limitation boundaries of static analysis approaches. The resulting data answers the research questions. The corpus, the tool and the results are openly available.We conclude that the need for unsound assumptions to resolve reflection is widely supported. In our corpus, reflection can not be ignored for 78 % of the projects. Common challenges for analysis tools such as non-exceptional exceptions, programmatic filtering meta objects, semantics of collections, and dynamic proxies, widely occur in the corpus. For Java software engineers prioritizing on robustness, we list tactics to obtain more easy to analyze reflection code, and for static analysis tool builders we provide a list of opportunities to have significant impact on real Java code.Keywords-Java; Reflection; Static Analysis; Systematic Literature Review; Empirical Study I. I Static analysis techniques are applied to support the efficiency and quality of software engineering tasks. Be it for understanding, validating, or refactoring source code, pragmatic static analysis tools exist to reduce error-prone manual labor and to increase the comprehension of complex software artefacts.Static analysis of object-oriented code is an exciting, ongoing and challenging research area, made especially challenging by dynamic language features (a.k.a. reflection). The Java Reflection API allows programmers to dynamically inspect and interact with otherwise static language concepts such as classes, fields and methods, e.g., to dynamically instantiate objects, set fields and invoke methods. These dynamic language features are useful, but their usage also wreaks havoc on the accuracy of static analysis results. This is due to the undecidability of resolving dynamic names and dynamic types.Until 2005, the analysis of code which uses the Reflection API was considered to be out of bounds for static analysis, and handled via user annotations or dynamic analysis; handling reflection would inherently be either unsound (due to unverified assumptions) or highly inaccurate (due to over-approximation) and render the contemporary static analysis tools impractical. Then, in 2005 Livshits et al. [1] published an analysis of how reflection was used in six large Java projects...

show abstract

“…Harvester [74] combines static and dynamic analyses to combat malware obfuscation. Resolution of reflective calls is done by the dynamic analysis.…”

Section: Related Workmentioning

confidence: 99%

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Landman

Serebrenik

Vinju

2017

2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Runtime values extraction Harvester [32] is a new system intended to dynamically extract runtime values. Since it is based on a cyclical combination of slicing and code execution, it can extract values regardless of any possible encryption, obfuscation or other anti-analysis techniques applied to them.…”

Section: Related Workmentioning

confidence: 99%

GreatEatlon: Fast, Static Detection of Mobile Ransomware

Zheng

Dellarocca

Andronio

et al. 2017

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Ransomware is a class of malware that aim at preventing victims from accessing valuable data, typically via data encryption or device locking, and ask for a payment to release the target. In the past year, instances of ransomware attacks have been spotted on mobile devices too. However, despite their relatively low infection rate, we notice that the techniques used by mobile ransomware are quite sophisticated, and di↵erent from those used by ransomware against traditional computers.Through an in-depth analysis of about 100 samples of currently active ransomware apps, we conclude that most of them pass undetected by state-of-the-art tools, which are unable to recognize the abuse of benign features for malicious purposes. The main reason is that such tools rely on an inadequate and incomplete set of features. The most notable examples are the abuse of reflection and device-administration APIs, appearing in modern ransomware to evade analysis and detection, and to elevate their privileges (e.g., to lock or wipe the device). Moreover, current solutions introduce several false positives in the naïve way they detect cryptographic-APIs abuse, flagging goodware apps as ransomware merely because they rely on cryptographic libraries. Last but not least, the performance overhead of current approaches is unacceptable for appstore-scale workloads.In this work, we tackle the aforementioned limitations and propose GreatEatlon, a next-generation mobile ransomware detector. We foresee GreatEatlon deployed on the appstore side, as a preventive countermeasure. At its core, GreatEatlon uses static program-analysis techniques to "resolve" reflection-based, anti-analysis attempts, to recognize abuses of the device administration API, and extract accurate data-flow information required to detect truly malicious uses of cryptographic APIs. Given the significant resources utilized by GreatEatlon, we prepend to its core a fast pre-filter that quickly discards obvious goodware, in order to avoid wasting computer cycles.We tested GreatEatlon on thousands of samples of goodware, generic malware and ransomware applications, and showed that it surpasses current approaches both in speed and detection capabilities, while keeping the false negative rate below 1.3%.

show abstract

“…As indicated by [11], some sensitive runtime data (or parameter values of API methods) in Android apps can actually be used for identifying malicious apps. Indeed, as shown in Section III-C, many sensitive parameter values are actually used in many samples, making them good candidates for blacklisting.…”

Section: E Parameter Values For Malware Identificationmentioning

confidence: 99%

“…One of the most sophisticated ones is Harvester [11], which is dedicated to extract runtime values from any position in the Android code. Although it is not the focus, Harvester could be also leveraged to extract the parameter values from all the Android API methods in Android apps.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Parameter Values of Android APIs: A Preliminary Study on 100,000 Apps

Bissyandé

Klein

et al. 2016

2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)

View full text Add to dashboard Cite

Abstract-Parameter values are important elements for understanding how Application Programming Interfaces (APIs) are used in practice. In the context of Android, a few number of API methods are used pervasively by millions of apps, where these API methods provide app core functionality. In this paper, we present preliminary insights from ParamHarver, a purely static analysis approach for automatically extracting parameter values from Android apps. Investigations on 100,000 apps illustrate how an in-depth study of parameter values can be leveraged in various scenarios (e.g., to recommend relevant parameter values, or even, to some extent, to identify malicious apps).

show abstract

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Cited by 114 publications

References 47 publications

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

Challenges for Static Analysis of Java Reflection - Literature Review and Empirical Study

GreatEatlon: Fast, Static Detection of Mobile Ransomware

Parameter Values of Android APIs: A Preliminary Study on 100,000 Apps

Contact Info

Product

Resources

About