CS SEMINAR

Android Malware Analysis using Targeted Execution

Speaker
Professor David Lie, University of Toronto
Chaired by
Dr LIANG Zhenkai, Associate Professor, School of Computing
liangzk@comp.nus.edu.sg

29 May 2019 Wednesday, 10:30 AM to 12:00 PM

Executive Classroom, COM2-04-02

Abstract:

Smartphone malware currently poses a serious threat to the security and safety of smartphone users. Mobile malware may target a user's financial accounts, hold data on their device for ransom, or secretly spy on their activities. In this talk, we examine two systems we have been working on that enable automated analysis of malware. A current challenge to malware analysis is scalability, as even trivial programs can have an enormous number of paths. Intellidroid addresses this by statically selecting paths likely to contain malicious activity and then generating "targeted" inputs that will drive execution down those paths. With this, Intellidroid is able to reduce the amount of work a dynamic analysis tool must do to analyze an Android application for malware by a factor of 20x. Our second system, TIRO, builds on Intellidroid to target paths that contain obfuscated code, and drives execution to obtain a fully deobfuscated version of the Android malware. In building TIRO, we discovered a new form of obfuscation used by Android malware and modern packers, which we call "runtime-based obfuscation", where the malware exploits the fact that it is running in the ART runtime and modifies the ART's state to further frustrate standard malware analysis efforts. On a corpus of malware labelled by human experts, TIRO is able to automatically reverse all malware obfuscation. When run on a corpus of 2000 malware samples from the wild, TIRO detects runtime-based obfuscation being used in 80% of the samples.
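The "targeted execution" idea in the abstract can be illustrated on a toy scale: enumerate the paths of a program statically, keep only those that end at a sensitive sink, and solve each kept path's branch conditions to obtain a concrete input that drives execution there. The Python below is an added, constructed example written for this page, not code from Intellidroid, TIRO, or the speaker's group. The control-flow graph, the `send_sms` sink label, the input names `x` and `y`, and the bounded brute-force "solver" are all assumptions standing in for the static analysis and constraint solving a real system would perform.

```python
"""Toy 'targeted execution': statically select paths that reach a sensitive
sink, then generate inputs that drive execution down exactly those paths.
Constructed illustration for this page; not Intellidroid or TIRO code."""
from itertools import product

# Constructed CFG of a tiny "app".  Each node maps to a list of
# (predicate over the inputs, successor node) edges; leaves are sinks.
CFG = {
    "entry": [(lambda i: i["x"] > 10, "check_y"),
              (lambda i: i["x"] <= 10, "benign")],
    "check_y": [(lambda i: i["y"] == i["x"] - 3, "send_sms"),
                (lambda i: i["y"] != i["x"] - 3, "log")],
    "benign": [],
    "log": [],
    "send_sms": [],
}

# Sinks an analyst wants exercised (assumed label for an SMS-sending API).
SENSITIVE_SINKS = {"send_sms"}


def all_paths(cfg, node="entry", prefix=()):
    """Enumerate every entry-to-leaf path as a tuple of node names."""
    path = prefix + (node,)
    if not cfg[node]:
        return [path]
    paths = []
    for _pred, succ in cfg[node]:
        paths.extend(all_paths(cfg, succ, path))
    return paths


def targeted_paths(cfg):
    """Static selection step: keep only paths ending at a sensitive sink."""
    return [p for p in all_paths(cfg) if p[-1] in SENSITIVE_SINKS]


def constraints(cfg, path):
    """Collect the branch predicates taken along a path (its path condition)."""
    preds = []
    for src, dst in zip(path, path[1:]):
        preds.append(next(pred for pred, succ in cfg[src] if succ == dst))
    return preds


def solve(preds, domain=range(0, 32)):
    """Bounded brute-force stand-in for an SMT solver: find inputs that
    satisfy every predicate on the path, or None if the path is infeasible."""
    for x, y in product(domain, repeat=2):
        inputs = {"x": x, "y": y}
        if all(pred(inputs) for pred in preds):
            return inputs
    return None


def toy_app(x, y):
    """Concrete program whose behaviour matches CFG; returns the sink reached."""
    if x > 10:
        if y == x - 3:
            return "send_sms"
        return "log"
    return "benign"


def generate_targeted_inputs(cfg=CFG):
    """Return (path, inputs) pairs, one per feasible sensitive path."""
    results = []
    for path in targeted_paths(cfg):
        inputs = solve(constraints(cfg, path))
        if inputs is not None:
            results.append((path, inputs))
    return results


def confirm(cfg=CFG):
    """Dynamic step: run the app on each generated input and record the sink
    actually reached, so the analyst only executes the paths of interest."""
    return [(toy_app(**inputs), inputs) for _, inputs in generate_targeted_inputs(cfg)]


if __name__ == "__main__":
    print("all paths:      ", len(all_paths(CFG)))
    print("targeted paths: ", len(targeted_paths(CFG)))
    for sink, inputs in confirm():
        print(f"input {inputs} reaches sink {sink}")
```

Of the three paths in the toy graph, only one ends at the sensitive sink, so the dynamic stage runs once instead of three times; the same ratio of selected to total paths is what produces the reduction in dynamic-analysis work the abstract describes, at a much larger scale and with a real constraint solver.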


Biodata:

David Lie received his BASc from the University of Toronto in 1998, and his MS and PhD from Stanford University in 2001 and 2004 respectively. He is currently a Professor in the Department of Electrical and Computer Engineering at the University of Toronto. He is known for his seminal work on the XOM architecture, which was an early precursor to modern trusted execution processor architectures such as ARM TrustZone and Intel SGX. He was the recipient of a best paper award at SOSP for this work. David is also a recipient of the MRI Early Researcher Award and the Connaught Global Challenge Award, and a previous holder of a Canada Research Chair. He developed the PScout Android permission mapping tool, whose datasets have been downloaded over 10,000 times and used in dozens of subsequent papers. David has served on various program committees, including OSDI and USENIX Security.