DOI: 10.1145/2884781.2884782
research-article

Mining sandboxes

Published: 14 May 2016

ABSTRACT

We present sandbox mining, a technique to confine an application to resources accessed during automatic testing. Sandbox mining first explores software behavior by means of automatic test generation, and extracts the set of resources accessed during these tests. This set is then used as a sandbox, blocking access to resources not used during testing. The mined sandbox thus protects against behavior changes such as the activation of latent malware, infections, targeted attacks, or malicious updates.

The use of test generation makes sandbox mining a fully automatic process that can be run by vendors and end users alike. Our BOXMATE prototype requires less than one hour to extract a sandbox from an Android app, with few to no confirmations required for frequently used functionality.
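The two phases described in the abstract, as an added sketch that is not BOXMATE's code: a mining phase collects the resources touched by generated test runs, and an enforcement phase blocks anything outside that set. The trace format, the API and host names, and the choice to key URL-like resources by scheme and host are assumptions of this example; all traces are constructed.

```python
from urllib.parse import urlsplit

def abstract(access):
    """Reduce one (api, argument) access to the granularity the sandbox checks.
    Assumption of this sketch: URL-like arguments are keyed by scheme and
    host/authority; every other access is keyed by API name alone."""
    api, arg = access
    if arg and "://" in arg:
        parts = urlsplit(arg)
        return (api, f"{parts.scheme}://{parts.netloc}")
    return (api, None)

def mine(test_runs):
    """Mining phase: union of abstracted accesses over all generated test runs.
    Also returns how many new rules each run added, to show saturation."""
    rules, growth = set(), []
    for run in test_runs:
        before = len(rules)
        rules.update(abstract(a) for a in run)
        growth.append(len(rules) - before)
    return frozenset(rules), growth

def enforce(rules, trace):
    """Enforcement phase: allow what was seen during testing, block the rest."""
    return [("allow" if abstract(a) in rules else "block", a) for a in trace]

# Constructed traces: each run lists the sensitive accesses seen in one test.
TEST_RUNS = [
    [("net.connect", "https://api.example.test/v1/feed"), ("location.get", None)],
    [("net.connect", "https://api.example.test/v1/profile"),
     ("content.query", "content://com.android.contacts/data/1")],
    [("net.connect", "https://api.example.test/v1/feed")],
]
# Constructed post-deployment trace: one behaviour seen in testing, two new ones.
PRODUCTION = [
    ("net.connect", "https://api.example.test/v1/settings"),
    ("net.connect", "https://collector.example.test/upload"),
    ("sms.send", None),
]

RULES, GROWTH = mine(TEST_RUNS)
DECISIONS = enforce(RULES, PRODUCTION)

if __name__ == "__main__":
    print("new rules per test run:", GROWTH)
    for verdict, access in DECISIONS:
        print(f"{verdict:5} {access}")
```

The per-run growth dropping to zero is the signal that further testing adds no new rules; the granularity chosen in `abstract` decides whether an unseen path on a known host counts as a behavior change.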

Published in

ICSE '16: Proceedings of the 38th International Conference on Software Engineering
May 2016
1235 pages
ISBN: 9781450339001
DOI: 10.1145/2884781

Copyright © 2016 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 276 of 1,856 submissions, 15%
