ABSTRACT
We present sandbox mining, a technique to confine an application to resources accessed during automatic testing. Sandbox mining first explores software behavior by means of automatic test generation, and extracts the set of resources accessed during these tests. This set is then used as a sandbox, blocking access to resources not used during testing. The mined sandbox thus protects against behavior changes such as the activation of latent malware, infections, targeted attacks, or malicious updates.
The use of test generation makes sandbox mining a fully automatic process that can be run by vendors and end users alike. Our BOXMATE prototype requires less than one hour to extract a sandbox from an Android app, with few to no confirmations required for frequently used functionality.
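As an added example (not BOXMATE's code), the two phases described above in Python over a constructed access log: mining collects every resource the generated tests touched, and enforcement lets those through while any resource unseen during testing is blocked by default or confirmed once. The log format and the use of Android permission names as resource identifiers are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Constructed access logs (not BOXMATE output). Assumed format: "<test-or-run id> <resource>",
# where a resource is named after the Android permission guarding the API that was called.
MINING_LOG = """\
test_0001 android.permission.INTERNET
test_0001 android.permission.ACCESS_FINE_LOCATION
test_0002 android.permission.INTERNET
test_0003 android.permission.CAMERA
"""
RUNTIME_LOG = """\
run android.permission.INTERNET
run android.permission.READ_CONTACTS
run android.permission.SEND_SMS
run android.permission.READ_CONTACTS
run android.permission.CAMERA
"""

def resources(log: str) -> list[str]:
    """Resource column of each non-empty log line."""
    return [line.split(maxsplit=1)[1] for line in log.splitlines() if line.strip()]

def mine_sandbox(log: str) -> frozenset[str]:
    """Mining phase: everything the generated tests touched becomes the allow set."""
    return frozenset(resources(log))

@dataclass
class MinedSandbox:
    allowed: frozenset[str]
    decisions: dict[str, bool] = field(default_factory=dict)  # answers for unseen resources
    blocked: list[str] = field(default_factory=list)

    def check(self, resource: str, confirm: Callable[[str], bool]) -> bool:
        """Enforcement phase: allow mined resources; ask once about anything else."""
        if resource in self.allowed:
            return True
        if resource not in self.decisions:          # first sight: one confirmation prompt
            self.decisions[resource] = bool(confirm(resource))
        if not self.decisions[resource]:
            self.blocked.append(resource)
        return self.decisions[resource]

def enforce(sandbox: MinedSandbox, log: str,
            confirm: Callable[[str], bool] = lambda r: False) -> list[tuple[str, bool]]:
    """Replay a runtime log through the sandbox; the default policy denies unseen resources."""
    return [(r, sandbox.check(r, confirm)) for r in resources(log)]
```

Passing a `confirm` callback that records its calls shows that a resource not seen during mining prompts exactly once, however often it is accessed afterwards.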