A Fine-Grained Dynamic Information Flow Analysis for Android Apps

Sankaran, Shyam

January 2017

Android has been steadily gaining popularity ever since its launch in 2008. One of the major factors for this is the easy availability of a large variety of apps. They range from simple apps such as calculator apps to apps which can help people maintain their schedules and thus man-age many aspects of their lives. In addition, a lot of free apps are available to the user thanks to the power of in-app purchases and advertisements. However, these also raise many security concerns. Apps are privy to a lot of private information regarding the user, such as his contacts, location, etc. It is essential to ascertain that apps do not leak such information to untrustworthy entities. In order to solve this problem, there have been many static and dynamic analyses which aim to track private data accessed or generated by the app to its destination. Such analyses are commonly known as Information Flow analyses. Dynamic analysis techniques, such as TaintDroid, tracks private information and alerts the user when it is accessed by speci c API calls. However, they do not track the path taken by the information, which can be useful in debugging and validation scenarios. The first key contribution of this thesis is a model to perform dynamic information ow analysis, inspired by FlowDroid and TaintDroid, which can retain path information of sensitive data in an efficient manner. The model instruments the app and uses path-edges to track the information flows during a dynamic run. We describe the data structure and transfer functions used, and the reasons for its design based on the challenges posed by the Android programming model and efficiency requirements. The second key contribution is the capability to trace the path taken by the sensitive information based on the information obtained during the analysis, as well as the capability to compliment static analyses such as FlowDroid with the output of this analysis. The tests conducted on the implemented model using DroidBench and GeekBench 3 show the precision and soundness of the analysis, and a performance overhead of 25% while real-world apps show negligible lag. All leaks seen in DroidBench where successfully tracked and were verified to be true positives. We tested the model on 10 real-world apps where we find on average about 16.4% of the total path-edges found by FlowDroid.

Android Apps

FlowDroid

TaintDroid

Computer Science

Caractérisation et détection de malware Android basées sur les flux d'information. / Characterization and detection of Android malware based on information flows

Andriatsimandefitra Ratsisahanana, Radoniaina

15 December 2014

Les flux d’information sont des transferts d’information entre les objets d’un environnement donné. À l’échelle du système, pour toute information appartenant à une application donnée, les flux impliquant cette information décrivent comment l’application propage ses données dans le système et l’ensemble de ces flux peut ainsi être considéré comme un profil comportemental de l’application. À cause du nombre croissant d’applications malveillantes, il est devenu nécessaire d’explorer des nouvelles techniques permettant de faciliter voir automatiser l’analyse et la détection de malware. Dans cette thèse, nous proposons ainsi une méthode pour caractériser et détecter les malware Android en nous basant sur les flux d’information qu’ils causent dans le système. Cette méthode repose sur deux autres contributions de la thèse : AndroBlare, la version Android d’un moniteur de flux d’information du nom de Blare, et les graphes de flux système, une structure de donnée représentant de manière compacte et humainement compréhensible les flux d’information observés. Nous avons évalué avec succès notre approche en construisant le profil de 4 malware différents et avons montré que ces profils permettaient de détecter l’exécution d’applications infectées par les malware dont on a un profil. / : Information flows are information exchanges between objects in a given environment. At system level, information flows involving data belonging to a given application describe how this application disseminates its data in the system and can be considered as behaviour based profile of the application. Because of the increasing number of Android malware, there is an urgent need to explore new approaches to analyse and detect Android malware. In this thesis, we thus propose an approach to characterize and detect Android malware based on information flows they cause in the system. This approach leverages two other contributions of the thesis which are AndroBlare, the Android version of an information flow monitor named Blare, and the system flow graph, a data structure to represent in a compact and human readable way the information flows observed by AndroBlare. We successfully evaluated our approach by building the profile of 4 different malware and showed that these profiles permitted to detect the execution of applications infected by malware for which we have computed a profile.

Malware Android

Analyse dynamique de malware

Sécurité Android

Suivi de flux d’information

Détection de malware

Android malware

Dynamic analysis of Android malware

Android security

Dynamic information flow tracking

Malware detection

378.242

Architectural Support For Improving Computer Security

Kong, Jingfei

01 January 2010

Computer security and privacy are becoming extremely important nowadays. The task of protecting computer systems from malicious attacks and potential subsequent catastrophic losses is, however, challenged by the ever increasing complexity and size of modern hardware and software design. We propose several methods to improve computer security and privacy from architectural point of view. They provide strong protection as well as performance efficiency. In our first approach, we propose a new dynamic information flow method to protect systems from popular software attacks such as buffer overflow and format string attacks. In our second approach, we propose to deploy encryption schemes to protect the privacy of an emerging non-volatile main memory technology - phase change memory (PCM). The negative impact of the encryption schemes on PCM lifetime is evaluated and new methods including a new encryption counter scheme and an efficient error correct code (ECC) management are proposed to improve PCM lifetime. In our third approach, we deconstruct two previously proposed secure cache designs against software data-cache-based side channel attacks and demonstrate their weaknesses. We propose three hardware-software integrated approaches as secure protections against those data cache attacks. Also we propose to apply them to protect instruction caches from similar threats. Furthermore, we propose a simple change to the update policy of Branch Target Buffer (BTB) to defend against BTB attacks. Our experiments show that our proposed schemes are both security effective and performance efficient.

dynamic information flow

buffer overflow

phase change memory

counter-mode encryption

wear leveling

secure cache designs

informing loads

Computer Sciences

Engineering