Lingfeng Bao,Tien-Duy B. Le,David Lo

DOI: https://doi.org/10.1109/saner.2018.8330231

2018-01-01

Abstract:The popularity of Android platform on mobile devices has attracted much attention from many developers and researchers, as well as malware writers. Recently, Jamrozik et al. proposed a technique to secure Android applications referred to as mining sandboxes. They used an automated test case generation technique to explore the behavior of the app under test and then extracted a set of sensitive APIs that were called. Based on the extracted sensitive APIs, they built a sandbox that can block access to APIs not used during testing. However, they only evaluated the proposed technique with benign apps but not investigated whether it was effective in detecting malicious behavior of malware that infects benign apps. Furthermore, they only investigated one test case generation tool (i.e., Droidmate) to build the sandbox, while many others have been proposed in the literature. In this work, we complement Jamrozik et al.'s work in two ways: (1) we evaluate the effectiveness of mining sandboxes on detecting malicious behaviors; (2) we investigate the effectiveness of multiple automated test case generation tools to mine sandboxes. To investigate effectiveness of mining sandboxes in detecting malicious behaviors, we make use of pairs of malware and benign app it infects. We build a sandbox based on sensitive APIs called by the benign app and check if it can identify malicious behaviors in the corresponding malware. To generate inputs to apps, we investigate five popular test case generation tools: Monkey, Droidmate, Droidbot, GUIRipper, and PUMA. We conduct two experiments to evaluate the effectiveness and efficiency of these test case generation tools on detecting malicious behavior. In the first experiment, we select 10 apps and allow test case generation tools to run for one hour; while in the second experiment, we select 102 pairs of apps and allow the test case generation tools to run for one minute. Our experiments highlight that 75.5%-77.2% of malware in our dataset can be uncovered by mining sandboxes - showing its power to protect Android apps. We also find that Droidbot performs best in generating test cases for mining sandboxes, and its effectiveness can be further boosted when coupled with other test case generation tools.

Tien-Duy B. Le,Lingfeng Bao,David Lo,Debin Gao,Li

DOI: https://doi.org/10.1109/iceccs2018.2018.00014

2018-01-01

Abstract:Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase - occurring, for example, due to malicious code injection during an attack - can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Sebastian Neuner,Victor van der Veen,Martina Lindorfer,Markus Huber,Georg Merzdovnik,Martin Mulazzani,Edgar Weippl

DOI: https://doi.org/10.48550/arXiv.1410.7749

2014-10-29

Abstract:Expecting the shipment of 1 billion Android devices in 2017, cyber criminals have naturally extended their vicious activities towards Google's mobile operating system. With an estimated number of 700 new Android applications released every day, keeping control over malware is an increasingly challenging task. In recent years, a vast number of static and dynamic code analysis platforms for analyzing Android applications and making decision regarding their maliciousness have been introduced in academia and in the commercial world. These platforms differ heavily in terms of feature support and application properties being analyzed. In this paper, we give an overview of the state-of-the-art dynamic code analysis platforms for Android and evaluate their effectiveness with samples from known malware corpora as well as known Android bugs like Master Key. Our results indicate a low level of diversity in analysis platforms resulting from code reuse that leaves the evaluated systems vulnerable to evasion. Furthermore the Master Key bugs could be exploited by malware to hide malicious behavior from the sandboxes.

Cryptography and Security

Rasmi-Vlad Mahmoud,Marios Anagnostopoulos,Sergio Pastrana,Jens Myrup Pedersen

DOI: https://doi.org/10.1109/access.2024.3400167

IF: 3.9

2024-05-22

IEEE Access

Abstract:In cybersecurity, adversaries employ a myriad of tactics to evade detection and breach defenses. Malware remains a formidable weapon in their arsenal. To counter this threat, researchers unceasingly pursue dynamic analysis, which aims to comprehend and thwart established malware strains. This paper introduces an innovative methodology for dynamic malware analysis while critically evaluating prevailing technologies and their limitations. The proposed approach hinges on harnessing the capabilities of an open-source Security Information and Event Management (SIEM) toolset, namely the Elastic-Stack. This toolset is utilized to capture, structure, and analyze the behavioral patterns of malware without relying on any pre-existing sandbox framework. This augmentation facilitates a profound understanding of the activities exhibited by malware samples. With the help of the proposed ecosystem, we compile the AAU_MalData dataset that encompasses distinctly the benign and malicious behavior. Specifically, we analyzed the behavior of the 2,800 malware within a realistic network topology and systematically collected Windows event logs, which serve as a comprehensive record of the malware's actions. These event logs are precious as they are organized in a timestamped format, providing a chronological list of system activities, such as event descriptions, process and file details, and registry modifications. These are pivotal in comprehending the malware's functionality and repercussions on the compromised system. Furthermore, by incorporating the MITRE ATT&CK framework, we leveraged the event logs to correlate the malware's mode of operation, delve into its Command and Control operations, and investigate its persistence mechanisms, enabling a structured and practical approach to malware analysis. The AAU_MalData dataset, organized in a JSON format data structure, is offered to the research community first as a proof of concept to demonstrate the toolset's feasibility for dynamic malware analysis and second as a potential training ground for anti-malware mechanisms based on host and network Indicators of Compromise (IoCs).

computer science, information systems,telecommunications,engineering, electrical & electronic

Chengyu Song,Chao Qin,Jianwei Zhuge,Zhiyin Liang,Zhiyuan Ye

2009-01-01

Abstract:Malware is a major threat to the cyber world and the number of unique malware samples captured by antivirus software venders is making an explosive growth in recent years. To improve the malware analysis efficiency, researchers have developed several automated coarse-grained dynamic malware analysis systems, including Norman Sandbox, CWSandbox and TTAnalyze, etc. However, these systems' analysis capabilities still cannot compare with the growth of malware, because they rely on heavy virtual machines to build malware execution environments. To further improve the efficiency, this paper analyzes the bottlenecks in these systems and proposes two mechanisms, flash revert and VM fork to reduce the found overheads. Experiments on an OS-level VMM based prototype implementation (MwSandbox) show that the efficiency is improved at least an order of magnitude without losing analysis quality.

Chenglin Xie,Yujie Guo,Shaosen Shi,Yu Sheng,Xiarun Chen,Chengyang Li,Weiping Wen

DOI: https://doi.org/10.1109/trustcom53373.2021.00099

2021-01-01

Abstract:Sandbox is an excellent tool for dynamic malware analysis. However, the sandbox detection techniques are increasingly adopted to develop malwares, which has been a significant threat to sandbox analysis. These malwares can detect the running environment and show different behaviors in corresponding environments. So far, there have been several studies about countermeasures, but most of them concentrate on Windows OS. Environmental features in Linux sandbox have not been summarized yet. Besides, existing popular sandboxes can hardly combat against sandbox detecting techniques. In this paper, we focus on Linux sandbox. We firstly propose Linux environmental features from six aspects and implement an effective tool to collect features from running environment to tell the discrepancy among physical machine, virtual machine and sandbox. More importantly, we present EnvFaker, an effective method to reinforce Linux sandbox against environmental-sensitive malware. This method uses tracer to track child process and injected process, filters to intercept sandbox detecting behaviors, and emulator to disguise wear-and-tear and network environment. The experimental results further demonstrate that our method is effective against detecting techniques for Linux sandbox.

Francisco Handrick da Costa,Ismael Medeiros,Thales Menezes,João Victor da Silva,Ingrid Lorraine da Silva,Rodrigo Bonifácio,Krishna Narasimhan,Márcio Ribeiro

DOI: https://doi.org/10.48550/arXiv.2109.06613

2021-09-14

Abstract:The Android mining sandbox approach consists in running dynamic analysis tools on a benign version of an Android app and recording every call to sensitive APIs. Later, one can use this information to (a) prevent calls to other sensitive APIs (those not previously recorded) or (b) run the dynamic analysis tools again in a different version of the app -- in order to identify possible malicious behavior. Although the use of dynamic analysis for mining Android sandboxes has been empirically investigated before, little is known about the potential benefits of combining static analysis with the mining sandbox approach for identifying malicious behavior. As such, in this paper we present the results of two empirical studies: The first is a non-exact replication of a previous research work from Bao et al., which compares the performance of test case generation tools for mining Android sandboxes. The second is a new experiment to investigate the implications of using taint analysis algorithms to complement the mining sandbox approach in the task to identify malicious behavior. Our study brings several findings. For instance, the first study reveals that a static analysis component of DroidFax (a tool used for instrumenting Android apps in the Bao et al. study) contributes substantially to the performance of the dynamic analysis tools explored in the previous work. The results of the second study show that taint analysis is also practical to complement the mining sandboxes approach, improve the performance of the later strategy in at most 28.57%.

Cryptography and Security,Software Engineering

A. Sachenko,O. Savenko,P. Rehida,George Markowsky

DOI: https://doi.org/10.1109/DESSERT61349.2023.10416467

2023-10-13

Abstract:This paper deals with the problem of detecting the malware by using emulation approach. Modern malware include various avoid techniques, to hide its anomaly actions. Advantages of using sandbox and emulation technologies are described. Various anti-emulation techniques that are used in modern malware considered. Obfuscation as one primary approach to hide malware malicious actions described and discussed. State of emulator is presented, and the advantages of its usage are covered. Distributed model for malware detection is considered. Basic emulator and its current capabilities presented. Prepared files that represent malware are described. Experimental results for developed files that differs with included avoid techniques are presented. Disadvantages of proposed approach is described. Future research and sandbox improvement are described.

Computer Science

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security

Maysara Alhindi,Joseph Hallett

2024-05-14

Abstract:Sandboxing mechanisms allow developers to limit how much access applications have to resources, following the least-privilege principle. However, it's not clear how much and in what ways developers are using these mechanisms. This study looks at the use of Seccomp, Landlock, Capsicum, Pledge, and Unveil in all packages of four open-source operating systems. We found that less than 1% of packages directly use these mechanisms, but many more indirectly use them. Examining how developers apply these mechanisms reveals interesting usage patterns, such as cases where developers simplify their sandbox implementation. It also highlights challenges that may be hindering the widespread adoption of sandboxing mechanisms.

Software Engineering,Cryptography and Security

Yigitcan Kaya,Yizheng Chen,Shoumik Saha,Fabio Pierazzi,Lorenzo Cavallaro,David Wagner,Tudor Dumitras

2024-05-10

Abstract:Machine learning is widely used for malware detection in practice. Prior behavior-based detectors most commonly rely on traces of programs executed in controlled sandboxes. However, sandbox traces are unavailable to the last line of defense offered by security vendors: malware detection at endpoints. A detector at endpoints consumes the traces of programs running on real-world hosts, as sandbox analysis might introduce intolerable delays. Despite their success in the sandboxes, research hints at potential challenges for ML methods at endpoints, e.g., highly variable malware behaviors. Nonetheless, the impact of these challenges on existing approaches and how their excellent sandbox performance translates to the endpoint scenario remain unquantified.

Cryptography and Security

Olha Tarasova,P. Rehida,V. Orlenko,V. Martynyuk,T. Sochor

Abstract:The article proposes a model for distributed malware detection using sandbox technology. The analysis of modern malware detection tools and an overview of existing attacks were carried out. The justification of the selected detection method to be used by the model is carried out. Its main disadvantages are identified and the use of the distributed system as its solution is proposed. The key features of the use of heterogeneous computer systems for calculations and their adaptation to perform the task were considered. Detection of malware is proposed to be solved by analyzing the states of sandboxes, and evenly distributing these states among the computational elements of the system. Analysis how these states are changing will signal about potentially malicious software that uses anti-emulation techniques, thereby allowing the detection of malware. The basic set of levels of the proposed model is presented. The main tasks for the protection of calculations are defined, taking into account that the model will work in system with dynamical topology. The basic concept of load distribution between computing elements is proposed in order to ensure the synchronous operation of the system, taking into account the heterogeneity of the system. Two main strategies for protecting computing both at the level of computational elements and at the level of intermediate servers are defined. A basic algorithm for adding new elements to the system is proposed, and the use of a rating model is presented, which will ensure an appropriate level of protection of calculations.

Computer Science

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Vasilis Vouvoutsis,Fran Casino,Constantinos Patsakis

DOI: https://doi.org/10.48550/arXiv.2204.04084

2022-04-08

Abstract:Malware authors are continuously evolving their code base to include counter-analysis methods that can significantly hinder their detection and blocking. While the execution of malware in a sandboxed environment may provide a lot of insightful feedback about what the malware actually does in a machine, anti-virtualisation and hooking evasion methods may allow malware to bypass such detection methods. The main objective of this work is to complement sandbox execution with the use of binary emulation frameworks. The core idea is to exploit the fact that binary emulation frameworks may quickly test samples quicker than a sandbox environment as they do not need to open a whole new virtual machine to execute the binary. While with this approach, we lose the granularity of the data that can be collected through a sandbox, due to scalability issues, one may need to simply determine whether a file is malicious or to which malware family it belongs. To this end, we record the API calls that are performed and use them to explore the efficacy of using them as features for binary and multiclass classification. Our extensive experiments with real-world malware illustrate that this approach is very accurate, achieving state-of-the art outcomes with a statistically robust set of classification experiments while simultaneously having a relatively low computational overhead compared to traditional sandbox approaches. In fact, we compare the binary analysis results with a commercial sandbox, and our classification outperforms it at the expense of the fine-grained results that a sandbox provides.

Cryptography and Security

Jinqian Liang,Xiaohong Guan

2007-01-01

Abstract:A widely used technique for detecting malicious code is to execute potential malicious applications inside protection domains that enforce established security policies. These containers often referred to as sandboxes, come in a variety of forms. This paper presents a novel sandbox that can protect computer system from destruction while malicious code running. Our solution provides a general-purpose virtual environment for executing the untrusted applications. In this environment, malicious code has no opportunity to destroy the data in the storage devices or propagate itself through the network. Algorithms for protecting the disk data and simulating the network are given, and the experimental results of the sandbox are discussed.

Patrick Stöckle,Michael Sammereier,Bernd Grobauer,Alexander Pretschner

DOI: https://doi.org/10.1109/AST58925.2023.00013

2023-03-10

Abstract:Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality. This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.

Software Engineering

Bjorn De Sutter,Sebastian Schrittwieser,Bart Coppens,Patrick Kochberger

2024-05-01

Abstract:Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 571 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks and formulate a number of concrete recommendations for improving the evaluations reported in future research papers.

Cryptography and Security

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

Duc-Ly Vu,Trevor Dunlap,Karla Obermeier-Velazquez,Paul Gilbert,John Speed Meyers,Santiago Torres-Arias

2024-11-17

Abstract:Malicious attacks on open source software packages are a growing concern. This concern morphed into a panic-inducing crisis after the revelation of the XZ Utils backdoor, which would have provided the attacker with, according to one observer, a "skeleton key" to the internet. This study therefore explores the challenges of preventing and detecting malware in Linux distribution package repositories. To do so, we ask two research questions: (1) What measures have Linux distributions implemented to counter malware, and how have maintainers experienced these efforts? (2) How effective are current malware detection tools at identifying malicious Linux packages? To answer these questions, we conduct interviews with maintainers at several major Linux distributions and introduce a Linux package malware benchmark dataset. Using this dataset, we evaluate the performance of six open source malware detection scanners. Distribution maintainers, according to the interviews, have mostly focused on reproducible builds to date. Our interviews identified only a single Linux distribution, Wolfi OS, that performs active malware scanning. Using this new benchmark dataset, the evaluation found that the performance of existing open-source malware scanners is underwhelming. Most studied tools excel at producing false positives but only infrequently detect true malware. Those that avoid high false positive rates often do so at the expense of a satisfactory true positive. Our findings provide insights into Linux distribution package repositories' current practices for malware detection and demonstrate the current inadequacy of open-source tools designed to detect malicious Linux packages.

Cryptography and Security,Software Engineering