Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Dong-Hoon Shin,Shibo He,Junshan Zhang

DOI: https://doi.org/10.1109/tnet.2015.2403862

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:Cyber-Physical Systems (CPS) are emerging as the underpinning technology for major industries in this century. Wide-area monitoring and control is an essential ingredient of CPS to ensure reliability and security. Traditionally, a hierarchical system has been used to monitor and control remote devices deployed in a large geographical region. However, a general consensus is that such a hierarchical system can be highly vulnerable to component (i.e., nodes and links) failures, calling for a robust and cost-effective communication system for CPS. To this end, we consider a middleware approach to leverage the existing commercial communication infrastructure (e.g., Internet and cellular networks) with abundant connectivity. In this approach, a natural question is how to use the middleware to cohesively "glue" the physical system and the commercial communication infrastructure together, in order to enhance robustness and cost-effectiveness. We tackle this problem while taking into consideration two different cases of middleware deployment: single-stage and multi-stage deployments. We design offline and online algorithms for these two cases, respectively. We show that the offline algorithm achieves the best possible approximation ratio while the online algorithm attains the order-optimal competitive ratio. We also demonstrate the performance of our proposed algorithms through simulations.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

GUAN Yun-tao,DUAN Hai-xin

2009-01-01

Abstract:With the application of polymorphism,metamorphism and packing techniques,the analysis and detection of modern malware becomes more difficult.Manual malware analysis fails to handle this situation due to its unacceptable cost and human force involvement.The author design and implement an automated malware dynamic analysis system named MwDAS using kernel hooking and filter driver technologies,which can automatically analyze malware sample,extract and detail malware's behaviors into a well-organized report.The experiment shows that MwDAS can dramatically improve the analysis efficiency.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Dong-Hoon Shin,Shibo He,Junshan Zhang

DOI: https://doi.org/10.1109/INFOCOM.2014.6848232

2014-01-01

Abstract:Wide-area monitoring, protection and control (WAMPAC) plays a critical role in smart grid, for protection against possible contingencies, by using the Supervisory Control and Data Acquisition (SCADA) system. However, a general consensus is that such a hierarchical system can be highly vulnerable to component (i.e., nodes and links) failures, calling for a robust and cost-effective communication system for smart grid. To this end, we consider a middleware approach to leverage the existing commercial communication infrastructure with abundant connectivity. In this approach, a natural question is how to use the middleware to cohesively “glue” the power grid and the commercial communication infrastructure together, in order to enhance robustness and cost-effectiveness. We tackle this problem while taking into consideration the multi-stage deployment of power devices and their redundant connections. We show that this problem can be cast as a minimum-cost middleware design under incremental deployment-an “online” problem where the input is provided gradually due to the incremental deployment. We design a randomized “online” algorithm, and show that it achieves the order-optimal average competitive ratio. Simulation results demonstrate the performance of our proposed algorithm, compared to the optimal offline solution.

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Gang Huang,Weihu Wang,Tiancheng Liu,Hong Mei

DOI: https://doi.org/10.1016/j.jss.2011.02.008

2013-01-01

Quality Engineering

Abstract:Being a popular runtime infrastructure in the era of Internet, middleware provides more and more services to support the development, deployment and management of distributed systems. At the same time, the reliability of middleware services has a significant impact on the overall reliability of the system. Different services have different impacts and different service fault-tolerance solutions have different costs and risks. Therefore, the identification of the services that greatly affect the whole system reliability is the major obstacle to achieving reliable middleware-based systems. In this paper, we present an analytical framework to automatically reason and quantify such impacts when deploying the target system. In this framework, faults are represented by exceptions in modern programming languages; service failures are simulated by software fault injection; reliability impacts are measured by scenarios. This framework is demonstrated on multiple JEE application servers, including JBoss, JonAS and PKUAS. The experiments on two JEE blueprint applications, namely JPS and ECperf, show the feasibility, the applicability and the usability of this framework.

Gang Huang,Weihu Wang,Tiancheng Liu,Hong Mei

2013-01-01

Quality Engineering

Abstract:Being a popular runtime infrastructure in the era of Internet, middleware provides more and more services to support the development, deployment and management of distributed systems. At the same time, the reliability of middleware services has a significant impact on the overall reliability of the system. Different services have different impacts and different service fault-tolerance solutions have different costs and risks. Therefore, the identification of the services that greatly affect the whole system reliability is the major obstacle to achieving reliable middleware-based systems. In this paper, we present an analytical framework to automatically reason and quantify such impacts when deploying the target system. In this framework, faults are represented by exceptions in modern programming languages; service failures are simulated by software fault injection; reliability impacts are measured by scenarios. This framework is demonstrated on multiple JEE application servers, including JBoss, JonAS and PKUAS. The experiments on two JEE blueprint applications, namely JPS and ECperf, show the feasibility, the applicability and the usability of this framework.

Pingyan Wang,Shaoying Liu

DOI: https://doi.org/10.1142/s0218194024500013

IF: 1.007

2024-02-23

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. Pointer analysis is the underlying technique of many static analysis tools for vulnerability discovery. It has proved to be effective in identifying a variety of vulnerabilities, such as buffer overflow vulnerabilities and injection vulnerabilities. However, most existing pointer analysis approaches require whole-program availability, i.e. the program to be analyzed should be complete, which may hinder a timely analysis during the coding phase. In this paper, we present two approaches, exhaustive and demand-driven pointer analyses, both of which are applied to a paradigm known as Human–Machine Pair Programming. The ideas enable us to discover security flaws as early as in the coding phase. In this paper, we describe in detail how our approaches maintain flow sensitivity and propagate points-to and taint information in an incremental fashion. We conduct an evaluation of our approaches on SecuriBench Micro and show that the approaches can capture all the potential vulnerabilities in the test cases, though several false alarms are reported.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Yu-jia ZHANG,Jian-min PANG,Zheng ZHANG,Jiang-xing WU

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.02.037

2018-01-01

Abstract:With the development of reverse engineering,the software industry has suffered a great loss from the software piracy and malicious attack for a long time.Code obfuscation techniques which can hide specific function of a program from malicious analysis for malware is thus frequently employed to mitigate this risk.However,most of the existing obfuscation methods are language embedded and depend on the target architecture,this paper proposed a method of compile-time obfuscation,and further presented a prototype implementedation based on the LLVM compiler infrastructure.Furthermore,this paper implemented a mimic security defence system which is free from malicious attack with the software diversity method.

Yong-gang LIU,Min LI,Qian-xiang WANG,Hong MEI

2007-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Runtime software monitoring and analyzing is not only the approach to improve the quality of software, but also the basis of adaptive software. This paper proposes a pattern-based declarative approach to specify constraints. Based on this approach we implemented a runtime monitoring and analyzing framework on J2EE middleware PKUAS. The most special points of the framework are the flexibility of deploying probes and business logic oriented monitoring. In the end, the paper describes the implementation details and evaluation result of the framework.

Oliver Schranz,Sebastian Weisgerber,Erik Derr,Michael Backes,Sven Bugiel

DOI: https://doi.org/10.48550/arXiv.2110.05619

2021-10-12

Abstract:The Android middleware, in particular the so-called systemserver, is a crucial and central component to Android's security and robustness. To understand whether the systemserver provides the demanded security properties, it has to be thoroughly tested and analyzed. A dedicated line of research focuses exclusively on this task. While static analysis builds on established tools, dynamic testing approaches lack a common foundation, which prevents the community from comparing, reproducing, or even re-using existing results from related work. This raises questions about whether the underlying approach of any proposed solution is the only possible or optimal one, if it can be re-used as a building block for future analyses, or whether results generalize. In this work, we argue that in order to steer away from incompatible custom toolchains and towards having comparable analyses with reproducible results, a more principled approach to dynamically analyzing the Android system is required. As an important first step in this direction, we propose a unified dynamic analysis platform that provides re-usable solutions for common challenges as the building blocks for future analyses and allows to compare different approaches under the same assumptions.

Cryptography and Security

Hung-Min Sun,Hsun Wang,King-Hang Wang,Chien-Ming Chen

DOI: https://doi.org/10.1109/tc.2011.46

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

Wenqi Bu,Minhui Xue,Lihua Xu,Yajin Zhou,Zhushou Tang,Tao Xie

DOI: https://doi.org/10.1145/3106237.3117764

2017-08-21

Abstract:Despite recent progress in program analysis techniques to identify vulnerabilities in Android apps, significant challenges still remain for applying these techniques to large-scale industrial environments. Modern software-security providers, such as Qihoo 360 and Pwnzen (two leading companies in China), are often required to process more than 10 million mobile apps at each run. In this work, we focus on effectively and efficiently identifying vulnerable usage of Internet sockets in an industrial setting. To achieve this goal, we propose a practical hybrid approach that enables lightweight yet precise detection in the industrial setting. In particular, we integrate the process of categorizing potential vulnerable apps with analysis techniques, to reduce the inevitable human inspection effort. We categorize potential vulnerable apps based on characteristics of vulnerability signatures, to reduce the burden on static analysis. We flexibly integrate static and dynamic analyses for apps in each identified family, to refine the family signatures and hence target on precise detection. We implement our approach in a practical system and deploy the system on the Pwnzen platform. By using the system, we identify and report potential vulnerabilities of 24 vulnerable apps (falling into 3 vulnerability families) to their developers, and some of these reported vulnerabilities are previously unknown. The apps of each vulnerability family in total have over 50 million downloads. We also propose countermeasures and highlight promising directions for technology transfer.

CHEN Hao,SUN Hui,XU Chang,MA Xiao-xing

DOI: https://doi.org/10.3969/j.issn.1002-137X.2012.10.026

2012-01-01

Computer Science

Abstract:Robot middleware systems facilitate the development of self-adaptive robot applications by providing a set of high-level sensor/actuator APIs that Abstract and hide the heterogeneity of different hardware platforms.We presented a middleware infrastructure supporting self-adaptive programming on mobile robot systems.It aims to cope with cross-platform issues and provide guarantee for the service quality in terms of a set of Abstracted and quality-guaranteed APIs.We used this middleware infrastructure to support the development of self-adaptive applications on mobile robot systems,so that it could provide a consistent level of QoS guarantee despite of the varying physical differences among different robot car systems.Our experimental evaluation reports promising results that the middleware can effectively support quality-guaranteed self-adaptive programming.

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Bhargava Shastry,Fabian Yamaguchi,Konrad Rieck,Jean-Pierre Seifert

DOI: https://doi.org/10.48550/arXiv.1508.04627

2016-04-07

Abstract:Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called Melange. Melange performs data and control flow analysis to diagnose potential security bugs, and outputs well-formatted bug reports that help developers understand and fix security bugs. Based on the intuition that real-world vulnerabilities manifest themselves across multiple parts of a program, Melange performs both local and global analyses. To scale up to large programs, global analysis is demand-driven. Our prototype detects multiple vulnerability classes in C and C++ code including type confusion, and garbage memory reads. We have evaluated Melange extensively. Our case studies show that Melange scales up to large codebases such as Chromium, is easy-to-use, and most importantly, capable of discovering vulnerabilities in real-world code. Our findings indicate that static analysis is a viable reinforcement to the software testing tool set.

Cryptography and Security,Programming Languages

Sanghoon Lee,James Tuck

DOI: https://doi.org/10.1145/2541228.2541237

IF: 1.444

2013-12-01

ACM Transactions on Architecture and Code Optimization

Abstract:Due to the importance of reliability and security, prior studies have proposed inlining metafunctions into applications for detecting bugs and security vulnerabilities. However, because these software techniques add frequent, fine-grained instrumentation to programs, they often incur large runtime overheads. In this work, we consider an automatic thread extraction technique for removing these fine-grained checks from a main application and scheduling them on helper threads. In this way, we can leverage the resources available on a CMP to reduce the latency and overhead of fine-grained checking codes. Our parallelization strategy extracts metafunctions from a single threaded application and executes them in customized helper threads—threads constructed to mirror relevant fragments of the main program’s behavior in order to keep communication and overhead low. To get good performance, we consider optimizations that reduce communication and balance work among many threads. We evaluate our parallelization strategy on Mudflap, a pointer-use checking tool in GCC. To show the benefits of our technique, we compare it to a manually parallelized version of Mudflap. We run our experiments on an architectural simulator with support for fast queueing operations. On a subset of SPECint 2000, our automatically parallelized code using static load balance is only 19% slower, on average, than the manually parallelized version on a simulated eight-core system. In addition, our automatically parallelized code using dynamic load balance is competitive, on average, to the manually parallelized version on a simulated eight-core system. Furthermore, all the applications except parser achieve better speedups with our automatic algorithms than with the manual approach. Also, our approach introduces very little overhead in the main program—it is kept under 100%, which is more than a 5.3× reduction compared to serial Mudflap.

computer science, theory & methods, hardware & architecture