2019 - License

PyMaO is a python software that helps to develop reliable experiments with Android smartphones.

  • Orchestrating Android Malware Experiments
    Jean-François Lalande, Pierre Graux, Tomás Miranda Concepción
    27th IEEE International Symposium on the Modeling, Analysis, and Simulation of Computer and Telecommunication Systems MASCOTS 2019 IEEE Computer Society 433-4342019 doi
    Experimenting with android malware requires to manipulate a large amount of samples and to chain multiple analyses. scripting such a sequence of analyses on a large malware dataset becomes a challenge: the analysis has to handle fails on the computer and crashes on the used smartphone, in case of dynamic analyses. we present a new tool, pymao, for handling such experiments on a regular desktop pc with the highest performance throughput. pymao helps to write sequences of analyses and handle partial experiments that should be restarted after a crash or continued with new unknown analyses. the tool also offers a post processing capability for generating number tables or bar graphs from the analyzed datasets.



GroddDroid is a framework for executing automatically malware on a smartphone. GroddDroid tries to identify the suspicious code by scoring the methods of the malware. Then, GroddDroid executes the malware and triggers the graphical elements of the user interface. If the suspicious code has not not been triggered, GroddDroid can modify the bytecode in order to force the control flow to reach the suspicious code.

  • Android Malware Analysis: from technical difficulties to scientific challenges
    Jean-François Lalande
    International Conference on Information Technology and Communications Security SecITC 2018 LNCS 17-212018 doi url
    Ten years ago, google released the first version of its new operating system: android. with an open market for third party applications, attackers started to develop malicious applications. researchers started new works too. inspired by previous techniques for windows or gnu/linux malware, a lot of papers introduced new ways of detecting, classifying, defeating android malware. in this paper, we propose to explore the technical difficulties of experimenting with android malware. these difficulties are encountered by researchers, each time they want to publish a solid experiment validating their approach. how to choose malware samples? how to process a large amount of malware? what happens if the experiment needs to execute dynamically a sample? the end of the paper presents the upcoming scientific challenges of the community interested in malware analysis.
  • GPFinder: Tracking the Invisible in Android Malware
    Mourad Leslous, Valérie Viet Triem Tong, Jean-François Lalande, Thomas Genet
    12th International Conference on Malicious and Unwanted Software MALWARE 2017 IEEE Conputer Society 39-462017 doi url
    Malicious android applications use clever techniques to hide their real intents from the user and avoid detection by security tools. they resort to code obfuscation and dynamic loading, or wait for special events on the system like reboot or wifi activation. therefore, promising approaches aim to locate, study and execute specific parts of android applications in order to monitor for suspicious behavior. they rely on control flow graphs (cfgs) to obtain execution paths towards sensitive codes. we claim here that these cfgs are incomplete because they do not take into consideration implicit control flow calls, i.e., those that occur when the android framework calls a method implemented in the application space. this article proposes a practical tool, gpfinder, exposing execution paths towards any piece of code considered as suspicious. gpfinder takes the android framework into account and considers explicit and implicit control flow calls to build cfgs. using gpfinder, we give global characteristics of application cfgs by studying a dataset of 14,224 malware and 2,311 goodware samples. we evaluate that 72.69\%of the analyzed malicious samples have at least one suspicious method reachable only through implicit calls.
  • GroddDroid: A gorilla for triggering malicious behaviors
    A. Abraham, R. Andriatsimandefitra, A. Brunelat, J. F. Lalande, V. Viet Triem Tong
    2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015 MALWARE 2015 IEEE Computer Society 119-1272015 doi url
    Android malware authors use sophisticated techniques to hide the malicious intent of their applications. they use cryptography or obfuscation techniques to avoid detection during static analysis. they can also avoid detection during a dynamic analysis. frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. however, we believe that dynamic analysis methods give good results when they really monitor the malware execution. in this article, we propose a method to enhance the execution of the malicious code of unknown malware. we especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. in these cases, solely executing the malware is far from being sufficient. we propose to force the triggering of the malicious code by combining two contributions. first, we define an algorithm that automatically identifies potentially malicious code. second, we propose an enhanced monkey called grodddroid, that stimulates the gui of an application and forces the execution of some branching conditions if needed. the forcing is used by grodddroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. the source code for our experiments with grodddroid is released as free software. we have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by grodddroid. additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28\%.
    (best paper award)

CFI for C codes

2015 - License

CFI-C is a set of python programs that helps to inject control flow countermeasures into a C source code. These countermeasures enforce the flow of execution of the program and can defeat any jump attack of 2 C lines that would disrupt the normal flow of execution.

  • Software countermeasures for control flow integrity of smart card c codes
    Jean François Lalande, Karine Heydemann, Pascal Berthomé
    vol. 8713 European Symposium on Research in Computer Security ESORICS 2014 Springer International Publishing LNCS 200-2182014 doi url
    Fault attacks can target smart card programs in order to disrupt an execution and gain an advantage over the data or the embedded functionalities. among all possible attacks, control flow attacks aim at disrupting the normal execution flow. identifying harmful control flow attacks as well as designing countermeasures at software level are tedious and tricky for developers. in this paper, we propose a methodology to detect harmful intra-procedural jump attacks at source code level and to automatically inject formally-proven countermeasures. the proposed software countermeasures defeat 100\%of attacks that jump over at least two c source code statements or beyond. experiments show that the resulting code is also hardened against unexpected function calls and jump attacks at assembly level.
  • High Level Model of Control Flow Attacks for Smart Card Functional Security
    Pascal Berthome, Karine Heydemann, X. Kauffmann-Tourkestansky, Jean-Francois Lalande
    Seventh International Conference on Availability, Reliability and Security AReS 2012 IEEE Computer Society 224-2292012 doi url
    Smart card software has to implement software countermeasures to face attacks. some of these attacks are physical disruptions of chip components that cause a misbehavior in the code execution. a successful functional attack may reveal a secret or grant an undesired authorization. in this paper, we propose to model fault attacks at source level and then simulate these attacks to find out which ones are harmful. after discussing the effects of physical attacks at assembly level and going back to their consequences at source code level, the paper focuses on control flow attacks. such attacks are good candidates for the proposed model that can be used to exhaustively test the robustness of the attacked program. on the bzip2 software, the paper's results show that up to 21\%of the assembly simulated control flow attacks are covered by the c model with 30 times less test cases.
  • Attack model for verification of interval security properties for smart card C codes
    Pascal Berthomé, Karine Heydemann, Xavier Kauffmann-Tourkestansky, Jean-François Lalande
    5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security PLAS 2010 ACM 1-122010 doi url
    Smart card programs are subject to physical attacks that disturb the execution of the embedded code. these attacks enable attackers to steal valuable information or to force a malicious behavior upon the attacked code. this paper proposes a methodology to check interval security properties on smart card source codes. the goal is to identify critical attacks that violate these security properties. the verification takes place at source-level and considers all possible attacks thanks to a proposed source-level model of physical attacks. the paper defines an equivalence relation between attacks and shows that a code can be divided into areas where attacks are equivalent. thus, verifying an interval security property considering all the possible attacks requires to verify as many codes as the number of equivalence classes. this paper provides a reduction algorithm to define the classes i.e. the minimal number of attacked codes that covers all possible attacks. the paper also proposes a solution to make the property verification possible for large codes or codes having unknown source parts.


2015 - License

SteganoCC is a set of programs that helps to experiment with covert channels between two Android colluding applications. Additionally, it also provides a way to collect energy measurements for all Android processes using a modified version of PowerTutor.

  • Seeing the unseen: Revealing mobile malware hidden communications via energy consumption and artificial intelligence
    Luca Caviglione, Mauro Gaggero, Jean François Lalande, Wojciech Mazurczyk, Marcin Urbański
    IEEE Transactions on Information Forensics and Security vol. 11 4 TIFS IEEE Computer Society 799-8102016 doi url
    Modern malware uses advanced techniques to hide from static and dynamic analysis tools. to achieve stealthiness when attacking a mobile device, an effective approach is the use of a covert channel built by two colluding applications to locally exchange data. since this process is tightly coupled with the used hiding method, its detection is a challenging task, also worsened by the very low transmission rates. as a consequence, it is important to investigate how to reveal the presence of malicious software by using general indicators such as the energy consumed by the device. in this perspective, the paper aims to spot malware covertly exchanging data by using two detection methods based on artificial intelligence tools such as neural networks and decision trees. to verify their effectiveness, seven covert channels have been implemented and tested over a measurement framework using android devices. experimental results show the feasibility and effectiveness of the proposed approach to detect the hidden data exchange between colluding applications.
  • Hiding privacy leaks in Android applications using low-attention raising covert channels
    Jean-François Lalande, Steffen Wendzel
    First International Workshop on Emerging Cyberthreats and Countermeasures ECTCM 2014 IEEE Computer Society 701-7102013 doi url
    Covert channels enable a policy-breaking communication not foreseen by a system's design. recently, covert channels in android were presented and it was shown that these channels can be used by malware to leak confidential information (e.g., contacts) between applications and to the internet. performance aspects as well as means to counter these covert channels were evaluated. in this paper, we present novel covert channel techniques linked to a minimized footprint to achieve a high covertness. therefore, we developed a malware that slowly leaks collected private information and sends it synchronously based on four covert channel techniques. we show that some of our covert channels do not require any extra permission and escape well know detection techniques like taintdroid. experimental results confirm that the obtained throughput is correlated to the user interaction and show that these new covert channels have a low energy consumption – both aspects contribute to the stealthiness of the channels. finally, we discuss concepts for novel means capable to counter our covert channels and we also discuss the adaption of network covert channel features to android-based covert channels.


2011 - License

Synema is a lightweight SIEM that collects alerts from classical security sensors (Snort, P0f, SELinux, GRSecurity). A correlation plugin helps to detect attacks that trigger both system and networks alerts.

  • SYNEMA: visual monitoring of network and system security sensors
    Aline Bousquet, Patrice Clemente, Jean-François Lalande
    International Conference on Security and Cryptography SECRYPT 2011 SciTePress 375-3782011 doi url
    This paper presents a new monitoring tool called synema that helps to visualize different types of alerts from well-known security sensors. the architecture of the proposed tool is distributed and enables centralizing the collected information into a lightweight visualizer. the front-end proposes many display modes in order to give the ability to clearly see malicious activities and to be able to visually monitor information collected at system, network and user level in the hosts. the paper concludes with development perspectives about an auto-configurable plugin for visual correlation of attacks.

Graph algorithms

2012 - License

I have also contributed to development projects related to optimization in graphs:

  • Agape Library: an open source Java implementation of exponential or parametrized graph algorithms of the literature and developed during the French ANRAgape.
  • Mascopt Library: a set of tools for network optimization problems.

Two technical reports help to use these libraries:

  • Implementation of exponential and parametrized algorithms in the AGAPE project
    Pascal Berthomé, Jean-François Lalande, Vincent Levorato
    2012 url
    This technical report describes the implementation of exact and parametrized exponential algorithms, developed during the french anr agape during 2010-2012. the developed algorithms are distributed under the cecill license and have been written in java using the jung graph library.
  • Mascopt - A Network Optimization Library: Graph Manipulation
    Jean-François Lalande, Michel Syska, Yann Verhoeven
    2004 url
    This report introduces a java library whose objective is to provide tools for solving some network optimization problems and that may be used to write prototype software. we describe here the first step of the development which concerns algorithmic graph problems. this open source library named mascopt includes an implementation of a generic model of graph. this library has been designed with an object-oriented model and aims to be user friendly rather than focusing on speed of execution. we show how the model can be extended and dedicated to a user application by using simple object mechanism. we also present a basic description of the mascopt functionalities so that developers, who are familiar with objects, can use effectively for their own experimentations.

About Me

Nullam turpis vestibulum et sed dolore. Nulla facilisi. Sed tortor. lobortis commodo. More ...