J.-F. Lalande

Experimenting with android malware requires to manipulate a large amount of samples and to chain multiple analyses. scripting such a sequence of analyses on a large malware dataset becomes a challenge: the analysis has to handle fails on the computer and crashes on the used smartphone, in case of dynamic analyses. we present a new tool, pymao, for handling such experiments on a regular desktop pc with the highest performance throughput. pymao helps to write sequences of analyses and handle partial experiments that should be restarted after a crash or continued with new unknown analyses. the tool also offers a post processing capability for generating number tables or bar graphs from the analyzed datasets.

Ten years ago, google released the first version of its new operating system: android. with an open market for third party applications, attackers started to develop malicious applications. researchers started new works too. inspired by previous techniques for windows or gnu/linux malware, a lot of papers introduced new ways of detecting, classifying, defeating android malware. in this paper, we propose to explore the technical difficulties of experimenting with android malware. these difficulties are encountered by researchers, each time they want to publish a solid experiment validating their approach. how to choose malware samples? how to process a large amount of malware? what happens if the experiment needs to execute dynamically a sample? the end of the paper presents the upcoming scientific challenges of the community interested in malware analysis.

Malicious android applications use clever techniques to hide their real intents from the user and avoid detection by security tools. they resort to code obfuscation and dynamic loading, or wait for special events on the system like reboot or wifi activation. therefore, promising approaches aim to locate, study and execute specific parts of android applications in order to monitor for suspicious behavior. they rely on control flow graphs (cfgs) to obtain execution paths towards sensitive codes. we claim here that these cfgs are incomplete because they do not take into consideration implicit control flow calls, i.e., those that occur when the android framework calls a method implemented in the application space. this article proposes a practical tool, gpfinder, exposing execution paths towards any piece of code considered as suspicious. gpfinder takes the android framework into account and considers explicit and implicit control flow calls to build cfgs. using gpfinder, we give global characteristics of application cfgs by studying a dataset of 14,224 malware and 2,311 goodware samples. we evaluate that 72.69\%of the analyzed malicious samples have at least one suspicious method reachable only through implicit calls.

Android malware authors use sophisticated techniques to hide the malicious intent of their applications. they use cryptography or obfuscation techniques to avoid detection during static analysis. they can also avoid detection during a dynamic analysis. frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. however, we believe that dynamic analysis methods give good results when they really monitor the malware execution. in this article, we propose a method to enhance the execution of the malicious code of unknown malware. we especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. in these cases, solely executing the malware is far from being sufficient. we propose to force the triggering of the malicious code by combining two contributions. first, we define an algorithm that automatically identifies potentially malicious code. second, we propose an enhanced monkey called grodddroid, that stimulates the gui of an application and forces the execution of some branching conditions if needed. the forcing is used by grodddroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. the source code for our experiments with grodddroid is released as free software. we have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by grodddroid. additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28\%.

Fault attacks can target smart card programs in order to disrupt an execution and gain an advantage over the data or the embedded functionalities. among all possible attacks, control flow attacks aim at disrupting the normal execution flow. identifying harmful control flow attacks as well as designing countermeasures at software level are tedious and tricky for developers. in this paper, we propose a methodology to detect harmful intra-procedural jump attacks at source code level and to automatically inject formally-proven countermeasures. the proposed software countermeasures defeat 100\%of attacks that jump over at least two c source code statements or beyond. experiments show that the resulting code is also hardened against unexpected function calls and jump attacks at assembly level.

Smart card software has to implement software countermeasures to face attacks. some of these attacks are physical disruptions of chip components that cause a misbehavior in the code execution. a successful functional attack may reveal a secret or grant an undesired authorization. in this paper, we propose to model fault attacks at source level and then simulate these attacks to find out which ones are harmful. after discussing the effects of physical attacks at assembly level and going back to their consequences at source code level, the paper focuses on control flow attacks. such attacks are good candidates for the proposed model that can be used to exhaustively test the robustness of the attacked program. on the bzip2 software, the paper's results show that up to 21\%of the assembly simulated control flow attacks are covered by the c model with 30 times less test cases.

Smart card programs are subject to physical attacks that disturb the execution of the embedded code. these attacks enable attackers to steal valuable information or to force a malicious behavior upon the attacked code. this paper proposes a methodology to check interval security properties on smart card source codes. the goal is to identify critical attacks that violate these security properties. the verification takes place at source-level and considers all possible attacks thanks to a proposed source-level model of physical attacks. the paper defines an equivalence relation between attacks and shows that a code can be divided into areas where attacks are equivalent. thus, verifying an interval security property considering all the possible attacks requires to verify as many codes as the number of equivalence classes. this paper provides a reduction algorithm to define the classes i.e. the minimal number of attacked codes that covers all possible attacks. the paper also proposes a solution to make the property verification possible for large codes or codes having unknown source parts.

Modern malware uses advanced techniques to hide from static and dynamic analysis tools. to achieve stealthiness when attacking a mobile device, an effective approach is the use of a covert channel built by two colluding applications to locally exchange data. since this process is tightly coupled with the used hiding method, its detection is a challenging task, also worsened by the very low transmission rates. as a consequence, it is important to investigate how to reveal the presence of malicious software by using general indicators such as the energy consumed by the device. in this perspective, the paper aims to spot malware covertly exchanging data by using two detection methods based on artificial intelligence tools such as neural networks and decision trees. to verify their effectiveness, seven covert channels have been implemented and tested over a measurement framework using android devices. experimental results show the feasibility and effectiveness of the proposed approach to detect the hidden data exchange between colluding applications.

Covert channels enable a policy-breaking communication not foreseen by a system's design. recently, covert channels in android were presented and it was shown that these channels can be used by malware to leak confidential information (e.g., contacts) between applications and to the internet. performance aspects as well as means to counter these covert channels were evaluated. in this paper, we present novel covert channel techniques linked to a minimized footprint to achieve a high covertness. therefore, we developed a malware that slowly leaks collected private information and sends it synchronously based on four covert channel techniques. we show that some of our covert channels do not require any extra permission and escape well know detection techniques like taintdroid. experimental results confirm that the obtained throughput is correlated to the user interaction and show that these new covert channels have a low energy consumption \textendash both aspects contribute to the stealthiness of the channels. finally, we discuss concepts for novel means capable to counter our covert channels and we also discuss the adaption of network covert channel features to android-based covert channels.

This paper presents a new monitoring tool called synema that helps to visualize different types of alerts from well-known security sensors. the architecture of the proposed tool is distributed and enables centralizing the collected information into a lightweight visualizer. the front-end proposes many display modes in order to give the ability to clearly see malicious activities and to be able to visually monitor information collected at system, network and user level in the hosts. the paper concludes with development perspectives about an auto-configurable plugin for visual correlation of attacks.

This technical report describes the implementation of exact and parametrized exponential algorithms, developed during the french anr agape during 2010-2012. the developed algorithms are distributed under the cecill license and have been written in java using the jung graph library.

This report introduces a java library whose objective is to provide tools for solving some network optimization problems and that may be used to write prototype software. we describe here the first step of the development which concerns algorithmic graph problems. this open source library named mascopt includes an implementation of a generic model of graph. this library has been designed with an object-oriented model and aims to be user friendly rather than focusing on speed of execution. we show how the model can be extended and dedicated to a user application by using simple object mechanism. we also present a basic description of the mascopt functionalities so that developers, who are familiar with objects, can use effectively for their own experimentations.