ABSTRACT
Phones today carry sensitive information and have a great number of ways to communicate that data. As a result, malware that steals money or information, or simply disables functionality, has appeared in the app stores. Current security solutions for preventing undesirable data leaks mostly impose high overhead and have not been practical enough for smartphones. In this paper, we show that by monitoring only a subset of instructions (memory loads and stores) it is possible to achieve low-overhead, highly accurate information flow tracking. Our method achieves 98% accuracy (0% false positives and 2% false negatives) on DroidBench and successfully caught seven real-world malware instances that steal the phone number, location, and device ID through SMS messages and HTTP connections.
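The abstract says the tracker observes only memory loads and stores. To make that trade-off concrete, the following toy tracker is an added illustration, not PIFT's algorithm or code: the mini instruction set, addresses, register names and sink names are all constructed for this example. It propagates taint through shadow memory on loads and stores, ignores ALU instructions unless asked to track them, and flags sinks that receive a tainted register. A leak that passes through a memory buffer is caught; a flow that stays in registers is missed, which is the kind of gap that produces false negatives. Whether PIFT's 2% stem from exactly that flow is not stated in the abstract.

```python
"""Toy shadow-memory taint tracker over a constructed instruction trace.

Added illustration only; it is not PIFT's algorithm or code. The mini
instruction set, addresses, register names and sink names are made up
for this example.
"""
from dataclasses import dataclass, field

# Constructed: memory holding sensitive values is tainted before execution.
SOURCE_ADDRS = {0x1000: "phone_number", 0x1008: "device_id"}
# Constructed: operations that transmit their register operand off the device.
SINKS = {"send_sms", "http_post"}


@dataclass
class TaintTracker:
    track_alu: bool = False          # False: observe loads and stores only
    mem_taint: set = field(default_factory=lambda: set(SOURCE_ADDRS))
    reg_taint: set = field(default_factory=set)
    leaks: list = field(default_factory=list)

    def step(self, index, ins):
        op, *args = ins
        if op == "load":             # load rd, addr   -> rd inherits memory taint
            rd, addr = args
            if addr in self.mem_taint:
                self.reg_taint.add(rd)
            else:
                self.reg_taint.discard(rd)
        elif op == "store":          # store addr, rs  -> addr inherits register taint
            addr, rs = args
            if rs in self.reg_taint:
                self.mem_taint.add(addr)
            else:
                self.mem_taint.discard(addr)
        elif op == "alu":            # alu rd, rs1, rs2 -> only observed if track_alu
            if self.track_alu:
                rd, *srcs = args
                if any(s in self.reg_taint for s in srcs):
                    self.reg_taint.add(rd)
                else:
                    self.reg_taint.discard(rd)
        elif op in SINKS:            # sink rs -> report if the operand is tainted
            (rs,) = args
            if rs in self.reg_taint:
                self.leaks.append((index, op, rs))
        else:
            raise ValueError(f"unknown instruction {op!r}")

    def run(self, trace):
        for i, ins in enumerate(trace):
            self.step(i, ins)
        return list(self.leaks)


def detect_leaks(trace, track_alu=False):
    """Run the trace and return (index, sink, register) for every tainted sink."""
    return TaintTracker(track_alu=track_alu).run(trace)


# Constructed trace: phone number copied through a buffer, then sent by SMS.
TRACE_VIA_MEMORY = [
    ("load", "r0", 0x1000),     # r0 = phone number
    ("store", 0x2000, "r0"),    # write into an outgoing message buffer
    ("load", "r1", 0x2000),     # read the buffer back into another register
    ("send_sms", "r1"),         # sink
]

# Constructed trace: phone number flows register to register, never via memory.
TRACE_VIA_REGISTERS = [
    ("load", "r0", 0x1000),     # r0 = phone number
    ("alu", "r2", "r0", "r1"),  # r2 = r0 + r1 (register-only propagation)
    ("http_post", "r2"),        # sink
]

if __name__ == "__main__":
    print("loads/stores only, via memory   :", detect_leaks(TRACE_VIA_MEMORY))
    print("loads/stores only, via registers:", detect_leaks(TRACE_VIA_REGISTERS))
    print("all instructions,  via registers:",
          detect_leaks(TRACE_VIA_REGISTERS, track_alu=True))
```

Running the block shows the load/store-only tracker reporting the SMS leak and staying silent on the register-only HTTP leak, while the ALU-aware run reports both; the cost of the second behaviour is instrumenting every instruction, which is the overhead the paper sets out to avoid.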
PIFT: Predictive Information-Flow Tracking
ASPLOS '16