Posts by Collection


AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations

Published in Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS), 2013

This work applies protocol verification to detect vulnerabilities in web protocols.

Recommended citation: Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. (2013). "AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations." Proceedings of the 20th Annual Network and Distributed System Security Symposium


Mystique: Evolving Android Malware for Auditing Anti-Malware Tools

Published in Xi'an, China, 2016

In the arms race between attackers and defenders, defense is usually more challenging than attack because of unpredicted vulnerabilities and new attacks emerging every day. Currently, most existing malware detection solutions are proposed individually to address certain types of attacks or certain evasion techniques. Thus, it is desirable to conduct a systematic investigation and evaluation of anti-malware solutions and tools based on different attacks and evasion techniques. In this paper, we first propose a meta model for Android malware to capture the common attack features and evasion features in the malware. Based on this model, we develop a framework, MYSTIQUE, to automatically generate malware covering four attack features and two evasion features, by adopting the software product line engineering approach. With the help of MYSTIQUE, we conduct experiments to 1) understand Android malware and the associated attack features as well as evasion techniques; 2) evaluate and compare the 57 off-the-shelf anti-malware tools, 9 academic solutions and 4 App market vetting processes in terms of accuracy in detecting attack features and capability in addressing evasion. Last but not least, we provide a benchmark of Android malware with proper labeling of the contained attack and evasion features.

Semantic Modelling of Android Malware for Malware Comprehension, Detection, and Classification

Published in Saarland University, Germany, 2016

Malware has posed a major threat to the Android ecosystem. Existing malware detection tools mainly rely on signature- or feature-based approaches, failing to provide detailed information beyond the mere detection. In this work, we propose a precise semantic model of Android malware based on Deterministic Symbolic Automaton (DSA) for the purpose of malware comprehension, detection and classification. We show that DSA can capture the common malicious behaviors of a malware family, as well as the malware variants. Based on DSA, we develop an automatic analysis framework, named SMART, which learns DSA by detecting and summarizing semantic clones from malware families, and then extracts semantic features from the learned DSA to classify malware according to the attack patterns. We conduct experiments on both a malware benchmark and 223,170 real-world apps. The results show that SMART builds meaningful semantic models and outperforms both state-of-the-art approaches and anti-virus tools in malware detection. SMART identifies 4583 new malware in real-world apps that are missed by most anti-virus tools. The classification step further identifies new malware variants and unknown families.

Ensuring Android Security: From Malware Detection, Antivirus Software Assessment, to Android Security Testing

Published in University of Beihang, Beijing, China, 2017

Due to the wide use of mobile devices, the security issues on these devices have become more serious and harmful. Improving Android security, for example through malware detection and vulnerability detection, is a non-trivial task. This talk will explain three key works dedicated to addressing security problems in Android: malware detection, performance assessment of anti-malware tools, and Android security testing. The talk starts with the study of malware detection, in which we propose a semantic model to represent malicious behaviors in Android malware, and combine static analysis and machine learning to detect malware in an accurate and efficient manner. Then, we conducted another work to assess the performance of existing anti-malware tools by automatically generating a large number of Android malware. We identified many weaknesses of these anti-malware tools, and proposed several recommendations for improving their performance. Last, we propose a dynamic-analysis-based approach to explore bugs hidden deep in the code of Android apps.

Guided, Stochastic Model-based GUI Testing of Android Apps

Published in University of Luxembourg, Luxembourg, 2017

Mobile apps are ubiquitous, operate in complex environments and are developed under time-to-market pressure. Ensuring their correctness and reliability thus becomes an important challenge. This paper introduces Stoat, a novel guided approach to perform stochastic model-based testing on Android apps. Stoat operates in two phases: (1) Given an app as input, it uses dynamic analysis enhanced by a weighted UI exploration strategy and static analysis to reverse engineer a stochastic model of the app’s GUI interactions; and (2) it adapts Gibbs sampling to iteratively mutate/refine the stochastic model and guides test generation from the mutated models toward achieving high code and model coverage and exhibiting diverse sequences. During testing, system-level events are randomly injected to further enhance the testing effectiveness.

Taming the Stubborn in Android Apps: Malware, Crashes, and Vulnerabilities

Published in Tianjin University & Southern University of Science and Technology, Shenzhen, Guangdong, 2017

Mobile apps are now ubiquitous, and they have penetrated every corner of end users' lives. However, security issues within these apps may cause more serious damage than ever. Researchers and practitioners have been striving to improve the security of mobile apps and reduce security risks. However, the results obtained are still far from satisfactory. This talk will introduce our recent work aiming to achieve this target. First, this talk starts with our research on Android malware, in which we studied the semantic representation of malware, detection technologies, and the evaluation of contemporary anti-malware tools. Second, this talk will briefly cover recent work on automated app testing, including our dynamic app testing technique, crash analysis and root cause identification. Third, this talk will introduce our work on app vulnerability analysis and detection. Last but not least, I would like to share ongoing work for potential collaboration.