-
Light up that Droid! On the Effectiveness of Static Analysis Features against App Obfuscation for Android Malware Detection
Authors:
Borja Molina-Coronado,
Antonio Ruggia,
Usue Mori,
Alessio Merlo,
Alexander Mendiburu,
Jose Miguel-Alonso
Abstract:
Malware authors have seen obfuscation as the mean to bypass malware detectors based on static analysis features. For Android, several studies have confirmed that many anti-malware products are easily evaded with simple program transformations. As opposed to these works, ML detection proposals for Android leveraging static analysis features have also been proposed as obfuscation-resilient. Therefor…
▽ More
Malware authors have seen obfuscation as the mean to bypass malware detectors based on static analysis features. For Android, several studies have confirmed that many anti-malware products are easily evaded with simple program transformations. As opposed to these works, ML detection proposals for Android leveraging static analysis features have also been proposed as obfuscation-resilient. Therefore, it needs to be determined to what extent the use of a specific obfuscation strategy or tool poses a risk for the validity of ML malware detectors for Android based on static analysis features. To shed some light in this regard, in this article we assess the impact of specific obfuscation techniques on common features extracted using static analysis and determine whether the changes are significant enough to undermine the effectiveness of ML malware detectors that rely on these features. The experimental results suggest that obfuscation techniques affect all static analysis features to varying degrees across different tools. However, certain features retain their validity for ML malware detection even in the presence of obfuscation. Based on these findings, we propose a ML malware detector for Android that is robust against obfuscation and outperforms current state-of-the-art detectors.
△ Less
Submitted 24 October, 2023;
originally announced October 2023.
-
Automatic Security Assessment of GitHub Actions Workflows
Authors:
Giacomo Benedetti,
Luca Verderame,
Alessio Merlo
Abstract:
The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved i…
▽ More
The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.
△ Less
Submitted 10 November, 2022; v1 submitted 7 August, 2022;
originally announced August 2022.
-
Attacking (and defending) the Maritime Radar System
Authors:
G. Longo,
E. Russo,
A. Armando,
A. Merlo
Abstract:
Operation of radar equipment is one of the key facilities used by navigators to gather situational awareness about their surroundings. With an ever increasing need for always-running logistics and tighter shipping schedules, operators are relying more and more on computerized instruments and their indications. As a result, modern ships have become a complex cyber-physical system in which sensors a…
▽ More
Operation of radar equipment is one of the key facilities used by navigators to gather situational awareness about their surroundings. With an ever increasing need for always-running logistics and tighter shipping schedules, operators are relying more and more on computerized instruments and their indications. As a result, modern ships have become a complex cyber-physical system in which sensors and computers constantly communicate and coordinate. In this work, we discuss novel threats related to the radar system, which is one of the most security-sensitive component on a ship. In detail, we first discuss some new attacks capable of compromising the integrity of data displayed on a radar system, with potentially catastrophic impacts on the crew' situational awareness or even safety itself. Then, we present a detection system aimed at highlighting anomalies in the radar video feed, requiring no modifications to the target ship configuration. Finally, we stimulate our detection system by performing the attacks inside of a simulated environment. The experimental results clearly indicate that the attacks are feasible, rather easy to carry out, and hard-to-detect. Moreover, they prove that the proposed detection technique is effective.
△ Less
Submitted 12 July, 2022;
originally announced July 2022.
-
LiDiTE: a Full-Fledged and Featherweight Digital Twin Framework
Authors:
Enrico Russo,
Gabriele Costa,
Giacomo Longo,
Alessandro Armando,
Alessio Merlo
Abstract:
The rising of the Cyber-Physical System (CPS) and the Industry 4.0 paradigms demands the design and the implementation of Digital Twin Frameworks (DTFs) that may support the quick build of reliable Digital Twins (DTs) for experimental and testing purposes. Most of the current DTF proposals allow generating DTs at a good pace but affect generality, scalability, portability, and completeness. As a c…
▽ More
The rising of the Cyber-Physical System (CPS) and the Industry 4.0 paradigms demands the design and the implementation of Digital Twin Frameworks (DTFs) that may support the quick build of reliable Digital Twins (DTs) for experimental and testing purposes. Most of the current DTF proposals allow generating DTs at a good pace but affect generality, scalability, portability, and completeness. As a consequence, current DTF are mostly domain-specific and hardly span several application domains (e.g., from simple IoT deployments to the modeling of complex critical infrastructures). Furthermore, the generated DTs often requires a high amount of computational resource to run. In this paper, we present LiDiTE, a novel DTF that overcomes the previous limitations by, on the one hand, supporting the building of general-purpose DTs at a fine-grained level, but, on the other hand, with a reduced resource footprint w.r.t. the current state of the art. We show the characteristics of the LiDiTE by building the DT of a complex and real critical infrastructure (i.e., the Smart Poligeneration Microgrid of the Savona Campus) and evaluating its resource consumption. The source code of LiDiTE, as well as the experimental dataset, is publicly available.
△ Less
Submitted 14 February, 2022;
originally announced February 2022.
-
PARIOT: Anti-Repackaging for IoT Firmware Integrity
Authors:
Luca Verderame,
Antonio Ruggia,
Alessio Merlo
Abstract:
IoT repackaging refers to an attack devoted to tampering with a legitimate firmware package by modifying its content (e.g., injecting some malicious code) and re-distributing it in the wild. In such a scenario, the firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, several existing solutions lack proper integrity verification, exposing firmwar…
▽ More
IoT repackaging refers to an attack devoted to tampering with a legitimate firmware package by modifying its content (e.g., injecting some malicious code) and re-distributing it in the wild. In such a scenario, the firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, several existing solutions lack proper integrity verification, exposing firmware to repackaging attacks. If this is not the case, they still require an external trust anchor (e.g., signing keys or secure storage technologies), which could limit their adoption in resource-constrained environments. In addition, state-of-the-art frameworks do not cope with the entire firmware production and delivery process, thereby failing to protect the content generated by the firmware producers through the whole supply chain. To mitigate such a problem, in this paper, we introduce PARIOT, a novel self-protecting scheme for IoT that allows the injection of integrity checks, called anti-tampering (AT) controls, directly into the firmware. The AT controls enable the runtime detection of repackaging attempts without needing external trust anchors or computationally expensive systems. PARIOT can be adopted on top of existing state-of-the-art solutions ensuring the widest compatibility with current IoT ecosystems and update frameworks. Also, we have implemented this scheme into PARIOTIC, a prototype to automatically protect C/C++ IoT firmware. The evaluation phase of 50 real-world firmware samples demonstrated the feasibility of the proposed methodology and its robustness against practical repackaging attacks without altering the firmware behavior or severe overheads.
△ Less
Submitted 10 July, 2023; v1 submitted 9 September, 2021;
originally announced September 2021.
-
Understanding Fuchsia Security
Authors:
Francesco Pagano,
Luca Verderame,
Alessio Merlo
Abstract:
Fuchsia is a new open-source operating system created at Google that is currently under active development. The core architectural principles guiding the design and development of the OS include high system modularity and a specific focus on security and privacy. This paper analyzes the architecture and the software model of Fuchsia, giving a specific focus on the core security mechanisms of this…
▽ More
Fuchsia is a new open-source operating system created at Google that is currently under active development. The core architectural principles guiding the design and development of the OS include high system modularity and a specific focus on security and privacy. This paper analyzes the architecture and the software model of Fuchsia, giving a specific focus on the core security mechanisms of this new operating system.
△ Less
Submitted 9 August, 2021;
originally announced August 2021.
-
You can't always get what you want: towards user-controlled privacy on Android
Authors:
Davide Caputo,
Francesco Pagano,
Giovanni Bottino,
Luca Verderame,
Alessio Merlo
Abstract:
Mobile applications (hereafter, apps) collect a plethora of information regarding the user behavior and his device through third-party analytics libraries. However, the collection and usage of such data raised several privacy concerns, mainly because the end-user - i.e., the actual owner of the data - is out of the loop in this collection process. Also, the existing privacy-enhanced solutions that…
▽ More
Mobile applications (hereafter, apps) collect a plethora of information regarding the user behavior and his device through third-party analytics libraries. However, the collection and usage of such data raised several privacy concerns, mainly because the end-user - i.e., the actual owner of the data - is out of the loop in this collection process. Also, the existing privacy-enhanced solutions that emerged in the last years follow an "all or nothing" approach, leaving the user the sole option to accept or completely deny the access to privacy-related data.
This work has the two-fold objective of assessing the privacy implications on the usage of analytics libraries in mobile apps and proposing a data anonymization methodology that enables a trade-off between the utility and privacy of the collected data and gives the user complete control over the sharing process. To achieve that, we present an empirical privacy assessment on the analytics libraries contained in the 4500 most-used Android apps of the Google Play Store between November 2020 and January 2021. Then, we propose an empowered anonymization methodology, based on MobHide, that gives the end-user complete control over the collection and anonymization process. Finally, we empirically demonstrate the applicability and effectiveness of such anonymization methodology thanks to HideDroid, a fully-fledged anonymization app for the Android ecosystem.
△ Less
Submitted 29 January, 2022; v1 submitted 4 June, 2021;
originally announced June 2021.
-
Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma
Authors:
Meriem Guerar,
Luca Verderame,
Mauro Migliardi,
Francesco Palmieri,
Alessio Merlo
Abstract:
A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [100]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, etc. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel and financial…
▽ More
A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [100]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, etc. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes.
△ Less
Submitted 22 January, 2022; v1 submitted 2 March, 2021;
originally announced March 2021.
-
Deep Adversarial Learning on Google Home devices
Authors:
Andrea Ranieri,
Davide Caputo,
Luca Verderame,
Alessio Merlo,
Luca Caviglione
Abstract:
Smart speakers and voice-based virtual assistants are core components for the success of the IoT paradigm. Unfortunately, they are vulnerable to various privacy threats exploiting machine learning to analyze the generated encrypted traffic. To cope with that, deep adversarial learning approaches can be used to build black-box countermeasures altering the network traffic (e.g., via packet padding)…
▽ More
Smart speakers and voice-based virtual assistants are core components for the success of the IoT paradigm. Unfortunately, they are vulnerable to various privacy threats exploiting machine learning to analyze the generated encrypted traffic. To cope with that, deep adversarial learning approaches can be used to build black-box countermeasures altering the network traffic (e.g., via packet padding) and its statistical information. This letter showcases the inadequacy of such countermeasures against machine learning attacks with a dedicated experimental campaign on a real network dataset. Results indicate the need for a major re-engineering to guarantee the suitable protection of commercially available smart speakers.
△ Less
Submitted 25 February, 2021;
originally announced February 2021.
-
Deep Reinforcement Learning for Black-Box Testing of Android Apps
Authors:
Andrea Romdhana,
Alessio Merlo,
Mariano Ceccato,
Paolo Tonella
Abstract:
The state space of Android apps is huge and its thorough exploration during testing remains a major challenge. In fact, the best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward, rather than by explicit…
▽ More
The state space of Android apps is huge and its thorough exploration during testing remains a major challenge. In fact, the best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward, rather than by explicit supervision. Deep RL is a recent extension of RL that takes advantage of the learning capabilities of neural networks. Such capabilities make Deep RL suitable for complex exploration spaces such as the one of Android apps. However, state of the art, publicly available tools only support basic, tabular RL. We have developed ARES, a Deep RL approach for black-box testing of Android apps. Experimental results show that it achieves higher coverage and fault revelation than the baselines, which include state of the art RL based tools, such as TimeMachine and Q-Testing. We also investigated qualitatively the reasons behind such performance and we have identified the key features of Android apps that make Deep RL particularly effective on them to be the presence of chained and blocking activities.
△ Less
Submitted 15 January, 2021; v1 submitted 7 January, 2021;
originally announced January 2021.
-
ARMAND: Anti-Repackaging through Multi-pattern Anti-tampering based on Native Detection
Authors:
Alessio Merlo,
Antonio Ruggia,
Luigi Sciolla,
Luca Verderame
Abstract:
App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild to fool the final user into installing the repackaged app instead of the original one. In this way, an attacker can embed malicious payload into a legitimate app for different aims, such as access to premium features, redirect revenue, or access to user's private data. In the Android ecos…
▽ More
App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild to fool the final user into installing the repackaged app instead of the original one. In this way, an attacker can embed malicious payload into a legitimate app for different aims, such as access to premium features, redirect revenue, or access to user's private data. In the Android ecosystem, apps are available on public stores, and the only requirement for an app to execute properly is to be digitally signed. Due to this, the repackaging threat is widely spread. Anti-repackaging techniques aim to make harder the repackaging process for an attack adding logical controls - called detection node - in the app at compile-time. Such controls check the app integrity at runtime to detect tampering. If tampering is recognized, the detection nodes lead the repackaged app to fail (e.g., throwing an exception). From an attacker's standpoint, she must detect and bypass all controls to repackage safely. In this work, we propose a novel anti-repackaging scheme - called ARMAND - which aims to overcome the limitations of the current protection schemes. We have implemented this scheme into a prototype - named ARMANDroid - which leverages multiple protection patterns and relies on native code. The evaluation phase of ARMANDroid on 30.000 real-world Android apps showed that the scheme is robust against the common attack vectors and efficient in terms of time and space overhead.
△ Less
Submitted 18 December, 2020; v1 submitted 16 December, 2020;
originally announced December 2020.
-
You Shall not Repackage! Demystifying Anti-Repackaging on Android
Authors:
Alessio Merlo,
Antonio Ruggia,
Luigi Sciolla,
Luca Verderame
Abstract:
App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild. In this way, the attacker aims to force some mobile users to install the repackaged(likely malicious) app instead of the original one. This phenomenon strongly affects Android, where apps are available on public stores, and the only requirement for an app to execute properly is to be dig…
▽ More
App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild. In this way, the attacker aims to force some mobile users to install the repackaged(likely malicious) app instead of the original one. This phenomenon strongly affects Android, where apps are available on public stores, and the only requirement for an app to execute properly is to be digitally signed. Anti-repackaging techniques try counteracting this attack by adding logical controls in the app at compile-time. Such controls activate in case of repackaging and lead the repackaged app to fail at runtime. On the other side, the attacker must detect and bypass the controls to repackage safely. The high-availability of working repackaged apps in the Android ecosystem suggests that the attacker's side is winning. In this respect, this paper aims to bring out the main issues of the current anti-repackaging approaches. The contribution of the paper is three-fold: 1) analyze the weaknesses of the current state-of-the-art anti-repackaging schemes (i.e., Self-Protection through Dex Encryption, AppIS, SSN, SDC, BombDroid, and NRP), 2) summarize the main attack vectors to anti-repackaging techniques composing those schemes, and 3) show how such attack vectors allow circumventing the current proposals. The paper will also show a full-fledged attack to NRP, the only publicly-available anti repackaging tool to date.
△ Less
Submitted 8 January, 2021; v1 submitted 10 September, 2020;
originally announced September 2020.
-
On the (Un)Reliability of Privacy Policies in Android Apps
Authors:
Luca Verderame,
Davide Caputo,
Andrea Romdhana,
Alessio Merlo
Abstract:
Access to privacy-sensitive information on Android is a growing concern in the mobile community. Albeit Google Play recently introduced some privacy guidelines, it is still an open problem to soundly verify whether apps actually comply with such rules. To this aim, in this paper, we discuss a novel methodology based on a fruitful combination of static analysis, dynamic analysis, and machine learni…
▽ More
Access to privacy-sensitive information on Android is a growing concern in the mobile community. Albeit Google Play recently introduced some privacy guidelines, it is still an open problem to soundly verify whether apps actually comply with such rules. To this aim, in this paper, we discuss a novel methodology based on a fruitful combination of static analysis, dynamic analysis, and machine learning techniques, which allows assessing such compliance. More in detail, our methodology checks whether each app i) contains a privacy policy that complies with the Google Play privacy guidelines, and ii) accesses privacy-sensitive information only upon the acceptance of the policy by the user. Furthermore, the methodology also allows checking the compliance of third-party libraries embedded in the apps w.r.t. the same privacy guidelines. We implemented our methodology in a tool, 3PDroid, and we carried out an assessment on a set of recent and most-downloaded Android apps in the Google Play Store. Experimental results suggest that more than 95% of apps access user's privacy-sensitive information, but just a negligible subset of them (around 1%) fully complies with the Google Play privacy guidelines.
△ Less
Submitted 18 April, 2020;
originally announced April 2020.
-
Security Issues in the Android Cross-Layer Architecture
Authors:
Alessandro Armando,
Alessio Merlo,
Luca Verderame
Abstract:
The security of Android has been recently challenged by the discovery of a number of vulnerabilities involving different layers of the Android stack. We argue that such vulnerabilities are largely related to the interplay among layers composing the Android stack. Thus, we also argue that such interplay has been underestimated from a security point-of-view and a systematic analysis of the Android i…
▽ More
The security of Android has been recently challenged by the discovery of a number of vulnerabilities involving different layers of the Android stack. We argue that such vulnerabilities are largely related to the interplay among layers composing the Android stack. Thus, we also argue that such interplay has been underestimated from a security point-of-view and a systematic analysis of the Android interplay has not been carried out yet. To this aim, in this paper we provide a simple model of the Android cross-layer interactions based on the concept of flow, as a basis for analyzing the Android interplay. In particular, our model allows us to reason about the security implications associated with the cross-layer interactions in Android, including a recently discovered vulnerability that allows a malicious application to make Android devices totally unresponsive. We used the proposed model to carry out an empirical assessment of some flows within the Android cross-layered architecture. Our experiments indicate that little control is exercised by the Android Security Framework (ASF) over cross-layer interactions in Android. In particular, we observed that the ASF lacks in discriminating the originator of a flow and sensitive security issues arise between the Android stack and the Linux kernel, thereby indicating that the attack surface of the Android platform is wider than expected.
△ Less
Submitted 4 September, 2012;
originally announced September 2012.