Operating Systems Security (2014 Year in Review), Part 3



In a previous Newsletter, the editors offered a series of citations from late 2013 about operating systems.  In this set, we offer an update of publications and presentations from 2014, focused specifically upon security issues.  The general topic has produced prolific work.  We will present these in multiple parts.


Gadyatskaya, O.; Massacci, F.; Zhauniarovich, Y., "Security in the Firefox OS and Tizen Mobile Platforms," Computer, vol. 47, no. 6, pp. 57-63, June 2014. doi: 10.1109/MC.2014.165 Emerging mobile platforms Firefox OS and Tizen are learning from Android's security successes and trying to avoid its limitations. Although these platforms offer largely novel solutions, they can still learn from one another.
Keywords: Android (operating system); mobile computing; security of data; Android; Firefox OS; Tizen mobile platforms; security successes; Androids; Computer security; Humanoid robots; Linux; Mobile communication; Android; Firefox OS; Tizen; mobile; mobile platform security; security (ID#: 15-4355)


Xiao Xuan; Ye Wang; Shanping Li, "Privacy Requirements Patterns For Mobile Operating Systems," Requirements Patterns (RePa), 2014 IEEE 4th International Workshop on, pp. 39-42, 26 Aug. 2014. doi: 10.1109/RePa.2014.6894842 Nowadays mobile devices have rapidly developed. Privacy protection for mobile operating systems has become a hot topic in industry and research, which also brings new challenges. The scenarios in mobile operating systems are different from those in traditional systems. Users of mobile systems face more and more new risks in new scenarios. On the other hand, personal data is growing exponentially every day. It reminds us that the importance of privacy protection is also increasing at the same time. In this paper, we study the privacy patterns for mobile operating systems. We elicit privacy-related requirements in three ways: knowledge from domain experts, literature review on public documents of existing mature systems, and feedback from real users. Based on these requirements, we propose 7 privacy patterns which are presented with the RePa Requirements Pattern Template. All of these patterns were refined by professional business analysts, which concretizes the result of our work. We believe that our findings can help business analysts with the description of privacy requirements in future mobile operating system development projects.
Keywords: data privacy; formal specification; mobile computing; operating systems (computers); security of data; systems analysis; RePa Requirements Pattern Template; domain expert knowledge; feedback; mobile devices; mobile operating systems; personal data; privacy patterns; privacy protection; privacy requirements patterns; privacy-related requirements elicitation; public document literature review; Data privacy; Mobile communication; Operating systems; Privacy; Security; Smart phones; Mobile Operating System; Privacy Protection; Privacy Requirements Pattern (ID#: 15-4356)


Yu Ding; Zhuo Peng; Yuanyuan Zhou; Chao Zhang, "Android Low Entropy Demystified," Communications (ICC), 2014 IEEE International Conference on, pp. 659-664, 10-14 June 2014. doi: 10.1109/ICC.2014.6883394 We look into the issue that the amount of entropy kept by the pseudorandom number generator (PRNG) of Android is constantly low. We find that the accusation against this issue of causing poor performance and low frame rate experienced by users is ungrounded. We also investigate possible security vulnerabilities resulting from this issue. We find that this issue does not affect the quality of random numbers that are generated by the PRNG and used in Android applications because recent Android devices do not lack entropy sources. However, we identify a vulnerability in which the stack canary for all future Android applications is generated earlier than the PRNG is properly set up. This vulnerability makes stack overflow simpler and threatens Android applications linked with native code (through NDK) as well as Dalvik VM instances. An attacker could nullify the stack protecting mechanism, given the knowledge of the time of boot or a malicious app running on the victim device. This vulnerability also affects the address space layout randomization (ASLR) mechanism on Android, and can turn it from a weak protection to void. We discuss in this paper several possible attacks against this vulnerability as well as ways of defending. As this vulnerability is rooted in an essential Android design choice since the very first version, it is difficult to fix.
Keywords: Android (operating system); random number generation; security of data; ASLR mechanism; Android applications; Android design choice; Android devices; Dalvik VM instances; NDK; PRNG; address space layout randomization mechanism; entropy demystification; entropy sources; native code; pseudorandom number generator; stack canary; stack protecting mechanism; Androids; Entropy; Humanoid robots; Kernel; Linux; Security; Smart phones (ID#: 15-4357)


Won Shin; Doo-Ho Park; Tae-Wan Kim; Chun-Hyon Chang, "Behavior-Based Portability Analysis Methodology For Android Applications," Software Engineering and Service Science (ICSESS), 2014 5th IEEE International Conference on, pp. 714-717, 27-29 June 2014. doi: 10.1109/ICSESS.2014.6933667 As Android is an open-source operating system, numerous device-specific updates are frequently published by various developers. Thus, in order to increase the portability of an application, the development of an Android application requires an efficient porting process. However, many analytical time-consuming problems arise when developers convert the application for other versions of the platform. In this paper, we propose a behavior-based portability analysis methodology for Android applications. Using this methodology, a developer can extract the ideal behavior of an application and use it to compare the similarity of application flows. We study Android applications to determine whether the proposed methodology can be adopted to detect potential errors. The principal contribution of this paper is to enable developers to use behavior-based analysis for detecting potential errors related to portability by utilizing the porting process easily and quickly.
Keywords: Android (operating system); public domain software; software portability; Android applications; application behavior; application flow similarity; behavior-based portability analysis; device-specific updates; open-source operating system; porting process; Androids; Data mining; Feature extraction; Humanoid robots; Security; Software; Testing; Android application; behavioral-analysis; fragmentation; portability (ID#: 15-4358)


Shi Pu; Zhouguo Chen; Chen Huang; Yiming Liu; Bing Zen, "Threat Analysis Of Smart Mobile Device," General Assembly and Scientific Symposium (URSI GASS), 2014 XXXIth URSI, pp. 1-3, 16-23 Aug. 2014. doi: 10.1109/URSIGASS.2014.6929439 With the development of telecommunication and network bands, there is a great increase in the number of services and applications available for smart mobile devices, while the population of malicious mobile software is growing rapidly. Most smart mobile devices do not run anti-malware programs to protect against threats such as viruses, trojans, DDoS, malware and botnets, which gives hackers the chance to control the system. The paper mainly analyses the typical threats which smart mobile devices face.
Keywords: mobile computing; security of data; DDOS; anti-malware programs; botnet; malicious mobile software; malware; mobile security; network bands; smart mobile device; telecommunication network; threat analysis; trojan; virus; Market research; Mobile communication; Mobile handsets; Operating systems; Trojan horses (ID#: 15-4359)


Graa, M.; Boulahia, N.C.; Cuppens, F.; Cavalliy, A., "Protection against Code Obfuscation Attacks Based on Control Dependencies in Android Systems," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp. 149-157, June 30-July 2, 2014. doi: 10.1109/SERE-C.2014.33 In Android systems, an attacker can obfuscate application code to leak sensitive information. TaintDroid is an information flow tracking system that protects private data in smartphones. But TaintDroid cannot detect control flows. Thus, it can be circumvented by an obfuscated code attack based on control dependencies. In this paper, we present a collection of obfuscated code attacks on the TaintDroid system. We propose a technical solution based on a hybrid approach that combines static and dynamic analysis. We formally specify our solution based on two propagation rules. Finally, we evaluate our approach and show that we can avoid the obfuscated code attacks based on control dependencies by using these propagation rules.
Keywords: Android (operating system); data flow analysis; data protection; program control structures; Android systems; TaintDroid; code obfuscation attack protection; control dependencies; control flow detection; information flow tracking system; private data; sensitive information; smartphones; Androids; Context; Humanoid robots; Resists; Security; Smart phones; Android system; Code obfuscation attacks; Control dependencies; Information flow tracking; Leakage of sensitive information; Propagation rules (ID#: 15-4360)


Bartel, A.; Klein, J.; Monperrus, M.; Le Traon, Y., "Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android," Software Engineering, IEEE Transactions on, vol. 40, no. 6, pp. 617-632, June 2014. doi: 10.1109/TSE.2014.2322867 A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are granted more permissions than they actually need, which facilitates all kinds of malicious usage (e.g., through code injection). The analysis of a permission-based framework requires a precise mapping between API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework. We then present an advanced class-hierarchy and field-sensitive set of analyses to extract this mapping. Those static analyses are capable of analyzing the Android framework. They use novel domain specific optimizations dedicated to Android.
Keywords: Android (operating system); optimisation; program diagnostics; security of data; API methods; Android framework; advanced class-hierarchy analysis; common security architecture; field-sensitive set analysis; large scale framework; novel domain specific optimizations; permission checks; permission-based framework; static analysis; Androids; Cameras; Humanoid robots; Java; Security; Servers; Sparks; Android; Java; Large scale framework; Soot; call-graph; permissions; security; static analysis (ID#: 15-4361)


Hubbard, J.; Weimer, K.; Yu Chen, "A Study Of SSL Proxy Attacks On Android And iOS Mobile Applications," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 86-91, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866553 According to recent articles in popular technology websites, some mobile applications function in an insecure manner when presented with untrusted SSL certificates. These non-browser based applications seem to, in the absence of a standard way of alerting a user of an SSL error, accept any certificate presented to them. This paper intends to research these claims and show whether or not an invisible proxy based SSL attack can indeed steal users' credentials from mobile applications, and which types of applications are most likely to be vulnerable to this attack vector. To ensure coverage of the most popular platforms, applications on both Android 4.2 and iOS 6 are tested. The results of our study showed that stealing credentials is indeed possible using invisible-proxy man-in-the-middle attacks.
Keywords: Android (operating system); iOS (operating system); mobile computing; security of data; Android 4.2; SSL error; SSL proxy attacks; attack vector; iOS 6; iOS mobile applications; invisible proxy man-in-the-middle attacks; untrusted SSL certificates; user credentials; Androids; Humanoid robots; Mobile communication; Security; Servers; Smart phones; Android; Man-in-the-middle; Mobile Devices; Proxy; SSL; Security; TLS; iOS (ID#: 15-4362)


Savola, R.M.; Kylanpaa, M., "Security Objectives, Controls And Metrics Development For An Android Smartphone Application," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950501 Security in Android smartphone platforms deployed in public safety and security mobile networks is a remarkable challenge. We analyse the security objectives and controls for these systems based on an industrial risk analysis. The target system of the investigation is an Android platform utilized for a public safety and security mobile network. We analyse how security decision making regarding this target system can be supported by effective and efficient security metrics. In addition, we describe implementation details of security controls for authorization and integrity objectives of a demonstration of the target system.
Keywords: Android (operating system); authorisation; data integrity; decision making; risk analysis; safety; smart phones; Android smartphone application; authorization objective; industrial risk analysis; integrity objective; metrics development; public safety; security controls; security decision making; security metrics; security mobile networks; security objectives; Authorization; Libraries; Monitoring; Android; risk analysis; security effectiveness; security metrics; security objectives (ID#: 15-4363)


Mollus, K.; Westhoff, D.; Markmann, T., "Curtailing Privilege Escalation Attacks Over Asynchronous Channels on Android," Innovations for Community Services (I4CS), 2014 14th International Conference on, pp. 87-94, 4-6 June 2014. doi: 10.1109/I4CS.2014.6860558 Recently we presented QuantDroid [7], a quantitative approach towards mitigating privilege escalation attacks on Android. By monitoring all synchronous IPC via overt channels on-the-fly, a so-called flow-graph service detects an abnormal amount of traffic exchanged between DVMs running different Apps to indicate a potential horizontal privilege escalation attack. However, although certainly a valuable first step, our initial QuantDroid approach fails when dealing with asynchronous IPC via persistent storage containers on the Android system. To also address this issue, in this work we extend QuantDroid to QuantDroid++ by providing i) a central storage of taints when operating on system-internal databases of Android, ii) an extension of the SQL cursor object to preserve taints and link requested data with such taints, and, finally, iii) an inspection of the information flow with such newly available taints for all relevant database operations.
Keywords: Android (operating system); SQL; security of data; Android system; DVM; QuantDroid; asynchronous channels; flow-graph service; privilege escalation attacks; synchronous IPC; system-internal databases; SQL cursor object; Androids; Databases; Humanoid robots; Monitoring; Permission; Smart phones; Android; Horizontal Privilege Escalation; IPC (ID#: 15-4364)


Rastogi, V.; Yan Chen; Xuxian Jiang, "Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 1, pp. 99-108, Jan. 2014. doi: 10.1109/TIFS.2013.2290431 Mobile malware threats (e.g., on Android) have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile anti-malware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats, but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various transformation techniques, and used it for our study. Our results on 10 popular commercial anti-malware applications for Android are worrisome: none of these tools is resistant against common malware transformation techniques. In addition, a majority of them can be trivially defeated by applying slight transformation over known malware with little effort for malware authors. Finally, in light of our results, we propose possible remedies for improving the current state of malware detection on mobile devices.
Keywords: invasive software; mobile computing; mobile handsets; operating systems (computers); Android antimalware; DroidChameleon; commercial mobile antimalware products; malware authors; malware detection; malware transformation; mobile devices; mobile malware threats; next-generation solutions; obfuscation techniques; transformation attacks; Androids; Encryption; Humanoid robots; Malware; Mobile communication; Android; Mobile; anti-malware; malware (ID#: 15-4365)


Xiong Ping; Wang Xiaofeng; Niu Wenjia; Zhu Tianqing; Li Gang, "Android Malware Detection With Contrasting Permission Patterns," Communications, China, vol. 11, no. 8, pp. 1-14, Aug. 2014. doi: 10.1109/CC.2014.6911083 As the risk of malware is sharply increasing on the Android platform, Android malware detection has become an important research topic. Existing works have demonstrated that the required permissions of Android applications are valuable for malware analysis, but how to exploit those permission patterns for malware detection remains an open issue. In this paper, we introduce contrasting permission patterns to characterize the essential differences between malware and clean applications from the permission aspect. Then a framework based on contrasting permission patterns is presented for Android malware detection. According to the proposed framework, an ensemble classifier, Enclamald, is further developed to detect whether an application is potentially malicious. Every contrasting permission pattern acts as a weak classifier in Enclamald, and the weighted predictions of the involved weak classifiers are aggregated into the final result. Experiments on real-world applications validate that the proposed Enclamald classifier outperforms commonly used classifiers for Android malware detection.
Keywords: Android (operating system); invasive software; pattern classification; Android malware detection; Enclamald ensemble classifier; contrasting permission patterns; weak classifiers; weighted predictions; Androids; Educational institutions; Humanoid robots; Internet; Malware; Smart phones; Training; Android; classification; contrast set; malware detection; permission pattern (ID#: 15-4366)


Kasmi, C.; Lopes-Esteves, J.; Picard, N.; Renard, M.; Beillard, B.; Martinod, E.; Andrieu, J.; Lalande, M., "Event Logs Generated by an Operating System Running on a COTS Computer During IEMI Exposure," Electromagnetic Compatibility, IEEE Transactions on, vol. PP, no. 99, pp. 1-4, 22 September 2014. doi: 10.1109/TEMC.2014.2357060 Many studies were devoted to the analysis and the detection of electromagnetic attacks against critical electronic systems at the system or the component levels. Some attempts have been made to correlate effects scenarios with events logged by the kernel of the operating system (OS) of a commercial-off-the-shelf computer running Windows. Due to the closed nature of the latter OS, we decided to perform such an analysis on a computer running a Linux distribution in which complete access to logs is available. It will be demonstrated that a computer running such an open OS allows detecting the perturbations induced by intentional electromagnetic interferences at different levels of the targeted computer.
Keywords: Computers; Hardware; Kernel; Monitoring; Protocols; Sensors; Universal Serial Bus; Electromagnetic compatibility (EMC); electromagnetic interference; software engineering; system analysis and design (ID#: 15-4367)


Gilad, Y.; Herzberg, A.; Trachtenberg, A., "Securing Smartphones: A μTCB Approach," Pervasive Computing, IEEE, vol. 13, no. 4, pp. 72-79, Oct.-Dec. 2014. doi: 10.1109/MPRV.2014.72 As mobile phones have evolved into smartphones, with complex operating systems running third-party software, they have become increasingly vulnerable to malicious applications (malware). The authors introduce a new design for mitigating malware attacks against smartphone users based on a small trusted computing base module, denoted μTCB. The μTCB manages sensitive data and sensors and provides core services to applications, independently of the operating system. The user invokes μTCB by pressing a simple secure attention key that validates physical possession of the device and authorizes a sensitive action. This approach protects private information even if the device is infected with malware. This article presents a proof-of-concept implementation of μTCB based on ARM's TrustZone, a secure execution environment increasingly found in smartphones. It also includes an evaluation of the implementation using simulations.
Keywords: invasive software; mobile computing; smart phones; trusted computing; μTCB approach; ARM TrustZone; complex operating systems; core services; malicious applications; malware attacks; mobile phones; operating system; physical possession; proof-of-concept implementation; securing smartphones; sensitive action; trusted computing base module; Computer architecture; Cryptography; Malware; Mobile communication; Mobile handsets; Smart phones; mobile; pervasive computing; security; security kernels; invasive software; smartphones; trusted physical interfaces (ID#: 15-4368)


Allix, K.; Jerome, Q.; Bissyande, T.F.; Klein, J.; State, R.; Le Traon, Y., "A Forensic Analysis of Android Malware -- How is Malware Written and How it Could Be Detected?," Computer Software and Applications Conference (COMPSAC), 2014 IEEE 38th Annual, pp. 384-393, 21-25 July 2014. doi: 10.1109/COMPSAC.2014.61 We consider in this paper the analysis of a large set of malware and benign applications from the Android ecosystem. Although a large body of research work has dealt with Android malware over the last years, none has addressed it from a forensic point of view. After collecting over 500,000 applications from user markets and research repositories, we perform an analysis that yields precious insights on the writing process of Android malware. This study also explores some strange artifacts in the datasets, and the divergent capabilities of state-of-the-art antivirus to recognize/define malware. We further highlight some major weak usage and misunderstanding of Android security by the criminal community and show some patterns in their operational flow. Finally, using insights from this analysis, we build a naive malware detection scheme that could complement existing antivirus software.
Keywords: Android (operating system); digital forensics; invasive software; Android ecosystem; Android malware; Android security; antivirus software; criminal community; forensic analysis; malware detection; operational flow patterns; writing process; Androids; Bioinformatics; Genomics; Google; Humanoid robots; Malware; Software; Android Security; Digital Forensics; Malware Analysis; Malware development (ID#: 15-4369)


Schnarz, Pierre; Fischer, Clemens; Wietzke, Joachim; Stengel, Ingo, "On a Domain Block Based Mechanism To Mitigate DoS Attacks On Shared Caches In Asymmetric Multiprocessing Multi Operating Systems," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950494 Asymmetric multiprocessing (AMP) based multi-OSs are going to be established in future to enable parallel execution of different functionalities while fulfilling requirements for real-time, reliability, trustworthiness and security. Especially for in-car multimedia systems, also known as In-Vehicle Infotainment (IVI) systems, the composition of different OS-types onto a system-on-chip (SoC) offers a wide variety of advantages in embedded system development. However, the asymmetric paradigm, which implies the division and assignment of every hardware resource to OS-domains, is not applicable to every part of a system-on-chip (SoC). Caches are often shared between multiple processors on multiprocessor SoCs (MP-SoC). According to their association to the main memory, OSs running on the processor cores are naturally vulnerable to DoS attacks. An adversary who has compromised one of the OS-domains is able to attack an arbitrary memory location of a co-OS-domain. This introduces performance degradations on the victim's memory accesses. In this work a method is proposed which prohibits the surface for interference introduced by the association of cache and main memory. Therefore, the contribution of this article is twofold. It introduces an attack vector, by deriving an algorithm from the cache way associativity, to affect the co-OSs running on the same platform. Using this vector it is shown that the mapping of contiguous memory blocks intensifies the effect. Subsequently, a memory mapping method is proposed which mitigates the interference effects of cache coherence. The approach is evaluated by a proof-of-concept implementation, which illustrates the performance impact of the attack and the countermeasure, respectively. The method enables a more reliable implementation of AMP-based multi-OSs on MP-SoCs using shared caches without the need to modify the hardware layout.
Keywords: Computer architecture; Computer crime; Hardware; Interference; Program processors; System-on-chip; Vectors (ID#: 15-4370)


Anh Nguyen-Tuong; Hiser, J.D.; Co, M.; Davidson, J.W.; Knight, J.C.; Kennedy, N.; Melski, D.; Ella, W.; Hyde, D., "To B or not to B: Blessing OS Commands with Software DNA Shotgun Sequencing," Dependable Computing Conference (EDCC), 2014 Tenth European, pp. 238-249, 13-16 May 2014. doi: 10.1109/EDCC.2014.13 We introduce Software DNA Shotgun Sequencing (S3), a novel, biologically-inspired approach to combat OS Injection Attacks, the #2 most dangerous software error as identified by MITRE. To thwart such attacks, researchers have advocated various forms of taint-tracking techniques. Despite promising results, e.g., few missed attacks and few false alarms, taint-tracking has not seen widespread adoption. Impediments to adoption include high overhead and difficulty of deployment. S3 is based on a novel technique: positive taint inference, which dynamically reassembles string fragments from a binary to infer blessed, i.e. trusted, parts of an OS command. S3 incurs negligible performance overhead and is easy to deploy as it operates directly on binary programs.
Keywords: DNA; biology computing; operating systems (computers); security of data; binary programs; biologically inspired approach; blessing OS commands; combat OS injection attacks; operating system; software DNA shotgun sequencing; software error; taint tracking techniques; Computer architecture; DNA; Operating systems; Security; Sequential analysis; Servers; command injection; injection; security; taint inference; taint tracking (ID#: 15-4371)


Xiang-Dong Qu; Ge Yu, "Coordinated Attack Research Between Android Applications And Solutions," Software Engineering and Service Science (ICSESS), 2014 5th IEEE International Conference on, pp. 718-722, 27-29 June 2014. doi: 10.1109/ICSESS.2014.6933668 This article mainly discusses the Android security mechanism and the possibility of the coordinated attack caused by the Android application's component structure. Then we put forward the data filtering solution and the implementation for the data transfer of Android applications. This solution is based on the k-divided Bloom filter. At the end we evaluate the experiment results. We can see that the solution can effectively resist the coordinated attack from the applications.
Keywords: Android (operating system); data structures; security of data; Android application component structure; Android security mechanism; coordinated attack research; data filtering solution; data transfer; k-divided bloom filter; Androids; Data transfer; Filtering; Filtering algorithms; Humanoid robots; Security; Vectors; Bloom Filter; android security; component structure; coordinated attack (ID#: 15-4372)


Longfei Wu; Xiaojiang Du; Jie Wu, "MobiFish: A Lightweight Anti-Phishing Scheme For Mobile Phones," Computer Communication and Networks (ICCCN), 2014 23rd International Conference on, pp. 1-8, 4-7 Aug. 2014. doi: 10.1109/ICCCN.2014.6911743 Recent years have witnessed the increasing threat of phishing attacks on mobile platforms. In fact, mobile phishing is more dangerous due to the limitations of mobile phones and mobile user habits. Existing schemes designed for phishing attacks on computers/laptops cannot effectively address phishing attacks on mobile devices. This paper presents MobiFish, a novel automated lightweight anti-phishing scheme for mobile platforms. MobiFish verifies the validity of web pages and applications (Apps) by comparing the actual identity to the identity claimed by the web pages and Apps. MobiFish has been implemented on the Nexus 4 smartphone running the Android 4.2 operating system. We experimentally evaluate the performance of MobiFish with 100 phishing URLs and corresponding legitimate URLs, as well as fake Facebook Apps. The result shows that MobiFish is very effective in detecting phishing attacks on mobile phones.
Keywords: Android (operating system); smart phones; Android 4.2 operating system; MobiFish; Nexus 4 smartphone; Web pages; automated lightweight antiphishing scheme; fake Facebook Apps; mobile devices; mobile phishing; mobile phones; mobile platforms; mobile user habits; phishing URL; phishing attacks; Browsers; HTML; Mobile communication; Mobile handsets; Optical character recognition software; Superluminescent diodes; Web pages; Android; Mobile phones; phishing attack; security (ID#: 15-4373)


Hu Ge; Li Ting; Dong Hang; Yu Hewei; Zhang Miao, "Malicious Code Detection for Android Using Instruction Signatures," Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on, pp. 332-337, 7-11 April 2014. doi: 10.1109/SOSE.2014.48 This paper provides an overview of the current static analysis technology for Android malicious code, and a detailed analysis of the format of the APK, which is the application package of the Android platform, and its executable file (dex). From the perspective of the binary sequence, the Dalvik VM file is syncopated by method, and the test samples are analyzed by automated DEX file parsing tools and the Levenshtein distance algorithm, which can effectively detect malicious Android applications that contain the same signatures. As proved by a large number of samples, this static detection system based on signature sequences can not only detect malicious code quickly, but also has a very low rate of false positives and false negatives.
Keywords: Android (operating system); digital signatures; program compilers; program diagnostics; APK format; Android malicious code detection; Android platform executable file; Dalvik VM file; Levenshtein distance algorithm; automated DEX file parsing tools; binary sequence; instruction signatures; malicious Android applications detection; signature sequences; static analysis technology; static detection system; Libraries; Malware; Mobile communication; Smart phones; Software; Testing; Android; DEX; Static Analysis; malicious code (ID#: 15-4374)


D'Orazio, C.; Ariffin, A.; Choo, K.-K.R., "iOS Anti-forensics: How Can We Securely Conceal, Delete and Insert Data?," System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 4838-4847, 6-9 Jan. 2014. doi: 10.1109/HICSS.2014.594 With the increasing popularity of smart mobile devices such as iOS devices, security and privacy concerns have emerged as a salient area of inquiry. A relatively under-studied area is anti-mobile forensics to prevent or inhibit forensic investigations. In this paper, we propose a "Concealment" technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices, as well as a "Deletion" technique to reinforce data deletion from iOS devices. We also demonstrate how our "Insertion" technique can be used to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.
Keywords: data privacy; digital forensics; iOS (operating system); mobile computing; mobile handsets; antimobile forensics; concealment technique; data deletion; deletion technique; forensic investigations; iOS antiforensics; iOS devices; insertion technique; nonprotected data security; privacy concerns; security concerns; smart mobile devices; Cryptography; File systems; Forensics; Mobile handsets; Random access memory; Videos; iOS anti-forensics; iOS forensics; mobile anti-forensics; mobile forensics (ID#: 15-4375)


Junghwan Rhee; Riley, R.; Zhiqiang Lin; Xuxian Jiang; Dongyan Xu, "Data-Centric OS Kernel Malware Characterization," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 1, pp. 72-87, Jan. 2014. doi: 10.1109/TIFS.2013.2291964 Traditional malware detection and analysis approaches have focused on code-centric aspects of malicious programs, such as detecting the injection of malicious code or matching malicious code sequences. However, modern malware employs advanced strategies, such as reusing legitimate code or obfuscating malware code, to circumvent detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of the data objects manipulated during the attacks. This framework consists of two system components with novel features. First, a runtime kernel object mapping system that has an untampered view of kernel data objects resistant to manipulation by malware; this view is effective at detecting a class of malware that hides dynamic data objects. Second, a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has extended coverage: by modeling low-level data access behaviors as signatures, it detects not only the malware with the signatures but also malware variants that share the attack patterns. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.
Keywords: data encapsulation; digital signatures; invasive software; operating system kernels; attack patterns; code-centric approach; data access patterns; data object manipulation; data-centric OS kernel malware characterization architecture; dynamic data object hiding; low level data access behavior modeling; malware attack characterization; malware signatures; real-world kernel rootkits; runtime kernel object mapping system; Data structures; Dynamic scheduling; Kernel; Malware; Monitoring; Resource management; Runtime; OS kernel malware characterization; data-centric malware analysis; virtual machine monitor (ID#: 15-4376)


Kishore, K.R.; Mallesh, M.; Jyostna, G.; Eswari, P.R.L.; Sarma, S.S., "Browser JS Guard: Detects and Defends Against Malicious Javascript Injection Based Drive By Download Attacks," Applications of Digital Information and Web Technologies (ICADIWT), 2014 Fifth International Conference on the, pp. 92-100, 17-19 Feb. 2014. doi: 10.1109/ICADIWT.2014.6814705 In recent times, most of the systems connected to the Internet are getting infected with malware, and some of these systems are becoming zombies for the attacker. When a user knowingly or unknowingly visits a malware website, his system gets infected. Attackers do this by exploiting vulnerabilities in the web browser and acquiring control over the underlying operating system. Once an attacker compromises the user's web browser, he can instruct the browser to visit the attacker's website through a number of redirections. During this process, the user's web browser downloads the malware without the intervention of the user. Once the malware is downloaded, it is placed in the file system and responds as per the instructions of the attacker. These types of attacks are known as Drive by Download attacks. Nowadays, Drive by Download is the major channel for delivering malware. In this paper, Browser JS Guard, an extension to the browser, is presented for detecting and defending against Drive by Download attacks via HTML tags and JavaScript.
Keywords: Java; Web sites; authoring languages; invasive software; online front-ends; operating systems (computers); security of data; HTML tags; Internet; browser JS guard; download attacks; drive by download attacks; file system; malicious JavaScript injection; malware Web site; operating system; user Web browser; Browsers; HTML; Malware; Monitoring; Web pages; Web servers; DOM Change Methods; Drive by Download Attacks; HTML tags; JavaScript Functions; Malware; Web Browser; Web Browser Extensions (ID#: 15-4377)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.