Description Company: None


TSOPEN

Keywords: Logic bomb detection, Android Security

Functional Components Description

Logic bombs are mechanisms used by malicious apps to evade detection techniques. Typically, an attacker uses a logic bomb to trigger the malicious code only under certain chosen circumstances (e.g. only at a given date) so that the malicious behaviour is not observed during analysis. The goal of TSOpen is to detect such logic bombs. The detection approach is fully static and combines multiple techniques: symbolic execution, path predicate reconstruction, path predicate minimization, and inter-procedural control-dependency analysis. In a first version, TSOpen will focus on detecting triggers related to time, location and SMS.

TSOpen is developed over FlowDroid, which provides a useful model of the Android framework on which one can easily apply algorithms. Figure 3.16 provides an overview of the tool. First, an inter-procedural control flow graph (ICFG) is retrieved from FlowDroid, on which TSOpen applies symbolic execution to recover the semantics of the objects of interest. Then simple predicates are retrieved during block predicate recovery to annotate the ICFG. The annotated ICFG is then used to retrieve the full path predicate of every instruction. A predicate minimization algorithm is then applied to rule out false dependencies. Afterwards, a first decision is taken during the predicate classification step to obtain suspicious predicates. Finally, a control dependency step is applied to take the decision regarding the suspiciousness of the potential logic bomb under study.
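The following toy model, added here as an illustration and not taken from TSOpen or FlowDroid, walks through the last four stages of the pipeline on a constructed control flow graph: full path predicate recovery, minimization of false dependencies, classification of the remaining conditions by trigger category (time, location, SMS), and the final control-dependency decision that only reports a sensitive operation when it is actually guarded by a suspicious condition. The CFG, condition names, the sources each condition is assumed to compare against, and the category tables are all made up for the example; TSOpen's real stages work on Jimple code and recover these facts through symbolic execution.

```python
"""Simplified model of path-predicate recovery, minimization, classification
and control-dependency checking (constructed example, not TSOpen's code)."""
from itertools import product

# Constructed CFG of a tiny app. Each edge is (src, dst, guard): guard is None
# for an unconditional edge, "name" for the branch taken when the condition is
# true, and "!name" for the branch taken when it is false.
EDGES = [
    ("entry", "b1", None),
    ("b1", "b2", "is_weekend"),       # both branches rejoin at b4, so is_weekend
    ("b1", "b3", "!is_weekend"),      # is a false dependency of everything below b4
    ("b2", "b4", None),
    ("b3", "b4", None),
    ("b4", "b5", "after_date"),       # time-based condition guarding b5 and b6
    ("b4", "exit", "!after_date"),
    ("b5", "b6", "sms_from_number"),  # SMS-based condition nested inside
    ("b5", "exit", "!sms_from_number"),
    ("b6", "exit", None),
]
CONDITIONS = ["is_weekend", "after_date", "sms_from_number"]

# Stand-in for the symbolic-execution stage: the object each condition compares
# against. Assumed values chosen for the example.
CONDITION_SOURCES = {
    "is_weekend": "Calendar",
    "after_date": "System.currentTimeMillis",
    "sms_from_number": "SmsMessage",
}
TRIGGER_CATEGORIES = {
    "time": {"System.currentTimeMillis", "Calendar", "Date"},
    "location": {"Location", "LocationManager"},
    "sms": {"SmsMessage", "SmsManager"},
}
# Sensitive operations found in blocks (constructed): b4 is unconditional,
# b6 sits behind the two trigger conditions.
SENSITIVE_OPS = {"b4": "ContentResolver.query", "b6": "HttpURLConnection.connect"}


def guard_holds(guard, assignment):
    """Evaluate an edge guard under a complete truth assignment."""
    if guard is None:
        return True
    if guard.startswith("!"):
        return not assignment[guard[1:]]
    return assignment[guard]


def reachable(assignment):
    """Nodes reachable from entry when every condition has a fixed truth value."""
    seen, stack = set(), ["entry"]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for src, dst, guard in EDGES:
            if src == node and guard_holds(guard, assignment):
                stack.append(dst)
    return seen


def path_predicate(node):
    """Full path predicate of `node` as a DNF: one term (frozenset of
    (condition, value) literals) per assignment under which node is reachable."""
    terms = set()
    for values in product([True, False], repeat=len(CONDITIONS)):
        assignment = dict(zip(CONDITIONS, values))
        if node in reachable(assignment):
            terms.add(frozenset(assignment.items()))
    return terms


def minimize(terms):
    """Drop every condition whose value never changes reachability (a false
    dependency) and project the DNF onto the conditions that remain."""
    essential = set()
    for cond in CONDITIONS:
        for term in terms:
            flipped = frozenset((k, (not v) if k == cond else v) for k, v in term)
            if flipped not in terms:   # flipping cond changed reachability
                essential.add(cond)
                break
    return {frozenset(lit for lit in term if lit[0] in essential) for term in terms}


def dependencies(node):
    """Conditions that survive minimization for `node`, i.e. true dependencies."""
    return sorted({name for term in minimize(path_predicate(node)) for name, _ in term})


def classify(predicate):
    """Predicate classification: flag literals whose source is a time, location
    or SMS object. Returns a set of (condition, category) pairs."""
    found = set()
    for term in predicate:
        for name, _ in term:
            for category, sources in TRIGGER_CATEGORIES.items():
                if CONDITION_SOURCES[name] in sources:
                    found.add((name, category))
    return found


def analyze():
    """Control-dependency decision: report a sensitive operation only when it is
    control-dependent on at least one suspicious condition."""
    findings = []
    for node, operation in SENSITIVE_OPS.items():
        triggers = classify(minimize(path_predicate(node)))
        if triggers:
            findings.append((node, operation, sorted(triggers)))
    return findings


if __name__ == "__main__":
    for node in ("b2", "b4", "b6"):
        print(node, "depends on", dependencies(node))
    print("potential logic bombs:", analyze())
```

Running the block shows why minimization matters: the full path predicate of `b6` has two terms (one per value of `is_weekend`), but since the two weekend branches rejoin at `b4`, minimization reduces it to the single conjunction `after_date AND sms_from_number`, which is what the classification step then inspects. The unconditional `ContentResolver.query` in `b4` is never reported, because its minimized predicate is empty and therefore carries no trigger.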

Services Provided: