Data flow and heap analysis with application to privilege escalation vulnerability scanning and software theft detection

Abstract

Static and dynamic program analysis techniques are important research areas in software security. Static analysis helps us locate vulnerabilities in a software by looking at the source code. Dynamic analysis helps us reason about the behavior of the software from information gathered at run-time. In this thesis, we are focusing on data flow analysis and heap analysis which are key static and dynamic program analysis techniques respectively.

In the first part of this thesis, we aim at detecting vulnerabilities in Android applications which have capability leaks. The security of the Android platform relies mainly on sandboxing applications and restricting their capabilities such that no application, by default, can perform any operations that would adversely impact other applications, the operating system, or the user. However, a recent research reported that a genuine but vulnerable application may leak its capabilities. When being leveraged, other applications can gain extra capabilities which they are not granted originally. We present DroidChecker, an Android application analyzing tool which searches for the aforementioned vulnerability in Android applications. DroidChecker uses interprocedural control flow graph searching and static taint checking to detect exploitable data paths in an Android application. We analyzed more than 1100 Android applications using DroidChecker and found 6 previously unknown vulnerable applications including the renowned Adobe Photoshop Express application. We also developed a malicious application that exploits the previously unknown vulnerability found in the Adobe Photoshop Express application. We showed that the malicious application, which is not granted any permissions, can access contacts on the phone with just a few lines of code.

In the second part of this thesis, we explore the use of heap analysis to extract software birthmarks. There are techniques like code obfuscation and watermarking which can make the source code of a program difficult to understand by humans and prove the ownership of the program. However, code obfuscation cannot avoid the source code being copied and a watermark can be defaced. A birthmark is a group of unique characteristics a program possesses that can be used to identify the program. We propose two novel dynamic birthmark systems based on the run-time heap. A dynamic birthmark is one that is extracted when the program is executing. Since it is based on the run-time behavior of the program, semantics-preserving transformations of the code like obfuscation cannot defeat dynamic birthmarks. In this regard, dynamic birthmarks are more robust compared with static birthmarks.

To the best of our knowledge, these are the first birthmark systems using heap analysis as the underlying technique. The basic idea is to take snapshots of the heap while the program is running. From the snapshots, heap graphs are constructed to model the referencing structure between objects. After going through some filtering and referencing processes, they become the birthmarks. The two birthmark systems have been devised to extract birthmarks for Java programs and JavaScript programs respectively. While the underlying ideas of the two birthmark systems are similar, the differences in nature of the two programming languages led to different implementation designs.