Framework for efficient security coverage of mobile software applications

US 10,296,437 B2
Filed: 10/16/2017
Issued: 05/21/2019
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:

one or more hardware processors; and

a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of the application instance by identifying a portion of code of the application instance that, when executed by the one or more hardware processors, triggers one or more processes of the application instance and causes the one or more processes to appear to be invoked by a user, (b) determines specific stimuli that causes transitions within the application instance to reach the region of interest, and (c) applies the stimuli to the application instance and performs subsequent monitoring of one or more behaviors resulting from execution of the portion of the code of the application instance at the region of interest.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application'"'"'s execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application'"'"'s run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

582 Citations

28 Claims

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of the application instance by identifying a portion of code of the application instance that, when executed by the one or more hardware processors, triggers one or more processes of the application instance and causes the one or more processes to appear to be invoked by a user, (b) determines specific stimuli that causes transitions within the application instance to reach the region of interest, and (c) applies the stimuli to the application instance and performs subsequent monitoring of one or more behaviors resulting from execution of the portion of the code of the application instance at the region of interest.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code would artificially generate Application Programming Interface (API) related actions to appear as if user invoked.
  - 3. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, further identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code will attempt to cause data to be read out of a predetermined storage location.
  - 4. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, determines the specific stimuli by at least determining a data value that, when processed by the application instance, drives execution of the application instance within a run-time environment including one or more virtual machines to the portion of code of the application instance representing the region of interest.
  - 5. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, identifying whether the portion of code of the application instance would attempt to cause certain application actions by accessing various graphic user interface (GUI) triggers.
  - 6. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, further enables or disables monitoring logic that is configured to monitor the one or more behaviors during processing of the portion of the code of the application instance.
  - 7. The system of claim 6, wherein the monitoring logic is deployed in at least one of (i) the one or more virtual machines and (ii) an operating system operating with the application instance.
  - 8. The system of claim 6, wherein the monitoring logic includes at least one monitor in any of:
    - a virtual machine of the one or more virtual machines; and
      
      an operating system instance that operates in combination with the application instance.
  - 9. The system of claim 1, wherein the memory further comprises the one or more virtual machines that including monitoring logic that, when enabled by the central intelligence engine and during execution of the portion of the code of the application software at the region of interest, monitors one or more behaviors occurring during the execution of the portion of the code to determine if the portion of the code is improperly behaving code.
  - 10. The system of claim 8, wherein the enabling of the monitoring logic includes enabling a first monitor operating in cooperation with the virtual machine or a second monitor operating in cooperation with the operating system instance.
  - 11. The system of claim 8, wherein the enabling of the monitoring logic includes enabling a system call monitoring function implemented within the operating system instance.
  - 12. The system of claim 11, wherein the region of interest is determined from one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of the improperly behaving code in order to identify the region of interest of the application.

13. A method for automatically analyzing an application instance by one or more hardware processors executing software that perform operations comprising:
- identifying a region of interest of the application instance based on an analysis of code of the application instance in response to execution of the software by the one or more hardware processors, the region of interest corresponds to one or more parts of the code of the application instance that are considered to potentially include improperly behaving code that triggers one or more processes of the application instance and causes the one or more processes to appear to be invoked by a user;
  
  determining, during execution of the software by the one or more hardware processors, specific stimuli and applying, the stimuli to the application instance so that the application instance commences processing of the one or more parts of code of the application instance that is associated with the region of interest;
  
  monitoring, during execution of the software by the one or more hardware processors, one or more behaviors of the application instance during processing of the one or more parts of code of the application instance that is associated with the region of interest within one or more virtual machines in response to the applied stimuli; and
  
  determining, during execution of the software by the one or more hardware processors, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application instance to determine if the first part of the code generates Application Programming Interface (API) related actions to appear as if user invoked.
  - 15. The method of claim 13, wherein the identifying of the region of interest further includes an analysis of a first part of the one or more parts of code of the application instance to determine if the first part of the code will attempt to cause data to be read out of a predetermined storage location.
  - 16. The method of claim 13, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application instance, drives processing of the application instance by the one or more virtual machines to a first part of the one or more parts of code of the application instance representing the region of interest.
  - 17. The method of claim 13, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the processing of the application instance to report the event to the application instance or provide state information to hardware observable by the application instance.
  - 18. The method of claim 13, wherein prior to monitoring the one or more behaviors, the method further comprisesenabling one or more monitors associated with the application instance;
    - andgenerating monitoring information from the one or more monitors.
  - 19. The method of claim 18 wherein the enabling of said one or more monitors includes enabling at least one monitor embedded within or operating in association with an operating system instance.
  - 20. The method of claim 19, wherein the enabling of the one or more monitors includes enabling a system call monitoring function embedded within or operating in association with the operating system instance.

21. A method for automatically analyzing an application instance for improperly behaving code, the method comprising:
- identifying a region of interest of an application instance by identifying whether a portion of code of the application instance that, when executed, triggers one or more processes of the application instance and causes the one or more processes to appear to be invoked by a user;
  
  determining specific stimuli that causes transitions within the application instance to reach the region of interest; and
  
  applying the stimuli to the application instance and performing subsequent monitoring of one or more behaviors resulting from execution of the portion of the code of the application instance at the region of interest.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein the region of interest corresponds to one or more parts of the code of the application instance that are considered to potentially include improperly behaving code.
  - 23. The method of claim 21, wherein the identifying of the region of interest includes an analysis of a first part of one or more parts of code of the application instance to determine if the first part of the code generates Application Programming Interface (API) related actions to appear as if user invoked.
  - 24. The method of claim 21, wherein the identifying of the region of interest further includes an analysis of a first part of one or more parts of code of the application instance to determine if the first part of the code will attempt to cause data to be read out of a predetermined storage location.
  - 25. The method of claim 21, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application instance, drives processing of the application instance by one or more virtual machines to a first part of one or more parts of code of the application instance representing the region of interest.
  - 26. The method of claim 21, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the processing of the application instance to report the event to the application instance.
  - 27. The method of claim 21, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the processing of the application instance to provide state information to hardware observable by the application instance.
  - 28. The method of claim 21, further comprising:
    - determining, in response to applying the stimuli, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code based on the monitoring of the one or more behaviors of the application instance resulting from the execution of the portion of the code of the application instance at the region of interest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Song, Dawn, Aziz, Ashar, Johnson, Noah, Mohan, Prashanth, Xue, Hui
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/785,208
Publication Number

US 20180121316A1
Time in Patent Office

582 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

Framework for efficient security coverage of mobile software applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

582 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for efficient security coverage of mobile software applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

582 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links