Framework For Efficient Security Coverage Of Mobile Software Applications

US 20180121316A1
Filed: 10/16/2017
Published: 05/03/2018
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:

one or more hardware processors; and

a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of application instance that includes code by analyzing a portion of the code of the application instance and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause an improper state transition when executed, (b) determine specific stimuli that will cause one or more state transitions within the application instance to reach the region of interest, and (c) apply the stimuli to the application instance to allow for subsequent monitoring of one or more behaviors resulting from execution of the code of the application instance at the region of interest within a run-time environment including one or more virtual machines.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application'"'"'s execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application'"'"'s run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

136 Citations

20 Claims

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of application instance that includes code by analyzing a portion of the code of the application instance and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause an improper state transition when executed, (b) determine specific stimuli that will cause one or more state transitions within the application instance to reach the region of interest, and (c) apply the stimuli to the application instance to allow for subsequent monitoring of one or more behaviors resulting from execution of the code of the application instance at the region of interest within a run-time environment including one or more virtual machines.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 12)
- - 3. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 4. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, determines the specific stimuli by at least determining a data value that, when processed by the application instance, drives execution of the application instance within the run-time environment including the one or more virtual machines to the portion of code of the application instance representing the region of interest.
  - 5. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, determines the specific stimuli by at least determining an event that causes an operating system operating with the application instance to report the event to the application instance or provide state information to hardware observable by the application instance.
  - 6. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, further enables or disables monitoring logic that is configured to monitor the one or more behaviors during processing of the code of the application instance.
  - 7. The system of claim 6, wherein the monitoring logic is deployed in at least one of (i) the one or more virtual machines and (ii) an operating system operating with the application instance.
  - 8. The system of claim 6, wherein the monitoring logic includes at least one monitor in any of:
    - a virtual machine of the one or more virtual machines; and
      
      an operating system instance that operates in combination with the application instance.
  - 9. The system of claim 1, wherein the memory further comprises the one or more virtual machines that including monitoring logic that, when enabled by the central intelligence engine and during execution of the code of the application software at the region of interest, monitors one or more behaviors occurring during the execution of the code to determine if the code is improperly behaving code.
  - 10. The system of claim 8, wherein the enabling of the one or more monitoring logic includes enabling a first monitor operating in cooperation with the virtual machine or a second monitor operating in cooperation with the operating system instance.
  - 11. The system of claim 8, wherein the enabling of the one or more monitors includes enabling a system call monitoring function implemented within the operating system instance.
  - 11-1. The system of claim 1, wherein the rules include one or more of (i) rules from a first database, (ii) rules from a machine learning platform, or (iii) user provided rules.
  - 12. The system of claim 11, wherein the region of interest is determined from one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of the improperly behaving code in order to identify the region of interest of the application.

2. The system of claim 2, wherein the central intelligence engine, upon execution by the one or more hardware processors, identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code violates one or more rules.

13. A method for automatically analyzing an application instance by one or more hardware processors executing software that perform operations comprising:
- identifying a region of interest of the application instance based on an analysis of code of the application instance in response to execution of the software by the one or more hardware processors, the region of interest corresponds to one or more parts of the code of the application instance that, are considered to potentially include improperly behaving code that either (i) represents an inappropriate code structure or (ii) causes an improper state transition when executed;
  
  determining, during execution of the software by the one or more hardware processors, specific stimuli that causes one or more state transitions to occur;
  
  applying, during execution of the software by the one or more hardware processors, the stimuli to the application instance so that the application instance commences processing of the one or more parts of code of the application instance that is associated with the region of interest;
  
  monitoring, during execution of the software by the one or more hardware processors, one or more behaviors of the application instance during processing of the one or more parts of code of the application instance that is associated with the region of interest within one or more virtual machines in response to the applied stimuli; and
  
  determining, during execution of the software by the one or more hardware processors, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application instance to determine if the first part of the code violates one or more rules.
  - 15. The method of claim 13, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application instance to determine if the first part of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 16. The method of claim 13, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application instance, drives processing of the application instance by the one or more virtual machines to a first part of the one or more parts of code of the application instance representing the region of interest.
  - 17. The method of claim 13, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the processing of the application instance to report the event to the application instance or provide state information to hardware observable by the application instance.
  - 18. The method of claim 13, wherein prior to monitoring the one or more behaviors, the method further comprisesenabling one or more monitors associated with the application instance;
    - andgenerating monitoring information from the one or more monitors.
  - 19. The method of claim 18 wherein the enabling of said one or more monitors includes enabling at least one monitor embedded within or operating in association with an operating system instance.
  - 20. The method of claim 19, wherein the enabling of the one or more monitors includes enabling a system call monitoring function embedded within or operating in association with the operating system instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Song, Dawn, Aziz, Ashar, Johnson, Noah, Mohan, Prashanth, Xue, Hui

Granted Patent

US 10,296,437 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

Framework For Efficient Security Coverage Of Mobile Software Applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Framework For Efficient Security Coverage Of Mobile Software Applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links