Framework for efficient security coverage of mobile software applications installed on mobile devices

US 9,009,823 B1
Filed: 02/23/2013
Issued: 04/14/2015
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a hardware platform that comprises resources, one of the resources including a system memory;

a virtual machine monitor (VMM) layer to partition and allocate resources of the hardware platform;

at least one run time test process that comprises a first run time test process that includes at least a first virtual machine and a first application instance under observation; and

a second virtual machine that includes one or more monitoring functions that monitor calls made by one of the first application instance or the first virtual machine directly to the hardware platform circumventing operations with a first operating system instance that is supporting the first virtual machine and the first application instance under observation.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that includes generating a representation of an application that describes specific states of the application and specific state transitions of the application. The method also includes identifying a region of interest of the application based on rules and observations of the application'"'"'s execution. The method also includes determining specific stimuli that will cause one or more state transitions within the application to reach said region of interest. The method also includes enabling one or more monitors within the application'"'"'s run time environment and applying the stimuli within the application'"'"'s run time environment, where, the application'"'"'s run time environment is existing on a mobile device that the application is installed on. The method also includes generating monitoring information from said one or more monitors. The method also includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

Citations

31 Claims

1. A system, comprising:
- a hardware platform that comprises resources, one of the resources including a system memory;
  
  a virtual machine monitor (VMM) layer to partition and allocate resources of the hardware platform;
  
  at least one run time test process that comprises a first run time test process that includes at least a first virtual machine and a first application instance under observation; and
  
  a second virtual machine that includes one or more monitoring functions that monitor calls made by one of the first application instance or the first virtual machine directly to the hardware platform circumventing operations with a first operating system instance that is supporting the first virtual machine and the first application instance under observation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the at least one run time test process comprises a plurality of run time test processes that operate at least partially concurrent in time, the plurality of run time test processes comprises (i) the first run time test process and (ii) a second run time test process that includes a third virtual machine and a second application instance under observation, the second application instance is supported by a second operating system instance.
  - 3. The system of claim 2, wherein the plurality of run time test processes are isolated from each other.
  - 4. The system of claim 2, wherein the second virtual machine is in communication with the VMM layer and supporting the first operating system instance.
  - 5. The system of claim 4 further comprising:
    - a fourth virtual machine in communication with the VMM layer and supporting the second operating system instance, the second operating system instance supporting the third virtual machine and the second application instance under observation and is directed to a type of operating system different than the first operating system instance.
  - 6. The system of claim 2, wherein the second application instance under observance is a different version and a same application as the first application instance under observance.
  - 7. The system of claim 2, wherein the second application instance under observance is a different type of application than the first application instance under observance.
  - 8. The system of claim 2, wherein the first virtual machine includes one or more monitoring functions that monitor movement of a specific item of data and report suspicious movement of the specific item of data.
  - 9. The system of claim 8, wherein the movement of the specific item of data includes detection of an attempt by the first application instance to cause the specific item of data item to be directed out of the system.
  - 10. The system of claim 2, wherein the first operating system instance includes a first operating system instance for a mobile device and the second operating system instance includes a second operating system instance for a mobile device that is different from the first operating system instance for the mobile device.
  - 11. The system of claim 10, wherein the first operating system instance for the mobile device includes an iOS®
    - operating system.
  - 12. The system of claim 11, wherein the second operating system instance for the mobile device includes an ANDROID®
    - operating system.
  - 13. The system of claim 12, wherein the mobile device is a smartphone.
  - 14. The system of claim 1, wherein the first operating system instance includes one or more monitoring functions that monitor run time execution of executable code associated with the first application instance, detect an event, and output information associated with the event.
  - 15. The system of claim 14, wherein the event includes detection of a system call.
  - 16. The system of claim 15, wherein the system call is a process control system call.
  - 17. The system of claim 1, wherein each of the one or more monitoring functions is operable when enabled by a central intelligence engine and is inoperable when disabled by the central intelligence engine.

18. A system, comprising:
- a hardware platform that comprises resources, the resources including at least one processor supporting a plurality of processor threads;
  
  at least one run time test process that comprises (i) a first run time test process that includes at least a first virtual machine and a first application instance under observation; and
  
  a second virtual machine that includes one or more monitoring functions that monitor calls made by one of the first application instance or the first virtual machine directly to the hardware platform circumventing operations with a first operating system instance that is supporting the first virtual machine and the first application instance under observation.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The system of claim 18, wherein the second virtual machine is in communication with a virtual machine monitor (VMM) layer that partitions and allocates resources of the hardware platform, the second virtual machine supporting the first operating system instance.
  - 20. The system of claim 18, wherein the first virtual machine includes one or more monitoring functions that monitor movement of a specific item of data and report suspicious movement of the specific item of data, the movement of the specific item of data includes detection of an attempt by the first application instance to cause the specific item of data item to be directed out of the system.
  - 21. The system of claim 18, wherein the first operating system instance includes one or more monitoring functions that monitor run time execution of executable code associated with the first application instance, detect an event, and output information associated with the event.
  - 22. The system of claim 21, wherein the event includes detection of a system call.
  - 23. The system of claim 22, wherein the system call is a process control system call.
  - 24. The system of claim 18, wherein each of the one or more monitoring functions is operable when enabled by a central intelligence engine and is inoperable when disabled by the central intelligence engine.
  - 25. The system of claim 18, wherein the at least one run time test process comprises a plurality of run time test processes that operate at least partially concurrent in time, the plurality of run time test processes comprises (i) the first run time test process and (ii) a second run time test process that includes a third virtual machine and a second application instance under observation, the second application instance is supported by a second operating system instance.
  - 26. The system of claim 25, further comprising:
    - a fourth virtual machine in communication with a virtual machine monitor (VMM) layer and supporting the second operating system instance, the second operating system instance is directed to a type of operating system different than the first operating system instance.
  - 27. The system of claim 26, wherein the first operating system instance includes an iOS®
    - operating system and the second operating system instance includes an ANDROID®
      
      operating system.
  - 28. The system of claim 25, wherein the second application instance under observance is a different version and a same application as the first application instance under observance.

29. A framework, comprising:
- a central intelligence engine to control testing of one or more application instances; and
  
  a dynamic run time environment in communication with the central intelligence engine, the dynamic run time environment comprisesa hardware platform that comprises resources, the resources including at least one processor;
  
  at least one run time test process that comprises a first run time test process that includes at least a first virtual machine and a first application instance;
  
  a second virtual machine that, upon execution by the at least one processor, includes one or more monitoring functions that monitor calls made by one of the first application instance or the first virtual machine directly to the hardware platform that attempts to circumvent operations with a first operating system instance associated with the first virtual machine and the first application instance under observation.
- View Dependent Claims (30, 31)
- - 30. The framework of claim 29, wherein the dynamic run time environment further comprises:
    - a second run time test process that operates at least partially concurrent in time with the first run time test process, the second run time test process includes a third virtual machine and a second application instance under observation;
      
      a second operating system instance supporting the third virtual machine and the second application instance; and
      
      a fourth virtual machine that, upon execution by the at least one processor, includes one or more monitoring functions that monitor calls made by one of the second application instance or the third virtual machine directly to the hardware platform that attempts to circumvent operations with the second operating system instance.
  - 31. The framework of claim 29, wherein the second operating system instance is directed to a type of operating system that is different from the first operating system instance and the second application instance is different from the first application instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul, Song, Dawn
Primary Examiner(s)
Jeudy, Josnel
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US13/775,169
Time in Patent Office

780 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

Framework for efficient security coverage of mobile software applications installed on mobile devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for efficient security coverage of mobile software applications installed on mobile devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links