Framework for efficient security coverage of mobile software applications

US 9,176,843 B1
Filed: 02/23/2013
Issued: 11/03/2015
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method for automatically analyzing an application by one or more hardware processors executing instructions that perform operations comprising:

receiving the application that includes code;

identifying a region of interest of the application based on rules or analysis of the application, the identifying of the region of interest includes analyzing a portion of the code of the application and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause an improper state transition when executed;

determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest;

applying the stimuli to the application; and

monitoring one or more behaviors of the application by a central intelligence engine during virtual execution of the application in response to the applied stimuli to determine whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code, wherein the central intelligence engine being processed by a hardware processor of the one or more hardware processors.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application'"'"'s execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application'"'"'s run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

Citations

48 Claims

1. A method for automatically analyzing an application by one or more hardware processors executing instructions that perform operations comprising:
- receiving the application that includes code;
  
  identifying a region of interest of the application based on rules or analysis of the application, the identifying of the region of interest includes analyzing a portion of the code of the application and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause an improper state transition when executed;
  
  determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest;
  
  applying the stimuli to the application; and
  
  monitoring one or more behaviors of the application by a central intelligence engine during virtual execution of the application in response to the applied stimuli to determine whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code, wherein the central intelligence engine being processed by a hardware processor of the one or more hardware processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the identifying of the region of interest includes analysis of the portion of code of the application to determine if the portion of the code violates one or more rules.
  - 3. The method of claim 1, wherein the identifying of the region of interest includes analysis of the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 4. The method of claim 1, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application, drives the virtual execution of the application to the portion of code of the application representing the region of interest.
  - 5. The method of claim 1, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the virtual execution of the application to report the event to the application or provide state information to hardware observable by the application.
  - 6. The method of claim 1, wherein prior to monitoring the one or more behaviors, the method further comprisesenabling one or more monitors within the run time environment associated with the application;
    - andgenerating monitoring information from the one or more monitors.
  - 7. The method of claim 6 wherein the enabling of said one or more monitors includes enabling at least one monitor in any of:
    - a virtual machine operating within the run time environment in cooperation with the application and an operating system instance; and
      
      the operating system instance.
  - 8. The method of claim 7, wherein the enabling of the one or more monitors includes enabling a first monitor operating in cooperation with the virtual machine and a second monitor operating in cooperation with the operating system instance.
  - 9. The method of claim 6, wherein the enabling of the one or more monitors includes enabling one or more of (i) a system calls monitoring function or (ii) a device operation monitoring function.
  - 10. The method of claim 9, wherein the system calls monitoring function is at least a portion of an operating system instance.
  - 11. The method of claim 1, wherein the rules include one or more of (i) rules from a first database, (ii) rules from a machine learning platform, or (iii) user provided rules.
  - 12. The method of claim 11, wherein the region of interest is determined from one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of the improperly behaving code in order to identify the region of interest of the application.
  - 13. The method of claim 11, wherein a determination as to whether the one or more behaviors of one or more improperly behaving forms of code comprises providing details as to specific behaviors of one or more improperly behaving forms of code as observed by a machine learning system.

14. A method for automatically analyzing an application by one or more hardware processors executing instructions that perform operations comprising:
- identifying a region of interest of the application, the region of interest corresponds to one or more parts of code of the application that are considered to potentially include improperly behaving code that either (i) represents an inappropriate code structure or (ii) causes an improper state transition when executed;
  
  determining specific stimuli that will cause one or more state transitions to occur for the application so that the application commences processing of code associated with the region of interest;
  
  applying the stimuli to the application;
  
  monitoring one or more behaviors of the application during virtual execution of the code associated with the region of interest in response to the applied stimuli; and
  
  determining, by a central intelligence engine, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The method of claim 14, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application to determine if the first part of the code violates one or more rules.
  - 19. The method of claim 14, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application to determine if the first part of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 20. The method of claim 14, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application, drives the virtual execution of the application to a first part of the one or more parts of code of the application representing the region of interest.
  - 21. The method of claim 14, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the virtual execution of the application to report the event to the application or provide state information to hardware observable by the application.
  - 22. The method of claim 14, wherein prior to monitoring the one or more behaviors, the method further comprisesenabling one or more monitors within the run time environment associated with the application;
    - andgenerating monitoring information from the one or more monitors.
  - 23. The method of claim 22 wherein the enabling of said one or more monitors includes enabling at least one monitor embedded within or operating in association with at least one of:
    - a virtual machine operating within the run time environment in cooperation with the application and an operating system instance; and
      
      the operating system instance.
  - 24. The method of claim 23, wherein the enabling of the one or more monitors includes enabling at least one monitor embedded within or operating in association with the virtual machine and at least one monitor embedded within or operating in association with the operating system instance.
  - 25. The method of claim 22, wherein the enabling of the one or more monitors includes enabling one or more of (i) a system calls monitoring function and (ii) a device operation monitoring function.
  - 26. The method of claim 25, wherein the system calls monitoring function is at least a portion of an operating system instance.
  - 27. The method of claim 14, wherein the identifying of the region of interest comprises determining the region of interest from one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of the improperly behaving code.
  - 28. The method of claim 14, wherein the monitoring of the one or more behaviors of the application is conducted during virtual execution of the code associated with the region of interest within a virtual machine executed by the one or more hardware processors.
  - 29. The method of claim 14, wherein the central intelligence engine comprises instructions executed by the one or more hardware processors for determining whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.

15. A system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory comprisesa static instrumentation engine that, when executed by the one or more hardware processors, is configured to (i) identify a region of interest for an application under test that includes a portion of code that represents an inappropriate code structure or would cause an improper state transition, (ii) determine specific stimuli that causes one or more state transitions within the application to reach the region of interest, and (iii) applying the stimuli to the application,a dynamic run time environment that, when executed by the one or more hardware processors, is configured to conduct virtual execution of the application and monitoring one or more behaviors of the application during virtual execution of the application in response to the applied stimuli, anda central intelligence engine that, when executed by the one or more hardware processors, is configured to determine, in response to information associated with the one or more behaviors monitored during virtual execution of the application, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 30. The system of claim 15, wherein the static instrumentation engine to identify the region of interest from at least an analysis of the portion of code of the application to determine if the portion of the code violates one or more rules.
  - 31. The system of claim 15, wherein the static instrumentation engine to identify the region of interest from at least an analysis of the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 32. The system of claim 15, wherein the static instrumentation engine to determine the specific stimuli by at least determining a data value that, when processed by the application, drives the virtual execution of the application to the portion of code of the application representing the region of interest.
  - 33. The system of claim 15, wherein the static instrumentation engine to determine the specific stimuli by at least determining an event that causes an operating system used in the virtual execution of the application to report the event to the application or provide state information to hardware observable by the application.
  - 34. The system of claim 15, wherein prior to monitoring the one or more behaviors, the dynamic run time environment, when executed by the one or more hardware processors, furtherenables one or more monitors within the run time environment associated with the application;
    - andgenerates monitoring information from the one or more monitors.
  - 35. The system of claim 34, wherein the dynamic run time environment enables the one or more monitors by at least enabling a monitor in a virtual machine in communication with both the application and an operating system instance within the dynamic run time environment.
  - 36. The system of claim 35, wherein the dynamic run time environment enables the one or more monitors by at least enabling a first monitor embedded within or operating in association with the virtual machine and a second monitor embedded within or operating in association with the operating system instance.
  - 37. The system of claim 34, wherein the dynamic run time environment enables the one or more monitors includes by at least enabling one or more of (i) a system calls monitoring function or (ii) a device operation monitoring function.
  - 38. The system of claim 15 being implemented as a single computing system.
  - 39. The system of claim 15 being implemented as a plurality of computing systems with at least one of the static instrumentation engine, the dynamic run time environment and the central intelligence engine being operated on a first computing device of the plurality of computing devices and at least another of the static instrumentation engine, the dynamic run time environment and the central intelligence engine being operated on a second computing device of the plurality of computing devices.

16. A method for automatically analyzing an application by one or more hardware processors executing instructions that perform operations comprising:
- generating one or more machine learned rules;
  
  identify a region of interest of an application based on at least the one or more machine learned rules, the identifying of the region of interest includes analyzing a portion of code of the application and identifying that the portion of code either (i) represents an inappropriate code structure or (ii) would cause an improper state transition upon execution;
  
  configuring one or more monitors for the application to be enabled in a run time environment of the application;
  
  determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest; and
  
  applying the stimuli to the application;
  
  observing behaviors of the application during virtual processing within a virtual machine operating within the run time environment; and
  
  determining, by a central intelligence engine, whether the region of interest corresponds to improperly behaving code.
- View Dependent Claims (17, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 17. The method of claim 16 wherein the generating of the one or more machine learned rules is conducted by a cloud service.
  - 40. The method of claim 16, wherein the identifying of the region of interest includes an analysis of the portion of code of the application to determine if the portion of the code violates one or more rules.
  - 41. The method of claim 16, wherein the identifying of the region of interest includes an analysis of the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 42. The method of claim 16, wherein the determining the specific stimuli comprises determining a data value that, when processed by the application, drives the virtual processing of the application by the virtual machine to the portion of code of the application representing the region of interest.
  - 43. The method of claim 16, wherein the determining the specific stimuli comprises determining an event that causes an operating system used in the virtual processing of the application by the virtual machine to report the event to the application or provide state information to hardware observable by the application.
  - 44. The method of claim 16 wherein the configuring of the one or more monitors includes enabling at least one monitor in an operating system instance operating with the virtual machine.
  - 45. The method of claim 44, wherein the enabling of the at least one monitor includes enabling a system calls monitoring function.
  - 46. The method of claim 45, wherein the system calls monitoring function is at least a portion of the operating system instance.
  - 47. The method of claim 16, wherein the region of interest is determined from the one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of the improperly behaving code in order to identify the region of interest of the application.
  - 48. The method of claim 16, wherein the central intelligence engine comprises program code that includes one or more instructions executed by the one or more hardware processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul, Song, Dawn, Aziz, Ashar, Xue, Hui, Johnson, Noah, Mohan, Prashanth
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US13/775,168
Time in Patent Office

983 Days
Field of Search

726 22- 25, 713187-188, 717124-161
US Class Current

1/1
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

Framework for efficient security coverage of mobile software applications

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for efficient security coverage of mobile software applications

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links