Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application

US 9,367,681 B1
Filed: 02/23/2013
Issued: 06/14/2016
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining, by an explorer engine, a first state of an application;

identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified in response to either (i) a first rule-based analysis of the code of the application that identifies whether the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and

reaching the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that involves receiving an application and generating a representation of the application that describes states of the application and transitions between the states. The method further includes referring to one or more rules and/or information from an inference engine that is observing the application'"'"'s run time behavior to identify a region of interest within the application and reaching the region of interest by performing the following: identifying a path from the application'"'"'s present state to the region of interest; representing states of the application along the path as logic expressions; solving the expressions to generate solutions to the expressions; causing stimuli to be provided to the application, where the stimuli correspond to the solutions.

Citations

42 Claims

1. A method, comprising:
- determining, by an explorer engine, a first state of an application;
  
  identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified in response to either (i) a first rule-based analysis of the code of the application that identifies whether the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and
  
  reaching the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 further comprising:
    - enabling one or more monitors to be operable during runtime of the application when the application is executing in a runtime environment; and
      
      observing behaviors by the one or more monitors during runtime of the application to determine if the region of interest corresponds to improperly behaving code or corresponds to code that conducts the particular operation that is associated with malware.
  - 3. The method of claim 1, wherein the path corresponds to a sequence of state transitions from the first state to a second state associated with the region of interest.
  - 4. The method of claim 1, wherein the identifying of the region of interest comprises analysis of the portion of code of the application to determine if the portion of the code generates an application programming interface (API) call that attempts to appear as if a user invoked the API call.
  - 5. The method of claim 1, wherein the identifying of the region of interest includes analysis of the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 6. The method of claim 1, wherein the reaching of the region of interest comprises setting monitors within the runtime environment to observe behaviors for determining whether or not the region of interest corresponds to improperly behaving code.
  - 7. The method of claim 1, wherein the solving the expressions to generate the at least one stimulus comprises determining whether a solution exists for the logic expressions and determining constraints for the solution.
  - 8. The method of claim 1 further comprising:
    - setting one or more monitors; and
      
      observing behaviors by the one or more monitors during runtime of the application to determine if the region of interest corresponds to improperly behaving code.
  - 9. The method of claim 8 wherein the setting of the one or more monitors includes enabling at least one monitor associated with any of:
    - a virtual machine located between the application and an operating system instance within the run time environment associated with the application; and
      
      the operating system instance.
  - 10. The method of claim 8, wherein the setting of the one or more monitors includes enabling at least one monitor in both of the virtual machine and the operating system instance.
  - 11. The method of claim 1 wherein at least one stimulus is generated within the application through a stimulus function that has been instrumented in the application.
  - 12. The method of claim 11 further comprising instrumenting the application with the stimulus function to apply the at least one stimulus to the application.
  - 13. The method of claim 1 wherein at least one stimulus is generated within a virtual machine that resides between the application and an operating system on which the application is running.
  - 14. The method of claim 13 wherein the operating system is one of a plurality of operating system instances running on a virtual machine layer.
  - 15. The method of claim 1 wherein the at least one stimulus is generated within an operating system.
  - 16. The method of claim 1 further comprising:
    - responsive to identifying another suspected region of interest having a higher priority for analysis over the region of interest, discontinuing current analysis of the region of interest and performing operations to reach the another suspected region of interest for analysis.
  - 17. The method of claim 1 further comprising:
    - determining, during runtime of the application whether the regions of interest is associated with improperly behaving code or malware.

18. A system comprising:
- a processor; and
  
  a non-transitory storage medium communicatively coupled to the processor, the storage medium includes a central intelligence engine that comprisesan explorer engine configured, when executed by the processor, to (i) determine a first state of an application, (ii) identify a region of interest of the application, the region of interest is a portion of code of the application that is identified in response to either (a) a first rule-based analysis of the code of the application that identifies the portion of code of the application may correspond to improperly behaving code or (b) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation associated with malware, and (iii) reach the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application; and
  
  a behavior and logic engine configured, when executed by the processor, to determine whether the regions of interest is associated with improperly behaving code or malware.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 19. The system of claim 18, wherein the central intelligence engine, in response to identifying another suspected region of interest having a higher priority for analysis over the region of interest, discontinuing current analysis of the region of interest and performing operations to reach the another suspected region of interest for subsequent analysis.
  - 20. The system of claim 18, wherein the explorer engine is further configured to cause the at least one stimulus to be provided to the application.
  - 21. The system of claim 18, wherein the path corresponds to a sequence of state transitions from the first state to a second state associated with the region of interest.
  - 22. The system of claim 18, wherein the explorer engine is configured to identify the region of interest by at least analyzing the portion of code of the application to determine if the portion of the code generates an application programming interface (API) call that attempts to appear as if a user invoked the API call.
  - 23. The system of claim 18, wherein the explorer engine is configured to identify the region of interest by at least analyzing the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 24. The system of claim 18, wherein at least upon reaching of the region of interest, the explorer engine is configured to set monitors within a runtime environment for the behavior and logic engine to observe behaviors for determining whether or not the region of interest is associated with improperly behaving code or malware.
  - 25. The system of claim 18, wherein the explorer engine is configured to solve the expressions to generate the at least one stimulus by at least determining whether a solution exists for the logic expressions and determining constraints for the solution.
  - 26. The system of claim 18, whereinthe explorer engine is configured to set one or more monitors within a run-time environment;
    - andthe behavior and logic engine is configured to determine, based on monitor behaviors by the one or more monitors, whether the region of interest is associated with improperly behaving code or malware.
  - 27. The system of claim 26, wherein the setting of the one or more monitors by the explorer engine includes enabling at least one monitor associated with any of:
    - a virtual machine located between the application and an operating system instance within the run time environment associated with the application;
      
      the operating system instance.
  - 28. The system of claim 26, wherein the setting of the one or more monitors by the explorer engine includes enabling at least one monitor in both of the virtual machine and the operating system instance.
  - 29. The system of claim 18, wherein at least one stimulus is generated within the application through a stimulus function that has been instrumented in the application.
  - 30. The system of claim 18, wherein at least one stimulus is generated within a virtual machine that resides between the application and an operating system on which the application is running.
  - 31. The system of claim 30, wherein the operating system is one of a plurality of operating system instances running on a virtual machine layer.

32. A method, comprising:
- determining, by an explorer engine, a first state of an application;
  
  identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified response to either (i) a first rule-based analysis of the code of the application that identifies the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and
  
  reaching the region of interest by at least (1) determining a path from the first state of the application to the region of interest, (2) maintaining a state of a graphic user interface (GUI) of the application, (3) using, at least in part, operations of the GUI of the application to transition from the first state of the application toward the region of interest, and (4) causing at least one stimulus, based at least in part on the information associated with the operations of the GUI, to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 33. The method of claim 32 further comprising:
    - enabling one or more monitors to be operable during runtime of the application; and
      
      observing behaviors by the one or more monitors during runtime of the application to determine if the region of interest corresponds to improperly behaving code or corresponds to malware.
  - 34. The method of claim 32, wherein the path corresponds to a sequence of state transitions from the first state to a second state associated with the region of interest.
  - 35. The method of claim 32, wherein the identifying of the region of interest comprises analysis of the portion of code of the application to determine if the portion of the code generates an application programming interface (API) call that attempts to appear as if a user invoked the API call.
  - 36. The method of claim 32, wherein the identifying of the region of interest includes analysis of the portion of code of the application to determine if the portion of the code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 37. The method of claim 32, wherein prior to reaching of the region of interest, the method further comprises setting monitors within a runtime environment to observe behaviors caused by the portion of code during execution for at least determining whether or not the region of interest corresponds to improperly behaving code.
  - 38. The method of claim 32 further comprising:
    - setting one or more monitors within a run-time environment; and
      
      observing behaviors by the one or more monitors for use in determining whether the region of interest corresponds to improperly behaving code.
  - 39. The method of claim 38 wherein the setting of the one or more monitors includes enabling at least one monitor associated with any of:
    - a virtual machine located between the application and an operating system instance within the run time environment associated with the application;
      
      the operating system instance.
  - 40. The method of claim 38, wherein the setting of the one or more monitors includes enabling at least one monitor in both of the virtual machine and the operating system instance.
  - 41. The method of claim 32, wherein the at least one stimulus is generated within the application through a stimulus function that has been instrumented in the application.
  - 42. The method of claim 32, wherein the at least one stimulus is generated within a virtual machine that resides between the application and an operating system on which the application is running.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul, Song, Dawn, Xue, Hui
Primary Examiner(s)
Chang, Kenneth

Application Number

US13/775,171
Time in Patent Office

1,207 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 2221/2111   Location-sensitive, e.g. ge...

Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links