Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application
First Claim
1. A method, comprising:
- determining, by an explorer engine, a first state of an application;
identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified in response to either (i) a first rule-based analysis of the code of the application that identifies whether the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and
reaching the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application.
7 Assignments
0 Petitions
Accused Products
Abstract
A method is described that involves receiving an application and generating a representation of the application that describes states of the application and transitions between the states. The method further includes referring to one or more rules and/or information from an inference engine that is observing the application'"'"'s run time behavior to identify a region of interest within the application and reaching the region of interest by performing the following: identifying a path from the application'"'"'s present state to the region of interest; representing states of the application along the path as logic expressions; solving the expressions to generate solutions to the expressions; causing stimuli to be provided to the application, where the stimuli correspond to the solutions.
-
Citations
42 Claims
-
1. A method, comprising:
-
determining, by an explorer engine, a first state of an application; identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified in response to either (i) a first rule-based analysis of the code of the application that identifies whether the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and reaching the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. A system comprising:
-
a processor; and a non-transitory storage medium communicatively coupled to the processor, the storage medium includes a central intelligence engine that comprises an explorer engine configured, when executed by the processor, to (i) determine a first state of an application, (ii) identify a region of interest of the application, the region of interest is a portion of code of the application that is identified in response to either (a) a first rule-based analysis of the code of the application that identifies the portion of code of the application may correspond to improperly behaving code or (b) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation associated with malware, and (iii) reach the region of interest by at least (a) determining a path from the first state of the application to the region of interest, (b) representing states of the application along the path as one or more logic expressions, (c) solving the one or more logic expressions associated with the states of the application to generate at least one stimulus to the expressions, and (d) causing the at least one stimulus to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application; and a behavior and logic engine configured, when executed by the processor, to determine whether the regions of interest is associated with improperly behaving code or malware. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
-
-
32. A method, comprising:
-
determining, by an explorer engine, a first state of an application; identifying, by the explorer engine, a region of interest of the application, the region of interest comprises a portion of code of the application that is identified response to either (i) a first rule-based analysis of the code of the application that identifies the portion of code of the application may correspond to improperly behaving code or (ii) a second rule-based analysis of the code of the application that identifies the portion of code of the application as being directed to a particular operation that is associated with malware; and reaching the region of interest by at least (1) determining a path from the first state of the application to the region of interest, (2) maintaining a state of a graphic user interface (GUI) of the application, (3) using, at least in part, operations of the GUI of the application to transition from the first state of the application toward the region of interest, and (4) causing at least one stimulus, based at least in part on the information associated with the operations of the GUI, to be provided to the application to drive the application during runtime to the region of interest while monitoring behaviors of the application. - View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
-
Specification