Framework for efficient security coverage of mobile software applications

US 9,792,196 B1
Filed: 11/02/2015
Issued: 10/17/2017
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:

one or more hardware processors; and

a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of the application instance that includes code by analyzing a portion of the code of the application instance and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause a potentially improper behavior of the code to occur, or (iii) would cause a potentially improper state transition when the portion of the code is executed, (b) determines specific stimuli that will cause one or more state transitions within the application instance to reach the region of interest, and (c) applies the stimuli to the application instance prior to monitoring of one or more behaviors resulting from execution of at least the portion of the code of the application instance at the region of interest within one or more virtual machines comprising a run-time environment.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application'"'"'s execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application'"'"'s run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

700 Citations

31 Claims

1. A system for automatically analyzing an application instance for improperly behaving code, the system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory including a central intelligence engine that, when executed by the one or more hardware processors, (a) identifies a region of interest of the application instance that includes code by analyzing a portion of the code of the application instance and identifying whether the portion of the code either (i) represents an inappropriate code structure or (ii) would cause a potentially improper behavior of the code to occur, or (iii) would cause a potentially improper state transition when the portion of the code is executed, (b) determines specific stimuli that will cause one or more state transitions within the application instance to reach the region of interest, and (c) applies the stimuli to the application instance prior to monitoring of one or more behaviors resulting from execution of at least the portion of the code of the application instance at the region of interest within one or more virtual machines comprising a run-time environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23, 24)
- - 2. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code, upon execution, causes the potentially improper behavior of the portion of the code that include a violation of one or more rules.
  - 3. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, identifies the region of interest by at least analyzing the portion of code of the application instance to determine if the portion of the code, upon execution, causes the potentially improper behavior by attempting to cause data to be read out of a storage location assigned for sensitive data.
  - 4. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, determines the specific stimuli by at least determining a data value that, when processed by the application instance, drives execution of the application instance within the run-time environment to the portion of code of the application instance representing the region of interest.
  - 5. The system of claim 1, wherein the potentially improper behavior includes an attempt to engage in a communication session with a particular machine or database within a network.
  - 6. The system of claim 1, wherein the central intelligence engine, when executed by the one or more hardware processors, further enables or disables monitoring logic that is configured to monitor the one or more behaviors during processing of at least the portion of the code of the application instance in response to applying the stimuli to the application instance.
  - 7. The system of claim 6, wherein the monitoring logic is deployed in either (i) the one or more virtual machines or (ii) an operating system operating with the application instance.
  - 8. The system of claim 6, wherein the monitoring logic includes at least one monitor in any of:
    - a virtual machine of the one or more virtual machines;
      
      oran operating system instance that operates in combination with the application instance.
  - 9. The system of claim 1, wherein the memory further comprises the one or more virtual machines including monitoring logic that, when enabled by the central intelligence engine and during execution of the code of the application software at the region of interest, monitors the one or more behaviors of the portion of the code to determine if the code is improperly behaving code when any of the one or more behaviors is an improper behavior.
  - 10. The system of claim 8, wherein the enabling of the one or more monitoring logic includes enabling a first monitor operating in cooperation with the virtual machine or a second monitor operating in cooperation with the operating system instance.
  - 11. The system of claim 8, wherein the enabling of the one or more monitors includes enabling a system call monitoring function implemented within the operating system instance.
  - 12. The system of claim 11, wherein the region of interest is determined from one or more machine learned rules produced from data by a machine learning system and the data provides details as to specific low level code structures of a plurality of improperly behaving codes that are used to identify the region of interest of the application instance.
  - 21. The system of claim 2, wherein the one or more rules include any combination of (i) one or more rules from a first database, (ii) one or more rules from a machine learning platform, or (iii) one or more user provided rules.
  - 22. The system of claim 1, wherein the central intelligence engine, upon execution by the one or more hardware processors, identifies a second region of interest different from the region of interest based, at least in part, on the one or more behaviors resulting from execution of the code of the application instance at the region of interest.
  - 23. The system of claim 1, wherein the potentially improper behavior includes an attempt to engage in a communication session with a protected or private region of system memory used by the application instance during execution within the run-time environment.
  - 24. The system of claim 1, wherein the potentially improper behavior includes an attempt to engage in a communication session with a register space used by the application instance during execution within the run-time environment.

13. A method for automatically analyzing an application instance by one or more hardware processors executing software that perform operations comprising:
- identifying, during execution of the software by the one or more hardware processors, a region of interest of the application instance based on an analysis of code of the application instance, the region of interest corresponds to one or more parts of the code of the application instance considered to potentially include improperly behaving code that either (i) represents an inappropriate code structure, or (ii) causes a potentially improper behavior of the code to occur, or (iii) causes a potentially improper state transition when executed;
  
  determining, during execution of the software by the one or more hardware processors, specific stimuli that causes one or more state transitions within the application instance to reach the region of interest to occur;
  
  applying, during execution of the software by the one or more hardware processors, the stimuli to the application instance so that the application instance commences processing of the one or more parts of code of the application instance that is associated with the region of interest;
  
  monitoring, during execution of the software by the one or more hardware processors, one or more behaviors of the application instance during processing of the one or more parts of code of the application instance that is associated with the region of interest within one or more virtual machines in response to the applied stimuli; and
  
  determining, during execution of the software by the one or more hardware processors, whether the one or more behaviors identify that the region of interest corresponds to improperly behaving code.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 25, 26, 27)
- - 14. The method of claim 13, wherein the identifying of the region of interest includes an analysis of a first part of the one or more parts of code of the application instance within one or more virtual machines to determine if the first part of the code violates one or more rules.
  - 15. The method of claim 13, wherein the identifying of the region of interest includes execution of a first part of the one or more parts of code of the application instance within one or more virtual machines and an analysis of the one or more behaviors to determine if the first part of the one or more parts of code will attempt to cause data to be read out of a storage location assigned for sensitive data.
  - 16. The method of claim 13, wherein the determining of the specific stimuli comprises determining a data value that, when processed by the application instance, drives processing of the application instance by the one or more virtual machines to a first part of the one or more parts of code of the application instance representing the region of interest.
  - 17. The method of claim 13, wherein the potentially improper behavior includes an attempt to engage in a communication session with a particular machine or database within a network.
  - 18. The method of claim 13, wherein prior to monitoring the one or more behaviors, the method further comprisesenabling one or more monitors associated with the application instance;
    - andgenerating monitoring information from the one or more monitors.
  - 19. The method of claim 18 wherein the enabling of the one or more monitors includes enabling at least one monitor embedded within or operating in association with an operating system instance in response to determining the specific stimuli causing the one or more state transitions within the application instance to reach the region of interest.
  - 20. The method of claim 19, wherein the enabling of the one or more monitors includes enabling a system call monitoring function embedded within or operating in association with the operating system instance.
  - 25. The system of claim 13, wherein the software, upon execution of the one or more parts of code of the application, identifies a second region of interest different from the region of interest based, at least in part, on the one or more monitored behaviors.
  - 26. The system of claim 13, wherein the potentially improper behavior includes an attempt to engage in a communication session with a protected or private region of system memory used by the application instance during execution of the one or more parts of code of the application within one or more virtual machines.
  - 27. The system of claim 13, wherein the potentially improper behavior includes an attempt to engage in a communication session with a register space used by the application instance during execution of the one or more parts of code of the application within one or more virtual machines.

28. A method for automatically analyzing an application instance by one or more hardware processors executing software that perform operations comprising:
- receiving the application for analysis of a portion of code of the application instance, the portion of code considered to potentially include improperly behaving code that either (i) represents an inappropriate code structure, or (ii) causes a potentially improper behavior of the code to occur, or (iii) causes a potentially improper state transition when executed;
  
  determining a specific stimuli that causes one or more transitions within the application instance to begin processing the portion of code of the application instance;
  
  applying the stimuli to the application instance so that the application instance commences processing of the portion of code of the application instance;
  
  determining whether one or more behaviors monitored during processing of the portion of code of the application instance by the one or more hardware processor identify that the portion of the code corresponds to improperly behaving code.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, wherein the portion of code is identified by an analysis of a first part of the code of the application instance within one or more virtual machines to determine if the first part of the code violates one or more rules.
  - 30. The method of claim 28, wherein the determining of the specific stimuli comprises determining a data value that, when processed by the application instance, drives processing of the application instance by one or more virtual machines to the portion of code of the application instance.
  - 31. The method of claim 28, wherein the receiving of the application, the determining of the specific stimuli, the applying of the stimuli and the determining whether the one or more behaviors identify that the portion of the code corresponds to improperly behaving code is conducted by a cloud service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Song, Dawn, Aziz, Ashar, Johnson, Noah, Mohan, Prshanth, Xue, Hui
Primary Examiner(s)
Herzog, Madhuri

Application Number

US14/930,385
Time in Patent Office

715 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

Framework for efficient security coverage of mobile software applications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

700 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for efficient security coverage of mobile software applications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

700 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links