SlideShare une entreprise Scribd logo

STAAF, An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis

Praetorian
Praetorian

There has been no shortage of Android malware analysis reports recently, but thus far that trend has not been accompanied with an equivalent scale of released public Android application tools or frameworks. To address this issue, we are presenting the Scalable Tailored Application Analysis Framework (STAAF), released as a new OWASP project for public use under Apache License 2.0. The goal of this framework is to allow a team of one or more analysts to efficiently analyze a large number of Android applications. In addition to large scale analysis, the framework aims to promote collaborative analysis through shared processing and results. Our framework is designed using a modular and distributed approach, which allows each processing node to be highly tailored for a particular task. At the heart of the framework is the Resource Manager (RM) module, which is responsible for tracking samples, managing analysis modules, and storing results. The RM also serves to reduce processing time and data management through the deduplication of data and work, and it also aids with the scheduling of tasks so that they can be completed as a pipeline or as a single unit. When processing begins, the RM uses several default "primitive" modules that carry out the fundamental operations, such as extracting the manifest, transforming the Dalvik bytecode, and extracting application resources. The analysis modules then use the raw results to extract specific attributes such as permissions, receivers, invoked methods, external resources accessed, control flow graphs, etc., and these results are then stored in a distributed data store, after which the information can be queried for high level trends or targeted searches. The modular nature of our framework allows independent analyses to happen on a per module basis, and the results of this data processing can be merged with other results at a later time. This design promotes an agile approach to large scale analysis, because it permits a wide array of analysis to happen distributively and in parallel. This means that teams with different needs or schedules can complete time-sensitive tasks separately with minimized data processing pipelines, while allowing more complex or time intensive tasks to be added later. Additionally, if analysis needs to be branched at some point in the pipeline, intermediate results can be retained and additional modules can be added leveraging the results from the past analysis steps. The results are also stored in a distributed database and designed to be queried using a map-reduce style query, which offers performance efficiencies as well as allowing the transparent inclusion of remote third party analysis databases. By using this plug-in style analysis framework, we are able to attain more efficient processing schedules and tailor the analysis for a specific need. This framework is designed to be scalable and extensible, and the initial offering of this framework includes several modules...

TechnologieFormation
1  sur  49
Télécharger pour lire hors ligne
STAAF An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis OWASP AppSec USA Thursday, September 22, 2011 1 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Allow Me to Introduce Myself Ryan W Smith VP Engineering at Praetorian  OWASP DFW Chapter Leader (2011)  Active member of The Honeynet Project (2002- )  8+ years of work with DoD, Intelligence Community, Federal/State/Local governments, and Fortune 500 companies 2 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
3 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 4 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What can STAAF do for you? Observation #1: There are a lot of Android app analysis tools freely available BUT: They’re typically designed for single app analysis STAAF leverages the power of these tools as modules, And adds efficiency, scalability, data mgmt and sharing 5 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What can STAAF do for you? Observation #2: Higher value analysis can be attained by analyzing large numbers of applications over long periods of time SOLUTION: Reduce the time and complexity for an analyst to process large numbers of apps Goal Analyze 50k apps in less than 2 days and make the extracted data readily available to analysts 6 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What can STAAF do for you? Process Process Meaningful Apps Data Results Mod #1 Mod A Mod #2 Mod B Analytic Mod #3 Data Mod C Mod #N Mod Z Goal Minimize analysts’ effort to extract meaningful results from a large number of applications 7 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What is STAAF 8 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What is STAAF 9 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What is STAAF 10 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What is STAAF 11 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What is STAAF 12 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
What STAAF is NOT • STAAF is not a stand alone application • STAAF is not only a malware detection or anti-virus engine • STAAF is not an application collection tool STAAF is a problem agnostic app analysis framework 13 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 14 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Android’s Open App Model • Low barrier to entry • Apps hosted and installed from anywhere • All apps are created equal • No distinction between core apps and 3rd party apps • Accept apps based on: 1. Trust of the source 2. Permissions requested 15 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
“Legitimate” Monitoring Apps Ad/Marketing Networks Social Gaming Networks 16 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
“Not-So-Legitimate” Permission Use SMS Trojan – Link to site hosting rogue app for “free movie player” – Sends 2 Premium SMS messages to a Kazakhstan number (about $5 per message) Gemini – Repackaged apps in Chinese markets – Sex positions and MonkeyJump2 are known examples – Central C&C – Exfiltrates unique device identifiers – Downloads and Install New Apps (with permission) DroidDream – Approx. 50 Malicious apps in official market – Central C&C – Exfiltrates unique device identifiers – Downloads additional code modules 17 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 18 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 0: STAAF components initialized 19 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 1: Users sends APKs to be processed 20 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 2: Coordinator checks database for previous results and logs new instance data for each APK 21 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 3: Coordinator sends new APKs to the file repository service 22 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 4: Coordinator sends tasking orders to the task queue 23 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 5: Elastic computing nodes pull tasks from their designated task queue 24 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 6: Elastic computing nodes pull in the APK and related information 25 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 6: After processing the elastic computing nodes push out processed files and analysis results 26 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF Workflow Step 7: When all tasking is complete elastic computing nodes notify the coordinator 27 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Task Modules • Can be registered dynamically • Task-Oriented – High level • What % of apps use permission X COMPLEXITY • What is the most PRIORITY common libraries used – Mid level • Extract Permissions • Extract static URLs • Extract Methods Called – Low level • Extract manifest • Extract Dex bytecode 28 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Deduplication of Effort • All Intermediate data are cached for later use – Extract and convert manifest to ASCII – Extract Dex and convert to Smali and Java – Compute the control flow graph from the Dex • Libraries and shared resources must only be processed once • Apps must only be processed once by each module, ever Small savings matter at large scales 29 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Distributed Data Sharing • Sharing app samples is just the beginning • Share the entire process: – Raw Application – Extracted Resources – Raw Data – Processed Data • Or set specific limits on what data is shared 30 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 31 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 3 1h56m 500 1 4 Central 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local 8 0h27m 1722 5 5 Local 9 1h19m 9349 5 10 Local Achieved 50k apps in ~7 hours* *Extrapolated from shorter tests 32 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 1 Node Node 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h36m 9 1h19m 9349 5 10 Local “One EC2 Compute Unit (ECU) provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor.” -Amazon 33 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 1h56m 9 1h19m 9349 5 10 Local STAAF is bound by both CPU and database throughput 34 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 4 4 2 2h00m 500 1 2 Central Nodes Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 1h56m 0h36m 9 1h19m 9349 5 10 Local By using distributed, local databases STAAF achieves a significant time performance increase 35 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h36m 9 1h19m 9349 5 10 Local Using by adding multiple processors with local databases, we achieve near linear scalability 36 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Local Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 4 1 Nodes Node 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h36m 9 1h19m 9349 5 10 Local By simply increasing the CPU capacity to 5 ECUs, we achieve the same performance as four 1 ECU nodes 37 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h28m 9 1h19m 9349 5 10 Local Once again, using a central database fails to achieve linear performance gains 38 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h10m 9 1h19m 9349 5 10 Local By using distributed, local databases we once again achieve near linear performance gains 39 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h10m 9 1h19m 9349 5 10 Local By increasing CPU capacity, number of processing nodes, and number of databases, we decreased processing time by 14.5x 40 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Local Local DB DB 1 2h25m 500 1 1 Central 5 10 2 2h00m 500 1 2 Central Nodes Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local 1722 Apps 9349 Apps 8 0h27m 1722 5 5 Local Compute Time Compute Time 9 1h19m 9349 5 10 Local 0h27m 1h19m Larger tests confirm that STAAF continues to scale linearly 41 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Initial Results :: Permissions Requests 53,000 Applications Analyzed Permissions Requested  Android Market: ~48,000  Average: 3  3rd Party Markets: ~5,000  Most Requested: 117 Location Data 11,929 (24%) Read Contacts 3,636 (8%) Send SMS 1,693 (4%) Receive SMS 1,262 (4%) Record Audio 1,100 (2%) Read SMS 832 (2%) Process Outgoing Calls 323 (1%) 42 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Additional Results :: Shared Libraries 53,000 Applications Analyzed  Android Market: ~48,000  3rd Party Markets: ~5,000 com.admob 38% (18,426 apps ) org.apache 8% ( 3,684 apps ) com.google.android 6% ( 2,838 apps ) com.google.ads 6% ( 2,779 apps ) com.flurry 6% ( 2,762 apps ) com.mobclix 4% ( 2,055 apps ) com.millennialmedia 4% ( 1,758 apps) 43 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Permissions Are Not a Good Indicator Malware only needs a single permission zsones & Droid Dream SMS Replicator Fake Security Tool Gemeni SMS Trojan 44 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 45 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
STAAF’s Future • Build a publically available user interface • Provide a dashboard with global stats • Further Tune database performance issues • Build more complex analysis modules – Static data flow analysis – Dynamic sandbox analysis • Expose a public module interface through UI 46 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 47 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Final Thoughts • STAAF is a system of systems and services, not an application • STAAF enables large scale Android application analysis • STAAF is problem agnostic and can be tailored to answer many analytic questions • STAAF augments the capabilities of the analyst, it does not replace them • STAAF achieves scalable performance increases by increasing computer nodes/power 48 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
Q&A 49 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured

Recommandé

Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous DronesExploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Praetorian
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Praetorian
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
Lancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Lancope, Inc.
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
Shah Sheikh
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
Synopsys Software Integrity Group
 

Recommandé

Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous DronesExploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Praetorian
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Praetorian
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
Lancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Lancope, Inc.
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
Shah Sheikh
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
Synopsys Software Integrity Group
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
Lancope, Inc.
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Check Point Threat emulation 2013
Check Point Threat emulation 2013Check Point Threat emulation 2013
Check Point Threat emulation 2013
Group of company MUK
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile Security
Skycure
 
IoT Security - Preparing for the Worst
IoT Security - Preparing for the WorstIoT Security - Preparing for the Worst
IoT Security - Preparing for the Worst
Satria Ady Pradana
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
Digital Bond
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
ijtsrd
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Sylvain Martinez
 
China Cyber
China CyberChina Cyber
China Cyber
Dominic Karunesudas
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Lancope, Inc.
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
OpenDNS
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Praetorian
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
Ahmed Musaad
 

Contenu connexe

Tendances

Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
Lancope, Inc.
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
ijtsrd
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Lancope, Inc.
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 

Tendances (20)

Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Check Point Threat emulation 2013
Check Point Threat emulation 2013Check Point Threat emulation 2013
Check Point Threat emulation 2013
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile Security
 
IoT Security - Preparing for the Worst
IoT Security - Preparing for the WorstIoT Security - Preparing for the Worst
IoT Security - Preparing for the Worst
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
 
China Cyber
China CyberChina Cyber
China Cyber
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 

En vedette

Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Praetorian
 
Social Engineering - Strategy, Tactics, & Case Studies
Social Engineering - Strategy, Tactics, & Case StudiesSocial Engineering - Strategy, Tactics, & Case Studies
Social Engineering - Strategy, Tactics, & Case Studies
Praetorian
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
mapqrs
 

En vedette (10)

Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Reverse Engineering (EVO 2008)
Reverse Engineering (EVO 2008)Reverse Engineering (EVO 2008)
Reverse Engineering (EVO 2008)
 
Social Engineering - Strategy, Tactics, & Case Studies
Social Engineering - Strategy, Tactics, & Case StudiesSocial Engineering - Strategy, Tactics, & Case Studies
Social Engineering - Strategy, Tactics, & Case Studies
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
 

Similaire à STAAF, An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis

Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
SanthoshiAgadala_Test Engineer_2.6 years of Experience
SanthoshiAgadala_Test Engineer_2.6 years of ExperienceSanthoshiAgadala_Test Engineer_2.6 years of Experience
SanthoshiAgadala_Test Engineer_2.6 years of Experience
dasfagfdagadg
 
Android to TIZEN conversion service
Android to TIZEN conversion serviceAndroid to TIZEN conversion service
Android to TIZEN conversion service
Hyeokgon Ryu
 
SanthoshiAgadala_Test Engineer_2.7 years of Experience
SanthoshiAgadala_Test Engineer_2.7 years of ExperienceSanthoshiAgadala_Test Engineer_2.7 years of Experience
SanthoshiAgadala_Test Engineer_2.7 years of Experience
dasfagfdagadg
 

Similaire à STAAF, An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis (20)

Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART I
 
Cyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercatoCyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercato
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene Presentation
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Delivering Mobile Apps to the Field with Oracle
Delivering Mobile Apps to the Field with OracleDelivering Mobile Apps to the Field with Oracle
Delivering Mobile Apps to the Field with Oracle
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 
Introduction to android - SpringPeople
Introduction to android - SpringPeopleIntroduction to android - SpringPeople
Introduction to android - SpringPeople
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
SanthoshiAgadala_Test Engineer_2.6 years of Experience
SanthoshiAgadala_Test Engineer_2.6 years of ExperienceSanthoshiAgadala_Test Engineer_2.6 years of Experience
SanthoshiAgadala_Test Engineer_2.6 years of Experience
 
Android to TIZEN conversion service
Android to TIZEN conversion serviceAndroid to TIZEN conversion service
Android to TIZEN conversion service
 
SanthoshiAgadala_Test Engineer_2.7 years of Experience
SanthoshiAgadala_Test Engineer_2.7 years of ExperienceSanthoshiAgadala_Test Engineer_2.7 years of Experience
SanthoshiAgadala_Test Engineer_2.7 years of Experience
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

STAAF, An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis

  • 1. STAAF An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis OWASP AppSec USA Thursday, September 22, 2011 1 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 2. Allow Me to Introduce Myself Ryan W Smith VP Engineering at Praetorian  OWASP DFW Chapter Leader (2011)  Active member of The Honeynet Project (2002- )  8+ years of work with DoD, Intelligence Community, Federal/State/Local governments, and Fortune 500 companies 2 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 3. 3 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 4. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 4 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 5. What can STAAF do for you? Observation #1: There are a lot of Android app analysis tools freely available BUT: They’re typically designed for single app analysis STAAF leverages the power of these tools as modules, And adds efficiency, scalability, data mgmt and sharing 5 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 6. What can STAAF do for you? Observation #2: Higher value analysis can be attained by analyzing large numbers of applications over long periods of time SOLUTION: Reduce the time and complexity for an analyst to process large numbers of apps Goal Analyze 50k apps in less than 2 days and make the extracted data readily available to analysts 6 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 7. What can STAAF do for you? Process Process Meaningful Apps Data Results Mod #1 Mod A Mod #2 Mod B Analytic Mod #3 Data Mod C Mod #N Mod Z Goal Minimize analysts’ effort to extract meaningful results from a large number of applications 7 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 8. What is STAAF 8 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 9. What is STAAF 9 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 10. What is STAAF 10 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 11. What is STAAF 11 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 12. What is STAAF 12 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 13. What STAAF is NOT • STAAF is not a stand alone application • STAAF is not only a malware detection or anti-virus engine • STAAF is not an application collection tool STAAF is a problem agnostic app analysis framework 13 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 14. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 14 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 15. Android’s Open App Model • Low barrier to entry • Apps hosted and installed from anywhere • All apps are created equal • No distinction between core apps and 3rd party apps • Accept apps based on: 1. Trust of the source 2. Permissions requested 15 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 16. “Legitimate” Monitoring Apps Ad/Marketing Networks Social Gaming Networks 16 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 17. “Not-So-Legitimate” Permission Use SMS Trojan – Link to site hosting rogue app for “free movie player” – Sends 2 Premium SMS messages to a Kazakhstan number (about $5 per message) Gemini – Repackaged apps in Chinese markets – Sex positions and MonkeyJump2 are known examples – Central C&C – Exfiltrates unique device identifiers – Downloads and Install New Apps (with permission) DroidDream – Approx. 50 Malicious apps in official market – Central C&C – Exfiltrates unique device identifiers – Downloads additional code modules 17 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 18. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 18 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 19. STAAF Workflow Step 0: STAAF components initialized 19 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 20. STAAF Workflow Step 1: Users sends APKs to be processed 20 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 21. STAAF Workflow Step 2: Coordinator checks database for previous results and logs new instance data for each APK 21 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 22. STAAF Workflow Step 3: Coordinator sends new APKs to the file repository service 22 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 23. STAAF Workflow Step 4: Coordinator sends tasking orders to the task queue 23 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 24. STAAF Workflow Step 5: Elastic computing nodes pull tasks from their designated task queue 24 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 25. STAAF Workflow Step 6: Elastic computing nodes pull in the APK and related information 25 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 26. STAAF Workflow Step 6: After processing the elastic computing nodes push out processed files and analysis results 26 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 27. STAAF Workflow Step 7: When all tasking is complete elastic computing nodes notify the coordinator 27 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 28. Task Modules • Can be registered dynamically • Task-Oriented – High level • What % of apps use permission X COMPLEXITY • What is the most PRIORITY common libraries used – Mid level • Extract Permissions • Extract static URLs • Extract Methods Called – Low level • Extract manifest • Extract Dex bytecode 28 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 29. Deduplication of Effort • All Intermediate data are cached for later use – Extract and convert manifest to ASCII – Extract Dex and convert to Smali and Java – Compute the control flow graph from the Dex • Libraries and shared resources must only be processed once • Apps must only be processed once by each module, ever Small savings matter at large scales 29 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 30. Distributed Data Sharing • Sharing app samples is just the beginning • Share the entire process: – Raw Application – Extracted Resources – Raw Data – Processed Data • Or set specific limits on what data is shared 30 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 31. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 31 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 32. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 3 1h56m 500 1 4 Central 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local 8 0h27m 1722 5 5 Local 9 1h19m 9349 5 10 Local Achieved 50k apps in ~7 hours* *Extrapolated from shorter tests 32 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 33. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 1 Node Node 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h36m 9 1h19m 9349 5 10 Local “One EC2 Compute Unit (ECU) provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor.” -Amazon 33 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 34. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 1h56m 9 1h19m 9349 5 10 Local STAAF is bound by both CPU and database throughput 34 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 35. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 4 4 2 2h00m 500 1 2 Central Nodes Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 1h56m 0h36m 9 1h19m 9349 5 10 Local By using distributed, local databases STAAF achieves a significant time performance increase 35 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 36. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 1 ECU 1 ECU 4 0h36m 500 1 4 Local 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h36m 9 1h19m 9349 5 10 Local Using by adding multiple processors with local databases, we achieve near linear scalability 36 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 37. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Local Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 4 1 Nodes Node 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h36m 9 1h19m 9349 5 10 Local By simply increasing the CPU capacity to 5 ECUs, we achieve the same performance as four 1 ECU nodes 37 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 38. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Central DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h28m 9 1h19m 9349 5 10 Local Once again, using a central database fails to achieve linear performance gains 38 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 39. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 0h36m 0h10m 9 1h19m 9349 5 10 Local By using distributed, local databases we once again achieve near linear performance gains 39 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 40. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Central Local DB DB 1 2h25m 500 1 1 Central 2 2h00m 500 1 2 Central 1 4 Node Nodes 3 1h56m 500 1 4 Central 5 1 ECU 4 0h36m 500 1 4 Local ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local Compute Time Compute Time 8 0h27m 1722 5 5 Local 2h25m 0h10m 9 1h19m 9349 5 10 Local By increasing CPU capacity, number of processing nodes, and number of databases, we decreased processing time by 14.5x 40 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 41. Time Trials STAAF Performance Tests # Time Apps ECUs Nodes Database Local Local DB DB 1 2h25m 500 1 1 Central 5 10 2 2h00m 500 1 2 Central Nodes Nodes 3 1h56m 500 1 4 Central 5 5 4 0h36m 500 1 4 Local ECUs ECUs 5 0h36m 500 5 1 Central 6 0h28m 500 5 4 Central 7 0h10m 500 5 4 Local 1722 Apps 9349 Apps 8 0h27m 1722 5 5 Local Compute Time Compute Time 9 1h19m 9349 5 10 Local 0h27m 1h19m Larger tests confirm that STAAF continues to scale linearly 41 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 42. Initial Results :: Permissions Requests 53,000 Applications Analyzed Permissions Requested  Android Market: ~48,000  Average: 3  3rd Party Markets: ~5,000  Most Requested: 117 Location Data 11,929 (24%) Read Contacts 3,636 (8%) Send SMS 1,693 (4%) Receive SMS 1,262 (4%) Record Audio 1,100 (2%) Read SMS 832 (2%) Process Outgoing Calls 323 (1%) 42 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 43. Additional Results :: Shared Libraries 53,000 Applications Analyzed  Android Market: ~48,000  3rd Party Markets: ~5,000 com.admob 38% (18,426 apps ) org.apache 8% ( 3,684 apps ) com.google.android 6% ( 2,838 apps ) com.google.ads 6% ( 2,779 apps ) com.flurry 6% ( 2,762 apps ) com.mobclix 4% ( 2,055 apps ) com.millennialmedia 4% ( 1,758 apps) 43 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 44. Permissions Are Not a Good Indicator Malware only needs a single permission zsones & Droid Dream SMS Replicator Fake Security Tool Gemeni SMS Trojan 44 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 45. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 45 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 46. STAAF’s Future • Build a publically available user interface • Provide a dashboard with global stats • Further Tune database performance issues • Build more complex analysis modules – Static data flow analysis – Dynamic sandbox analysis • Expose a public module interface through UI 46 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 47. Presentation Roadmap • STAAF (Overview) • Background • STAAF (Deep Dive) • Results • Future Work • Conclusions 47 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 48. Final Thoughts • STAAF is a system of systems and services, not an application • STAAF enables large scale Android application analysis • STAAF is problem agnostic and can be tailored to answer many analytic questions • STAAF augments the capabilities of the analyst, it does not replace them • STAAF achieves scalable performance increases by increasing computer nodes/power 48 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  • 49. Q&A 49 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured