
MIME: A Formal Approach to (Android) Emulation Malware Analysis

Conference paper, Foundations and Practice of Security (FPS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9482)

Abstract

In this paper, we propose a new dynamic and configurable approach to anti-emulation malware analysis, aimed at improving the transparency of existing analysis techniques. We test the effectiveness of existing widespread free analyzers and observe that the main problem of these analyses is that they provide static and immutable values for the parameters used in anti-emulation tests. Our approach aims at overcoming this limitation with an abstract non-interference-based approach that models the fact that parameters can be modified dynamically, and the corresponding executions compared.
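The core idea of the abstract above, in working code as an added example (this is not the paper's MIME tool nor its authors' code): instead of handing a sample one fixed value for each environment parameter, an analyzer injects several candidate values, runs the sample once per assignment, and compares what it observes. The `observe` function plays the role of the abstraction in abstract non-interference, so the analyst decides which differences in behaviour count. The toy sample, the parameter names (the IMEI and IMSI identifiers named in the paper's notes) and all candidate values are constructed placeholders for this illustration.

```python
"""
Added example (not the paper's own code): a toy analyzer that varies the
device parameters an anti-emulation check might read and compares the
resulting executions. A sample whose observed behaviour changes with those
parameters is flagged as environment-sensitive. The sample program and every
parameter value below are constructed for this example.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Set, Tuple

Params = Dict[str, str]
Sample = Callable[[Params], str]   # sample program: device parameters -> observable action
Observe = Callable[[str], str]     # abstraction of what the analyst can see


def toy_sample(params: Params) -> str:
    """Constructed stand-in for an app under analysis (not real malware):
    it reads a device parameter and picks a behaviour based on it."""
    if params["imei"] == "PLACEHOLDER_EMU_IMEI":   # constructed emulator-like value
        return "idle"                               # stays quiet under the analyzer
    return "contact-server"                         # otherwise performs its real action


def toy_benign(params: Params) -> str:
    """Constructed sample whose behaviour does not depend on the parameters."""
    return "contact-server"


def run_under_parameters(sample: Sample,
                         param_space: Dict[str, Iterable[str]]) -> List[Tuple[Params, str]]:
    """Execute the sample once per combination of candidate parameter values."""
    names = list(param_space)
    runs = []
    for combo in product(*(list(param_space[n]) for n in names)):
        params = dict(zip(names, combo))
        runs.append((params, sample(params)))
    return runs


def environment_sensitivity(sample: Sample, param_space: Dict[str, Iterable[str]],
                            observe: Observe = lambda out: out) -> Tuple[bool, Set[str]]:
    """Abstract non-interference style check.

    `observe` abstracts the raw output (for instance the analyst may only care
    whether network activity happens at all). If the abstracted observation
    differs across parameter assignments, the parameters interfere with what
    the analyst sees, i.e. the sample is environment-sensitive.
    Returns (is_sensitive, set of distinct observations).
    """
    observations = {observe(out) for _, out in run_under_parameters(sample, param_space)}
    return len(observations) > 1, observations


def which_parameters_matter(sample: Sample, param_space: Dict[str, Iterable[str]],
                            observe: Observe = lambda out: out) -> List[str]:
    """Vary one parameter at a time (others held at their first candidate) and
    report the parameters whose value alone changes the observation."""
    baseline = {n: list(vals)[0] for n, vals in param_space.items()}
    culprits = []
    for name, values in param_space.items():
        outs = set()
        for v in values:
            p = dict(baseline)
            p[name] = v
            outs.add(observe(sample(p)))
        if len(outs) > 1:
            culprits.append(name)
    return culprits


# Constructed candidate values the analyzer injects instead of one static value.
CANDIDATES: Dict[str, List[str]] = {
    "imei": ["PLACEHOLDER_EMU_IMEI", "PLACEHOLDER_DEVICE_IMEI_1"],
    "imsi": ["PLACEHOLDER_EMU_IMSI", "PLACEHOLDER_DEVICE_IMSI_1"],
}

# Coarser abstraction: the analyst only observes whether the network is used.
NETWORK_ONLY: Observe = lambda out: "net" if out == "contact-server" else "no-net"


if __name__ == "__main__":
    for name, sample in (("toy_sample", toy_sample), ("toy_benign", toy_benign)):
        sensitive, seen = environment_sensitivity(sample, CANDIDATES, NETWORK_ONLY)
        print(f"{name}: sensitive={sensitive}, observations={sorted(seen)}, "
              f"parameters that matter={which_parameters_matter(sample, CANDIDATES)}")
```

With a single static IMEI value the first sample would look identical to the benign one; only by comparing executions across several injected values does the difference become visible, and `which_parameters_matter` narrows it down to the parameter the check depends on. Passing a coarser `observe` (for example one that maps every output to the same value) makes the sample non-interfering with respect to that abstraction, which is exactly the parameterisation abstract non-interference provides.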

This work is partly supported by the MIUR FIRB project FACE (Formal Avenue for Chasing malwarE) RBFR13AJFT.


Notes

  1. International Mobile Equipment Identity.

  2. International Mobile Subscriber Identity.


Author information

Corresponding author: Isabella Mastroeni.


Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Bellini, F., Chiodi, R., Mastroeni, I. (2016). MIME: A Formal Approach to (Android) Emulation Malware Analysis. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds) Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science, vol 9482. Springer, Cham. https://doi.org/10.1007/978-3-319-30303-1_16

  • DOI: https://doi.org/10.1007/978-3-319-30303-1_16
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-30302-4
  • Online ISBN: 978-3-319-30303-1
