Praetorian’s Ryan W Smith and Adam Pridgen to speak at OWASP AppSec USA 2011
Posted on Wednesday, August 10, 2011 by Paul Jauregui
Praetorian’s Ryan W Smith and Adam Pridgen will speak at OWASP AppSec USA 2011. The two security researchers will present their work on STAAF, an efficient distributed framework for performing large-scale Android application analysis.
When: September 22-23, 2011 6:00 – 9:00 PM
Where: Minneapolis Convention Center
Speakers:
1) Ryan W Smith
2) Adam Pridgen
Registration and more details at http://www.appsecusa.org/
[Talk Details can be found at http://www.appsecusa.org/talks.html#staaf]
STAAF: An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis
There has been no shortage of Android malware analysis reports recently, but thus far that trend has not been accompanied by an equivalent scale of publicly released Android application analysis tools or frameworks. To address this issue, we are presenting the Scalable Tailored Application Analysis Framework (STAAF), released as a new OWASP project for public use under the Apache License 2.0. The goal of this framework is to allow a team of one or more analysts to efficiently analyze a large number of Android applications. In addition to large-scale analysis, the framework aims to promote collaborative analysis through shared processing and shared results.
Our framework is designed using a modular and distributed approach, which allows each processing node to be highly tailored for a particular task. At the heart of the framework is the Resource Manager (RM) module, which is responsible for tracking samples, managing analysis modules, and storing results. The RM also reduces processing time and data-management overhead by deduplicating both data and work, and it schedules tasks so that they can be completed as a pipeline or as a single unit. When processing begins, the RM runs several default “primitive” modules that carry out the fundamental operations, such as extracting the manifest, transforming the Dalvik bytecode, and extracting application resources. The analysis modules then use those raw results to extract specific attributes such as permissions, receivers, invoked methods, external resources accessed, control flow graphs, etc. These results are stored in a distributed data store, after which the information can be queried for high-level trends or targeted searches.
The modular nature of our framework allows independent analyses to happen on a per-module basis, and the results of this data processing can be merged with other results at a later time. This design promotes an agile approach to large-scale analysis, because it permits a wide array of analyses to happen in a distributed fashion and in parallel. This means that teams with different needs or schedules can complete time-sensitive tasks separately with minimal data-processing pipelines, while more complex or time-intensive tasks can be added later. Additionally, if the analysis needs to branch at some point in the pipeline, intermediate results can be retained and additional modules can be added that leverage the results of past analysis steps. The results are also stored in a distributed database designed to be queried in a map-reduce style, which offers performance efficiencies as well as allowing the transparent inclusion of remote third-party analysis databases. By using this plug-in style analysis framework, we are able to attain more efficient processing schedules and tailor the analysis to a specific need.
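The two paragraphs above describe the shape of the pipeline rather than its code. The block below is an added illustration written for this post, not STAAF’s own implementation, of the same ideas in miniature: a resource manager that keys samples by content hash (so a resubmitted APK is one sample, not two), a “primitive” module that produces a raw artifact, analysis modules that derive attributes from it, memoised per-sample results so each stage runs once even when a later module branches off an earlier one, and a map-reduce style query over everything stored. The class and function names are hypothetical, and the two manifests are constructed samples written as decoded XML; a real APK carries the manifest in binary AXML inside a zip, and decoding it would be another primitive module.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Constructed samples (not real applications): decoded AndroidManifest.xml text.
SAMPLE_A = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_B = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


class ResourceManager:
    """Hypothetical RM: tracks samples by content hash, wires modules into a
    dependency pipeline, and memoises results so each (sample, module) pair
    is computed once no matter how many downstream modules need it."""

    def __init__(self):
        self.samples = {}    # sha256 hex -> raw bytes
        self.modules = {}    # module name -> (dependency names, callable)
        self.results = {}    # (sha256 hex, module name) -> result
        self.executions = 0  # number of module runs that actually happened

    def register(self, name, deps, fn):
        self.modules[name] = (tuple(deps), fn)

    def submit(self, raw):
        digest = hashlib.sha256(raw).hexdigest()
        self.samples.setdefault(digest, raw)  # identical bytes -> one sample
        return digest

    def run(self, digest, name):
        key = (digest, name)
        if key in self.results:
            return self.results[key]
        deps, fn = self.modules[name]
        inputs = {d: self.run(digest, d) for d in deps}  # upstream stages first
        result = fn(self.samples[digest], inputs)
        self.results[key] = result
        self.executions += 1
        return result

    def query(self, name, mapper, reducer):
        """Map-reduce style query over one module's result for every sample,
        running the module for any sample not yet analysed."""
        return reducer(mapper(self.run(d, name)) for d in self.samples)


# Primitive module: produces the raw artifact that analysis modules consume.
def extract_manifest(raw, _inputs):
    return ET.fromstring(raw)


# Analysis modules: derive attributes from the primitive output.
def permissions(_raw, inputs):
    return sorted(e.get(A + "name") for e in inputs["manifest"].iter("uses-permission"))


def receivers(_raw, inputs):
    out = []
    for r in inputs["manifest"].iter("receiver"):
        actions = sorted(a.get(A + "name") for a in r.iter("action"))
        # Before Android 12 a receiver with an intent-filter is exported unless
        # android:exported="false" is set explicitly, so treat it that way here.
        exported = r.get(A + "exported")
        if exported is None:
            exported = "true" if actions else "false"
        out.append({"name": r.get(A + "name"), "exported": exported == "true", "actions": actions})
    return out


def build_rm():
    rm = ResourceManager()
    rm.register("manifest", [], extract_manifest)
    rm.register("permissions", ["manifest"], permissions)
    rm.register("receivers", ["manifest"], receivers)
    return rm


def demo():
    rm = build_rm()
    a1 = rm.submit(SAMPLE_A)
    a2 = rm.submit(SAMPLE_A)  # resubmission: same digest, no new work
    b = rm.submit(SAMPLE_B)
    perms_a = rm.run(a1, "permissions")
    recv_a = rm.run(a2, "receivers")  # branches off the cached manifest stage
    freq = rm.query("permissions", Counter, lambda parts: sum(parts, Counter()))
    return {
        "deduplicated": a1 == a2,
        "permissions_a": perms_a,
        "receivers_a": recv_a,
        "permission_frequency": dict(freq),
        "executions": rm.executions,  # manifest+permissions+receivers for A, manifest+permissions for B
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The count of executions is the point: sample A is submitted twice and analysed by two modules that both depend on the manifest stage, yet that stage runs once, and the corpus-wide permission query only triggers work for sample B, which had not been analysed yet. Swapping the in-memory dicts for a distributed store and the recursive `run` for a scheduler is what turns this sketch into the architecture the abstract describes.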
This framework is designed to be scalable and extensible, and the initial release includes several modules that focus on key aspects of the application analysis process. Our hope is that releasing the framework will not only provide an efficient tool for automating and scaling analysis tasks, but also encourage the sharing of research in the field. We will present a detailed overview of the architecture of the STAAF framework and the process for creating a customized implementation. We’ll also demonstrate multiple use-case walk-throughs, and present results from our own analysis of a private collection of applications from the official Android Market as well as several third-party marketplaces.
