Hi Kris,

Could you please explain a little bit more about "Return oriented 
programming at the intent level (so that apps cannot 
act as proxies)"? Have you seen samples of this kind of attack?  I only 
know ROP by overflow native code.
Thank you very much!

-Yuan


On Tuesday, May 21, 2013 at 3:07:48 PM UTC-7, Kristopher Micinski wrote:
>
> Actually one point really interested me in your app: you require only 
> the internet permission, good job on keeping that set down!  By 
> contrast, many apps don't look at this, still I was interested 
> compared to things like xray, what else could be possible: 
>
> - confused deputy attacks and interapp flows? 
> - Overprovisioned permissions? 
> - Return oriented programming at the intent level (so that apps cannot 
> act as proxies)? 
> - Similarity to other apps on the market via call graph similarity? 
>
> Many others!  I guess the main point is that Android security is much 
> more than signature files and simple regular expression matching 
> (though to be honest, that's better than most of the "antivirus apps" 
> out there for Android). 
>
> I'd also advise you look into some of the Android app crackers, and 
> other markets just to see what they throw into apps: in case you need 
> training rules. 
>
> Kris 
>
>
> On Tue, May 21, 2013 at 6:02 PM, Kristopher Micinski 
> <krismi...@gmail.com> wrote: 
> > I'm not at all asking you to disclose the secret sauce, I'm just 
> > saying that your tool isn't doing very well unless it's doing some 
> > sort of lightweight static analysis using bytecode matching on some 
> > set of binary regular expressions. 
> > 
> > In other words, your secret sauce isn't very secret: everyone knows 
> > this can be done, it's just how much time you put into making your 
> > analysis set realistic. 
> > 
> > Kris 
> > 
> > On Tue, May 21, 2013 at 5:58 PM, Sumin Tchen <stc...@belarc.com> wrote: 
> >> Hi Kris, 
> >> 
> >> You might find this study by Imperva and Technion on effectiveness of AV 
> >> interesting: 
> >> http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
> >> 
> >> Sorry, we don't disclose the "secret sauce". 
> >> 
> >> Regards, 
> >> Sumin 
> >> 
> >> 
> >> | -----Original Message----- 
> >> | From: Kristopher Micinski [mailto:krismi...@gmail.com] 
> >> | Sent: Tuesday, May 21, 2013 17:32 
> >> | To: Sumin Tchen 
> >> | Cc: Android Security Discussions 
> >> | Subject: Re: [android-security-discuss] Re: New Android vulnerability app 
> >> | 
> >> | On Sat, May 18, 2013 at 10:48 AM, sumin tchen <stc...@belarc.com> wrote: 
> >> | > Hi Kris, 
> >> | > 
> >> | > Good question!  Anti-virus is based on signature files which identify 
> >> | > the security threats.  While this worked somewhat in the past, it's 
> >> | > pretty ineffective against today's threats which can change their 
> >> | > signatures much faster than AV products can update their signatures. 
> >> | > 
> >> | 
> >> | This isn't my experience at all: most of the people I know doing antivirus on 
> >> | Android (I've read a few) do things more like regular expressions style 
> >> | matching on bytecode for apps.  Lightweight static analysis is a key to 
> >> | antivirus (though of course not the only option, it's all a numbers game): it's 
> >> | way more than just signature files. 
> >> | 
> >> | > Belarc's Security Advisor is based on discovering and helping you 
> >> | > update the existing vulnerabilities, both apps and operating system, 
> >> | > and thereby not allowing the security threats to affect your Android 
> >> | > device.  This works no matter how often the threat signatures change. 
> >> | > 
> >> | 
> >> | You still didn't really mention at all what techniques your tool employs.  You 
> >> | don't have to give any hint at how your "secret sauce" 
> >> | is, of course, but I was more interested in what style of binary analysis 
> >> | techniques you were using. 
> >> | 
> >> | > Naturally there are always new vulnerabilities being discovered, and 
> >> | > this is why we are planning to release new updates to the Security 
> >> | > Advisor on a regular schedule.  We have a discussion of this topic, 
> >> | > with links to security papers from the NSA and SANS, here: 
> >> | > http://www.belarc.com/sa_full.html and here for mobiles :)) 
> >> | > http://m.belarc.com/sa.html 
> >> | > 
> >> | 
> >> | Sure, I agree completely that there are some device specific holes that need 
> >> | to be checked against apps and other things, but I am still unable to find out 
> >> | how this is working.. 
> >> | 
> >> | Kris 
>
