Greetz from academe: film at eleven


John Aycock

University of Calgary, Canada
Editor: Helen Martin


In the latest of his ‘Greetz from Academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at PREC: practical root exploit containment for Android devices.

It seems I may have accidentally set the bar too high in last month’s Greetz from Academe by mentioning both Robert Louis Stevenson and Alan Turing in the same piece. Juxtaposing literary and intellectual greats? Anything that follows will surely pale in comparison. As the astute reader will have surmised, I will not be presenting the long-awaited Mark Twain/Einstein grudge match; sorry to disappoint. Instead, I will begin with the media.

While some academics embrace the media, I also have a number of colleagues who are either wary of it or outright scornful, because media stories often gloss over subtle scientific points. Of course, it is also true that some academic research areas tend not to make a lot of headlines. Somehow I doubt that my colleague researching category theory gets too many calls from Fox News.

For my part, I always enjoy reading media press releases about computer security. They tend to have a tantalizing combination of being ill-informed along with a level of breathlessness so great that I wonder if the writer will expire mid-sentence. Earlier last week I was skimming ACM TechNews, a digest of various media stories and press releases related to computer science. It usually contains at least one security-related story, and that day was no exception: ‘Student Devises Novel Way to Detect Hackers’, blared the headline [1].

The original press release was from Binghamton University in New York [2], and after a lengthy blurb about the Ph.D. researcher’s upbringing, mixed with a healthy sprinkling of cyber-fearmongering, we arrived at the obligatory technical part: ‘Instead of reviewing all programs run by a network to find the signature of one of millions of known malware programs [...] they have developed a technology to assess behavior of individual computers.’ So far, so good. ‘This is done by monitoring system calls,’ the press release goes on to say, and the other shoe drops. I’ll spare you the remainder, but essentially, to anyone in security the press release reads as though they reinvented system call monitoring and anomaly detection. I’m sure there’s more to the researchers’ work than that, but it’s a great example of subtleties being lost.

Of course, the idea of monitoring system calls to detect anomalies has been around for many years, with key academic research by Stephanie Forrest et al. published in 1996 [3]; even their ACSAC talk on the topic, labelled in the ACSAC conference program as a ‘Classic Paper’, is itself approaching its sixth birthday [4]. All of this means that whenever a new paper appears flying the system-call-monitoring banner, there should be some new spin on it. No novelty equals no publication in academia, after all.

This brings me to ‘PREC: Practical root exploit containment for Android devices’ [5], a freshly published paper involving system call monitoring. Malware detection on mobile devices has been an open problem for some time: how do you detect malware while leaving sufficient CPU, memory, and battery life to play Angry Birds? The PREC work combines the two, as the majority of the malicious test cases involve Angry Birds being repackaged by the researchers with different root exploits. I’m not kidding.

The main idea behind PREC is perhaps best summed up as follows: ‘PREC focuses on third-party native code which is very difficult, if not totally impossible, to decompile’ [5, p. 192]. This may come as a surprise to anyone who does reverse engineering on a daily basis, but it does capture both PREC’s premise and its mechanism. One of many assumptions PREC makes is that most Android root exploit shenanigans stem from third-party native code. This means that the scope of system call monitoring – and hence the overhead PREC imposes – can be restricted to that alone. Execution of third-party native code is shunted to a pool of threads whose system calls are monitored and compared, on device, to a system call profile precomputed off-device (e.g. in the cloud). Threads that deviate too far from the known profile are contained by outright termination or else slowed down to the point of uselessness.

In my opinion, PREC makes a few too many assumptions, since each assumption in a security system serves mostly to yield a blueprint for bypassing it. However, it does offer a low-impact re-spin of system call monitoring that fits in nicely with efforts to shift work into the cloud, making PREC interesting as a starting point if not a panacea. No need to stop the presses, but it might be worth watching the film at eleven.


[3] Forrest, S.; Hofmeyr, S. A.; Somayaji, A.; Longstaff, T. A sense of self for Unix processes. 1996 IEEE Symposium on Security and Privacy.

[4] Forrest, S.; Hofmeyr, S.; Somayaji, A. The evolution of system call monitoring. 2008 Annual Computer Security Applications Conference.

[5] Ho, T.-H.; Dean, D.; Gu, X.; Enck, W. PREC: Practical root exploit containment for Android devices. 4th ACM Conference on Data and Application Security and Privacy, 2014.



Latest articles:

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.