Enhancing Compositional Static Analysis with Dynamic Analysis
In this paper we introduce a novel method for improving static analysis of real code by using dynamic analysis. We have implemented our technique to enhance the Infer static analyzer [6] for Erlang by supplementing its analysis with data obtained by FAUSTA [24] dynamic analysis. We present the technical details of the algorithm combining static and dynamic analysis and a case study on its evaluation on WhatsApp's Erlang code to detect software defects. Results show an increase in detected bugs in 76% of the runs when data from dynamic analysis is used. In particular, on average, data provided by dynamic analysis for 1 function enables static analysis of 2.1 additional functions. Moreover, dynamic data enabled analysis of a property not verifiable using static analysis alone.
- Book Chapter
- 2
- 10.1007/978-3-030-65474-0_9
- Jan 1, 2020
Dynamic program analysis is extremely successful both in code debugging and in malicious code attacks. Fuzzing, concolic, and monkey testing are instances of the more general problem of analysing programs by dynamically executing their code with selected inputs. While static program analysis has a beautiful and well established theoretical foundation in abstract interpretation, dynamic analysis still lacks such a foundation. In this paper, we introduce a formal model for understanding the notion of precision in dynamic program analysis. It is known that in sound-by-construction static program analysis the precision amounts to completeness. In dynamic analysis, which is inherently unsound, precision boils down to a notion of coverage of execution traces with respect to what the observer (attacker or debugger) can effectively observe about the computation. We introduce a topological characterisation of the notion of coverage relative to a given (fixed) observation for dynamic program analysis and we show how this coverage can be changed by semantics-preserving code transformations. Once again, as in the case of static program analysis and abstract interpretation, also for dynamic analysis we can morph the precision of the analysis by transforming the code. In this context, we validate our model on well established code obfuscation and watermarking techniques. We confirm the efficiency of existing methods for preventing control-flow-graph extraction and data exploit by dynamic analysis, including a validation of the potency of fully homomorphic data encodings in code obfuscation.
- Research Article
- 45
- 10.1080/00140139208967824
- Apr 1, 1992
- Ergonomics
Flexion-extension moments acting at the L5/S1 level and hip joints were calculated using three different techniques: a pure static analysis, a static analysis including the inertial force of the load, and a dynamic analysis. Ten subjects participated in the study and were asked to lift a box weighing either 50 N or 150 N, using a freestyle technique. The lifts were performed at normal and fast speed. The intra-subject lifting techniques were consistent when lifting the same loads. The moments predicted by the dynamic analysis and the static analysis were the same when holding weights in static postures. When performing the lifts, differences in the peak moments occurred between static and dynamic analyses. These differences were influenced by external load and by lifting speed. Taking the effect of the inertia of the load into account in the static analysis resulted in an increase in the moment magnitude, but the predicted moment was still much less than in the dynamic analysis, which yielded the largest moment magnitudes. The difference between dynamic and static analysis was greatest when lifting 50 N at fast speed; an 87% increase in L5/S1 moment and a 95% increase in hip moment were observed when replacing the pure static with a dynamic analysis.
- Research Article
- 10.4230/oasics.gabbrielli.4
- Dec 9, 2020
- DROPS (Schloss Dagstuhl – Leibniz Center for Informatics)
Static and dynamic program analyses attempt to extract useful information on a program's behaviour. Static analysis uses an abstract model of programs to reason on their runtime behaviour without actually running them, while dynamic analysis reasons on a test set of real program executions. For this reason, the precision of static analysis is limited by the presence of false positives (executions allowed by the abstract model that cannot happen at runtime), while the precision of dynamic analysis is limited by the presence of false negatives (real executions that are not in the test set). Researchers have developed many analysis techniques and tools in the attempt to increase the precision of program verification. Software protection is an interesting scenario where programs need to be protected from adversaries that use program analysis to understand their inner working and then exploit this knowledge to perform some illicit actions. Program analysis plays a dual role in program verification and software protection: in program verification we want the analysis to be as precise as possible, while in software protection we want to degrade the results of the analysis as much as possible. Indeed, in software protection researchers usually resort to a special class of program transformations, called code obfuscation, to modify a program in order to make it more difficult to analyse while preserving its intended functionality. In this setting, it is interesting to study how program transformations that preserve the intended behaviour of programs can affect the precision of both static and dynamic analysis. While some work has been done in order to formalise the efficiency of code obfuscation in degrading static analysis and the possibility of transforming programs in order to avoid or increase false positives, less attention has been paid to formalising the relation between program transformations and false negatives in dynamic analysis.
In this work we are setting the scene for a formal investigation of the syntactic and semantic program features that affect the presence of false negatives in dynamic analysis. We believe that this understanding would be useful for improving the precision of the existing dynamic analysis tools and in the design of program transformations that complicate the dynamic analysis. To Maurizio on his 60th birthday!
- Research Article
- 362
- 10.1145/3329786
- Sep 13, 2019
- ACM Computing Surveys
Although malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware have increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for—especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based anti-virus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more.
The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.
- Research Article
- 63
- 10.1007/s11416-013-0181-8
- Feb 17, 2013
- Journal of Computer Virology and Hacking Techniques
Today's security threats like malware are more sophisticated and targeted than ever, and they are growing at an unprecedented rate. To deal with them, various approaches are introduced. One of them is signature-based detection, which is an effective method and widely used to detect malware; however, there is a substantial problem in detecting new instances. In other words, it is solely useful for the second malware attack. Due to the rapid proliferation of malware and the desperate need for human effort to extract some kinds of signature, this approach is a tedious solution; thus, an intelligent malware detection system is required to deal with new malware threats. Most intelligent detection systems utilise some data mining techniques in order to distinguish malware from sane programs. One of the pivotal phases of these systems is extracting features from malware samples and benign ones in order to make at least a learning model. This phase is called "Malware Analysis" and plays a significant role in these systems. Since the API call sequence is an effective feature for realising unknown malware, this paper is focused on extracting this feature from executable files. There are two major kinds of approach to analyse an executable file. The first type of analysis is "Static Analysis", which analyses a program at source code level. The second one is "Dynamic Analysis", which extracts features by observing a program's activities, such as system requests, during its execution time. Static analysis has to traverse the program's execution path in order to find called APIs. Because it does not have sufficient information about decision-making points in the given executable file, it is not able to extract the real sequence of called APIs. Although dynamic analysis does not have this drawback, it suffers from execution overhead. Thus, the feature extraction phase takes noticeable time.
In this paper, a novel hybrid approach, HDM-Analyser, is presented which takes advantage of dynamic and static analysis methods for raising speed while preserving accuracy at a reasonable level. HDM-Analyser is able to predict the majority of decision-making points by utilising the statistical information which is gathered by dynamic analysis; therefore, there is no execution overhead. The main contribution of this paper is taking the accuracy advantage of the dynamic analysis and incorporating it into static analysis in order to augment the accuracy of static analysis. In fact, the execution overhead has been tolerated in the learning phase; thus, it is not imposed on the feature extraction phase, which is performed in the scanning operation. The experimental results demonstrate that HDM-Analyser attains better overall accuracy and time complexity than static and dynamic analysis methods.
- Conference Article
- 39
- 10.4043/2650-ms
- May 2, 1976
A computer model for dynamically analyzing a marine drilling riser has been developed. The model predicts a time history of riser stresses, deflections, and lower ball joint angle. This approach is novel in that it includes both random wave and vessel motion models. The random wave model allows one to specify any wave spectrum, from which the model generates a synthetic wave by decomposing the spectrum. The vessel motion model ties directly to the wave model and requires specification of the characteristics of the vessel's station-keeping system (mooring or dynamic positioning) and the vessel's response amplitude operators in surge or sway. Results of dynamic analyses of drilling risers will be discussed for various water depths.
INTRODUCTION
Marine drilling riser (see Fig. 1) stresses, deflections, and the lower ball joint angle can be predicted with either a static or a dynamic model. A static computer program, RISER (now commercially available on Control Data Corporation's Cybernet System), loads the riser with a static force derived by combining current and wave forces obtained from Morison's equation. In most instances, a static riser analysis will produce reasonable engineering simulations of riser behavior. This occurs when the zone of hydrodynamic damping over the riser overwhelms the zone of excitation along the riser. Frequently, however, the combination of vessel motion, oscillatory wave effects, and possible excitation of the riser's dynamic modes requires that a dynamic analysis be performed to more precisely predict riser behavior and the locations of critical stressing zones. There are three basic types of dynamic analyses: a steady-state or frequency-domain analysis, a nondeterministic random vibration analysis, and a deterministic time history analysis. Burke (Ref. 2) presents a dynamic steady-state riser analysis procedure in which only steady-state wave loadings and vessel motion oscillation at the corresponding wave period are permitted.
To account for the effect of current loading and mean vessel offset, Burke uses a static analysis. He then combines the dynamic steady-state analysis and the static analysis to obtain total stresses and deflections. Unfortunately, Morison's equation includes nonlinear terms which, in many cases, will not permit superposition of the static and steady-state analyses. Because of this, we believe that random wave and vessel response are not modeled accurately using Burke's approach. However, using only the dynamic steady-state analyses, Burke demonstrates that the dynamic behavior of the riser, caused primarily by vessel response to waves, is a significant design factor in all water depths. The present paper demonstrates the effect of both the random waves and the coupled vessel response. The second approach to a dynamic analysis is the nondeterministic random vibration method as presented by Tucker and Murtha (Ref. 3). In this method, the random wave spectrum is input to the riser model, and the riser response is output in the form of a spectrum. They show that the response of a riser to random wave forces is highly dependent on the input wave energy spectrum.
- Conference Article
- 3
- 10.1145/1188966.1188970
- Jan 1, 2006
One of the challenges when examining enterprise applications is the ability to understand the dependencies of these applications on external and internal resources such as database access or transaction activation. Inferring dependencies can be achieved using a static approach, a dynamic one or a combination of the two. Static analysis tools detect dependencies based on code investigation while dynamic tools detect dependencies based on runtime execution. The combination of these two approaches is essential for a complete and precise analysis. In this paper we present and illustrate a technique for inferring application dependencies on resources. The technique is based on a combined dynamic and static analysis. A pattern language is defined to enable the specification of dependencies as sequences of method invocations in the application code. Specifically, the sequences are patterns that constitute access to resources, e.g. databases, message queues, and control systems. We propose an algorithm for inferring application dependencies based on hybrid dynamic and static analysis that propagates information provided by dynamic analysis into the static analysis and back to the dynamic analysis. Empirical results from our implemented prototype are presented.
- Dissertation
- 10.22215/etd/2017-12062
- Oct 4, 2018
In software engineering, program analysis is usually classified into static analysis and dynamic analysis. While static analysis provides inaccurate and imprecise results due to programming languages' features, dynamic analysis produces more accurate and precise results at runtime at the expense of longer executions to collect traces. One prime mechanism to observe executions in dynamic analysis is to instrument either the code or the binary/byte code. Instrumentation overhead potentially poses a serious threat to the accuracy of the dynamic analysis, especially for time-dependent software systems (e.g., real-time software), since it can cause those software systems to go out of synchronization. There are two ways to increase the accuracy of a dynamic analysis: devising more efficient instrumentation and using a hybrid (static plus dynamic) analysis. A hybrid analysis is a favourable approach to cope with the overhead problem over a purely dynamic analysis. Yet, in the context of reverse engineering source code to produce method calls, dynamic and hybrid instrumentations typically lead to large execution traces and consequently large execution overhead. This thesis is a step towards efficient and accurate information collection through a hybrid analysis procedure to reverse engineer source code to produce method calls, with the prime objective to reduce instrumentation overhead. To that aim, the first contribution of this thesis is to systematically analyze the contribution to instrumentation overhead of different elements of an existing and promising hybrid solution. Then, a second contribution of the thesis is to suggest an instrumentation optimization process with a range of different designs for those elements to reduce the overhead and select the best one for each element to optimize that solution.
The resulting optimized hybrid technique, our third contribution, which potentially produces more accurate instrumentation compared to that hybrid solution for multi-thread software by reducing execution overhead by three quarters, has a reasonable efficiency to reverse engineer programs to produce method calls for multi-threaded software. A final contribution of this thesis is to suggest a set of recommendations for efficient instrumentation.
- Research Article
- 43
- 10.1186/s40064-015-1356-1
- Oct 7, 2015
- SpringerPlus
As the dominator of the smartphone operating system market, Android has consequently attracted the attention of malware authors and researchers alike. The number of types of Android malware is increasing rapidly regardless of the considerable number of proposed malware analysis systems. In this paper, by taking advantage of the low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on a new open-source framework, CuckooDroid, which enables the use of Cuckoo Sandbox's features to analyze Android malware through dynamic and static analysis. Our proposed system mainly consists of two parts: an anomaly detection engine performing abnormal app detection through dynamic analysis, and a signature detection engine performing known malware detection and classification with the combination of static and dynamic analysis. We evaluate our system using 5560 malware samples and 6000 benign samples. Experiments show that our anomaly detection engine with dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.16 %) and acceptable false positive rate (1.30 %); it is worth noting that our signature detection engine with hybrid analysis can accurately classify malware samples with an average positive rate of 98.94 %. Considering the intensive computing resources required by the static and dynamic analysis, our proposed detection system should be deployed off-device, such as in the cloud. The app store markets and the ordinary users can access our detection system for malware detection through a cloud service.
- Research Article
- 25
- 10.1007/s40808-020-00832-8
- Jun 3, 2020
- Modeling Earth Systems and Environment
Quantitative assessment of the stability of slopes is very important for the evaluation of an earth fill dam in order to perform the intended function throughout the service life. This study presents the slope stability and analysis of the Koga earth fill dam. The analyses were carried out using finite element-based PLAXIS 2D software. The behavior of both the body and the foundation of the dam was described using the Mohr–Coulomb criterion. Based on the result of this study, the resulting factor of safety values at end of construction for static and dynamic stability analysis were 1.6221 and 1.3592, respectively. For the steady-state condition, the water level was fixed at normal pool level (2015.25 m). The factor of safety obtained for static stability analysis was 1.6136 and for the dynamic analysis 1.3157. The rapid drawdown condition is analyzed with the normal pool level of 2015.25 m lowered to 2008.5 m. The analysis results showed that the factor of safety for the static and dynamic analysis was 1.2199 and 1.0353, respectively. Using recommended design standards (United States Army Corps of Engineers, British Dam Society and the Canadian Dam Association), the slope stability analysis shows that the Koga earth dam is safe at all critical loading conditions. The displacement result shows the maximum total displacements for static and dynamic analysis were 1.033% and 1.628% of the dam height, respectively. The displacement result coincides with Fell et al. (J Geotech Geoenviron Eng 129(4):307–314, 2003) standards.
- Research Article
- 25
- 10.1155/2022/1830201
- Jan 1, 2022
- Wireless Communications and Mobile Computing
Android applications have recently witnessed pronounced progress, making them among the fastest growing technological fields to thrive and advance. However, such a level of growth does not evolve without some cost. This particularly involves increased security threats that the underlying applications and their users usually fall prey to. As malware becomes increasingly more capable of penetrating these applications and exploiting them in suspicious actions, the need for active research endeavors to counter these malicious programs becomes imminent. Some of the studies are based on dynamic analysis, and others are based on static analysis, while some are completely dependent on both. In this paper, we studied static, dynamic, and hybrid analyses to identify malicious applications. We leverage machine learning classifiers to detect malware activities as we explain the effectiveness of these classifiers in the classification process. Our results prove the efficiency of permissions and the action repetition feature set and their influential roles in detecting malware in Android applications. Our results show empirically very close accuracy results when using static, dynamic, and hybrid analyses. Thus, we use static analyses due to their lower cost compared to dynamic and hybrid analyses. In other words, we found that the best results in terms of accuracy and cost (the trade-off) make us select static analysis over other techniques.
- Conference Article
- 19
- 10.1145/2695664.2695887
- Apr 13, 2015
Protecting sensitive data requires controlling the behavior of third-party software. Static and dynamic data flow analysis can aid; however, both of them have limits. Static analysis often detects false data leaks, whereas the more precise dynamic analysis introduces a significant overhead. This paper proposes a novel hybrid approach that combines static and dynamic data flow analysis for detecting data leaks in Java applications. Our approach minimizes the overhead by computing a minimal set of application points that need to be monitored and injects control code into the target application. Our method has no loss in quality with respect to dynamic analysis. We show the feasibility of our approach by providing a tool and presenting a case study on a sample application.
- Research Article
- 14
- 10.1161/atvbaha.123.319188
- Aug 24, 2023
- Arteriosclerosis, Thrombosis, and Vascular Biology
Near-infrared fluorescence indocyanine green lymphangiography, a primary modality for detecting lymphedema, which is a disease due to lymphatic obstruction, enables real-time observations of lymphatics and reveals not only the spatial distribution of drainage (static analysis) but also information on the lymphatic contraction (dynamic analysis). We have produced total lymphatic obstruction in the upper limbs of 18 Sprague-Dawley rats through the dissection of proximal (brachial and axillary) lymph nodes and 20-Gy radiation (dissection limbs). After the model formation for 1 week, 9 animal models were observed for 6 weeks using near-infrared fluorescence indocyanine green lymphangiography by injecting 6-μL ICG-BSA solution of 20-μg/mL concentration. The drainage pattern and leakage of lymph fluid were evaluated and time-domain signals of lymphatic contraction were observed in the distal lymphatic vessels. The obtained signals were converted to frequency-domain spectrums using signal processing. The results of both static and dynamic analyses proved to be effective in accurately identifying the extent of lymphatic disruption in the dissection limbs. The static analysis showed abnormal drainage patterns and increased leakage of lymph fluid to the periphery of the vessels compared with the control (normal) limbs. Meanwhile, the waveforms were changed and the contractile signal frequency increased by 58% in the dynamic analysis. Specifically, our findings revealed that regular lymphatic contractions, observed at a frequency range of 0.08 to 0.13 Hz in the control limbs, were absent in the dissection limbs. The contractile regularity was not fully restored for the follow-up period, indicating a persistent lymphatic obstruction. The dynamic analysis could detect the abnormalities of lymphatic circulation by observing the characteristics of signals, and it provided additional evaluation indicators that cannot be provided by the static analysis.
Our findings may be useful for the early detection of the circulation problem as a functional evaluation indicator of the lymphatic system.
- Conference Article
- 16
- 10.1109/issre.2017.36
- Oct 1, 2017
Reflection, which is widely used in practice and abused by many security exploits, poses a significant obstacle to program analysis. Reflective calls can be analyzed statically or dynamically. Static analysis is more sound but also more imprecise (by introducing many false reflective targets and thus affecting its scalability). Dynamic analysis can be precise but often misses many true reflective targets due to low code coverage. We introduce MIRROR, the first automatic reflection analysis for Java that increases significantly the code coverage of dynamic analysis while keeping false reflective targets low. In its static analysis, a novel reflection-oriented slicing technique is applied to identify a small number of small path-based slices for a reflective call so that different reflective targets are likely exercised along these different paths. This preserves the soundness of pure static reflection analysis as much as possible, improves its scalability, and reduces substantially its false positive rate. In its dynamic analysis, these slices are executed with automatically generated test cases to report the reflective targets accessed. This significantly improves the code coverage of pure dynamic analysis. We evaluate MIRROR against a state-of-the-art dynamic reflection analysis tool, TAMIFLEX, by using 10 large real-world Java applications. MIRROR detects 12.5% - 933.3% more reflective targets efficiently (in 362.8 seconds on average) without producing any false positives. These new targets enable 5 - 174949 callgraph edges to be reachable in the application code.
- Conference Article
- 7
- 10.1109/compsac.2009.28
- Jan 1, 2009
Escape analysis can determine whether and when a variable becomes shared among multiple threads, which is a foundation for many other program analyses. Most existing escape analysis tools are either purely dynamic or purely static. Static analysis usually considers all possible behaviors of a program, but may produce false positives; whereas dynamic approaches cannot analyze unobserved behaviors of a program. This paper presents a hybrid approach that integrates static and dynamic analyses to address this problem. We first perform static analysis to obtain summaries of accesses to potentially escaped variables. When the program runs, dynamic analysis is used to confirm variable sharing; for unexecuted code, we determine the sharing of variables in it by performing an interprocedural static analysis based on the runtime information. Compared to dynamic analysis, the hybrid approach is able to determine the escape property of variables in unexecuted code. Compared to static analysis, the hybrid approach produces fewer false alarms. We implemented this hybrid escape analysis in Java. Our experimental evaluation on several benchmarks and real-world applications shows that it has improved accuracy compared to existing approaches and can also boost the performance of subsequent program analyses significantly.