Project Details

Detecting Anomalies in Reactive Systems

Subject Area Software Engineering and Programming Languages
Security and Dependability, Operating-, Communication- and Distributed Systems
Term from 2018 to 2022
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 392215324
 
What is it that makes a program malicious? In this project, we investigate the hypothesis that a "malicious" program is one that does not work as advertised. Our idea is to make use of large collections of programs, especially apps in app stores, and to learn associations between advertised and implemented behavior from them. As advertised behavior, we make use of natural language descriptions as presented in user interface elements; as implemented behavior, we check the functionality triggered by these UI elements. The result is a model of actions and reactions that characterizes "normal" behavior. Given a new app, we can then automatically check its model to see whether the observed actions and reactions are "normal" or not. We can thus highlight problems related to security (the implementation does not work as advertised) as well as usability (the description does not match the implementation). During execution, a sandbox detects "abnormal" and explicitly disallowed sequences, and blocks the associated resource accesses and UI elements: "The 'Download' button is greyed out because it sends your address book to a server in Bezerkistan".

The project brings together expertise in program analysis, test generation, natural language processing, model inference, and model checking. It makes significant contributions in all these fields to achieve its overall goal of detecting and preventing abnormal behavior in reactive systems.
DFG Programme Research Grants
International Connection China
Cooperation Partner Professor Dr. Lijun Zhang
 
 
