Cloud-based Dynamic Program Analysis for Android Devices

People

Binder W.

(Project leader)

Abstract

The goal of this research visit is to extend a jointly developed dynamic program analysis (DPA) framework to support remote analyses for Android devices in the Cloud. DPA is a widely-used technique to analyse a program while it is executing. DPA is particularly challenging on mobile devices due to the limited amount of resources (e.g., memory, CPU, network, energy) and the limited availability of analysis tools, compared to desktop or server platforms. DPA for Android is an important research topic that mainly focuses on security (malware detection, data leak detection, etc.) but also includes runtime verification, code coverage testing, and runtime monitoring, amongst others. The state-of-the-art in DPA has mainly focused on running analysis code directly on the Android platform together with the analyzed application, thus often introducing unwanted interference and perturbations and being limited by the available resources. Unfortunately, remote analysis has not yet been fully exploited, mainly due to the enormous amounts of events that need to be captured, sent, and tracked on the remote analysis server. These limitations also apply to our current remote DPA framework called ShadowVM, which can suffer from an overwhelming number of events and a single analysis server architecture, introducing a bottleneck and thus hindering some kinds of analyses. This research visit aims at exploring new forms of remote analysis for Android, leveraging Cloud services to dynamically allocate the resources necessary to handle large amounts of events, and exploiting previous execution traces for DPA on Android.
The basic idea of this project is borrowed from Cloud-based Internet of Things (IoT) architectures, where IoT sensor data is sent to hyper-scale event-handling Cloud services and later consumed and processed in parallel.
In the current ShadowVM, all events are sent asynchronously and consumed by a single analysis server that has to deal with the analysis of several processes and threads of the analyzed Android applications. By introducing an intermediate hyper-scale event-handling Cloud service with publish-subscribe support, we can run independent instances of ShadowVM analysis servers in the Cloud; these servers will process the events of interest by subscribing to the correct topic (e.g., using the process and thread IDs). The publish-subscribe support is used in both directions to coordinate and agree upon analysis topics. First, the application to be analysed subscribes to an analysis broker service responsible for provisioning ShadowVM instances. Once ready, the analysis instance publishes its availability and both the application and the analysis server agree upon the topic (i.e., a key that identifies the information channel), such that the application can publish the event stream, and the analysis server instance can process it. This new architecture allows one to parallelize the analysis in an elastic way and also to share events among several independent analysis servers, thus enabling more complex inter-process analyses that are currently not possible. Furthermore, by using Cloud-based storage services to store massive amounts of events, it becomes possible to exploit previous execution traces for DPA on Android, e.g., using big-data analytics or machine learning techniques. The implementation of the proposed new DPA architecture for Android includes: (a) running the current ShadowVM remote analysis server in the Cloud, (b) developing a new analysis server with Cloud service provisioning, (c) integrating an intermediate hyper-scale event-handling Cloud service and integrating the IoT-based event producer mechanism in Android using the MQTT publish-subscribe protocol, and (d) running elastic ShadowVM instances in parallel that can subscribe to events of interest.
The Cloud infrastructure will be provided free of charge thanks to an existing collaboration in the context of Cloud-based IoT involving the research fellow candidate. The outcome of the research visit will include open-source software prototypes and publications in top-tier conferences and journals.

Additional information

Start date
01.12.2017
End date
31.05.2018
Duration
7 months
Funding bodies
SNSF, Swiss National Science Foundation
Status
Completed
Category
Swiss National Science Foundation / Scientific Exchanges / Scientific Visit