With Boxmate malicious programs have no place left to hide

March 9, 2016, Saarland University
Konrad Jamrozik, Andreas Zeller and Philipp von Styp-Rekowsky are protecting smartphones and more. With Boxmate malicious programs have no place left to hide. Credit: Oliver Dietze

No matter how well-tested our software may be, hackers keep on finding vulnerabilities to exploit or control systems at will. "The attackers are always one step ahead," says Andreas Zeller, professor of computer science at Saarland University and researcher at the Center for IT Security, Privacy and Accountability (CISPA). "The core problem of existing security systems is that the attack needs to have been observed at least once to be able to recognize it the next time - and then, you have to update everything again and again." This threat is particularly prominent in the upcoming "Internet of Things", where hundreds and thousands of devices can become potential targets.

A new approach called "Boxmate" is now set to prevent other programs from surreptitiously changing their behavior, as this would be part of or a result of a hidden attack, or a backdoor exploit. Developed by Zeller together with graduate students Konrad Jamrozik and Philipp von Styp-Rekowsky, Boxmate systematically generates program inputs in order to investigate the program's regular behavior. "During this automatic testing, we log which critical data - say locations or contacts - and which critical resources - microphone or Internet access - the program is accessing to perform these tasks," Zeller explains, "and the test generator ensures that all visible features actually are exercised."

During production, the program then gets placed into a "sandbox," an automated watchdog which oversees the operation of the program in question - and which raises an alarm whenever some data is being accessed that was not already accessed during testing. If the program is compromised or exhibits previously unseen malicious behavior, the sandbox will catch and prevent the attack.

The nicest feature of Boxmate, says Zeller, "is that malicious programs no longer have a place to hide." Indeed, if a program wants to use certain kinds of data later on, it will already have to access it while being tested by Boxmate - and thereby expose what it is doing. "Any hidden functionality will be disabled by the sandbox," says Zeller, "and this will make it hard for attackers".

But wouldn't the sandbox also raise alarms during normal usage? "Our test generator explores behavior so well that during regular usage, we normally have no alarms at all," says Zeller, who has already tested Boxmate on more than a hundred different apps with his team. Modern mobile systems request authorizations for every access to sensitive data like the camera, contacts, and the microphone. "With Boxmate, we already know from testing that these are being used, and how," says Zeller.

The current implementation of Boxmate protects apps on Android smartphones. However, the concept can equally be applied on the desktop, servers, or embedded systems, and it requires no changes to existing programs. Zeller has already applied for a worldwide patent for the technology underlying Boxmate, so licensing is already possible. To permanently establish Boxmate as a comprehensive security tool for industry and commerce, Zeller's research group has now joined forces with industry partner Backes SRT. This Saarland University spin-off has developed, for instance, the "SRT AppGuard" app, a security available as a free app and already downloaded more than one million times. "Boxify," the extended, commercial version of AppGuard, works together with Boxmate and will also be presented at Cebit.

Zeller financed the research on Boxmate with funds from an ERC Advanced Grant. He had received the highest award of the ERC in 2011, with his proposal for "SPECMATE - Specification Mining and Testing".

Computer scientists from the Center for IT Security, Privacy and Accountability (CISPA) at Saarland University will present their method for the first time at the Cebit computer fair in Hannover between March 14 and 18 (Hall 6, Stand D 28).

Explore further: Wisdom of app stores: Early identification of malicious Android apps from Google Play

More information: www.boxmate.org/

Related Stories

Detecting software errors via genetic algorithms

March 5, 2014

According to a current study from the University of Cambridge, software developers are spending about the half of their time on detecting errors and resolving them. Projected onto the global software industry, according to ...

Mobile quarantine station for malicious Android apps

March 13, 2015

The attacks were perfidious: In February this year, the Czech IT security company Avast declared that it had identified several malicious game apps for mobile phones in the Google Play Store – ones that would only become ...

Computer scientists simplify parallel programming

March 12, 2015

Modern software takes computational speed for granted. But modern microprocessors can only speed up by increasing the number of cores. To take full advantage of multiple cores, software developers have to arrange their code ...

Recommended for you

Uber filed paperwork for IPO: report

December 8, 2018

Ride-share company Uber quietly filed paperwork this week for its initial public offering, the Wall Street Journal reported late Friday.


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.