Abstract: A method and system of determining a vulnerability of software are provided. In a setup phase, an authorized application is received from an authorized source. Static analysis is performed to identify a plurality of structural characteristics, which are stored. During an active phase, a call is received from a user device having a target application purporting to be a version of the authorized application, during a runtime of the target application. One or more structural characteristics are selected from the plurality of structural characteristics. The user device is requested to provide the selected one or more structural characteristics from the target application. Upon determining that the report does not provide a match between the selected one or more structural characteristic of the authorized application and the target application, the version of the target application is identified to be unsecure.

Abstract: Online security analysis is provided by installing an analysis agent on a mobile device. The analysis agent monitors the mobile device to detect an initiation of installation for a new application that is to be installed on the mobile device. In response to the initiation of installation, the analysis agent quarantines a set of resources corresponding to the new application; analyzes the set of resources to determine whether or not at least one of a potential security threat or a security misconfiguration exists; and, in response to determining that at least one of the potential security threat or the security misconfiguration exists, generates an alert for informing a user that the potential security threat or the security misconfiguration exists.

Abstract: A method includes receiving from a user via a user interface an activation of at least one element to set a privacy policy specifying the maximum amount of confidential data that is authorized to be leaked to a sink, tracking movement of confidential data through an application, determining based on the tracked movement of the confidential data that the confidential data is leaked to the sink by the application, comparing the confidential data that is leaked to the sink to the specified maximum amount of confidential data that is authorized to be leaked to the sink, and presenting to the user via the user interface an indication of whether the application complies with the privacy policy set by the user based on the comparison.

Abstract: Providing an online defense mechanism against privacy threats by storing a database of facts and an abstractions database in a storage medium. The database of facts includes a plurality of private data fields comprising at least a first set of private data fields and a second set of private data fields. The abstractions database associates at least one respective field of the first set of private data fields with at least one corresponding field of the second set of private data fields. A request is received from a mobile application for a first private data value from the first set of private data fields. The abstractions database and the database of facts are used to identify a second private data value from the second set of data fields that is associated with the first private data value. A response is formulated for the request by providing the second private data value.

Abstract: Privacy violation detection of a mobile application program is disclosed. Regular histories of the mobile application are mined. A call-graph representation of the mobile application program can be created and sequences of events of interest according to the platform specification of the mobile application can be collected. A plurality of learnable features are extracted from the regular histories. The plurality of learnable features are combined into a single feature vector which is fed into a machine-learning-based classification algorithm. Whether the mobile application program includes one or more permissions for accessing unauthorized privacy data of a mobile application user is determined based on a machine learning classification of the single feature vector. The collected sequences can be reduced into a plurality of feature vectors which can include at least one of a happens-before feature and a multiplicity of occurrences feature.

Abstract: A fine grained permission method and system that parameterizes permissions based on an objective criterion. The method includes accessing libraries of application programs requiring a permission, automatically extracting types of the parameters and respective corresponding fields read by the libraries requiring the permission, filtering the extracted types of parameters and fields based on a usage criteria to determine a filtered type of parameter and field for the permission and storing the filtered type parameter and field for the permission in a database. A request for a permission is passed to a fine grained permission module which obtains the filtered type of parameter and field for the permission, determines a specific parameter for the permission based on the filtered type of parameter and field and parameterizes the permission using the specific parameter. Downloading of the application program is completed by limiting the permission based on the specific parameter.

Abstract: A given program is said to be evasive when it performs different behaviors under different running conditions. In general, the aim of evasion is to make the analysis, monitoring or reverse engineering of the given software system harder for an analyzer. Evasion is largely used by malware to increase its effectiveness. Aspects of the invention include a system, method and computer program product to detect and bypass evasion mechanisms for software analysis. Given a set of fingerprinting sources and a program, we first search for evasion candidates. These are program slices where the data depending on fingerprinting sources is used at branching point. In a second step, instrumentation strategies are applied to generate programs where the combination of possible branches is forced via toggling of return values and/or expression values. Finally, the resulting programs are each executed dynamically to monitor deltas between observed behaviors across the original and instrumented versions.

Abstract: A method (and system) for trace recovery includes retrieving a code listing from a memory and performing a static analysis on the retrieved code listing. Based on the static analysis, profiling instructions are inserted in the code.

Abstract: In an approach for determining compatibility between a computing device and a software application, a processor receives code of a software application. A processor generates a call graph for the software application using the code, wherein the call graph describes at least a first type of hardware component required to execute the software application. A processor identifies a set of one or more hardware components included within a computing device. A processor determines whether the computing device is compatible with the software application based on, at least, the call graph and the determined set of one or more hardware components included within the computing device.

Abstract: A computer implemented method of preserving functionality in a computer program by generating customized mock inputs may include identifying a set of functionalities of the computer program, where a first functionality has a first input, and a second functionality has a second input. The method may also include determining a first and a second constraint respectively on the first and second inputs, where the first constraint defines a set of values of the first input which enables the first functionality, and the second constraint defines a set of values of the second input which enables the second functionality. The method may then include generating a constraint satisfaction problem including the first and second constraints, and determining whether a tuple of mock input values exists that satisfy the constraint satisfaction problem. The method may additionally include providing the tuple to the computer program as the customized mock inputs.

Abstract: A method is provided to instrument applications with an instrumentation policy that is visually configurable and allows for run-time modifications of the policy. Instrumentation is achieved without modifying the source code of the applications. Modification of the instrumentation policy of an application is applied without re-compiling, re-deploying, and re-provisioning the application. The instrumentation tracks the flow of values at run time throughout the execution of an application and fixes any security violation automatically by dynamically modifying any value that violates integrity or confidentiality.

Abstract: A method (and structure) for enforcing a security policy includes retrieving from a memory a program to be verified against a security policy and a security specification defining the security policy. A static program analysis is performed on the program, using a processor on a computer, to determine whether the program is compatible with the security specification. The program is rejected if the program is determined by the static program analysis as being incompatible with the security specification. If the program is determined during the static program analysis as compatible with the security specification under static analysis criteria, then building a call-graph representation of the program for use to evaluate any dynamically-loaded code during an execution of the program. Any paths, if any, of the call-graph representation that reach at least one policy-relevant operation is marked.

Abstract: A method (and system) for trace recovery includes retrieving a code listing from a memory and performing a static analysis on the retrieved code listing. Based on the static analysis, profiling instructions are inserted in the code.

Abstract: A method, including identifying over a set of classified applications a set of discriminating features, determining via code analysis, when a first application is subjected to classification, positions of the first application's code that correspond to discriminating features, and forwarding to a classification algorithm, such that according to its output the code fragments corresponding to the discriminating features are reported beyond a determination itself of the discriminating features.

Abstract: In an approach for determining compatibility between a computing device and a software application, a processor receives code of a software application. A processor generates a call graph for the software application using the code, wherein the call graph describes at least a first type of hardware component required to execute the software application. A processor identifies a set of one or more hardware components included within a computing device. A processor determines whether the computing device is compatible with the software application based on, at least, the call graph and the determined set of one or more hardware components included within the computing device.

Abstract: A method is provided to instrument applications with an instrumentation policy that is visually configurable and allows for run-time modifications of the policy. Instrumentation is achieved without modifying the source code of the applications. Modification of the instrumentation policy of an application is applied without re-compiling, re-deploying, and re-provisioning the application. The instrumentation tracks the flow of values at run time throughout the execution of an application and fixes any security violation automatically by dynamically modifying any value that violates integrity or confidentiality.

Abstract: A computer implemented method of preserving functionality in a computer program by generating customized mock inputs may include identifying a set of functionalities of the computer program, where a first functionality has a first input, and a second functionality has a second input. The method may also include determining a first and a second constraint respectively on the first and second inputs, where the first constraint defines a set of values of the first input which enables the first functionality, and the second constraint defines a set of values of the second input which enables the second functionality. The method may then include generating a constraint satisfaction problem including the first and second constraints, and determining whether a tuple of mock input values exists that satisfy the constraint satisfaction problem. The method may additionally include providing the tuple to the computer program as the customized mock inputs.

Abstract: A system and method whereby permission is accessed that is to be revoked for an application. The permission involves access to private data of a user via an API of an OS. It is determined, in the application, program point(s) involving access to the private data of the user via the API. For each selected one of the program point(s), code in the application is rewritten to replace a source statement, at the selected program point, that accesses the private data with another statement that allocates a mock object or value based on a type of an actual value returned by the source statement. The mock object or value does not expose the private data of the user. The application with the rewritten code is packaged as an output application able to be subsequently executed by the user, and is output for use by the user.

Abstract: A system and method whereby permission is accessed that is to be revoked for an application. The permission involves access to private data of a user via an API of an OS. It is determined, in the application, program point(s) involving access to the private data of the user via the API. For each selected one of the program point(s), code in the application is rewritten to replace a source statement, at the selected program point, that accesses the private data with another statement that allocates a mock object or value based on a type of an actual value returned by the source statement. The mock object or value does not expose the private data of the user. The application with the rewritten code is packaged as an output application able to be subsequently executed by the user, and is output for use by the user.