DroidGen: Data-Driven Policy Generation for Android

DroidGen is a tool for the automatic inference of policies using a data-driven approach: it requires a training set of good and bad applications. It calls a constraint solver to generate a policy under which a maximum of malware is excluded and a maximum of benign applications is allowed. The policy can then be used to filter out new applications which do not belong to the training set.




The policy generation process is composed of several phases which are described below.

Application Abstraction

The first step towards policy generation is the extraction of application specifications (abstractions). A specification is a summary of the usage of different permissions in various contexts within an app. For illustration, we consider as a running example the audio recording app Recorder.apk which is included in the package. We call DroidGen as follows:

python2.7 DroidGen.py -f examples/apps/Recorder.apk -m -r recorder.spec

Option -f specifies the target APK file (app). Option -m indicates that we are using the API-to-permission map. Finally, option -r infers the specification and stores it in the file recorder.spec, which looks like:
    //----------------------------------------------------------
    //----------------------- Recorder.apk
    //----------------------------------------------------------
    EVICHECK ACTIVITY METHOD : RECORD_AUDIO WRITE_EXTERNAL_STORAGE
    EVICHECK ONCREATE METHOD :
    EVICHECK ONCLICK HANDLER : RECORD_AUDIO WRITE_EXTERNAL_STORAGE
  
The specification simply says that the permissions RECORD_AUDIO and WRITE_EXTERNAL_STORAGE are used in a click handler and in an activity.

Policy Generation

As mentioned previously, to infer a policy we require a training set of benign and malware applications. The goal is to find a policy under which a maximum of malware is excluded and a maximum of benign applications is allowed. We use the SMT solver Z3 as back-end to solve the optimisation problem. For this, DroidGen takes as input two files containing a batch of specifications, one for benign apps and the other one for malware. The package includes two example batch files, namely spec_perm_train.ben and spec_perm_train.mal for benign and malware respectively. Each file contains specifications of 1000 apps. They were generated by running DroidGen with the specification extraction option -r (previously seen) on a set of malware and benign apps. To generate a policy, we call DroidGen as follows:

python2.7 DroidGen.py -s examples/specs/train/spec_perm_train -p policy_perm.pol -z3

Option -p specifies the file where the policy is stored. As its name indicates, option -z3 instructs DroidGen to use Z3 as a solver.
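The optimisation described in this section, as an added Python 3 example that is not DroidGen's own code: it parses specification batches and searches for the policy that maximises malware rejected plus benign apps allowed. It assumes a batch file is a concatenation of per-app specifications in the format shown earlier and that a policy is a set of forbidden (context, permission) pairs (the policy file format is not shown on this page), and it substitutes exhaustive search for Z3; the app names other than Recorder.apk and all sample entries are constructed.

```python
import itertools
import re
# Constructed sample batches in the spec format shown above (not from the package).
BENIGN = """\
//----------------------- Recorder.apk
EVICHECK ACTIVITY METHOD : RECORD_AUDIO WRITE_EXTERNAL_STORAGE
EVICHECK ONCREATE METHOD :
EVICHECK ONCLICK HANDLER : RECORD_AUDIO WRITE_EXTERNAL_STORAGE
//----------------------- Notes.apk
EVICHECK ONCLICK HANDLER : WRITE_EXTERNAL_STORAGE
"""
MALWARE = """\
//----------------------- Spy.apk
EVICHECK ONCREATE METHOD : RECORD_AUDIO SEND_SMS
//----------------------- Dialer.apk
EVICHECK ACTIVITY METHOD : SEND_SMS
//----------------------- Clone.apk
EVICHECK ONCLICK HANDLER : WRITE_EXTERNAL_STORAGE
"""

def parse_batch(text):
    """Return {app name: set of (context, permission) pairs}."""
    apps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        # A header carries the app name; dash-only separator lines do not match.
        header = re.match(r"//-+\s+(\S+)$", line)
        if header:
            current = apps.setdefault(header.group(1), set())
        elif line.startswith("EVICHECK") and current is not None:
            context, _, perms = line[len("EVICHECK"):].partition(":")
            current.update((context.strip(), p) for p in perms.split())
    return apps

def rejected(policy, spec):
    return bool(policy & spec)  # assumed rule form: any forbidden pair rejects

def best_policy(benign, malware):
    """Exhaustive search (stand-in for Z3): malware rejected + benign allowed."""
    candidates = sorted(set().union(*malware.values()))
    best, best_score = frozenset(), len(benign)  # empty policy allows everything
    for size in range(1, len(candidates) + 1):
        for combo in map(frozenset, itertools.combinations(candidates, size)):
            score = (sum(rejected(combo, s) for s in malware.values())
                     + sum(not rejected(combo, s) for s in benign.values()))
            if score > best_score:  # strict: ties keep the smaller policy
                best, best_score = combo, score
    return best, best_score

if __name__ == "__main__":
    print(best_policy(parse_batch(BENIGN), parse_batch(MALWARE)))
```

On this sample the search forbids RECORD_AUDIO in ONCREATE METHOD while leaving it allowed in ONCLICK HANDLER, and it cannot reject Clone.apk without also rejecting benign apps, which is why the objective is a maximum rather than a perfect separation.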

Policy Testing

We also provide two testing sets (benign and malware) as batch files, namely spec_perm_test.ben and spec_perm_test.mal. If we want to test the generated policy on the set of malware, we use the command below with option -ts for testing:

python2.7 DroidGen.py -s examples/specs/test/spec_perm_test.mal -p policy_perm.pol -z3 -ts