Dynamic code loading allows an application to incorporate code that is not statically declared as part of it. Such code may originate from a remote location or from within the application's own local resources. For a benign application this is an effective way to protect intellectual property (IP) and to conceal security-sensitive behavior, because dynamically loaded code cannot be scanned statically at all when it is fetched at run time, and even when it ships inside the app's resources, analyzing it is significantly more complicated than analyzing the declared code of the application.
Unfortunately, dynamic code loading offers the same benefits to malicious applications. The same rationale of evading static checks and disguising the behavior of certain portions of the code applies equally to malicious functionality. This remains a serious problem that existing solutions for security detection and enforcement are largely unable to cope with.
One conventional method distinguishes malicious from benign apps by statically analyzing the context in which a security-critical operation is performed. Another conventional method teaches dynamic code instrumentation. Still another conventional method concerns application-level anomaly detection, and presents the technique of placing a wrapping layer around the application to collect indications of potentially anomalous behavior and to react to such cases.
The present invention takes a different approach from all of these conventional methods. While anomaly detection is an effective means of identifying objectionable code behavior, the present invention applies a specification of permitted behavior rather than merely detecting behavior that is unexpected. For this approach, anomaly detection alone is not sufficient.
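The following is an added illustration, not code from the patent or from any of the conventional methods it cites. It shows in miniature why a static scan cannot see a security-sensitive call hidden in dynamically loaded code, and how a wrapping layer that enforces a specification (here a simple table of which sensitive APIs each code origin may call) can still stop that call at run time. The application sources, the payload, the `send_sms` stand-in for a sensitive platform API, the `load_dynamic` loader and the `SPEC` table are all constructed for this example.

```python
import ast
import base64
import contextvars

# Constructed sample application. The sensitive call (send_sms) never
# appears as a literal in the declared source: it is shipped as a base64
# blob inside the app's resources and decoded and executed at run time.
PAYLOAD_SOURCE = 'send_sms("+1900555", "premium")\n'
PAYLOAD_BLOB = base64.b64encode(PAYLOAD_SOURCE.encode()).decode()

DECLARED_SOURCE = f'''
def run_plugin():
    blob = "{PAYLOAD_BLOB}"
    load_dynamic(blob)   # hypothetical loader supplied by the host layer
'''

# Constructed benign app: the same call, but made directly from declared code.
BENIGN_SOURCE = 'def run_plugin():\n    send_sms("+15551234", "hi")\n'

SENSITIVE_APIS = {"send_sms"}


def static_scan(source: str) -> set:
    """Names of sensitive APIs that appear as direct calls in the source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in SENSITIVE_APIS:
                found.add(name)
    return found


# ---- run-time, specification-based enforcement (illustrative only) ----

class PolicyViolation(Exception):
    pass


# Hypothetical specification: which sensitive APIs each code origin may invoke.
# Declared code may send SMS; dynamically loaded code may not.
SPEC = {"declared": {"send_sms"}, "dynamic": set()}

# Tracks whether the code currently executing was declared or loaded dynamically.
_origin = contextvars.ContextVar("origin", default="declared")

CALL_LOG = []


def send_sms(number: str, text: str) -> bool:
    """Stand-in for a security-sensitive platform API (constructed)."""
    CALL_LOG.append((number, text))
    return True


def guarded(name, fn):
    """Wrap a sensitive API so that every call is checked against SPEC."""
    def wrapper(*args, **kwargs):
        origin = _origin.get()
        if name not in SPEC.get(origin, set()):
            raise PolicyViolation(f"{name} is not permitted for {origin} code")
        return fn(*args, **kwargs)
    return wrapper


def make_loader(namespace):
    """Loader that marks everything it executes as dynamically loaded code."""
    def load_dynamic(blob: str):
        token = _origin.set("dynamic")
        try:
            exec(base64.b64decode(blob).decode(), namespace)
        finally:
            _origin.reset(token)
    return load_dynamic


def run_app(declared_source: str) -> str:
    """Run an app under the wrapping layer; report 'allowed' or 'blocked'."""
    namespace = {"send_sms": guarded("send_sms", send_sms)}
    namespace["load_dynamic"] = make_loader(namespace)
    exec(declared_source, namespace)
    try:
        namespace["run_plugin"]()
        return "allowed"
    except PolicyViolation:
        return "blocked"


if __name__ == "__main__":
    print("static scan of declared source:", static_scan(DECLARED_SOURCE))  # empty
    print("static scan of hidden payload: ", static_scan(PAYLOAD_SOURCE))   # {'send_sms'}
    print("evasive app under wrapper:     ", run_app(DECLARED_SOURCE))      # blocked
    print("benign app under wrapper:      ", run_app(BENIGN_SOURCE))        # allowed
```

The static scan of the declared source finds nothing, because the only call it contains is to the loader; the same scan over the decoded payload does find `send_sms`, which is exactly what an analyst never gets to see before run time. The wrapper does not need to decide whether the call is "unusual": the specification states that dynamically loaded code may not send SMS, so the call is rejected regardless of how typical it looks, while the identical call from declared code passes.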