Overview of Malicious PDFs

This study researched methods for detecting maliciousness in Portable Document Format files (PDFs) in order to expand the knowledge of this area and increase the effectiveness of detecting malicious PDFs.  To accomplish this, Nissim, Cohen, Glezer, & Elovici (2015) examined the methods which hackers use to create malicious PDFs, as well as the effectiveness of current methods for detecting these malicious files.  For example, according to the study, a common method that hackers use to carry out malicious activities through PDFs is by embedding JavaScript code in the files (Nissim et al., 2015). 

When a user opens the file, the PDF reader automatically executes the code, and the hacker’s program fulfills its goal.  Another method which hackers use is embedding a malicious file inside a benign PDF (Nissim et al., 2015).  Again, the hacker utilizes the PDF reader to aid in the execution of malicious operations by opening the files embedded in the PDF.  Finally, a third method that hackers use is placing links inside PDFs which load malicious webpages when a computer user opens the file (Nissim et al., 2015).  These webpages then freely target the user’s computer, and the hacker’s goal is again accomplished.  Because there are so many ways for hackers to use and improve on these techniques, there is no simple solution for detecting all malicious PDFs. 

However, according to Nissim et al. (2015), the myriad of detection methods can be broken down into two basic types: static analysis and dynamic analysis.  The main difference between the two is that static analysis examines the PDF’s contents without opening the file or executing its contents, while dynamic analysis runs the JavaScript code embedded in the file and analyzes the process for suspicious activity (Nissim et al., 2015).  The authors break the category of static analysis into two more categories, one of which analyzes the JavaScript embedded in a PDF, while the other examines the file metadata for indications that the file is not benign (Nissim et al., 2015). 

There are multiple ways to execute these two types of static analysis, each of which has its own additional strengths and weaknesses (Nissim et al., 2015).  Finally, dynamic analysis can also be separated into two categories.  One category is similar to static analysis due to the fact that it first extracts the JavaScript code from the file, but it is different in that it attempts to locate telltale signs of malicious activity by executing the code instead of examining it (Nissim et al., 2015).  The other category of dynamic analysis monitors the behavior of the code as it is executed, then evaluates that behavior for malicious actions (Nissim et al., 2015).  To obtain all this information and more, the authors of this survey relied on various methods.

In order to complete their survey on PDFs, Nissim et al. (2015) referred to sources such as previous studies, but also collected and analyzed their own data.  Some, but not all, of these studies were recent at the time that the authors conducted their survey, with published dates ranging from 1997 to 2014, though the majority of the sources were from 2005 or later (Nissim et al., 2015).  The authors used these sources to obtain information about different methods of creating malicious PDFs, while several studies contained information describing the process of detecting these dangerous files (Nissim et al., 2015).

Detection Methods for Malicious PDFs

Of the latter type of study, each was recent when this article was written, with their publishing dates ranging from 2011 to 2013.  Nissim et al. (2015) examined and expounded on the information from these studies, and presented the relevant data from them in tables comparing such things as sample size, true positive rate, false positive rate, and processing time.  Finally, Nissim et al. (2015) collected their own dataset of malicious and benign PDFs, which they studied and from which they drew additional observations and conclusions, elaborated on below.

Results

Nissim et al. (2015) found that static and dynamic methods of detection each had advantages and disadvantages.  Static analysis of PDFs can examine files without the files knowing they are being examined (Nissim et al., 2015).  Thus, the malicious nature of a file cannot hide itself by suppressing malicious activity during an analysis of this type.  However, if some of the code cannot be extracted from a PDF due to various methods intended to hide it, then static analysis might incorrectly classify the file as safe (Nissim et al., 2015).  In contrast, the methods intended to hide code will have no effect on dynamic analysis, which is one of its advantages (Nissim et al., 2015). 

However, this type of analysis must be able to handle corrupted files or PDFs with other files embedded in them (Nissim et al., 2015).  Due to this, the factors of complexity and cost are some disadvantages of this type of analysis (Nissim et al., 2015).  Another disadvantage is that in dynamic analysis, if the malicious file can detect that it is being examined, it may also enact protective measures, such as ending the execution of its code prior to displaying malicious behavior (Galal, Mahdy, & Atiea, 2016), which can prevent the analysis from detecting its malicious nature (Nissim et al., 2015). 

Since the advantages and disadvantages of one type of analysis help balance the other, Nissim et al. (2015) suggested that a combination of static and dynamic analysis might increase the success of detecting malicious PDFs.  Indeed, of the programs and methods of detection they researched, the four that combined static and dynamic analysis had very high true positive rates, ranging from 0.8934 to 1.0, and false positive rates of 0 for the two programs that had records for these values (Nissim et al., 2015). 

Although none of the other programs scored as well on false positives, four of the programs using static analysis received true positive rates of greater than 0.99, which was a higher score than all but one of the programs combining static and dynamic analysis (Nissim et al., 2015).  Only one program using solely dynamic analysis was examined, and the results were not encouraging.  Not only did this program possess one of the longest processing times, but its true positive rate was second lowest, at 0.8024 (Nissim et al., 2015).  Its false positive rate was not recorded.  However, in addition to recording and examining the data and results from prior studies, the authors also conducted their own research.

Static Analysis Methods

To supplement their initial research, Nissim et al. (2015) used both malicious and benign PDFs collected from various places, and upon studying them, found ways that they could make the detection process more efficient.  Of the PDFs they collected, they determined that the majority of the files capable of carrying out malicious activity were incompatible with the file format specifications for PDFs (Nissim et al., 2015).  Since computer users cannot utilize incompatible files, even if they are benign, the authors realized that if incompatible files are never permitted to reach the PDF reader, the quantity of files that will have to be thoroughly analyzed is greatly reduced (Nissim et al., 2015).

Subsequently, Nissim et al. (2015) suggested analyzing all remaining compatible files with a combination of static analysis and dynamic analysis.  If the analysis produces a large amount of uncertainty about the status of the file, then they recommended that the file be passed on to a human expert to determine conclusively whether it is malicious (Nissim et al., 2015).  According to their active learning plan, the results from the human examination can then be used to train the analysis program to better detect malicious PDFs in the future (Nissim et al., 2015).  All these methods, in addition to the information gathered in the first part of the survey, contribute to the overall value of the study.

Discussion

The survey conducted by Nissim et al. (2015) was clear and thorough.  The authors supplied detailed, but not too technical, descriptions for the different ways in which malicious PDFs are created, as well as the methods used to detect these dangerous files.  They supplied sufficient information to both understand the problem and consider the options available to deal with that problem.  By supplementing the research of other studies with their own, they showed how the information they gathered can be put to use.  Their subsequent description of a framework for analyzing PDFs was an efficient and thorough solution, and allowed them to show the importance of the information they had gathered, such as by suggesting that programmers test a PDF’s compatibility in order to filter out the majority of potentially malicious files (Nissim et al., 2015). 

Overall, the study is a good resource for gaining insight into both the methods used to create malicious PDFs and the options available for providing security from such files.  If a future study is conducted on this topic, it should explore whether the methods mentioned in this article have been as effective as they promised to be.  In the meantime, businesses can benefit from the information this study contains by using that information to decrease the likelihood of successful malicious attacks against them originating from PDFs.

If businesses implement some or all of the methods found in the results of this survey, there is a strong chance that both the efficiency and the rate of detection of malicious PDFs will improve.  Due to the fact that many people are less cautious with suspicious non-executable files than they are with similarly suspicious executable files (Nissim et al., 2015), businesses should first educate their employees about the dangers of opening unknown PDFs.  In addition, as with all programs, the next action that businesses should take to increase their security is updating their program for viewing PDF files, since more recent versions can offer some protection from malicious PDFs by preventing the embedded JavaScript code from accessing the operating system (Nissim et al., 2015). 

Even with this added layer of security, PDFs should still be analyzed for malicious code.  As outlined in Nissim et al. (2015), the first step is comparing the file’s information to a list of known malicious PDFs.  If the file passes this test, the next step is to ensure it is compatible with the PDF file format (Nissim et al., 2015).  If the file is compatible, a program must then analyze it thoroughly, preferably with a combination of several different methods, starting with the less costly static analysis (Nissim et al., 2015).  Of the different types of static analysis mentioned in Nissim et al. (2015), the one that was both fast and highly successful was structural paths analysis, so businesses should use this as one type of static analysis.  If the file is not found to be malicious by static analysis, it can then be examined with dynamic analysis. 

This type of analysis, though more costly than static analysis, examines embedded JavaScript code more thoroughly, and is not susceptible to methods intended to obscure the code, but as mentioned in Nissim et al. (2015), this method is not infallible.  However, due to the development of more recent methods such as MALGENE, which helps detect malware’s attempts to evade notice by dynamic analysis (Sujyothi & Acharya, 2017), and because dynamic analysis is used in conjunction with static analysis, businesses can still make use of it.  Therefore, in order to protect their systems and data, businesses can educate their employees on the danger presented by both executable and non-executable files, make sure their software is always up-to-date, and use programs to filter out known malicious files, incompatible PDFs, and any PDFs which a varied selection of static or dynamic analysis methods find to be malicious.
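The staged pipeline recommended above (known-bad list, compatibility check, then static analysis using structural paths, with suspicious files handed on to dynamic analysis) as an added worked example in Python; this is not code from Nissim et al. (2015) or from the essay. The PDF samples are constructed for the demonstration, the conformance check is deliberately minimal, and the list of high-risk dictionary keys is an assumption chosen to illustrate the approach rather than the survey's feature set.

```python
import hashlib
import re

# Dictionary keys that static PDF detectors commonly treat as high-risk because
# they let a file run code, launch programs or fetch URLs when opened (assumed list).
SUSPICIOUS_KEYS = {"JS", "JavaScript", "OpenAction", "AA", "Launch",
                   "EmbeddedFile", "URI", "RichMedia"}

# Constructed sample files (not real malware). The second one auto-runs JavaScript.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Missing trailer and %%EOF: a reader cannot open it, so it is filtered out early.
TRUNCATED_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)
KEY_RE = re.compile(rb"/([A-Za-z]+)\s*(\[[^\]]*\]|\([^)]*\)|/[A-Za-z]+|\d+ 0 R|\d+)?")
REF_RE = re.compile(rb"(\d+) 0 R")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_compatible(data):
    """Step 2: a cheap conformance check standing in for a full PDF validator."""
    return (data.startswith(b"%PDF-1.") and b"trailer" in data
            and b"/Root" in data and data.rstrip().endswith(b"%%EOF"))


def parse_objects(data):
    """Map object number -> list of (key, raw value) pairs from its dictionary."""
    return {int(num): KEY_RE.findall(body) for num, body in OBJ_RE.findall(data)}


def structural_paths(data):
    """Step 3: walk object references from /Root and emit every key path reached."""
    objects = parse_objects(data)
    root = REF_RE.search(data[data.rfind(b"trailer"):])
    paths, visited = [], set()

    def walk(obj_num, prefix):
        if obj_num in visited or obj_num not in objects:
            return
        visited.add(obj_num)
        for key, value in objects[obj_num]:
            path = prefix + "/" + key.decode()
            paths.append(path)
            for ref in REF_RE.findall(value):
                walk(int(ref), path)

    walk(int(root.group(1)), "")
    return paths


def classify(data, blocklist=frozenset()):
    """Run the staged pipeline; return (stage that decided, verdict, paths)."""
    if sha256(data) in blocklist:
        return ("known", "malicious", [])
    if not is_compatible(data):
        return ("compatibility", "rejected", [])
    paths = structural_paths(data)
    hits = [p for p in paths if p.rsplit("/", 1)[-1] in SUSPICIOUS_KEYS]
    if hits:
        return ("static", "suspicious", hits)  # hand on to dynamic analysis or an expert
    return ("static", "clean", paths)


if __name__ == "__main__":
    for name, pdf in [("benign", BENIGN_PDF), ("js", JS_PDF), ("truncated", TRUNCATED_PDF)]:
        print(name, classify(pdf))
```

Real PDFs use compressed object streams and cross-reference tables, so a production version would sit on top of a full parser; the staging logic is what carries over.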

References

Galal, H. S., Mahdy, Y. B., & Atiea, M. A. (2016). Behavior-based features model for malware detection. Journal of Computer Virology and Hacking Techniques, 12(2), 59–67. doi:10.1007/s11416-015-0244-0

Nissim, N., Cohen, A., Glezer, C., & Elovici, Y. (2015). Detection of malicious PDF files and directions for enhancements: A state-of-the-art survey. Computers & Security, 48, 246–266.

Sujyothi, A., & Acharya, S. (2017). Dynamic malware analysis and detection in virtual environment. International Journal of Modern Education and Computer Science, 9(3), 48–55. doi:10.5815/ijmecs.2017.03.06

Overview of Mobile Application Security

Over the past decade, we have observed a massive adoption of technology in all sectors of our lives. Mobile technology has greatly influenced our lives, and over the decade, significant advances have been made in its development. Mobile applications, popularly known as apps, are applications designed to run on mobile devices.

Apps give mobile users the same service as, or an even better one than, that available on PCs. Apps were first offered to improve productivity and the retrieval of information from online platforms such as email, weather channels, and stock market sites (Dwivedi, Clark, & Thiel, 2015). Eventually, their usage spread to mobile gaming, GPS, automation, mobile banking, ticketing and social usage. The usage of mobile applications has grown significantly with the emergence of smartphones and has seen adoption in sectors such as banking, health, and e-commerce sites (Basavala, Kumar, & Agarrwal, 2013).

This paper will outline the inherent risks brought about by the usage of mobile applications by organizations and individuals. Finally, we will look into ways in which these risks are mitigated through policy change, use of security software and technical controls.  These mitigation techniques together make up best practices, which are then applied at various levels of app development such as design, source code development and the deployment of such applications.

A mobile application often runs on smartphones, tablets, and other mobile devices and is usually distributed through a platform or store operated by the owner of the platform, such as the Google Play store, Apple App Store, Windows Phone Store and BlackBerry App World.

With the increase in the capabilities of mobile devices and the massive consumer adoption, mobile applications have become integral in people’s lives. With the high usage of such applications in areas such as banking and finance, attackers have found a new platform on which to exploit and target a large population. The nature of deployment of such applications makes it possible for an attacker to use a standard attack vector to affect millions of devices. This is because mobile applications usually run on common platforms such as iOS, Android, Windows, and BlackBerry (Basavala et al., 2013).

For example, Android devices have adopted an “open application” model of application development, which has led to many apps with hidden functionality that can be used as attack vectors with devastating results. Many companies have deployed mobile applications to be used in their operations and service intake without any further interaction beyond the app. Companies such as Uber offer their services entirely in an app and have reaped the rewards and benefits of using applications.

Unfortunately, with the benefits and flexibility of mobile applications come insecurities and complexities, which bring about fraud and security risks.  While most platforms have attempted to build secure platforms on which to deploy mobile applications, such apps are often designed and coded using questionable and insecure practices, leading to insecure applications (Basavala et al., 2013). Application security is often an afterthought during application development; the trade-off often lies in delivering functional applications within the given timelines at the expense of app security.

Results

Basavala et al. (2013) found risks in every layer of mobile devices: the mobile network, the hardware level, the operating system layer and the application layer. Each layer leads to different kinds of vulnerabilities in the applications. At the mobile network level, data sent to and from applications can be intercepted and manipulated by an attacker. In the baseband layer, referred to as the hardware level, an attacker can use a buffer overflow attack to root the device, which gives full control of the mobile device and all of its applications. For the operating system, the kernel code often presents vulnerabilities which can be used to attack applications (Cifuentes, Beltrán, & Ramírez, 2015).

Jailbreaking, which is the removal of manufacturer restraints, usually exploits kernel code vulnerabilities. The application layer is the most frequently exploited level when attacking mobile applications. Malicious code can be injected into various applications and is used by an attacker to steal user data and initiate transactions. This paper discusses some of the common vulnerabilities that are present in mobile applications irrespective of the platform on which the application is running.

Insecure storage of data on the client side is a security risk concerning personally identifiable information (PII) and other sensitive data stored on the user's mobile device. Developers must ensure that only data which is critical for the application's use is stored on the physical device (Dhillon, 2017). Such data must be protected through encryption and should not lie in plain text. Platforms like iOS already provide encryption for data that lies on the device through APIs such as NSData and NSFileManager, which let the mobile application apply file protection attributes to what it writes to the file system.

Insufficient protection of data in transit is a risk which arises when data passes through the transport layer. After the PII has been secured, the next vulnerability can occur when the application is transmitting data to the app server. Encryption must be used on this communication channel. SSL certificates are used to establish an encrypted link between the app server and the application. Data should be sent in a manner that guarantees that information is not changed as it travels through the channel.

Data leakage is a common risk in mobile applications which can lead to the loss of user information such as social security numbers, emails, usernames, and passwords. Application developers should ensure that user data is protected on their servers. Previously mentioned data protection methods such as encryption can be used to protect user data. In addition, the design of the mobile application should have data protection in mind and not as an afterthought (Basavala et al., 2013). With the enactment of policies such as the GDPR, data protection is now an area which developers should take into consideration in the app development cycle.

Improper authentication between the client and the application server is a risk that can lead to vulnerable applications. By design, the authentication mechanisms between mobile applications and the server are usually implemented on the server side. Secure authentication is necessary to uniquely identify a mobile application user and prevent session hijacking.

Authorization and Input Validation Risks

Mobile applications should request permissions only when necessary. There are cases of applications such as a basic calculator requesting access to sensitive information such as GPS, contacts, call logs and messaging. Is this an implementation of a least privilege policy? Applications should request only the information they need from the client device, to limit the impact of common vulnerabilities which can be used to exploit the app. Additionally, the app server should not allow a user with fewer privileges to access other parts of the application, especially in shared applications. Vertical privilege escalation can occur in an application such as Uber, where a user could access the business side of the application and award themselves unlimited trips or clear charges on their account (Dhillon, 2017). Horizontal escalation allows users to bypass any authorization checks present in the app; in the case of a mobile banking application, it can allow a user to view the transactions and account details of another user.

Vulnerabilities such as injections can lead to various risks depending on how they are exploited. SQL injection is used to attack mobile applications that use an SQLite database to store data on the client’s device. Furthermore, cross-site scripting (XSS) is another attack that results from an injection vulnerability. These attacks take advantage of applications which trust user input implicitly.  XSS allows for remote code execution with devastating consequences. Applications should be implemented such that they only accept a specific data format and length. User input should only accept certain data types and should not accept special characters such as single and double quotes (', ") and the backslash (\), which are used in SQL injection.

Discussion

Basavala et al. (2013) suggested best practices to counter the vulnerabilities present in mobile applications. For general mobile application security, the paper suggested enforcing ADFS 2.0 authentication or multi-factor authentication as an alternative to prevent authentication vulnerabilities. The application server should also utilize SSL and a certificate placed on the user's device for authentication. Authentication vulnerabilities are also mitigated by the use of digital certificates, which provide a second authentication factor between the mobile application and the app server.

For vulnerabilities arising from authorization, Basavala et al. (2013) suggest the use of different domain paths to access static resources in the mobile application. This results in cookies not being exchanged unless they are needed by the mobile application. The access control policy path must not be used in URLs that have special characters in them, so as to prevent injection attacks in mobile applications.

For vulnerabilities arising from configuration management, the paper suggests limiting the size of the document object model using techniques such as pagination. Similarly, JavaScript must be placed at the bottom of the page. When a mobile application makes multiple requests to the server, such requests should be batched. Finally, third-party code and APIs must never be used by the application when it is sending data over the web.

Sensitive information leakage results from multiple vulnerabilities. Keeping the data on the device encrypted ensures that personal information is not leaked. For an application server that shares data with other devices, for example a gaming server, the data which has to be shared must be replicated back to the server to assist in recovery in case of leakages. Lastly, HTML extensions needed for mobile application functionality should be standard ones, and the developer should replace the open-sourced ones.

Session Management and Further Mitigations

Session management, whose failure can result in session hijacking, is integral to vulnerability mitigation. Since many mobile devices disable cookies due to their configuration, mobile applications should be developed to function without cookies. For applications that use cookies, the application server should be configured not to trust the information it receives from the app without proper authentication. The application should use a security token that is stored locally on the mobile device to enable automatic sign-in. For a mobile application, such as a mail application, which connects to a web site that has encryption but has links pointing to an untrusted certificate, agents should act and report to the application in the same way as when the resource is unavailable. This prevents the man-in-the-middle attacks which exploit this vulnerability.

Input validation vulnerabilities are mitigated by sanitizing input parameters and maintaining blacklists and whitelists of characters. Data entered in forms by mobile applications and then passed to the backend for processing must have proper validation. Both the client and the application server should validate input data, and JavaScript should be processed separately to remove whitespace.
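The SQLite injection risk and the whitelist mitigation described above, as an added example that is not from the essay or the cited papers: a client-side lookup built by string concatenation beside its parameterised form, plus a whitelist validator that only admits the expected type and length. The in-memory table, the accounts and the username rule are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory SQLite store standing in for an app's client-side database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db


def lookup_vulnerable(db, username):
    """Builds SQL by concatenation: a quote in the input changes the query itself."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, username):
    """Parameterised query: the driver treats the input as data, never as SQL."""
    return db.execute("SELECT username, balance FROM accounts WHERE username = ?",
                      (username,)).fetchall()


# Whitelist rule from the essay: a fixed type, character set and length; quotes and
# backslashes can never match. The 3-16 lowercase/digit rule is an assumption.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def validate_username(value):
    """Return True only for input that matches the whitelist; reject everything else."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_checked(db, username):
    """Validation on entry plus a parameterised query: defence in depth."""
    if not validate_username(username):
        raise ValueError("rejected input")
    return lookup_hardened(db, username)


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, "alice"))           # [('alice', 120)]
    print(lookup_vulnerable(db, "' OR '1'='1"))   # every account leaks
    print(lookup_hardened(db, "' OR '1'='1"))     # [] : the input is just a string
```

The same pattern applies to the server side of the app: validate at the boundary, then pass values to the database only through bound parameters.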

For vulnerabilities that exploit weak encryption, organizations which have deployed mobile applications should use cryptography properly. For example, strong policy restrictions should be enforced to prevent storing a manifest on the network used internally by the organization. Also, dynamic resources must be cached by identifying them with a resource identifier which includes a hash of the identifier.

Mobile applications must have proper logging and auditing to check for new vulnerabilities that may seek to abuse the application layers. For an application with authentication, invalid access logs should always be monitored to ensure that strong mitigation processes are in place for new vulnerabilities. For such an application, Qian, Luo, Le, & Gu (2015) recommend that the user be identified and the requested event described and flagged. Additionally, the IP address used to access the mobile application should be logged together with the timestamp.

With the analysis of the paper, it is possible to detect vulnerabilities which can lead to data threats and other risks and to come up with mitigating procedures. Developers of mobile applications and organizations which use mobile applications must develop and deploy such apps with security in mind. Vulnerability assessment and penetration testing should be carried out on mobile applications to find and mitigate risks to information security. In addition to such manual and automated tests, emulators should be used to test whether the mobile applications are vulnerable. Mobile applications deal with sensitive data, and vulnerabilities should be patched in a timely manner to ensure that information is secure. For large organizations that use mobile applications as a service, for example banks, outsourcing is an option to ensure the mobile applications are secure.

References

Basavala, S. R., Kumar, N., & Agarrwal, A. (2013). Mobile Applications - Vulnerability Assessment Through the Static and Dynamic Analysis. 2013 (Cac2s).

Cifuentes, Y., Beltrán, L., & Ramírez, L. (2015). Analysis of Security Vulnerabilities for Mobile Health Applications. International Journal of Electrical, Computer, Energetic, Electronic and Communication Engineering, 9(9), 999–1004.

Dhillon, G. S. (2017). Vulnerabilities & Attacks in Mobile Adhoc Networks (MANET). International Journal of Advanced Research in Computer Science, 8(4), 2015–2017.

Dwivedi, H., Clark, C., & Thiel, D. (2015). Mobile Application Security.

Qian, C., Luo, X., Le, Y., & Gu, G. (2015). VulHunter: Toward discovering vulnerabilities in android applications. IEEE Micro, 35(1), 44–53. 

Cite This Work

My Assignment Help. (2020). Methods For Detecting Maliciousness In PDF Files: An Essay. Retrieved from https://myassignmenthelp.com/free-samples/csis-340-studies-in-information-security.