Presentation is loading. Please wait.

Presentation is loading. Please wait.

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012.

Published byEthan Hudson Modified over 7 years ago

Similar presentations

Presentation on theme: "DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012."— Presentation transcript:

1 DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012

2 Android Java Components System Services Native Components Apps

3 Android Java Components System Services Native Components Apps

4 Motivation: Static Analysis
Dalvik/Java Static Analysis: ded, Dexpler, soot, Woodpecker, DroidMoss Native Static Analysis: IDA, binutils, BAP

5 Motivation: Dynamic Analysis
Android Analysis: TaintDroid, DroidRanger System Calls logcat, adb

6 Motivation: Dynamic Analysis
External Analysis: Anubis, Ether, TEMU, …

7 DroidScope Overview

8 Goals Dynamic binary instrumentation for Android
Leverage Android Emulator in SDK No changes to Android Virtual Devices External instrumentation Linux context Dalvik context Extensible: plugin-support / event-based interface Performance Partial JIT support Instrumentation optimization

9 Roadmap External instrumentation
Linux context Dalvik context Extensible: plugin-support / event-based interface Evaluation Performance Usage

10 Linux Context: Identify App(s)
Shadow task list pid, tid, uid, gid, euid, egid, parent pid, pgd, comm argv[0] Shadow memory map Address Space Layout Randomization (Ice Cream Sandwich) Update on fork, execve, clone, prctl and mmap2

11 Java/Dalvik View Dalvik virtual machine mterp Which Dalvik opcode?
register machine (all on stack) 256 opcodes saved state, glue, pointed to by ARM R6, on stack in x86 mterp offset-addressing: fetch opcode then jump to (dvmAsmInstructionStart + opcode * 64) dvmAsmSisterStart for emulation overflow Which Dalvik opcode? Locate dvmAsmInstructionStart in shadow memory map Calculate opcode = (R15 - dvmAsmInstructionStart) / 64.

12 Just In Time (JIT) Compiler
Designed to boost performance Triggered by counter - mterp is always the default Trace based Multiple basic blocks Multiple exits or chaining cells Complicates external introspection Complicates instrumentation

13 dvmGetCodeAddr(PC) != NULL
Disabling JIT dvmGetCodeAddr(PC) != NULL

14 Roadmap External instrumentation
Linux context Dalvik context Extensible: plugin-support / event-based interface Evaluation Performance Usage

15 Instrumentation Design
Event based interface Execution: e.g. native and Dalvik instructions Status: updated shadow task list Query and Set, e.g. interpret and change cpu state Performance Example: Native instructions vs. Dalvik instructions Instrumentation Optimization

16 Dynamic Instrumentation
Update PC Translate Execute inCache? yes no (un)registerCallback needFlush? flushType invalidateBlock(s) flushCache yes

17 Instrumentation

18 Dalvik Instruction Tracer (Example)
1. void opcode_callback(uint32_t opcode) { 2. printf("[%x] %s\n", GET_RPC, opcodeToStr(opcode)); 3. } 4. 5. void module_callback(int pid) { 6. if (bInitialized || (getIBase(pid) == 0)) return; 8. 9. gva_t startAddr = 0, endAddr = 0xFFFFFFFF; 10. 11. addDisableJITRange(pid, startAddr, endAddr); 12. disableJITInit(getGetCodeAddrAddress(pid)); 13. addMterpOpcodesRange(pid, startAddr, endAddr); 14. dalvikMterpInit(getIBase(pid)); 15. registerDalvikInsnBeginCb(&opcode_callback); 16. bInitialized = 1; 17. } 18. 19. void _init() { 20. setTargetByName("com.andhuhu.fengyinchuanshuo"); 21. registerTargetModulesUpdatedCb(&module_callback); 22. } &startAddr, &endAddr);

19 Plugins API Tracer Native and Dalvik Instruction Tracers Taint Tracker
System calls open, close, read, write, includes parameters and return values Native library calls Java API calls Java Strings converted to C Strings Native and Dalvik Instruction Tracers Taint Tracker Taints ARM instructions One bit per byte Data movement & Arithmetic instructions including barrel shifter Does not support control flow tainting

20 Roadmap External instrumentation
Linux context Dalvik context Extensible: plugin-support / event-based interface Evaluation Performance Usage

21 Implementation Configuration QEMU 0.10.50 – part of Gingerbread SDK
“user-eng” No changes to source Linux , QEMU kernel branch

22 Performance Evaluation
Seven free benchmark Apps AnTuTu Benchmark (ABenchMark) by AnTuTu CaffeineMark by Ravi Reddy CF-Bench by Chainfire Mobile processor benchmark (Multicore) by Andrei Karpushonak Benchmark by Softweg Linpack by GreeneComputing Six tests repeated five times each Baseline NO-JIT Baseline – uses a build with JIT disabled at runtime Context Only API Tracer Dalvik Instruction Trace Taint Tracker

23 Select Performance Results
APITracer vs. NOJIT Results are not perfect Dynamic Symbol Retrieval Overhead

24 Usage Evaluation Use DroidScope to analyze real world malware
API Tracer Dalvik Instruction Tracer + dexdump Taint Tracker – taint move_result_object after getIMEI/getIMSI Analyze included exploits Removed patches in Gingerbread Intercept system calls Native instruction tracer

25 Droid Kung Fu Three encrypted payloads Three execution methods
ratc (Rage Against The Cage) killall (ratc wrapper) gjsvro (udev exploit) Three execution methods piped commands to a shell (default execution path) Runtime.exec() Java API (instrumented path) JNI to native library terminal emulator (instrumented path) Instrumented return values for isVersion221 and getPermission methods

26 Droid Kung Fu: TaintTracker

27 DroidDream Same payloads as DroidKungFu Two processes
Normal droiddream process clears logcat droiddream:remote is malicious xor-encrypts private information before leaking Instrumented sys_connect and sys_write

28 Droid Dream: TaintTracker

29 DroidDream: crypt trace

30 Summary DroidScope Dynamic binary instrumentation for Android
Built on Android Emulator in SDK External Introspection & Instrumentation support Four plugins API Tracer Native Instruction Tracer Dalvik Instruction Tracers TaintTracker Partial JIT support

31 Related Works Static Analysis Dynamic Analysis Introspection
ded, Dexpler, soot Woodpecker, DroidMoss Dynamic Analysis TaintDroid DroidRanger PIN, Valgrind, DynamoRIO Anubis, TEMU, Ether, PinOS Introspection Virtuoso VMWatcher

32 Challenges JIT Emulation detection
Full JIT support Flushing JIT cache Emulation detection Real Sensors: GPS, Microphone, etc. Bouncer Timing assumptions, timeouts, events Closed source systems, e.g. iOS

33 Q0. Where can I get DroidScope?
Questions? Q0. Where can I get DroidScope?

34 ratc Vulnerability Three generation (stage) exploit
setuid() fails when RLIMIT_NPROC reached adbd fails to verify setuid() success Three generation (stage) exploit Locate adbd in /proc and spawns child Child fork() processes until -11 (-EAGAIN) is returned then spawns child – continues fork() Grandchild kill() adbd and waits for process to re-spawn

35 ratc: exploit diagnosis

36 Symbol Information Native library symbols - Static
From objdump of libraries Java symbols - Dynamic Dalvik data structures -> address of string Given address, load from Memory File mapped into memory dexdump as backup

37

38

Download ppt "DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012."

Similar presentations

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
1 Created by Another Process Reason: modeling concurrent sub-tasks Fetch large amount data from network and process them Two sub-tasks: fetching  processing.

1 Created by Another Process Reason: modeling concurrent sub-tasks Fetch large amount data from network and process them Two sub-tasks: fetching  processing.
CSC 501 Lecture 2: Processes. Von Neumann Model Both program and data reside in memory Execution stages in CPU: Fetch instruction Decode instruction Execute.

CSC 501 Lecture 2: Processes. Von Neumann Model Both program and data reside in memory Execution stages in CPU: Fetch instruction Decode instruction Execute.
The Process Model.

The Process Model.
1 Processes and Pipes COS 217 Professor Jennifer Rexford.

1 Processes and Pipes COS 217 Professor Jennifer Rexford.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Computer System Overview

Computer System Overview
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.

CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
ThreadsThreads operating systems. ThreadsThreads A Thread, or thread of execution, is the sequence of instructions being executed. A process may have.

ThreadsThreads operating systems. ThreadsThreads A Thread, or thread of execution, is the sequence of instructions being executed. A process may have.
D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,

D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,
Process in Unix, Linux, and Windows CS-3013 A-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux, and Windows CS-3013 A-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
OPERATING SYSTEM OVERVIEW. Contents Basic hardware elements.

OPERATING SYSTEM OVERVIEW. Contents Basic hardware elements.
Introduction to Processes CS 537 - Intoduction to Operating Systems.

Introduction to Processes CS Intoduction to Operating Systems.
Cellular Networks and Mobile Computing COMS , Spring 2014

Cellular Networks and Mobile Computing COMS , Spring 2014

Similar presentations

Ads by Google