Improving our Android Application Sandbox (DroidBox
•
6 gefällt mir•4,619 views
This document discusses improving the Android Application Sandbox (DroidBox) by porting it to support Android 2.3, repackaging APKs to monitor API calls, and developing a new APIMonitor tool. The APIMonitor intercepts API calls by parsing smali code and outputting parameter and return values. It builds an API database to detect inherited methods. Future work includes classifying sensitive APIs and moving analysis to the cloud.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Improving our Android Application Sandbox (DroidBox
Ähnlich wie Improving our Android Application Sandbox (DroidBox (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Improving our Android Application Sandbox (DroidBox
- 1. Improving our Android Application Sandbox (DroidBox) Student: Kun Yang <kelwya@gmail.com> ORG: The Honeynet Project Primary mentor: Patrik Lantz Felix Leder Backup mentor: Anthony Desnos Jianwei Zhuge
- 2. Outline • Goals • Current design and work • Demos • Future works
- 3. Goals • Port DroidBox to support Android 2.3 • Repackage APK to monitor API in runAme to avoid endless upgrade of DroidBox
- 4. DroidBox for Android 2.3 • Based on TaintDroid 2.3[1] • Fixed some bugs – output string processing related bug – network file descriptor idenAfier related bug • Hooked sensiAve API like previous version • Adjusted some hooking – Moved IO hooking to naAve code layer • Released beta version in project page
- 5. DroidBox APIMonitor • Based on smali/baksmali • Parsed smali into tree structure • Intercepted different kinds of methods – Instance method – Constructor – StaAc method • Output parameters and return value of different types – Basic type: String.valueOf(type) – Object: object.toString() – Array: Java ReflecAon • Build API database to detect methods inherited from API • Developed APK instrumentaAon library(APKIL)
- 6. APIMonitor Architecture API API List Database NEW APK APIMonitor APK Real Emulators Devices Logs ADB
- 7. Smali Parsing SmaliTree ClassNode FieldNode MethodNode InsnNode LabelNode TryNode SwitchNode ArrayDataNode Insn35cNode Insn3rcNode
- 8. Method Interception • Use the similar framework design of I-‐ARM-‐ Droid[2] • Basic workflow example: – Intercept methods in class Ljava/net/URL 1. Define new class Ldroidbox/java/net/URL 2. Implement corresponding staAc methods to monitor (do the real API call in it) 3. Replace API calls with new methods
- 9. Intercept Instance Method Android API: Ljava/net/URL;-‐>openConnecAon()Ljava/net/ URLConnecAon; Stub Method: staAc Ldroidbox/java/net/URL;-‐>openConnecAon (Ldroidbox/java/net/URL;)Ljava/net/URLConnecAon; opcode: invoke-‐virtual, invoke-‐super, invoke-‐interface(/range)
- 10. Intercept Static Method Android API: Landroid/net/Uri;-‐>parse(Ljava/lang/String;)Landrod/ net/Uri Stub Method: staAc Ldroidbox/android/net/Uri;-‐>parse(Ljava/lang/ String;)Landrod/net/Uri opcode: invoke-‐staAc(/range)
- 11. Intercept Constructor Android API: Ljava/net/URL;-‐><init>(Ljava/lang/String)V Stub Method: staAc Ldroidbox/java/net/URL;-‐>droidbox_cons(Ljava/ lang/String)Ljava/net/URL; opcode: invoke-‐direct(/range) Does it always work? No!
- 12. Intercept Constructor ExcepAon: v19 is uninitialized!
- 13. Monitor Constructor We can’t intercept constructors by replacing them with the stub methods. Just insert new method droidbox_cons for monitoring.
- 14. Parameters Output • Basic Type – String.valueOf(int) – String.valueOf(long) – String.valueOf(double) – String.valueOf(fload) – String.valueOf(short) – String.valueOf(boolean) – String.valueOf(byte) – String.valueOf(char)
- 15. Parameters Output • Object and Array – Implement droidbox.apimonitor.Helper.toString(Object)
- 16. Build API Database apkil.tests.APKIL;-‐>openFileOutput: NOT ANDROID API Inherited from: Landroid/content/ContextWrapper;-‐> openFileOutput(Ljava/lang/String;I)
- 17. Build API Database • Build API Database to detect methods inherited from API • How to find connecAons of classes in API – find all class names: jar –f android.jar – find all method signatures in a class: javap – bootclasspath android.jar –s classname
- 18. How to use APIMonitor usage: apimonitor.py [-‐h] [-‐o, -‐-‐output dirpath] [-‐a, -‐-‐api apilist] [-‐v, -‐-‐version] filename posiAonal arguments: filename path of APK file opAonal arguments: -‐h, -‐-‐help show this help message and exit -‐o, -‐-‐output dirpath output directory -‐a, -‐-‐api apilist config file of API list -‐v, -‐-‐version show program's version number and exit
- 19. Specify APIs in Config File $./apimonitor.py –a config_file –o outdir sample.apk • API configuraAon file – One method: Method signature without return value • Landroid/content/Intent;-‐><init>(Ljava/lang/String;) – All methods with same name: Method signature without parameters and return value • Landroid/content/Intent;-‐><init> – All methods of the same Class: Class signature • Landroid/content/Intent;
- 20. View logs • DDMS • $adb logcat
- 21. Demo logs • APKILTests.apk – Developed to test APIMonitor – Called some common sensiAve API for tesAng Get IMEI/IMSI & MD5 hash
- 22. Demo logs AES Cipher File IO Get installed applicaAon list
- 23. Demo logs Send SMS & Phone Call
- 24. Real-‐world malware • fishbot – It was found in China – Goal: Find C&C server URL which is encrypted in bytecode C&C Server address
- 25. Future works • Collect and classify sensiAve Android APIs for different use of analysis • Move APIMonitor to the cloud(under developing) • Do deep analysis on monitoring logs to dig more informaAon • Modify dalvik to support dynamic instrumentaAon
- 26. References • [1] TaintDroid: RealAme Privacy Monitoring on Smartphones • [2] I-‐ARM-‐Droid:A RewriAng Framework for In-‐ App Reference Monitors for Android ApplicaAons
- 27. Links • Project Page: hkp://code.google.com/p/ droidbox • APIMonitor Wiki: hkp://code.google.com/p/ droidbox/wiki/APIMonitor • APIMonitor repo: hkp://github.com/kelwin/ apkil