
Oliver Schranz - ARTist - A novel Instrumentation Framework for Customizing and Analyzing Apps


droidcon Berlin

July 17, 2018

Transcript

  1. Motivation
     Security: instrumentation is used a lot to implement security solutions:
     - Analyze & reverse apps
     - Monitor app behavior and enforce policy
     - Hot-patch vulnerabilities
     - Harden apps and system
     Customization: huge community of app and system modders for Android (XDA)
     - Patch out annoying parts: ad blocking, keep YouTube video running in the background
     - Circumvent protection: save Snapchat pics, fake GPS
     - Customization: change style of menu and bar
     - Add features: zoom for Instagram
  2. dex2oat
     [Diagram: the compile/install pipeline (APK with dex code -> dex2oat -> OAT) and the stages of the Optimizing Backend: Input (dex code), Verify, Transform (IR, Optimizations), Code Generation (native code), Write ELF, Output]
     - dex2oat: state-of-the-art optimization framework
     - Support for x86(64), arm(64) and mips(64)
     - Output .oat file is a specialized ELF shared object
  3. ARTist – The Android Runtime instrumentation and security toolkit
     - App signature preservation
     - Close to no runtime overhead for the instrumentation procedure
     - Non-intrusive/easily revertible
     - Runs on rooted stock devices
  4. Deployment: App
     ArtistGui
     - Regular Android app
     - Run ARTist as a binary
     - On-demand instrumentation of installed apps
     - Keep apps instrumented upon updates
     - Choose modules for each app
     - Later: automatic updates of ARTist and modules
  5. Deployment: OS
     Replace system compiler
     - Custom ROM
     - Use ARTist as system compiler
       - instrument apps
       - instrument middleware & framework
     - Untested, but potentially also possible for rooted stock ROMs
     dex2oat invocation as logged by the system:
     DEX2OAT CMD LINE FULL: /system/bin/dex2oat --zip-fd=6 --zip-location=services.jar --oat-fd=7 --oat-location=/data/dalvik-cache/x86_64/system@framework@services.jar@classes.dex --instruction-set=x86_64 --instruction-set-variant=x86_64 --instruction-set-features=default --runtime-arg -Xms64m --runtime-arg -Xmx512m --compiler-filter=everything --swap-fd=9
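When the OS deployment swaps the system compiler, the dex2oat invocation that produced each .oat file is the first place to look: which binary ran, with which compiler filter and instruction set, and with which runtime arguments. The following Python parser is an added example, not code from the deck or the ARTist project. It splits the "DEX2OAT CMD LINE FULL:" log line shown on the slide (embedded here as a constructed sample string) into the binary path, the `--key=value` flags, bare switches, and the `--runtime-arg <value>` pairs, so the values can be compared against what the ROM is expected to use. The log prefix and the expected binary path are assumptions taken from the slide.

```python
"""Parse a logged dex2oat command line into a structured record (added example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample: the command line printed on the slide, as one log line.
SAMPLE_LOG_LINE = (
    "DEX2OAT CMD LINE FULL: /system/bin/dex2oat --zip-fd=6 --zip-location=services.jar "
    "--oat-fd=7 --oat-location=/data/dalvik-cache/x86_64/system@framework@services.jar@classes.dex "
    "--instruction-set=x86_64 --instruction-set-variant=x86_64 --instruction-set-features=default "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m --compiler-filter=everything --swap-fd=9"
)

LOG_PREFIX = "DEX2OAT CMD LINE FULL:"   # assumed from the slide's log line
EXPECTED_BINARY = "/system/bin/dex2oat"  # assumed path of the stock compiler


@dataclass
class Dex2oatInvocation:
    binary: str
    flags: dict[str, str] = field(default_factory=dict)   # --key=value options
    switches: list[str] = field(default_factory=list)      # --key options without a value
    runtime_args: list[str] = field(default_factory=list)  # values passed via --runtime-arg


def parse_dex2oat_cmdline(line: str) -> Dex2oatInvocation:
    """Split a dex2oat log line into binary, flags, switches and runtime arguments."""
    if LOG_PREFIX in line:
        line = line.split(LOG_PREFIX, 1)[1]
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty dex2oat command line")
    inv = Dex2oatInvocation(binary=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg":
            # --runtime-arg takes its value as the *next* token (e.g. -Xmx512m)
            if i + 1 >= len(tokens):
                raise ValueError("--runtime-arg without a value")
            inv.runtime_args.append(tokens[i + 1])
            i += 2
            continue
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token: {tok!r}")
        if "=" in tok:
            key, value = tok[2:].split("=", 1)
            inv.flags[key] = value
        else:
            inv.switches.append(tok[2:])
        i += 1
    return inv


def audit_invocation(inv: Dex2oatInvocation) -> list[str]:
    """Return observations worth checking when auditing how an .oat file was built."""
    notes = []
    if inv.binary != EXPECTED_BINARY:
        notes.append(f"compiler binary is {inv.binary}, expected {EXPECTED_BINARY}")
    for key in ("compiler-filter", "instruction-set", "oat-location", "zip-location"):
        notes.append(f"{key} = {inv.flags.get(key, '<missing>')}")
    if inv.runtime_args:
        notes.append("runtime args: " + " ".join(inv.runtime_args))
    return notes


if __name__ == "__main__":
    parsed = parse_dex2oat_cmdline(SAMPLE_LOG_LINE)
    for note in audit_invocation(parsed):
        print(note)
```

Feeding the parsed record into `audit_invocation` gives a short list that states the binary path (and whether it differs from the expected stock path), the compiler filter, instruction set and file locations; on a device whose compiler has been replaced, the binary path and its hash are what to compare against the ROM image, since the remaining flags are supplied by the installer and look identical either way.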
  6. Framework Comparison
     ARTist aims for a sweet spot that combines ease of deployment and non-invasiveness with fine-grained access and a focus on users and developers.

     |                     | Xposed          | Frida                 | ARTist                     |
     |---------------------|-----------------|-----------------------|----------------------------|
     | Scope               | Devs/Users      | Devs                  | Devs/Users                 |
     | Expressiveness      | Same            | Same                  | Same                       |
     | Required Privileges | Root            | Root                  | Root                       |
     | Deployment          | Custom recovery | Adb + connected PC    | App                        |
     | Invasiveness        | Modify OS       | Modify target process | Change compiled app        |
     | Granularity         | Method          | Method                | Instruction                |
     | Architectures       | x86, arm(64)    | x86(64), arm(64)      | x86(64), arm(64), mips(64) |
     | Android Versions    | 4.1 - 8         | 4.2 - 8               | 6 - 8                      |
     | Extension Language  | Java            | JavaScript & Python   | C++ & Java                 |
  7. Modules
     What is an ARTist module?
     - ARTist "optimization" passes (.so)
     - CodeLib (.apk)
     - Manifest (.json): version, maintainer, ...
     - Self-contained package that represents an abstract functionality
     - Contains everything needed by ArtistGui & ARTist to manage and execute your module
  8. Module: Stetho
     Stetho Debug Bridge
     - Intercept network traffic
     - Read and modify files
     - Access databases
     - Inspect and change layout
     - JS code exec in app context
     Meant to be included in the debug build of your own app
     ...
     What if someone injects this into arbitrary third-party apps?
  9. Advanced Modules
     - Intra-App Taint Tracking
     - IRM-based Permission Refinement
     - Test coverage for arbitrary apps
     - Ad Library Compartmentalization
     - Method tracing
     - Fault Injection
     - …
     [Diagram: ad library compartmentalization architecture. Host App (Host Components, Primitives, Strings, WrapClass, Ad Helper, Stub, Proxy, Ad Invocation APIs, Sync APIs) and Ad Lib App (Ad Lib Components, Primitives, Strings, Ad Lib Object, Ad Service, Proxy, Callback APIs, Stub) communicate through a Binder Module on the Linux Kernel; a WrapClass carries Identity: <ID>, Class: <Ad Lib Class>, LocalId: <LocalID> and identifies the Ad Lib Object]
     References:
     - ARTist - The Android Runtime Instrumentation and Security Toolkit – IEEE EuroS&P 2017
     - The ART of App Compartmentalization: Compiler-based Library Privilege Separation on Stock Android – ACM CCS 2017
  10. Creating own modules
      Basic workflow for the app deployment (system deployment differs):
      1. Install SDK
      2. Fork template-module & codelib
      3. Implement your module
      4. Build & deploy
      5. Import in ArtistGui
      6. Profit
      More information at https://artist.cispa.saarland
  11. Outlook
      - We just entered the beta phase
        - Artist Module SDK
        - Module management in ArtistGui
        - Semantic versioning
        - Documentation v2
      - Later™:
        - Automated testing & release
        - Public module marketplace
        - Support for Xposed modules
        - Systemserver and framework support for rooted stock devices?
  12. Community
      - ARTist is still a young project
        - We just released the beta =)
        - Many APIs not yet fixed
      - We want to build a community around ARTist
        - We are looking for feedback to guide future development
        - Your chance to get a say in the project
      If you are curious now, check out our Gitter & GitHub:
      https://gitter.im/project-artist/
      https://github.com/Project-ARTist/
  13. ARTist - A novel Instrumentation Framework for Customizing and Analyzing Apps
      Thank you!
      Web: https://artist.cispa.saarland
      Gitter: https://gitter.im/project-artist/
      Twitter: @schrnz
      Email: [email protected]