Improving DroidBox

Kun Yang
August 23, 2012

Introduces the new features of DroidBox: DroidBox for Android 2.3 and APIMonitor.
The project is supported by GSoC 2012 and The Honeynet Project.

Transcript

  1. Improving our Android Application Sandbox (DroidBox)
     Student: Kun Yang <[email protected]>
     ORG: The Honeynet Project
     Primary mentor: Patrik Lantz
     Backup mentors: Felix Leder, Anthony Desnos, Jianwei Zhuge
  2. Goals
     • Port DroidBox to support Android 2.3
     • Repackage the APK to monitor API calls at runtime, avoiding endless upgrades of DroidBox
  3. DroidBox for Android 2.3
     • Based on TaintDroid 2.3 [1]
     • Fixed some bugs
       – output string processing related bug
       – network file descriptor identifier related bug
     • Hooked sensitive APIs like the previous version
     • Adjusted some hooking
       – Moved IO hooking to the native code layer
     • Released beta version on the project page
  4. DroidBox APIMonitor
     • Based on smali/baksmali
     • Parsed smali into a tree structure
     • Intercepted different kinds of methods
       – Instance method
       – Constructor
       – Static method
     • Output parameters and return value of different types
       – Basic type: String.valueOf(type)
       – Object: object.toString()
       – Array: Java Reflection
     • Built an API database to detect methods inherited from the API
     • Developed the APK instrumentation library (APKIL)
  5. Method Interception
     • Uses a framework design similar to I-ARM-Droid [2]
     • Basic workflow example: intercept methods in class Ljava/net/URL;
       1. Define a new class Ldroidbox/java/net/URL;
       2. Implement corresponding static methods to monitor (do the real API call in them)
       3. Replace API calls with the new methods
  6. Intercept Instance Method
     Android API: Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
     Stub Method: static Ldroidbox/java/net/URL;->openConnection(Ldroidbox/java/net/URL;)Ljava/net/URLConnection;
     opcode: invoke-virtual, invoke-super, invoke-interface (/range)
  7. Intercept Static Method
     Android API: Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
     Stub Method: static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
     opcode: invoke-static (/range)
  8. Intercept Constructor
     Android API: Ljava/net/URL;-><init>(Ljava/lang/String;)V
     Stub Method: static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
     opcode: invoke-direct (/range)
     Does it always work? No!
  9. Monitor Constructor
     We can't intercept constructors by replacing them with the stub methods.
     Instead, just insert a call to the new method droidbox_cons for monitoring.
  10. Parameters Output
     • Basic Type
       – String.valueOf(int)
       – String.valueOf(long)
       – String.valueOf(double)
       – String.valueOf(float)
       – String.valueOf(short)
       – String.valueOf(boolean)
       – String.valueOf(byte)
       – String.valueOf(char)
  11. Build API Database
     • Build an API database to detect methods inherited from the API
     • How to find the connections between classes in the API
       – find all class names: jar -tf android.jar
       – find all method signatures in a class: javap -bootclasspath android.jar -s classname
  12. How to use APIMonitor
     usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

     positional arguments:
       filename              path of APK file

     optional arguments:
       -h, --help            show this help message and exit
       -o, --output dirpath  output directory
       -a, --api apilist     config file of API list
       -v, --version         show program's version number and exit
  13. Specify APIs in Config File
     $ ./apimonitor.py -a config_file -o outdir sample.apk
     • API configuration file
       – One method: method signature without return value
         • Landroid/content/Intent;-><init>(Ljava/lang/String;)
       – All methods with the same name: method signature without parameters and return value
         • Landroid/content/Intent;-><init>
       – All methods of the same class: class signature
         • Landroid/content/Intent;
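As an added example (not code from the deck or from the APKIL project), the rewrite step of slides 5 through 9 and the three config-file granularities of slide 13, applied to a constructed smali snippet; the regex, the sample smali, and passing the receiver as the original API type in the stub's parameter list are my assumptions.

```python
import re

# One smali invoke instruction, e.g. invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<op>invoke-(?:virtual|super|interface|static|direct)(?:/range)?)"
    r" \{(?P<regs>[^}]*)\}, (?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)"
)

def api_matches(cls, name, params, api_list):
    """Config-file granularities: whole class, every method of that name,
    or one exact signature (written without its return type)."""
    candidates = (cls, f"{cls}->{name}", f"{cls}->{name}({params})")
    return any(c in api_list for c in candidates)

def rewrite_invoke(line, api_list):
    """Redirect one matching invoke to its static stub; leave other lines alone."""
    m = INVOKE_RE.match(line)
    if not m or not api_matches(m["cls"], m["name"], m["params"], api_list):
        return line
    if m["name"] == "<init>":
        # Constructors are not replaced (slide 9): a droidbox_cons call would be
        # inserted after the invoke-direct instead, which this example leaves out.
        return line
    rng = "/range" if m["op"].endswith("/range") else ""
    if m["op"].startswith("invoke-static"):
        new_params = m["params"]             # static: same parameter list
    else:
        new_params = m["cls"] + m["params"]  # instance: receiver becomes first param (assumption)
    stub_cls = "Ldroidbox/" + m["cls"][1:]   # Ljava/net/URL; -> Ldroidbox/java/net/URL;
    return (f"{m['indent']}invoke-static{rng} {{{m['regs']}}}, "
            f"{stub_cls}->{m['name']}({new_params}){m['ret']}")

def instrument(smali_text, api_list):
    """Rewrite every line of a baksmali output file."""
    return "\n".join(rewrite_invoke(l, api_list) for l in smali_text.split("\n"))

# Constructed smali method body, standing in for one emitted by baksmali.
SAMPLE_SMALI = """\
.method public run()V
    new-instance v0, Ljava/net/URL;
    const-string v1, "http://example.invalid/"
    invoke-direct {v0, v1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    invoke-static {v1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    return-void
.end method
"""
# Constructed API list using all three config granularities from slide 13.
API_LIST = {"Ljava/net/URL;->openConnection", "Ljava/net/URL;-><init>", "Landroid/net/Uri;"}
```

Running `instrument(SAMPLE_SMALI, API_LIST)` leaves the constructor call untouched and turns the other two invokes into invoke-static calls on the Ldroidbox/ stub classes, which is the text smali would reassemble into the repackaged APK.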
  14. Demo logs
     • APKILTests.apk
       – Developed to test APIMonitor
       – Called some common sensitive APIs for testing
     Log excerpt: Get IMEI/IMSI & MD5 hash
  15. Real-world malware
     • fishbot
       – It was found in China
       – Goal: find the C&C server URL, which is encrypted in the bytecode
     Log excerpt: C&C server address
  16. Future works
     • Collect and classify sensitive Android APIs for different uses of analysis
     • Move APIMonitor to the cloud (under development)
     • Do deep analysis on monitoring logs to dig out more information
     • Modify dalvik to support dynamic instrumentation
  17. References
     • [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
     • [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
  18. Links
     • Project Page: http://code.google.com/p/droidbox
     • APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
     • APIMonitor repo: http://github.com/kelwin/apkil