
Introduction to Dynamic Analysis of Android Application using DroidBox

Kun Yang
July 11, 2012


Transcript

  1. Introduction to Dynamic Analysis of Android Application using DroidBox
     Kun Yang  [email protected]
  2. What is Dynamic Analysis?
     • Dynamic program analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor.
  3. Why Dynamic Analysis?
     • Dynamic analysis is precise
     • Overcomes anti-reverse-engineering
     • As fast as program execution
  4. How to do Dynamic Analysis?
     • Techniques
       – Hooking
       – Dynamic Taint Analysis
       – Instrumentation
     • Levels
       – Application Framework/Java level
       – Native library level
       – Kernel/Driver level
       – Emulator/Qemu level
  5. What is DroidBox?
     • DroidBox = Dynamic Taint Analysis + Hooking (both are at the application framework level)
     • Monitoring Actions
       – Information leaks
       – Network IO and File IO
       – Cryptography operations
       – SMS and Phone calls
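The "dynamic taint analysis + hooking" combination of slides 4 and 5 can be shown on a toy scale: hooked sources (IMEI, location, contacts) attach a tag to the data they return, every operation ORs the tags of its inputs into its output, and hooked sinks (network send, SMS) report any tagged data they receive. The following is an added example written for this transcript, not DroidBox or TaintDroid code; the mini instruction set, the tag bit values, the API names used as source/sink labels and the sample program are all constructed for the demo.

```python
"""Toy dynamic taint tracker, added as an illustration of the
"dynamic taint analysis + hooking" idea behind DroidBox/TaintDroid.
Not DroidBox code: the mini instruction set, the source/sink names
and the sample values are all constructed for this demo."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Taint tag bitmask in the style of TaintDroid's Taint.h; the bit values
# here are illustrative, not the real definitions.
TAINT_CLEAR = 0x0
TAINT_LOCATION = 0x1
TAINT_CONTACTS = 0x2
TAINT_IMEI = 0x4
TAINT_BROWSER = 0x8
TAG_NAMES = {TAINT_LOCATION: "LOCATION", TAINT_CONTACTS: "CONTACTS",
             TAINT_IMEI: "IMEI", TAINT_BROWSER: "BROWSER"}


@dataclass
class Tainted:
    """A value together with the OR of every taint tag it was derived from."""
    value: str
    tag: int = TAINT_CLEAR


# Hooked taint sources: API label -> (constructed sample value, tag assigned).
SOURCES = {
    "TelephonyManager.getDeviceId": ("123456789012345", TAINT_IMEI),
    "LocationManager.getLastKnownLocation": ("37.42,-122.08", TAINT_LOCATION),
    "ContentResolver.query(contacts)": ("alice:555-0100", TAINT_CONTACTS),
}


def tag_names(tag: int) -> List[str]:
    """Expand a tag bitmask into the names of the set bits."""
    return [name for bit, name in TAG_NAMES.items() if tag & bit]


def run(program: List[Tuple]) -> List[dict]:
    """Execute a register program, propagating taint through every
    operation, and return one report per tainted value reaching a sink.

    Constructed mini-IR:
      ("source", dst, api)    dst = value read from a hooked taint source
      ("const", dst, text)    dst = untainted literal
      ("concat", dst, a, b)   dst = a + b;   taint(dst) = taint(a) | taint(b)
      ("hash", dst, a)        dst = sha1(a); taint survives the one-way transform
      ("sink", api, src)      hooked sink (network send, SMS, file write)
    """
    regs: Dict[str, Tainted] = {}
    leaks: List[dict] = []
    for ins in program:
        op = ins[0]
        if op == "source":
            value, tag = SOURCES[ins[2]]
            regs[ins[1]] = Tainted(value, tag)
        elif op == "const":
            regs[ins[1]] = Tainted(ins[2], TAINT_CLEAR)
        elif op == "concat":
            a, b = regs[ins[2]], regs[ins[3]]
            regs[ins[1]] = Tainted(a.value + b.value, a.tag | b.tag)
        elif op == "hash":
            a = regs[ins[2]]
            digest = hashlib.sha1(a.value.encode()).hexdigest()
            regs[ins[1]] = Tainted(digest, a.tag)  # hashing does not clear taint
        elif op == "sink":
            data = regs[ins[2]]
            if data.tag != TAINT_CLEAR:
                leaks.append({"sink": ins[1], "tags": tag_names(data.tag),
                              "data": data.value})
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return leaks


# Constructed sample: an app that hashes the IMEI before posting it, sends
# contacts plus location over SMS, and also sends a harmless constant.
SAMPLE_PROGRAM = [
    ("source", "r0", "TelephonyManager.getDeviceId"),
    ("hash", "r1", "r0"),
    ("const", "r2", "id="),
    ("concat", "r3", "r2", "r1"),
    ("sink", "OSNetworkSystem.send", "r3"),
    ("source", "r4", "ContentResolver.query(contacts)"),
    ("source", "r5", "LocationManager.getLastKnownLocation"),
    ("concat", "r6", "r4", "r5"),
    ("sink", "SmsManager.sendTextMessage", "r6"),
    ("const", "r7", "ping"),
    ("sink", "OSNetworkSystem.send", "r7"),
]

if __name__ == "__main__":
    for leak in run(SAMPLE_PROGRAM):
        print(f"DataLeak at {leak['sink']}: tags={leak['tags']} data={leak['data']}")
```

The point the hash step makes is the one that matters for detection: a sandbox that only string-matched the IMEI on the wire would miss the hashed copy, while taint propagation still flags it, because the tag follows the data through the transform rather than depending on its value.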
  6. How to use DroidBox?
     1. Install Android SDK
     2. Download DroidBox package
     3. Set up a new AVD targeting Android 2.1
     4. ./startemu.sh <AVD name>
     5. ./droidbox.sh <file.apk>
  7. How to Improve DroidBox?
     • Porting DroidBox to Android 2.3
     • APK instrumentation (*)
     • Interactive analysis log
     • Cloud Service
  8. Porting Logs
     dalvik patch
       vm/interp/Taint.h
         Changed TAINT_HISTORY to TAINT_BROWSER
         Added value definitions of some taint tags
       vm/native/dalvik_system_Taint.c
         Changed all the log tags from TaintLog to DroidBox
         Added an argument of random value to function Dalvik_dalvik_system_Taint_logPathFromFd to match the FdAccess log and the FileRW log, which can tell what file is being read or written
         (*) Excluded some file paths starting with "/dev/pts", "/system", "/data/app" and "/proc/", which are legal
         (*) Found a bug in TaintDroid for Android 2.3 that will make the log analyzer fail to output the correct final report of FileRW actions (I will fix the bug in the future)
     libcore patch
       libcore/crypto/src/main/java/javax/crypto/Cipher.java
         Added a field key to track encryption and decryption keys
         Hacked the function init to save encryption and decryption keys
         Hooked the function doFinal to log cryptography information
       libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java
         Modified the constructor of SecretKeySpec
         Added a function getKey for other modules to log with
       libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java
         Hooked the constructor of DexClassLoader to monitor dynamic load and execution
       libcore/dalvik/src/main/java/dalvik/system/Taint.java
         Added and changed value definitions of some taint tags as we did in Taint.h
         Added a helper function toHex for logging
         Modified the declaration of the native function logPathFromFd
       libcore/luni/src/main/java/java/io/FileDescriptor.java
         Added 3 fields to FileDescriptor: port, id and readBuffer, which will help to track
         Hacked the constructor for tracking
       libcore/luni/src/main/java/java/util/Properties.java
         Set the property Keep-Alive to false by default to avoid socket reuse
       libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSFileSystem.java
         Hooked the functions read and write to log file operations with the help of the modified logPathFromFd
       libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSNetworkSystem.java
         Replaced the function getHostAddress with getHostName
         Added taint sinks or logging in the functions connect/connectNonBlocking/send/write/sendUrgentData
         (*) Many Network IO functions such as read in Android 2.1 are moved to native code in Android 2.3, so I did logging with the native LOGW function in org_apache_harmony_luni_platform_OSNetworkSystem.cpp
       libcore/security/src/main/java/java/security/MessageDigest.java
         Added 2 fields to MessageDigest: taintTrack and taintTag, which will help to track
         Initialized the two new fields in the constructor
         Hooked the function digest to log
       libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java
       libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java
       libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java
       libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java
       libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java
         Added a function getKey to these classes for other modules to log with
       libcore/security/src/main/java/org/bouncycastle/jce/
         (*) JCE library was not found in the source code of Android 2.3
     framework/base patch
       api/current.xml
         Automatically generated using the command: make update-api
       core/java/android/app/Activity.java
         Captured the phone call action in the function startActivity
       core/java/android/app/ContextImpl.java
         Added taint sources in the function getInstalledApplication
       core/java/android/content/ContentResolver.java
         Taint sources were added by the official TaintDroid team in version 2.3 in the function query
         Changed TAINT_HISTORY to TAINT_BROWSER
         (*) Instead of adding an argument in the CursorWrapperInner function to log, DroidBox for Android 2.1 also added taint sources here by modifying the CursorWrapperInner function and the constructor of the class CursorWrapper; in Android 2.3 I chose the method of the TaintDroid team, which is a little easier
       core/java/android/content/ContextWrapper.java
         Added a hook in the function startService to log
       telephony/java/android/telephony/SmsManager.java
         Added hooks in sendTextMessage to log
       telephony/java/android/telephony/TelephonyManager.java
         Added hooks in getDeviceId and getSubscriberId to log
       telephony/java/com/android/internal/telephony/PhoneSubInfo.java
         Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real values to prevent emulator evasion
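The dalvik patch entry above describes why logPathFromFd was given a random id: an FdAccess entry records id -> path when a descriptor is opened, later FileRW entries carry the same id plus the data, and the analyzer joins the two to say which file was read or written, skipping paths under /dev/pts, /system, /data/app and /proc/. The following is an added example of that join written for this transcript, not DroidBox's own analyzer; the log line layout (a "DroidBox:" tag followed by key=value fields, data hex-encoded as the toHex helper would produce) is constructed for the demo and the real DroidBox log format may differ. It also handles the two edge cases the slide's bug note hints at: a FileRW whose id has no FdAccess, and an FdAccess that arrives after the FileRW that uses it.

```python
"""Correlate FdAccess and FileRW log entries by their shared random id.
Added illustration for the porting log above, not DroidBox code; the line
format parsed here is constructed for the demo."""
import re
from typing import Dict, Iterable, List

# Path prefixes the porting log treats as legitimate and drops from the report.
EXCLUDED_PREFIXES = ("/dev/pts", "/system", "/data/app", "/proc/")

# Constructed log layout: tag, action, then key=value fields.
FDACCESS_RE = re.compile(
    r"DroidBox: FdAccess id=(?P<id>[0-9a-f]+) path=(?P<path>\S+)")
FILERW_RE = re.compile(
    r"DroidBox: FileRW id=(?P<id>[0-9a-f]+) op=(?P<op>read|write) data=(?P<data>[0-9a-f]*)")


def is_excluded(path: str) -> bool:
    """True for paths the porting log lists as legal and not worth reporting."""
    return path.startswith(EXCLUDED_PREFIXES)


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    """Two-pass join: first map every id to its path from FdAccess entries
    (so order in the log does not matter), then attribute each FileRW entry
    to a path and decode its hex payload."""
    lines = list(lines)
    paths: Dict[str, str] = {}
    for line in lines:
        m = FDACCESS_RE.search(line)
        if m:
            paths[m["id"]] = m["path"]

    reports: List[dict] = []
    excluded = 0
    unmatched = 0
    for line in lines:
        m = FILERW_RE.search(line)
        if not m:
            continue  # unrelated logcat line
        path = paths.get(m["id"])
        if path is None:
            unmatched += 1          # FileRW with no FdAccess: keep, but flag it
            path = "<unknown fd>"
        elif is_excluded(path):
            excluded += 1
            continue
        reports.append({"path": path, "op": m["op"],
                        "data": bytes.fromhex(m["data"])})
    return {"reports": reports, "excluded": excluded, "unmatched": unmatched}


# Constructed sample log: one app-private file read and written, two
# legal paths, one orphan FileRW, and an unrelated logcat line.
SAMPLE_LOG = [
    "W/DroidBox: FdAccess id=3a9f path=/data/data/com.example.app/files/secret.txt",
    "W/DroidBox: FileRW id=3a9f op=read data=48656c6c6f",
    "W/DroidBox: FileRW id=b201 op=read data=4e616d65",
    "W/DroidBox: FdAccess id=b201 path=/proc/self/status",
    "W/DroidBox: FdAccess id=c4d2 path=/system/lib/libc.so",
    "W/DroidBox: FileRW id=c4d2 op=read data=7f454c46",
    "I/ActivityManager: Start proc com.example.app for activity",
    "W/DroidBox: FileRW id=9999 op=write data=deadbeef",
    "W/DroidBox: FileRW id=3a9f op=write data=776f726c64",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["reports"]:
        print(f"{r['op']:5} {r['path']}: {r['data']!r}")
    print(f"excluded={result['excluded']} unmatched={result['unmatched']}")
```

Counting unmatched entries separately rather than silently dropping them is what makes a "final report" trustworthy: a FileRW with no matching FdAccess is exactly the symptom to look for when the correlation breaks, as the porting log reports it did for Android 2.3.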
  9. Intermediate Representation of Dalvik Bytecode: smali
     • The syntax is loosely based on Jasmin's/dedexer's syntax
       – Jasmin is an assembler/IR for the Java Virtual Machine
       – Dedexer is a disassembler tool included in Android SDK for DEX files
     • smali/baksmali is an assembler/disassembler for the dex format used by Dalvik
  10. References
     • Android: http://source.android.com
     • DroidBox: http://code.google.com/p/droidbox/
     • TaintDroid: http://appanalysis.org/
     • smali: http://code.google.com/p/smali/
     • DroidBox Improvements: http://www.honeynet.org/gsoc/slot11
     • APKIL: http://github.com/kelwin/apkil