Improving DroidBox

1. Improving our Android Application Sandbox (DroidBox)
   Student: Kun Yang <kelwya@gmail.com>
   ORG: The Honeynet Project
   Primary mentors: Patrik Lantz, Felix Leder
   Backup mentors: Anthony Desnos, Jianwei Zhuge

2. Outline
   • Goals
   • Current design and work
   • Demos
   • Future works

3. Goals
   • Port DroidBox to support Android 2.3
   • Repackage the APK to monitor API calls at runtime, to avoid endless upgrades of DroidBox

4. DroidBox for Android 2.3
   • Based on TaintDroid 2.3 [1]
   • Fixed some bugs
     – output string processing related bug
     – network file descriptor identifier related bug
   • Hooked sensitive APIs like the previous version
   • Adjusted some hooking
     – Moved I/O hooking to the native code layer
   • Released a beta version on the project page

5. DroidBox APIMonitor
   • Based on smali/baksmali
   • Parses smali into a tree structure
   • Intercepts different kinds of methods
     – Instance method
     – Constructor
     – Static method
   • Outputs parameters and return values of different types
     – Basic type: String.valueOf(type)
     – Object: object.toString()
     – Array: Java reflection
   • Builds an API database to detect methods inherited from the API
   • Developed the APK instrumentation library (APKIL)

6. APIMonitor Architecture
   (diagram) Components: API List, API Database, APIMonitor, APK, NEW APK, Emulators, Real Devices, ADB, Logs

7. Smali Parsing
   (diagram) Tree node types: SmaliTree, ClassNode, FieldNode, MethodNode, InsnNode, LabelNode, TryNode, SwitchNode, ArrayDataNode, Insn35cNode, Insn3rcNode

8. Method Interception
   • Uses a framework design similar to I-ARM-Droid [2]
   • Basic workflow example:
     – Intercept methods in class Ljava/net/URL;
       1. Define a new class Ldroidbox/java/net/URL;
       2. Implement corresponding static methods to monitor (do the real API call in them)
       3. Replace API calls with the new methods

9. Intercept Instance Method
   Android API:  Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
   Stub Method:  static Ldroidbox/java/net/URL;->openConnection(Ljava/net/URL;)Ljava/net/URLConnection;
   opcode: invoke-virtual, invoke-super, invoke-interface (/range)

10. Intercept Static Method
    Android API:  Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    Stub Method:  static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    opcode: invoke-static (/range)

11. Intercept Constructor
    Android API:  Ljava/net/URL;-><init>(Ljava/lang/String;)V
    Stub Method:  static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
    opcode: invoke-direct (/range)
    Does it always work? No!

12. Intercept Constructor
    Exception: v19 is uninitialized!

13. Monitor Constructor
    We can't intercept constructors by replacing them with the stub methods: the register filled by new-instance is still uninitialized until <init> has run, so the verifier rejects the rewritten call. Instead, just insert a new method droidbox_cons after the constructor for monitoring.

14. Parameters Output
    • Basic Type
      – String.valueOf(int)
      – String.valueOf(long)
      – String.valueOf(double)
      – String.valueOf(float)
      – String.valueOf(short)
      – String.valueOf(boolean)
      – String.valueOf(byte)
      – String.valueOf(char)

15. Parameters Output
    • Object and Array
      – Implement droidbox.apimonitor.Helper.toString(Object)

16. Build API Database
    apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
    Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)

17. Build API Database
    • Build an API database to detect methods inherited from the API
    • How to find connections of classes in the API
      – find all class names: jar -tf android.jar
      – find all method signatures in a class: javap -bootclasspath android.jar -s classname
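The inheritance lookup behind slides 16 and 17, as an added example (not APKIL's own code): the framework hierarchy and method lists stand in for what `jar -tf android.jar` and `javap -s` would produce and are a constructed excerpt; the app hierarchy is a constructed stand-in for the APK's `.super` directives.

```python
# Constructed excerpt of an "API database": class -> (superclass, method signatures
# without return type). In the real tool this is built from android.jar.
API_DB = {
    'Ljava/lang/Object;': (None, {'toString()', 'hashCode()'}),
    'Landroid/content/Context;': (
        'Ljava/lang/Object;',
        {'openFileOutput(Ljava/lang/String;I)', 'getSystemService(Ljava/lang/String;)'}),
    'Landroid/content/ContextWrapper;': (
        'Landroid/content/Context;',
        {'openFileOutput(Ljava/lang/String;I)', 'getSystemService(Ljava/lang/String;)'}),
    'Landroid/view/ContextThemeWrapper;': ('Landroid/content/ContextWrapper;', set()),
    'Landroid/app/Activity;': ('Landroid/view/ContextThemeWrapper;', {'onCreate(Landroid/os/Bundle;)'}),
}

# Constructed app-side hierarchy (class -> declared superclass), as read from the smali
APP_SUPERS = {
    'Lapkil/tests/APKIL;': 'Landroid/app/Activity;',
    'Lapkil/tests/Helper;': 'Ljava/lang/Object;',
}

def resolve_api(cls, method, api_db=API_DB, app_supers=APP_SUPERS):
    """Return the nearest framework class declaring `method` for a call on `cls`,
    walking up the app hierarchy first and then the framework one; None if the
    method is the app's own (the slide's "NOT ANDROID API" case)."""
    seen = set()
    while cls and cls not in seen:          # guard against malformed cyclic hierarchies
        seen.add(cls)
        if cls in api_db:
            superclass, methods = api_db[cls]
            if method in methods:
                return cls
            cls = superclass
        else:
            cls = app_supers.get(cls)       # app class: climb to its declared superclass
    return None

def describe_call(cls, method):
    """Format the verdict the way the slide's log line does."""
    owner = resolve_api(cls, method)
    if owner is None:
        return f'{cls}->{method}: NOT ANDROID API'
    return f'{cls}->{method}: Inherited from: {owner}->{method}'
```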
18. How to use APIMonitor
    usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

    positional arguments:
      filename              path of APK file

    optional arguments:
      -h, --help            show this help message and exit
      -o, --output dirpath  output directory
      -a, --api apilist     config file of API list
      -v, --version         show program's version number and exit

19. Specify APIs in Config File
    $ ./apimonitor.py -a config_file -o outdir sample.apk
    • API configuration file
      – One method: method signature without return value
        • Landroid/content/Intent;-><init>(Ljava/lang/String;)
      – All methods with the same name: method signature without parameters and return value
        • Landroid/content/Intent;-><init>
      – All methods of the same class: class signature
        • Landroid/content/Intent;
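The rewriting rules of slides 8 to 13 driven by the config-file forms of slide 19, as an added example (not APKIL's own code): one smali invoke line goes in, the instrumented line(s) come out. The stub naming (`Ldroidbox/` prefix, receiver as first parameter) follows the slides; the signature of the inserted `droidbox_cons` monitor call is an assumption.

```python
import re

# One smali invoke instruction, e.g.
#   invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
INVOKE_RE = re.compile(
    r'^(?P<indent>\s*)(?P<op>invoke-(?:virtual|super|interface|static|direct)(?:/range)?)\s+'
    r'\{(?P<regs>[^}]*)\},\s+(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$')

def matches_config(cls, name, params, config):
    """The three config-file forms from the slides: full method signature without
    return type, method name only, or the whole class."""
    return (f'{cls}->{name}({params})' in config
            or f'{cls}->{name}' in config
            or cls in config)

def stub_class(cls):
    """Ljava/net/URL; -> Ldroidbox/java/net/URL; (the slides' naming scheme)."""
    return 'Ldroidbox/' + cls[1:]

def rewrite_invoke(line, config):
    """Return the smali line(s) that replace `line` after instrumentation.

    instance methods : invoke-virtual/super/interface -> invoke-static on a stub whose
                       first parameter is the receiver; the register list is unchanged
    static methods   : invoke-static -> invoke-static on a stub with the same signature
    constructors     : invoke-direct <init> is kept and a droidbox_cons call is inserted
                       after it; replacing it would hand the stub the register filled by
                       new-instance before <init> ran ("v19 is uninitialized")
    """
    m = INVOKE_RE.match(line)
    if not m or not matches_config(m['cls'], m['name'], m['params'], config):
        return [line]
    indent, op, regs, cls, name, params, ret = m.groups()
    new_op = 'invoke-static/range' if op.endswith('/range') else 'invoke-static'
    stub = stub_class(cls)
    if op.startswith('invoke-direct'):
        if name != '<init>':
            return [line]  # private methods are never API calls
        # Assumed monitor signature (not on the slides): the constructed object plus the
        # constructor arguments, returning void.
        return [line, f'{indent}{new_op} {{{regs}}}, {stub}->droidbox_cons({cls}{params})V']
    if op.startswith('invoke-static'):
        return [f'{indent}{new_op} {{{regs}}}, {stub}->{name}({params}){ret}']
    # instance call: the receiver's type becomes the stub's first parameter
    return [f'{indent}{new_op} {{{regs}}}, {stub}->{name}({cls}{params}){ret}']

def instrument(lines, config):
    """Rewrite a whole smali method body, given as a list of lines."""
    return [out for line in lines for out in rewrite_invoke(line, config)]
```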
20. View logs
    • DDMS
    • $ adb logcat

21. Demo logs
    • APKILTests.apk
      – Developed to test APIMonitor
      – Called some common sensitive APIs for testing
    (log screenshot) Get IMEI/IMSI & MD5 hash

22. Demo logs
    (log screenshots) AES Cipher; File IO; Get installed application list

23. Demo logs
    (log screenshot) Send SMS & Phone Call

24. Real-world malware
    • fishbot
      – It was found in China
      – Goal: find the C&C server URL, which is encrypted in the bytecode
    (log screenshot) C&C server address

25. Future works
    • Collect and classify sensitive Android APIs for different uses of analysis
    • Move APIMonitor to the cloud (under development)
    • Do deep analysis on monitoring logs to dig out more information
    • Modify Dalvik to support dynamic instrumentation

26. References
    • [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
    • [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications

27. Links
    • Project Page: http://code.google.com/p/droidbox
    • APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
    • APIMonitor repo: http://github.com/kelwin/apkil