Improving DroidBox


  • 1. Improving our Android Application Sandbox (DroidBox)
    Student: Kun Yang <kelwya@gmail.com>
    Org: The Honeynet Project
    Primary mentors: Patrik Lantz, Felix Leder
    Backup mentors: Anthony Desnos, Jianwei Zhuge
  • 2. Outline
    • Goals
    • Current design and work
    • Demos
    • Future work
  • 3. Goals
    • Port DroidBox to support Android 2.3
    • Repackage the APK to monitor API calls at runtime, to avoid the endless upgrading of DroidBox itself
  • 4. DroidBox for Android 2.3
    • Based on TaintDroid 2.3 [1]
    • Fixed some bugs
      – output string processing related bug
      – network file descriptor identifier related bug
    • Hooked sensitive APIs like the previous version
    • Adjusted some hooking
      – Moved IO hooking to the native code layer
    • Released a beta version on the project page
  • 5. DroidBox APIMonitor
    • Based on smali/baksmali
    • Parses smali into a tree structure
    • Intercepts different kinds of methods
      – Instance method
      – Constructor
      – Static method
    • Outputs parameters and return values of different types
      – Basic type: String.valueOf(type)
      – Object: object.toString()
      – Array: Java reflection
    • Builds an API database to detect methods inherited from the API
    • Developed the APK instrumentation library (APKIL)
  • 6. APIMonitor Architecture
    (architecture diagram; components: API List, API Database, APIMonitor, APK, new APK, emulators, real devices, logs, ADB)
  • 7. Smali Parsing
    (diagram of the parse tree; node types: SmaliTree, ClassNode, FieldNode, MethodNode, InsnNode, LabelNode, TryNode, SwitchNode, ArrayDataNode, Insn35cNode, Insn3rcNode)
  • 8. Method Interception
    • Uses a framework design similar to I-ARM-Droid [2]
    • Basic workflow example: intercept methods in class Ljava/net/URL;
      1. Define a new class Ldroidbox/java/net/URL;
      2. Implement corresponding static methods to monitor the calls (the real API call is made inside the stub)
      3. Replace the API calls with the new methods
  • 9. Intercept Instance Method
    Android API: Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    Stub method: static Ldroidbox/java/net/URL;->openConnection(Ldroidbox/java/net/URL;)Ljava/net/URLConnection;
    Opcodes: invoke-virtual, invoke-super, invoke-interface (/range)
  • 10. Intercept Static Method
    Android API: Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    Stub method: static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    Opcode: invoke-static (/range)
  • 11. Intercept Constructor
    Android API: Ljava/net/URL;-><init>(Ljava/lang/String;)V
    Stub method: static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
    Opcode: invoke-direct (/range)
    Does it always work? No!
  • 12. Intercept Constructor
    Exception: v19 is uninitialized!
  • 13. Monitor Constructor
    We can't intercept constructors by replacing them with stub methods: the object register is uninitialized until the real <init> has run. Instead, keep the constructor call and just insert a new method droidbox_cons for monitoring.
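A minimal version of the rewriting step from slides 8 to 13, as an added Python example that is not APIMonitor's or apkil's own code: instance and static calls are redirected to a static stub in a Ldroidbox/ class, while a constructor call is kept and followed by an inserted droidbox_cons call. The stub package prefix, the regex and the droidbox_cons signature (object plus the original parameters, returning void) are assumptions made for this example.

```python
import re

# One Dalvik invoke instruction in smali, e.g.
#   invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
# (regex and stub naming are assumptions made for this example, not apkil's own)
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|super|interface|static|direct)"
    r"(?P<range>/range)?\s+\{(?P<regs>[^}]*)\},\s+"
    r"(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
)
STUB_PREFIX = "Ldroidbox/"   # Ljava/net/URL; becomes Ldroidbox/java/net/URL;


def rewrite_invoke(line: str, api_classes: set[str]) -> list[str]:
    """Rewrite one smali line; returns the replacement line(s).

    Only calls into classes listed in api_classes are touched, so the
    app's own methods and the stubs themselves are left alone.
    """
    m = INVOKE_RE.match(line)
    if not m or m["cls"] not in api_classes:
        return [line]
    kind, rng, regs = m["kind"], m["range"] or "", m["regs"]
    cls, name, params, ret = m["cls"], m["name"], m["params"], m["ret"]
    stub_cls = STUB_PREFIX + cls[1:]
    head = f"{m['indent']}invoke-static{rng} {{{regs}}}, {stub_cls}->"
    if kind == "static":
        # Static API call: same registers, same parameters; the stub does the real call.
        return [f"{head}{name}({params}){ret}"]
    if kind == "direct" and name == "<init>":
        # Constructor: the object register is uninitialized until <init> returns,
        # so the original call stays and a monitoring call is appended after it.
        # Assumed stub shape: droidbox_cons(<object>, <original params>)V
        return [line, f"{head}droidbox_cons({cls}{params})V"]
    if kind in ("virtual", "super", "interface"):
        # Instance call: the receiver register in {regs} becomes the stub's first parameter.
        return [f"{head}{name}({cls}{params}){ret}"]
    return [line]   # other invoke-direct calls (private methods) are not API calls


def rewrite_method(smali_lines: list[str], api_classes: set[str]) -> list[str]:
    """Apply rewrite_invoke to every line of a method body."""
    out = []
    for ln in smali_lines:
        out.extend(rewrite_invoke(ln, api_classes))
    return out
```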
  • 14. Parameters Output
    • Basic types
      – String.valueOf(int)
      – String.valueOf(long)
      – String.valueOf(double)
      – String.valueOf(float)
      – String.valueOf(short)
      – String.valueOf(boolean)
      – String.valueOf(byte)
      – String.valueOf(char)
  • 15. Parameters Output
    • Object and array
      – Implemented droidbox.apimonitor.Helper.toString(Object)
  • 16. Build API Database
    apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
    Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
  • 17. Build API Database
    • Build an API database to detect methods inherited from the API
    • How to find the connections between classes in the API
      – find all class names: jar -tf android.jar
      – find all method signatures in a class: javap -bootclasspath android.jar -s classname
  • 18. How to use APIMonitor
    usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename
    positional arguments:
      filename              path of APK file
    optional arguments:
      -h, --help            show this help message and exit
      -o, --output dirpath  output directory
      -a, --api apilist     config file of API list
      -v, --version         show program's version number and exit
  • 19. Specify APIs in Config File
    $ ./apimonitor.py -a config_file -o outdir sample.apk
    • API configuration file
      – One method: method signature without return value
        • Landroid/content/Intent;-><init>(Ljava/lang/String;)
      – All methods with the same name: method signature without parameters and return value
        • Landroid/content/Intent;-><init>
      – All methods of the same class: class signature
        • Landroid/content/Intent;
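The API-database lookup from slides 16 and 17 and the config-file matching from slide 19, as an added Python example that is not APIMonitor's own code. The API database excerpt and the app's class hierarchy are constructed by hand here (the real tool derives them from android.jar with jar and javap); matching a config entry against the API class that actually declares the method is an assumption of this example.

```python
# Constructed excerpt of an API database: class -> (superclass, {method signatures
# without return type}). APIMonitor builds the real one from android.jar.
API_DB = {
    "Landroid/content/Context;": (None, {"openFileOutput(Ljava/lang/String;I)"}),
    "Landroid/content/ContextWrapper;": ("Landroid/content/Context;",
                                         {"openFileOutput(Ljava/lang/String;I)"}),
    "Landroid/app/Activity;": ("Landroid/content/ContextWrapper;",
                               {"onCreate(Landroid/os/Bundle;)"}),
    "Landroid/content/Intent;": (None, {"<init>(Ljava/lang/String;)",
                                        "<init>(Ljava/lang/String;Landroid/net/Uri;)",
                                        "setAction(Ljava/lang/String;)"}),
}
# Constructed app-side hierarchy, as read from the APK's own smali: class -> superclass.
APP_CLASSES = {"Lapkil/tests/APKIL;": "Landroid/app/Activity;"}


def resolve_api_method(cls, method_sig):
    """Walk up the superclass chain until an API class declares method_sig.
    Returns that API class, or None when the method is not an Android API."""
    while cls is not None:
        if cls in API_DB:
            superclass, methods = API_DB[cls]
            if method_sig in methods:
                return cls
            cls = superclass
        else:
            cls = APP_CLASSES.get(cls)
    return None


def config_matches(entry, api_cls, method_sig):
    """The three entry forms from the slides: whole class, class->name, class->name(params)."""
    if "->" not in entry:
        return entry == api_cls
    entry_cls, entry_method = entry.split("->", 1)
    if entry_cls != api_cls:
        return False
    if "(" in entry_method:
        return entry_method == method_sig
    return method_sig.split("(", 1)[0] == entry_method


def should_monitor(config, cls, method_sig):
    """Decide whether a call cls->method_sig gets a monitoring stub: it must resolve
    to an API method, and the declaring API class must match a config entry."""
    api_cls = resolve_api_method(cls, method_sig)
    return api_cls is not None and any(config_matches(e, api_cls, method_sig) for e in config)
```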
  • 20. View logs
    • DDMS
    • $ adb logcat
  • 21. Demo logs
    • APKILTests.apk
      – Developed to test APIMonitor
      – Calls some common sensitive APIs for testing
    (log screenshot: get IMEI/IMSI & MD5 hash)
  • 22. Demo logs
    (log screenshots: AES cipher, file IO, get installed application list)
  • 23. Demo logs
    (log screenshot: send SMS & phone call)
  • 24. Real-world malware
    • fishbot
      – It was found in China
      – Goal: find the C&C server URL, which is encrypted in the bytecode
    (log screenshot: C&C server address)
  • 25. Future work
    • Collect and classify sensitive Android APIs for different kinds of analysis
    • Move APIMonitor to the cloud (under development)
    • Do deeper analysis on the monitoring logs to dig out more information
    • Modify Dalvik to support dynamic instrumentation
  • 26. References
    • [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
    • [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
  • 27. Links
    • Project page: http://code.google.com/p/droidbox
    • APIMonitor wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
    • APIMonitor repo: http://github.com/kelwin/apkil
