Improving DroidBox
Presentation Transcript

  • Improving our Android Application Sandbox (DroidBox)
    Student: Kun Yang <kelwya@gmail.com>
    ORG: The Honeynet Project
    Primary mentors: Patrik Lantz, Felix Leder
    Backup mentors: Anthony Desnos, Jianwei Zhuge
  • Outline
    • Goals
    • Current design and work
    • Demos
    • Future works
  • Goals
    • Port DroidBox to support Android 2.3
    • Repackage the APK to monitor API calls at runtime, to avoid the endless upgrade of DroidBox
  • DroidBox for Android 2.3
    • Based on TaintDroid 2.3 [1]
    • Fixed some bugs
      – output string processing related bug
      – network file descriptor identifier related bug
    • Hooked sensitive APIs like the previous version
    • Adjusted some hooking
      – Moved IO hooking to the native code layer
    • Released a beta version on the project page
  • DroidBox APIMonitor
    • Based on smali/baksmali
    • Parsed smali into a tree structure
    • Intercepted different kinds of methods
      – Instance method
      – Constructor
      – Static method
    • Output parameters and return value of different types
      – Basic type: String.valueOf(type)
      – Object: object.toString()
      – Array: Java Reflection
    • Build API database to detect methods inherited from API
    • Developed APK instrumentation library (APKIL)
  • APIMonitor Architecture (diagram; components: API List, API Database, APK, APIMonitor, NEW APK, Emulators / Real Devices, Logs, ADB)
  • Smali Parsing (tree diagram; node types: SmaliTree, ClassNode, FieldNode, MethodNode, InsnNode, LabelNode, TryNode, SwitchNode, ArrayDataNode, Insn35cNode, Insn3rcNode)
  • Method Interception
    • Use a framework design similar to I-ARM-Droid [2]
    • Basic workflow example:
      – Intercept methods in class Ljava/net/URL
        1. Define new class Ldroidbox/java/net/URL
        2. Implement corresponding static methods to monitor (do the real API call in them)
        3. Replace API calls with the new methods
  • Intercept Instance Method
    Android API: Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    Stub Method: static Ldroidbox/java/net/URL;->openConnection(Ldroidbox/java/net/URL;)Ljava/net/URLConnection;
    opcode: invoke-virtual, invoke-super, invoke-interface (/range)
  • Intercept Static Method
    Android API: Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    Stub Method: static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    opcode: invoke-static (/range)
  • Intercept Constructor
    Android API: Ljava/net/URL;-><init>(Ljava/lang/String;)V
    Stub Method: static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
    opcode: invoke-direct (/range)
    Does it always work? No!
  • Intercept Constructor (screenshot) Exception: v19 is uninitialized!
  • Monitor Constructor
    We can't intercept constructors by replacing them with the stub methods. Just insert a new method droidbox_cons for monitoring.
  • Parameters Output
    • Basic Type
      – String.valueOf(int)
      – String.valueOf(long)
      – String.valueOf(double)
      – String.valueOf(float)
      – String.valueOf(short)
      – String.valueOf(boolean)
      – String.valueOf(byte)
      – String.valueOf(char)
  • Parameters Output
    • Object and Array
      – Implement droidbox.apimonitor.Helper.toString(Object)
  • Build API Database (example output)
    apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
    Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
  • Build API Database
    • Build API database to detect methods inherited from API
    • How to find connections of classes in the API
      – find all class names: jar -tf android.jar
      – find all method signatures in a class: javap -bootclasspath android.jar -s classname
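A worked version of the inheritance lookup the two Build API Database slides describe, added here as an example rather than APKIL's own code. The API_DB contents (a tiny stand-in for what javap -s over android.jar yields), the APP_CLASSES table and the assumption that apkil.tests.APKIL is an Activity are constructed for the example.

```python
# API_DB stands in for the database the slides build from android.jar: each API
# class maps to the method signatures (no return type) it declares and to its
# superclass. Constructed here for the real chain
# Activity -> ContextThemeWrapper -> ContextWrapper -> Context -> Object.
API_DB = {
    "Ljava/lang/Object;": {"super": None, "methods": {"toString()", "hashCode()"}},
    "Landroid/content/Context;": {"super": "Ljava/lang/Object;",
        "methods": {"openFileOutput(Ljava/lang/String;I)", "getPackageName()"}},
    "Landroid/content/ContextWrapper;": {"super": "Landroid/content/Context;",
        "methods": {"openFileOutput(Ljava/lang/String;I)", "getPackageName()"}},
    "Landroid/view/ContextThemeWrapper;": {"super": "Landroid/content/ContextWrapper;",
        "methods": {"setTheme(I)"}},
    "Landroid/app/Activity;": {"super": "Landroid/view/ContextThemeWrapper;",
        "methods": {"onCreate(Landroid/os/Bundle;)", "setContentView(I)"}},
}

# Constructed class table of the APK under analysis, in the same shape; the
# slide's test class is assumed here to be an Activity.
APP_CLASSES = {
    "Lapkil/tests/APKIL;": {"super": "Landroid/app/Activity;", "methods": {"runTests()"}},
}

def resolve_api_method(cls, signature, app_classes):
    """Walk the superclass chain from `cls` and return "Lapi/Class;->signature"
    for the nearest API class declaring it, or None if the call never reaches
    the API (declared by the app itself, or the chain leaves known classes)."""
    seen = set()
    while cls is not None and cls not in seen:
        seen.add(cls)
        table = API_DB if cls in API_DB else app_classes
        if cls not in table:
            return None                     # e.g. a bundled third-party library
        if signature in table[cls]["methods"]:
            return f"{cls}->{signature}" if table is API_DB else None
        cls = table[cls]["super"]
    return None

def classify_call(cls, signature, app_classes=APP_CLASSES):
    """Label an invoke target the way the Build API Database slide prints it."""
    api = resolve_api_method(cls, signature, app_classes)
    if api is None:
        return "NOT ANDROID API"
    if cls in API_DB:
        return "ANDROID API"                # the target class itself is in the API
    return f"NOT ANDROID API, inherited from: {api}"
```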
  • How to use APIMonitor
    usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

    positional arguments:
      filename              path of APK file

    optional arguments:
      -h, --help            show this help message and exit
      -o, --output dirpath  output directory
      -a, --api apilist     config file of API list
      -v, --version         show program's version number and exit
  • Specify APIs in Config File
    $ ./apimonitor.py -a config_file -o outdir sample.apk
    • API configuration file
      – One method: method signature without return value
        • Landroid/content/Intent;-><init>(Ljava/lang/String;)
      – All methods with the same name: method signature without parameters and return value
        • Landroid/content/Intent;-><init>
      – All methods of the same class: class signature
        • Landroid/content/Intent;
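The rewriting rules from the Method Interception and Intercept Instance/Static Method/Constructor slides, driven by a config file in the three granularities just listed, as an added Python example (not APIMonitor's or APKIL's own code). The Ldroidbox/ stub package prefix follows the slides; the exact shape of the inserted droidbox_cons monitoring call and the sample config are this example's assumptions.

```python
import re
# Matches a smali invoke, e.g. invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
INVOKE_RE = re.compile(
    r"^(?P<ws>\s*)(?P<op>invoke-(?:virtual|super|interface|static|direct)(?:/range)?)"
    r" \{(?P<regs>[^}]*)\}, (?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)$"
)

# Constructed API config in the slide's format: whole class, class->name, or
# full signature without return type (one entry per line).
API_CONFIG = """
Ljava/net/URL;
Landroid/net/Uri;->parse(Ljava/lang/String;)
Landroid/telephony/SmsManager;->sendTextMessage
"""

def load_api_list(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def api_matches(entry, cls, name, params):
    return entry in (cls, f"{cls}->{name}", f"{cls}->{name}({params})")

def stub_class(cls):
    return "Ldroidbox/" + cls[1:]      # Ljava/net/URL; -> Ldroidbox/java/net/URL;

def rewrite_line(line, api_list):
    """Smali lines that replace `line`: unchanged unless it invokes a listed API."""
    m = INVOKE_RE.match(line.rstrip())
    if not m or not any(api_matches(e, m["cls"], m["name"], m["params"]) for e in api_list):
        return [line]
    ws, op, regs, cls, name = m["ws"], m["op"], m["regs"], m["cls"], m["name"]
    rng = "/range" if op.endswith("/range") else ""
    stub = stub_class(cls)
    if op.startswith("invoke-direct") and name == "<init>":
        # A constructor cannot be swapped for a stub (the verifier rejects the
        # still-uninitialized new-instance register), so keep the <init> call and
        # insert a monitoring call on the constructed object right after it.
        # The droidbox_cons(Lreal/Class;)V shape is this example's assumption.
        this = re.split(r"[\s,]+", regs.strip())[0]   # receiver register
        return [line, f"{ws}invoke-static {{{this}}}, {stub}->droidbox_cons({cls})V"]
    # Static APIs keep their parameter list; instance methods become static stubs
    # whose first parameter is the receiver, typed as the real API class.
    params = m["params"] if op.startswith("invoke-static") else cls + m["params"]
    return [f"{ws}invoke-static{rng} {{{regs}}}, {stub}->{name}({params}){m['ret']}"]

def rewrite_smali(text, api_list):
    out = []
    for ln in text.splitlines():
        out.extend(rewrite_line(ln, api_list))
    return "\n".join(out)
```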
  • View logs
    • DDMS
    • $ adb logcat
  • Demo logs
    • APKILTests.apk
      – Developed to test APIMonitor
      – Called some common sensitive APIs for testing
    (screenshot) Get IMEI/IMSI & MD5 hash
  • Demo logs (screenshots) AES Cipher; File IO; Get installed application list
  • Demo logs (screenshot) Send SMS & Phone Call
  • Real-world malware
    • fishbot
      – It was found in China
      – Goal: Find the C&C server URL, which is encrypted in the bytecode
    (screenshot) C&C Server address
  • Future works
    • Collect and classify sensitive Android APIs for different uses of analysis
    • Move APIMonitor to the cloud (under development)
    • Do deep analysis on monitoring logs to dig out more information
    • Modify Dalvik to support dynamic instrumentation
  • References
    • [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
    • [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
  • Links
    • Project Page: http://code.google.com/p/droidbox
    • APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
    • APIMonitor repo: http://github.com/kelwin/apkil