Improving DroidBox
Published in: Sports, Technology, Education
Transcript

  • 1. Improving our Android Application Sandbox (DroidBox)
    Student: Kun Yang <kelwya@gmail.com>
    ORG: The Honeynet Project
    Primary mentors: Patrik Lantz, Felix Leder
    Backup mentors: Anthony Desnos, Jianwei Zhuge
  • 2. Outline
    – Goals
    – Current design and work
    – Demos
    – Future works
  • 3. Goals
    – Port DroidBox to support Android 2.3
    – Repackage the APK to monitor API calls at runtime, to avoid endless upgrades of DroidBox
  • 4. DroidBox for Android 2.3
    – Based on TaintDroid 2.3 [1]
    – Fixed some bugs
      – output string processing related bug
      – network file descriptor identifier related bug
    – Hooked sensitive APIs like the previous version
    – Adjusted some hooking
      – Moved IO hooking to the native code layer
    – Released beta version on the project page
  • 5. DroidBox APIMonitor
    – Based on smali/baksmali
    – Parsed smali into a tree structure
    – Intercepted different kinds of methods
      – Instance method
      – Constructor
      – Static method
    – Output parameters and return value of different types
      – Basic type: String.valueOf(type)
      – Object: object.toString()
      – Array: Java Reflection
    – Built an API database to detect methods inherited from the API
    – Developed the APK instrumentation library (APKIL)
  • 6. APIMonitor Architecture
    (architecture diagram; components: API List, API Database, APK, APIMonitor, NEW APK, Emulators, Real Devices, Logs, ADB)
  • 7. Smali Parsing
    (diagram of the SmaliTree node types: SmaliTree, ClassNode, FieldNode, MethodNode, InsnNode, LabelNode, TryNode, SwitchNode, ArrayDataNode, Insn35cNode, Insn3rcNode)
  • 8. Method Interception
    – Uses a framework design similar to I-ARM-Droid [2]
    – Basic workflow example: intercept methods in class Ljava/net/URL
      1. Define new class Ldroidbox/java/net/URL
      2. Implement corresponding static methods to monitor (do the real API call in it)
      3. Replace API calls with the new methods
  • 9. Intercept Instance Method
    Android API: Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    Stub Method: static Ldroidbox/java/net/URL;->openConnection(Ldroidbox/java/net/URL;)Ljava/net/URLConnection;
    opcode: invoke-virtual, invoke-super, invoke-interface(/range)
  • 10. Intercept Static Method
    Android API: Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    Stub Method: static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    opcode: invoke-static(/range)
  • 11. Intercept Constructor
    Android API: Ljava/net/URL;-><init>(Ljava/lang/String;)V
    Stub Method: static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
    opcode: invoke-direct(/range)
    Does it always work? No!
  • 12. Intercept Constructor
    (verifier error screenshot) Exception: v19 is uninitialized!
  • 13. Monitor Constructor
    We can't intercept constructors by replacing them with the stub methods. Just insert a new method droidbox_cons for monitoring.
  • 14. Parameters Output
    – Basic Type
      – String.valueOf(int)
      – String.valueOf(long)
      – String.valueOf(double)
      – String.valueOf(float)
      – String.valueOf(short)
      – String.valueOf(boolean)
      – String.valueOf(byte)
      – String.valueOf(char)
  • 15. Parameters Output
    – Object and Array
      – Implement droidbox.apimonitor.Helper.toString(Object)
  • 16. Build API Database
    apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
    Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
  • 17. Build API Database
    – Build an API database to detect methods inherited from the API
    – How to find the connections between classes in the API
      – find all class names: jar -f android.jar
      – find all method signatures in a class: javap -bootclasspath android.jar -s classname
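Slides 16 and 17 describe resolving a call on an app class (apkil.tests.APKIL) to the Android API class that actually declares the method. The following is an added example, not APKIL's own code: it parses a constructed excerpt shaped like the output of `javap -bootclasspath android.jar -s` into a small class/method database and walks the superclass chain; the three API classes, the app class and its `.super` entry are constructed sample data.

```python
import re

# Constructed excerpt in the shape `javap -bootclasspath android.jar -s <class>` prints
# (three API classes only; the real android.jar yields thousands).
JAVAP_OUTPUT = """\
public class android.content.ContextWrapper extends android.content.Context {
  public java.io.FileOutputStream openFileOutput(java.lang.String, int) throws java.io.FileNotFoundException;
    descriptor: (Ljava/lang/String;I)Ljava/io/FileOutputStream;
}
public class android.view.ContextThemeWrapper extends android.content.ContextWrapper {
}
public class android.app.Activity extends android.view.ContextThemeWrapper {
  protected void onCreate(android.os.Bundle);
    descriptor: (Landroid/os/Bundle;)V
}
"""
# Constructed: the app class's superclass, as its smali `.super` directive gives it.
APP_SUPERS = {"Lapkil/tests/APKIL;": "Landroid/app/Activity;"}

CLASS_RE = re.compile(r"^(?:\w+ )*(?:class|interface) (\S+)(?: extends (\S+))?")
DESC_RE = re.compile(r"^\s+descriptor: \((?P<params>[^)]*)\)")

def to_sig(java_name):
    """android.content.ContextWrapper -> Landroid/content/ContextWrapper;"""
    return "L" + java_name.replace(".", "/") + ";"

def build_api_db(javap_text):
    """Map class signature -> (superclass signature or None, set of (name, params))."""
    db, cur, pending_name = {}, None, None
    for line in javap_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = to_sig(m.group(1))
            db[cur] = (to_sig(m.group(2)) if m.group(2) else None, set())
            continue
        d = DESC_RE.match(line)
        if d and pending_name:
            db[cur][1].add((pending_name, d["params"]))   # descriptor line follows the method line
            pending_name = None
            continue
        n = re.search(r"(\S+)\(", line)                    # method line: the token before '('
        pending_name = n.group(1) if n else None
    return db

def resolve(db, app_supers, cls, name, params):
    """Walk up the class chain; return the API class declaring (name, params), or None."""
    seen = set()
    while cls and cls not in seen:
        seen.add(cls)
        if cls in db:
            sup, methods = db[cls]
            if (name, params) in methods:
                return cls
            cls = sup
        else:
            cls = app_supers.get(cls)   # app class not in android.jar: only its .super is known
    return None
```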
  • 18. How to use APIMonitor
    usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename
    positional arguments:
      filename              path of APK file
    optional arguments:
      -h, --help            show this help message and exit
      -o, --output dirpath  output directory
      -a, --api apilist     config file of API list
      -v, --version         show program's version number and exit
  • 19. Specify APIs in Config File
    $ ./apimonitor.py -a config_file -o outdir sample.apk
    – API configuration file
      – One method: method signature without return value
        – Landroid/content/Intent;-><init>(Ljava/lang/String;)
      – All methods with the same name: method signature without parameters and return value
        – Landroid/content/Intent;-><init>
      – All methods of the same class: class signature
        – Landroid/content/Intent;
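The rewriting rules of slides 8 to 13 (instance and static calls redirected to a static stub class; constructors kept, with a monitoring call inserted after them because the receiver register is uninitialized until `<init>` returns) combined with the three config-file forms of slide 19, as an added example that is not APKIL's or APIMonitor's code. The `Ldroidbox/` stub naming follows the slides; the `droidbox_cons(...)V` signature of the inserted monitoring call, the regex and the sample API list are assumptions.

```python
import re

# Constructed API list in the three config-file forms the slide describes: one method
# (signature without return value), every overload of a method name, every method of a class.
API_LIST = [
    "Ljava/net/URL;->openConnection()",
    "Landroid/net/Uri;->parse",
    "Landroid/content/Intent;",
]

# One smali invoke instruction: opcode, register list, class, name, params, return type.
INVOKE_RE = re.compile(
    r"^(?P<ind>\s*)(?P<op>invoke-(?:virtual|super|interface|static|direct)(?:/range)?)\s+"
    r"\{(?P<regs>[^}]*)\},\s+(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)$"
)

def matches_api(cls, name, params):
    """True if the callee is selected by any entry of API_LIST."""
    forms = (f"{cls}->{name}({params})", f"{cls}->{name}", cls)
    return any(entry in forms for entry in API_LIST)

def stub_class(cls):
    """Stub class for an API class, named as on the slides: Ljava/net/URL; -> Ldroidbox/java/net/URL;"""
    return "Ldroidbox/" + cls[1:]

def rewrite_invoke(line):
    """Return the smali line(s) that replace one instruction; non-API calls come back unchanged."""
    m = INVOKE_RE.match(line)
    if not m or not matches_api(m["cls"], m["name"], m["params"]):
        return [line]
    ind, op, regs, cls, name, params, ret = (m[k] for k in ("ind", "op", "regs", "cls", "name", "params", "ret"))
    rng = "/range" if op.endswith("/range") else ""
    stub = stub_class(cls)
    if name == "<init>":
        # Constructor: keep the call (the receiver is uninitialized before <init> returns) and
        # insert a monitoring call on the now-initialized object after it (assumed signature).
        return [line, f"{ind}invoke-static{rng} {{{regs}}}, {stub}->droidbox_cons({cls}{params})V"]
    if op.startswith("invoke-static"):
        # Static API method: same registers, call redirected to the static stub.
        return [f"{ind}invoke-static{rng} {{{regs}}}, {stub}->{name}({params}){ret}"]
    # Instance method (invoke-virtual/super/interface): the stub is static and takes the
    # original receiver as its first parameter, so the register list stays the same.
    return [f"{ind}invoke-static{rng} {{{regs}}}, {stub}->{name}({cls}{params}){ret}"]

def rewrite_method(smali_lines):
    """Rewrite every instruction of a method body."""
    return [out for line in smali_lines for out in rewrite_invoke(line)]
```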
  • 20. View logs
    – DDMS
    – $ adb logcat
  • 21. Demo logs
    – APKILTests.apk
      – Developed to test APIMonitor
      – Calls some common sensitive APIs for testing
    (log screenshot: get IMEI/IMSI & MD5 hash)
  • 22. Demo logs
    (log screenshots: AES cipher; file IO; get installed application list)
  • 23. Demo logs
    (log screenshot: send SMS & phone call)
  • 24. Real-world malware
    – fishbot
      – It was found in China
      – Goal: find the C&C server URL, which is encrypted in the bytecode
    (log screenshot: C&C server address)
  • 25. Future works
    – Collect and classify sensitive Android APIs for different kinds of analysis
    – Move APIMonitor to the cloud (under development)
    – Do deep analysis on monitoring logs to dig out more information
    – Modify dalvik to support dynamic instrumentation
  • 26. References
    – [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
    – [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
  • 27. Links
    – Project Page: http://code.google.com/p/droidbox
    – APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
    – APIMonitor repo: http://github.com/kelwin/apkil