Improving DroidBox


1. Improving our Android Application Sandbox (DroidBox)
   Student: Kun Yang
   Organization: The Honeynet Project
   Primary mentors: Patrik Lantz, Felix Leder
   Backup mentors: Anthony Desnos, Jianwei Zhuge

2. Outline
   • Goals
   • Current design and work
   • Demos
   • Future work

3. Goals
   • Port DroidBox to support Android 2.3
   • Repackage the APK to monitor API calls at runtime, so that DroidBox no longer has to be ported to every new Android release

4. DroidBox for Android 2.3
   • Based on TaintDroid 2.3 [1]
   • Fixed some bugs
     – output string processing
     – network file descriptor identifier
   • Hooked sensitive APIs as in the previous version
   • Adjusted some hooking
     – moved I/O hooking to the native code layer
   • Released a beta version on the project page

5. DroidBox APIMonitor
   • Based on smali/baksmali
   • Parses smali into a tree structure
   • Intercepts different kinds of methods
     – instance methods
     – constructors
     – static methods
   • Outputs parameters and return values of different types
     – basic types: String.valueOf(type)
     – objects: object.toString()
     – arrays: Java reflection
   • Builds an API database to detect methods inherited from the API
   • Developed the APK instrumentation library (APKIL)

6. APIMonitor Architecture
   (diagram) The API list and the API database feed APIMonitor, which rewrites the input APK into a new, instrumented APK; that APK runs on emulators or real devices, and its logs are collected over ADB.

7. Smali Parsing
   (diagram) Node types of the smali tree: SmaliTree → ClassNode → FieldNode, MethodNode → InsnNode (with subclasses Insn35cNode and Insn3rcNode), LabelNode, TryNode, SwitchNode, ArrayDataNode. Formats 35c and 3rc are the Dalvik encodings used by, among others, invoke-kind and invoke-kind/range, the instructions the interceptor rewrites.

8. Method Interception
   • Uses a framework design similar to I-ARM-Droid [2]
   • Basic workflow, for the methods of class Ljava/net/URL;:
     1. Define a new class Ldroidbox/java/net/URL;
     2. Implement a corresponding static stub method for each monitored method; the stub logs the call and performs the real API call
     3. Replace the API call sites with calls to the stub methods

9. Intercept Instance Method
   Android API:  Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
   Stub method:  static Ldroidbox/java/net/URL;->openConnection(Ljava/net/URL;)Ljava/net/URLConnection;
   The receiver object becomes the stub's first parameter, so the register list of the call stays the same.
   Opcodes rewritten: invoke-virtual, invoke-super, invoke-interface (and their /range forms) become invoke-static(/range)

10. Intercept Static Method
   Android API:  Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
   Stub method:  static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
   Opcodes rewritten: invoke-static(/range)

11. Intercept Constructor
   Android API:  Ljava/net/URL;-><init>(Ljava/lang/String;)V
   Stub method:  static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
   Opcodes rewritten: invoke-direct(/range)
   Does it always work? No!

12. Intercept Constructor
   Verifier output: "v19 is uninitialized!" Dalvik's verifier tracks the register written by new-instance as an uninitialized reference until the matching <init> call runs on it, and rejects any other use of that register. Replacing the constructor call with a static stub leaves the register uninitialized, so the rewritten class fails verification and will not load.

13. Monitor Constructor
   Constructors cannot be intercepted by replacing them with stub methods. Instead, leave the original <init> call in place and insert a call to a new monitoring method, droidbox_cons, right after it, once the object has been initialized.
14. Parameters Output
   • Basic types
     – String.valueOf(int)
     – String.valueOf(long)
     – String.valueOf(double)
     – String.valueOf(float)
     – String.valueOf(short)
     – String.valueOf(boolean)
     – String.valueOf(byte)
     – String.valueOf(char)

15. Parameters Output
   • Objects and arrays
     – implemented in droidbox.apimonitor.Helper.toString(Object), which falls back to reflection to print array contents

16. Build API Database
   apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
   Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
   Matching call sites against the API list by the receiver's class name alone misses this call: the receiver is an app class, but the method it invokes is inherited from an Android API class.

17. Build API Database
   • Build an API database to detect methods inherited from API classes
   • How to find the relations between the classes of the API:
     – list all class names: jar tf android.jar
     – list all method signatures of a class: javap -bootclasspath android.jar -s classname
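The API database lookup of slides 16 and 17, as an added Python example (APKIL itself is a Python library; this is not its code): it parses the `javap -s` listing of one API class, reads the app class's superclass from its smali `.super` line, and walks the inheritance chain to find which API class actually declares a called method. The javap text, the `.super` line and the hand-entered entries for Context, ContextThemeWrapper, Activity and Object are constructed and abridged for this example; the `Lpkg/Class;` descriptor form is used as the database key and return types are dropped from signatures, matching the config syntax on slide 19.

```python
import re


def to_descriptor(java_name):
    """android.content.ContextWrapper -> Landroid/content/ContextWrapper;"""
    return "L" + java_name.replace(".", "/") + ";"


def parse_javap(text):
    """Parse `javap -bootclasspath android.jar -s <class>` output into
    (class_descriptor, super_descriptor, {"name(params)", ...}).
    Accepts the 'descriptor:' (JDK 8+) and 'Signature:' (older javap) lines.
    Return types are dropped because the API list syntax omits them."""
    cls = sup = None
    sigs = set()
    pending = None                      # method name whose descriptor line comes next
    for raw in text.splitlines():
        line = raw.strip()
        while re.search(r'<[^<>]*>', line):         # strip generics: List<E> -> List
            line = re.sub(r'<[^<>]*>', '', line)
        m = re.match(r'(?:\w+\s+)*(?:class|interface)\s+([\w.$]+)(?:\s+extends\s+([\w.$]+))?', line)
        if m and cls is None:
            cls = to_descriptor(m.group(1))
            if m.group(2):
                sup = to_descriptor(m.group(2))
            elif cls != "Ljava/lang/Object;":
                sup = "Ljava/lang/Object;"          # javap omits the implicit superclass
            continue
        m = re.match(r'(?:descriptor|Signature):\s*(\([^)]*\))', line)
        if m and pending:
            sigs.add(pending + m.group(1))
            pending = None
            continue
        m = re.match(r'(?:[\w.$]+\s+)*([\w.$]+)\(', line)
        pending = m.group(1) if m else None
        if pending and to_descriptor(pending) == cls:
            pending = "<init>"                      # javap lists constructors by class name
    return cls, sup, sigs


def smali_super(smali_text):
    """Superclass of a baksmali class file, from its `.super Lpkg/Base;` line."""
    m = re.search(r'^\.super\s+(L[^;]+;)', smali_text, re.M)
    return m.group(1) if m else None


def resolve_api_method(api_db, app_supers, cls, sig):
    """Walk the superclass chain from `cls` and return the API class that declares
    `sig` ("name(params)"), or None if the call is not an API call.
    api_db:     descriptor -> (super_descriptor, sigs), built from javap output.
    app_supers: descriptor -> super descriptor for the app's own (non-API) classes.
    Constructors are never inherited, so <init> is only looked up on `cls` itself."""
    seen = set()
    while cls and cls not in seen:
        seen.add(cls)
        if cls in api_db:
            sup, sigs = api_db[cls]
            if sig in sigs:
                return cls
            cls = sup
        else:
            cls = app_supers.get(cls)
        if sig.startswith("<init>"):
            break
    return None


# Constructed javap output for one API class, abridged to the methods used here.
JAVAP_CONTEXTWRAPPER = """\
Compiled from "ContextWrapper.java"
public class android.content.ContextWrapper extends android.content.Context {
  public android.content.ContextWrapper(android.content.Context);
    descriptor: (Landroid/content/Context;)V
  public android.content.Context getBaseContext();
    descriptor: ()Landroid/content/Context;
  public java.io.FileOutputStream openFileOutput(java.lang.String, int) throws java.io.FileNotFoundException;
    descriptor: (Ljava/lang/String;I)Ljava/io/FileOutputStream;
  public java.lang.Object getSystemService(java.lang.String);
    descriptor: (Ljava/lang/String;)Ljava/lang/Object;
}
"""

# Constructed smali header of the test app's activity from slide 16.
APKIL_SMALI = ".class public Lapkil/tests/APKIL;\n.super Landroid/app/Activity;\n"


def build_api_db():
    """API database: ContextWrapper parsed from the javap text above; the rest of the
    chain is entered by hand (abridged) for this example."""
    cls, sup, sigs = parse_javap(JAVAP_CONTEXTWRAPPER)
    return {
        cls: (sup, sigs),
        "Landroid/content/Context;": ("Ljava/lang/Object;", {"openFileOutput(Ljava/lang/String;I)"}),
        "Landroid/view/ContextThemeWrapper;": ("Landroid/content/ContextWrapper;", {"getSystemService(Ljava/lang/String;)"}),
        "Landroid/app/Activity;": ("Landroid/view/ContextThemeWrapper;", {"onCreate(Landroid/os/Bundle;)"}),
        "Ljava/lang/Object;": (None, {"toString()", "<init>()"}),
    }


if __name__ == "__main__":
    db = build_api_db()
    supers = {"Lapkil/tests/APKIL;": smali_super(APKIL_SMALI)}
    origin = resolve_api_method(db, supers, "Lapkil/tests/APKIL;", "openFileOutput(Ljava/lang/String;I)")
    print("apkil.tests.APKIL;->openFileOutput inherited from:", origin)
```

Run the same lookup over every invoke target in the app: a call whose declaring class resolves into the database is an API call even when the receiver is one of the app's own classes, which is exactly the openFileOutput case on slide 16. Constructors are deliberately not resolved up the chain, since <init> is never inherited.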
18. How to use APIMonitor
   usage: [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

   positional arguments:
     filename              path of APK file

   optional arguments:
     -h, --help            show this help message and exit
     -o, --output dirpath  output directory
     -a, --api apilist     config file of API list
     -v, --version         show program's version number and exit

19. Specify APIs in Config File
   $ ./ -a config_file -o outdir sample.apk
   • API configuration file
     – one method: method signature without return type
       • Landroid/content/Intent;-><init>(Ljava/lang/String;)
     – all methods with the same name: method signature without parameters and return type
       • Landroid/content/Intent;-><init>
     – all methods of a class: class signature
       • Landroid/content/Intent;
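The call-site rewriting of slides 8 to 13, driven by the API list syntax of slide 19, as an added Python example (APKIL itself is a Python library; this is not APIMonitor's or APKIL's code). It assumes the stub class is the API class with an `Ldroidbox/` prefix, that an instance-method stub takes the receiver as its first parameter, and that the constructor monitor `droidbox_cons` takes the initialized object followed by the constructor arguments and returns void; the slides do not give that signature. The smali fragment and API list at the bottom are constructed.

```python
import re

# invoke-<kind>[/range] {regs}, Lpkg/Class;->name(params)ret
INVOKE_RE = re.compile(
    r'^(?P<indent>\s*)invoke-(?P<kind>virtual|super|interface|direct|static)'
    r'(?P<range>/range)?\s+\{(?P<regs>[^}]*)\},\s*'
    r'(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$'
)


def in_api_list(cls, name, params, api_list):
    """Slide 19's three pattern forms: 'Lcls;' (every method of the class),
    'Lcls;->name' (every overload) and 'Lcls;->name(params)' (one method)."""
    full = f"{cls}->{name}({params})"
    return any(p in (cls, f"{cls}->{name}", full) for p in api_list)


def stub_class(cls):
    """Ljava/net/URL; -> Ldroidbox/java/net/URL; (naming scheme assumed here)."""
    return "Ldroidbox/" + cls[1:]


def rewrite_invoke(line, api_list):
    """Return the smali lines that replace `line` (usually just [line])."""
    m = INVOKE_RE.match(line)
    if not m or not in_api_list(m['cls'], m['name'], m['params'], api_list):
        return [line]
    indent, rng, regs = m['indent'], m['range'] or '', m['regs']
    cls, name, params, ret = m['cls'], m['name'], m['params'], m['ret']
    stub = stub_class(cls)
    if name == '<init>':
        # Slides 11-13: the receiver register holds an *uninitialized* reference
        # until <init> returns, so the verifier rejects handing it to a stub
        # ("v19 is uninitialized").  Keep the constructor call and append a
        # monitoring call that receives the now-initialized object plus the
        # constructor arguments (signature assumed for this example, returns void).
        monitor = f"{indent}invoke-static{rng} {{{regs}}}, {stub}->droidbox_cons({cls}{params})V"
        return [line, monitor]
    if m['kind'] == 'static':
        new_params = params                      # slide 10: same parameter list
    else:
        new_params = cls + params                # slide 9: receiver becomes parameter 1
    # invoke-virtual/super/interface/static(/range) all become invoke-static(/range);
    # the register list is unchanged because the receiver was already in it.
    return [f"{indent}invoke-static{rng} {{{regs}}}, {stub}->{name}({new_params}){ret}"]


def rewrite_method(smali_lines, api_list):
    """Rewrite every instruction of one method body.  move-result lines stay
    valid because a stub returns the same type as the API method it wraps."""
    out = []
    for line in smali_lines:
        out.extend(rewrite_invoke(line, api_list))
    return out


# Constructed smali fragment, as baksmali would emit for `new URL(s).openConnection()`
# and `Uri.parse(s)`, plus a StringBuilder call that the API list does not cover.
SAMPLE_METHOD = [
    "    new-instance v2, Ljava/net/URL;",
    "    invoke-direct {v2, v3}, Ljava/net/URL;-><init>(Ljava/lang/String;)V",
    "    invoke-virtual {v2}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "    move-result-object v0",
    "    invoke-static {v3}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;",
    "    move-result-object v1",
    "    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;",
]
# Constructed API list in slide 19's config syntax.
SAMPLE_API_LIST = ["Ljava/net/URL;", "Landroid/net/Uri;->parse"]

if __name__ == "__main__":
    print("\n".join(rewrite_method(SAMPLE_METHOD, SAMPLE_API_LIST)))
```

This covers only step 3 of slide 8; the stub classes under Ldroidbox/ (steps 1 and 2) still have to be compiled and packaged into the rewritten APK, and the APK re-signed, or the instrumented code fails to resolve at load time.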
20. View logs
   • DDMS
   • $ adb logcat

21. Demo logs
   • APKILTests.apk
     – developed to test APIMonitor
     – calls some common sensitive APIs for testing
   (log screenshot) Get IMEI/IMSI & MD5 hash

22. Demo logs
   (log screenshots) AES cipher; file I/O; get installed application list

23. Demo logs
   (log screenshot) Send SMS & phone call

24. Real-world malware
   • fishbot
     – found in China
     – goal: find the C&C server URL, which is stored encrypted in the bytecode; the monitored API calls expose the decrypted address in the log
   (log screenshot) C&C server address

25. Future work
   • Collect and classify sensitive Android APIs for different kinds of analysis
   • Move APIMonitor to the cloud (under development)
   • Analyse the monitoring logs in depth to extract more information
   • Modify Dalvik to support dynamic instrumentation

26. References
   [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
   [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications

27. Links
   • Project page: http:// droidbox
   • APIMonitor wiki: http:// droidbox/wiki/APIMonitor
   • APIMonitor repo: http:// apkil