How to Improve DroidBox?
• Porting DroidBox to Android 2.3
– TaintDroid has been ported to Android 2.3
• APK instrumentation (*)
– Porting is cumbersome
• Interactive analysis log
• Cloud service
Porting Logs

dalvik patch
vm/interp/Taint.h
– Changed TAINT_HISTORY to TAINT_BROWSER
– Added value definitions of some taint tags
vm/native/dalvik_system_Taint.c
– Changed all the log tags from TaintLog to DroidBox
– Added an argument carrying a random value to the function Dalvik_dalvik_system_Taint_logPathFromFd so that the FdAccess log can be matched to the FileRW log, which tells which file is being read or written
– (*) Excluded some file paths starting with "/dev/pts", "/system", "/data/app" and "/proc/", which are legitimate
– (*) Found a bug in TaintDroid for Android 2.3 that makes the log analyzer fail to output the correct final report of FileRW actions (I will fix the bug in the future)

libcore patch
libcore/crypto/src/main/java/javax/crypto/Cipher.java
– Added a field key to track encryption and decryption keys
– Hacked the function init to save encryption and decryption keys
– Hooked the function doFinal to log cryptography information
libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java
– Modified the constructor of SecretKeySpec
– Added a function getKey for other modules to log with
libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java
– Hooked the constructor of DexClassLoader to monitor dynamic loading and execution
libcore/dalvik/src/main/java/dalvik/system/Taint.java
– Added and changed value definitions of some taint tags, as we did in Taint.h
– Added a helper function toHex for logging
– Modified the declaration of the native function logPathFromFd
libcore/luni/src/main/java/java/io/FileDescriptor.java
– Added 3 fields to FileDescriptor: port, id and readBuffer, which help with tracking
– Hacked the constructor for tracking
libcore/luni/src/main/java/java/util/Properties.java
– Set the property Keep-Alive to false by default to avoid socket reuse
libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSFileSystem.java
– Hooked the functions read and write to log file operations with the help of the modified logPathFromFd
libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSNetworkSystem.java
– Replaced the function getHostAddress with getHostName
– Added taint sinks or logging in the functions connect/connectNonBlocking/send/write/sendUrgentData
– (*) Many network I/O functions such as read that lived in Java in Android 2.1 were moved to native code in Android 2.3, so I did the logging with the native LOGW function in org_apache_harmony_luni_platform_OSNetworkSystem.cpp
libcore/security/src/main/java/java/security/MessageDigest.java
– Added 2 fields to MessageDigest: taintTrack and taintTag, which help with tracking
– Initialized the two new fields in the constructor
– Hooked the function digest to log
libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java
– Added a function getKey to these classes for other modules to log with
libcore/security/src/main/java/org/bouncycastle/jce/
– (*) The JCE library was not found in the source code of Android 2.3

framework/base patch
api/current.xml
– Automatically generated using the command: make update-api
core/java/android/app/Activity.java
– Captured the phone call action in the function startActivity
core/java/android/app/ContextImpl.java
– Added taint sources in the function getInstalledApplication
core/java/android/content/ContentResolver.java
– Taint sources were added by the official TaintDroid team in version 2.3 in the function query
– Changed TAINT_HISTORY to TAINT_BROWSER
– (*) Instead of adding an argument to the CursorWrapperInner function to log, DroidBox for Android 2.1 also added taint sources here by modifying the CursorWrapperInner function and the constructor of class CursorWrapper; in Android 2.3 I chose the method of the TaintDroid team, which is a little easier
core/java/android/content/ContextWrapper.java
– Added a hook in the function startService to log
telephony/java/android/telephony/SmsManager.java
– Added hooks in sendTextMessage to log
telephony/java/android/telephony/TelephonyManager.java
– Added hooks in getDeviceId and getSubscriberId to log
telephony/java/com/android/internal/telephony/PhoneSubInfo.java
– Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real values to prevent emulator evasion
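The porting log above describes two log streams that only make sense together: an FdAccess record tying a random id to a file path, and a FileRW record tying the same id to the operation and the (hex-encoded) data, with a handful of legitimate path prefixes filtered out. The following analyzer is an added example, not DroidBox's own log analyzer; the exact line format, the log lines themselves and the field names are constructed for the example, since the slide only states what each record carries.

```python
"""Correlate FdAccess and FileRW records by their shared random id.

Added example, not DroidBox's log analyzer.  The line layout below is an
assumption: the porting log only says that logPathFromFd emits a random
id so that an FdAccess record (id -> path) can be matched to the FileRW
record (id, operation, data) it belongs to, that data is hex-encoded via
toHex, and that paths under /dev/pts, /system, /data/app and /proc/ are
excluded as legitimate."""
import json
import re

# Constructed sample log (not captured from a real DroidBox run).
SAMPLE_LOG = """\
W/DroidBox( 1234): FdAccess { "id": 1730, "path": "/data/data/com.example/files/secret.txt" }
W/DroidBox( 1234): FileRW { "id": 1730, "operation": "read", "data": "68656c6c6f" }
W/DroidBox( 1234): FdAccess { "id": 9982, "path": "/proc/1234/status" }
W/DroidBox( 1234): FileRW { "id": 9982, "operation": "read", "data": "4e616d65" }
W/DroidBox( 1234): FdAccess { "id": 4411, "path": "/sdcard/upload.bin" }
W/DroidBox( 1234): FileRW { "id": 4411, "operation": "write", "data": "deadbeef" }
W/DroidBox( 1234): FileRW { "id": 5555, "operation": "write", "data": "00" }
"""

# Path prefixes the porting log lists as legitimate; accesses to them are dropped.
BENIGN_PREFIXES = ("/dev/pts", "/system", "/data/app", "/proc/")

# Tag, record kind and a JSON payload; the "W/DroidBox(pid):" prefix is
# the logcat shape assumed for the LOGW-based logging mentioned on the slide.
LINE_RE = re.compile(r"DroidBox\(\s*\d+\): (FdAccess|FileRW) (\{.*\})\s*$")


def correlate(log_text, benign=BENIGN_PREFIXES):
    """Return (report, orphans).

    report:  list of {"path", "operation", "data"} for every FileRW record
             whose id was announced by an earlier FdAccess record and whose
             path is not under a benign prefix; "data" is the decoded bytes.
    orphans: ids of FileRW records that never had a matching FdAccess record
             (these are exactly the cases the id argument exists to avoid)."""
    fd_paths = {}
    report, orphans = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, payload = m.group(1), json.loads(m.group(2))
        if kind == "FdAccess":
            fd_paths[payload["id"]] = payload["path"]
            continue
        path = fd_paths.get(payload["id"])
        if path is None:
            orphans.append(payload["id"])
            continue
        if path.startswith(benign):
            continue
        report.append({
            "path": path,
            "operation": payload["operation"],
            "data": bytes.fromhex(payload["data"]),
        })
    return report, orphans


def summarize(report):
    """One human-readable line per correlated file operation."""
    return ["%s %s (%d bytes)" % (r["operation"], r["path"], len(r["data"]))
            for r in report]


if __name__ == "__main__":
    rep, orph = correlate(SAMPLE_LOG)
    for line in summarize(rep):
        print(line)
    if orph:
        print("FileRW records without FdAccess:", orph)
```

Run on the sample it reports the read of secret.txt and the write to /sdcard/upload.bin, silently drops the /proc/ read, and flags id 5555 as an orphan; a real analyzer would key on whatever id the ported logPathFromFd actually emits.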
How to do Instrumentation?
• Bytecode or IR?
• I chose smali.
What is smali?
• smali is an IR (Intermediate Representation) of Dalvik bytecode
• The syntax is loosely based on Jasmin's syntax
– Jasmin is an assembler/IR for the Java Virtual Machine
• smali/baksmali is an assembler/disassembler for the dex format used by Dalvik
smali types
Basic types:
V  void
Z  boolean
B  byte
S  short
C  char
I  int
J  long (64 bits)
F  float
D  double (64 bits)
Classes/Objects:
Lpackage/name/ObjectName  (package.name.ObjectName)
Ljava/lang/String  (java.lang.String)
Arrays:
[I  (int[]), [[I = int[][], [[[I = int[][][]
Arrays of objects:
[Ljava/lang/String  (an array of Strings)
smali methods & fields
• Methods: Lpackage/name/ObjectName;->MethodName(III)Z
Example: method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String; is equivalent to: String method(int, int[][], int, String, Object[])
• Fields: Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;
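The two slides above ("smali types" and "smali methods & fields") give the whole descriptor grammar: one letter per primitive, L...; for objects, a leading [ per array dimension, and method/field references of the form Lclass;->name(params)ret and Lclass;->name:type. The parser below is an added example (not APKIL or smali's code) that turns those descriptors back into Java-style signatures; the function names and regular expressions are my own.

```python
"""Parse smali/Dalvik type, method and field descriptors into Java-style
signatures.  Added example, not code from DroidBox, APKIL or smali; it
implements the rules summarised on the "smali types" and "smali methods
& fields" slides."""
import re

# Primitive type letters from the "smali types" slide.
PRIMITIVES = {
    "V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
    "I": "int", "J": "long", "F": "float", "D": "double",
}


def parse_type(desc, pos=0):
    """Parse one type descriptor starting at desc[pos].

    Returns (java_type, next_pos).  Handles primitives, object types
    (Lpkg/Name;) and any array depth ([[I, [Ljava/lang/String;)."""
    dims = 0
    while pos < len(desc) and desc[pos] == "[":
        dims += 1
        pos += 1
    if pos >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":
        end = desc.find(";", pos)
        if end < 0:
            raise ValueError("object type without ';' in %r" % desc)
        # Lpackage/name/ObjectName; -> package.name.ObjectName
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError("unknown type char %r in %r" % (c, desc))
    return name + "[]" * dims, pos


def parse_params(params):
    """Parse the parameter list that sits between '(' and ')'."""
    out, pos = [], 0
    while pos < len(params):
        t, pos = parse_type(params, pos)
        out.append(t)
    return out


def simple(java_type):
    """java.lang.String[] -> String[] for readability."""
    return java_type.rsplit(".", 1)[-1]


# Optional Lclass;-> prefix, then name(params)return.
METHOD_RE = re.compile(r"^(?:(L[^;]+;)->)?(\w+|<init>|<clinit>)\(([^)]*)\)(.+)$")
# Lclass;->name:type
FIELD_RE = re.compile(r"^(L[^;]+;)->(\w+):(.+)$")


def method_signature(desc):
    """'m(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;'
    -> 'String m(int, int[][], int, String, Object[])'"""
    m = METHOD_RE.match(desc)
    if not m:
        raise ValueError("not a method descriptor: %r" % desc)
    _cls, name, params, ret = m.groups()
    ret_type, end = parse_type(ret)
    if end != len(ret):
        raise ValueError("trailing junk after return type in %r" % desc)
    args = ", ".join(simple(t) for t in parse_params(params))
    return "%s %s(%s)" % (simple(ret_type), name, args)


def field_signature(desc):
    """'Lcom/a/B;->name:Ljava/lang/String;' -> 'String com.a.B.name'"""
    m = FIELD_RE.match(desc)
    if not m:
        raise ValueError("not a field descriptor: %r" % desc)
    cls, name, ftype = m.groups()
    owner, _ = parse_type(cls)
    ftype_java, _ = parse_type(ftype)
    return "%s %s.%s" % (simple(ftype_java), owner, name)


if __name__ == "__main__":
    print(method_signature("method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;"))
    print(method_signature("Lpackage/name/ObjectName;->MethodName(III)Z"))
    print(field_signature("Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;"))
```

The same parse_type routine is what an instrumentation tool needs to count how many registers a call consumes (J and D take two, everything else one), which is why a descriptor parser usually sits at the bottom of tools like the one described on the APKIL slide.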
APKIL: APK Instrumentation Library
• Current Work
– Parsed smali files into a tree structure
– Implemented some instrumentation API for monitoring specified Android APIs
• Future Work
– Add a more flexible and richer instrumentation API
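To make concrete what "instrumentation API for monitoring specified Android APIs" means at the smali level, here is an added example of a minimal instrumentation pass; it is not APKIL's code. It works on baksmali output as text rather than on a parsed tree, watches the two TelephonyManager calls that the porting log hooks in the framework, and after each watched invoke that is followed by a move-result-object inserts a call handing the returned String to a monitor class. The monitor class Lapkil/Monitor;, its logString method, and the sample smali method are all constructed for this example.

```python
"""Minimal smali instrumentation pass for monitoring watched API calls.

Added example, not APKIL's code.  It rewrites smali text so that the
String returned by a watched Android API call is passed to a
hypothetical monitor class Lapkil/Monitor; before the app uses it.  The
monitor class, its logString method and SAMPLE_SMALI are constructed."""
import re

# Watched API calls: the two TelephonyManager hooks named in the porting log.
WATCHED = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;",
}
# Hypothetical monitor entry point (assumed, not part of APKIL).
MONITOR_CALL = "invoke-static {%s}, Lapkil/Monitor;->logString(Ljava/lang/String;)V"

# invoke-kind {regs}, Lclass;->name(params)ret   (also matches /range forms)
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|interface|static|direct|super)(?:/range)?"
    r"\s+\{[^}]*\},\s*(\S+)\s*$")
MOVE_RESULT_RE = re.compile(r"^\s*move-result-object\s+([vp]\d+)\s*$")

# Constructed sample, in the shape baksmali produces.
SAMPLE_SMALI = """\
.method private readId()V
    .registers 3
    .prologue
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Lcom/example/App;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/telephony/TelephonyManager;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    invoke-static {v0}, Lcom/example/App;->use(Ljava/lang/String;)V
    return-void
.end method
"""


def instrument(smali_text, watched=WATCHED):
    """Return (new_text, count).

    After every watched invoke that is immediately followed by
    move-result-object vN, insert a call that hands vN to the monitor.
    vN already holds the returned String, so no extra register is needed
    and the method's .registers/.locals line stays valid.  A watched
    invoke whose result is discarded (no move-result-object) is left
    alone rather than guessing a free register."""
    lines = smali_text.splitlines()
    out, count, i = [], 0, 0
    while i < len(lines):
        line = lines[i]
        out.append(line)
        m = INVOKE_RE.match(line)
        if m and m.group(1) in watched and i + 1 < len(lines):
            mr = MOVE_RESULT_RE.match(lines[i + 1])
            if mr:
                out.append(lines[i + 1])
                indent = re.match(r"\s*", lines[i + 1]).group(0)
                out.append(indent + MONITOR_CALL % mr.group(1))
                count += 1
                i += 2
                continue
        i += 1
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    text, n = instrument(SAMPLE_SMALI)
    print("%d call(s) instrumented" % n)
    print(text)
```

The inserted invoke-static sits after move-result-object, so the register is consumed before the app's own next instruction; a tree-based tool like APKIL would do the same edit on the parsed method body and could also handle the discarded-result case by bumping .registers and adding a move-result-object of its own.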