Improving our Android Application Sandbox (DroidBox)
Student: Kun Yang <kelwya@gmail.com>
ORG: The Honeynet Project
Primary mentors: Patrik Lantz, Felix Leder
Backup mentors: Anthony Desnos, Jianwei Zhuge
Outline
•  Goals
•  Current design and work
•  Demos
•  Future work
Goals
•  Port DroidBox to support Android 2.3
•  Repackage the APK so that API calls are monitored at runtime, inside the app itself, so DroidBox no longer has to be re-ported for every new Android release
DroidBox for Android 2.3
•  Based on TaintDroid 2.3 [1]
•  Fixed some bugs
   –  output string processing bug
   –  network file descriptor identifier bug
•  Hooked sensitive APIs as in the previous version
•  Adjusted some hooks
   –  Moved I/O hooking to the native code layer
•  Released a beta version on the project page
DroidBox APIMonitor
•  Based on smali/baksmali
•  Parses smali into a tree structure
•  Intercepts different kinds of methods
   –  Instance methods
   –  Constructors
   –  Static methods
•  Outputs parameters and return values of different types
   –  Basic types: String.valueOf(type)
   –  Objects: object.toString()
   –  Arrays: walked with Java reflection
•  Builds an API database to detect methods inherited from the API
•  Developed the APK instrumentation library (APKIL)
APIMonitor Architecture (diagram)
   API List + APK  -->  APIMonitor (consults the API Database)  -->  NEW APK
   NEW APK  -->  Real Devices / Emulators  -->  Logs (collected over ADB)
Smali Parsing (node classes of the parser)
   SmaliTree
     ClassNode
       FieldNode
       MethodNode
         InsnNode (Insn35cNode, Insn3rcNode)
         LabelNode
         TryNode
         SwitchNode
         ArrayDataNode
Method Interception
•  Uses a framework design similar to I-ARM-Droid [2]
•  Basic workflow, for intercepting methods of class Ljava/net/URL;:
   1.  Define a new class Ldroidbox/java/net/URL;
   2.  Implement a corresponding static stub method for each monitored method (the stub logs the call and then performs the real API call)
   3.  Replace the API calls in the app's smali with calls to the stub methods
Intercept Instance Method
Android API:
   Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
Stub Method:
   static Ldroidbox/java/net/URL;->openConnection(Ljava/net/URL;)Ljava/net/URLConnection;
   (the receiver becomes the stub's first parameter, so the call's register list is unchanged)
opcodes: invoke-virtual, invoke-super, invoke-interface (and their /range forms), all rewritten to invoke-static
Intercept Static Method
Android API:
   Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
Stub Method:
   static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
opcode: invoke-static (and invoke-static/range)
Intercept Constructor
Android API:
   Ljava/net/URL;-><init>(Ljava/lang/String;)V
Stub Method (first attempt):
   static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
opcode: invoke-direct (and invoke-direct/range)

Does it always work? No!
Intercept Constructor
Exception (screenshot not reproduced):
   v19 is uninitialized!
Monitor Constructor
We can't intercept constructors by replacing them with stub methods: after new-instance the receiver register holds an uninitialized reference, and only the real <init> call may consume it, so the verifier rejects the rewritten code.
Instead, keep the original constructor call and insert a call to a new monitoring method, droidbox_cons, right after it.
Parameters Output
•  Basic types
   –  String.valueOf(int)
   –  String.valueOf(long)
   –  String.valueOf(double)
   –  String.valueOf(float)
   –  String.valueOf(short)
   –  String.valueOf(boolean)
   –  String.valueOf(byte)
   –  String.valueOf(char)
Parameters Output
•  Objects and arrays
   –  Implemented droidbox.apimonitor.Helper.toString(Object): objects via toString(), arrays walked element by element with Java reflection
Build API Database (example log, screenshot not reproduced)
   apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
   Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
Build API Database
•  Build an API database to detect methods inherited from the API: a call on an app class such as Lapkil/tests/APKIL; (which extends an Android class) can resolve to an API method declared in a superclass, and would otherwise be missed by matching on the class name alone
•  How to find the relations between API classes
   –  list all class names: jar tf android.jar
   –  list all method signatures in a class: javap -bootclasspath android.jar -s classname
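How such a database resolves a call on an app class to the API method it inherits (the openFileOutput case from the previous slide), as an added Python example that is not APIMonitor's or apkil's own code. The javap excerpt is constructed by hand in the shape of `javap -s` output (modern javap prints "descriptor:", older releases "Signature:"), the app class header is a constructed baksmali excerpt, and only `extends` chains are followed, not interfaces.

```python
import re

# Class header as printed by javap: "public class a.b.C extends a.b.D {".
CLASS_RE = re.compile(r"^(?:\w+\s+)*(?:class|interface)\s+([\w.$]+)(?:\s+extends\s+([\w.$]+))?")
# Descriptor line that javap -s prints under each member ("Signature:" on old javap).
DESC_RE = re.compile(r"^\s*(?:descriptor|Signature):\s*\((.*?)\)(\S+)")
# The member name is whatever word sits directly before the first "(".
MEMBER_RE = re.compile(r"([\w$]+)\(")


def jvm_to_smali(name):
    """android.content.Context -> Landroid/content/Context;"""
    return "L" + name.replace(".", "/") + ";"


def build_api_db(javap_text):
    """Map each API class to its superclass and its declared 'name(params)' set."""
    db, cur, simple, pending = {}, None, None, None
    for line in javap_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = jvm_to_smali(m.group(1))
            simple = m.group(1).rsplit(".", 1)[-1]   # used to spot constructors
            db[cur] = {"super": jvm_to_smali(m.group(2)) if m.group(2) else None,
                       "methods": set()}
            pending = None
            continue
        d = DESC_RE.match(line)
        if d and cur and pending:
            db[cur]["methods"].add(f"{pending}({d.group(1)})")
            pending = None
            continue
        mm = MEMBER_RE.search(line)
        if mm and cur:
            pending = "<init>" if mm.group(1) == simple else mm.group(1)
    return db


def app_superclasses(smali_classes):
    """From baksmali output, map each app class to the class named by .super."""
    supers = {}
    for text in smali_classes:
        c = re.search(r"^\.class\s+(?:\w+\s+)*(L[\w/$]+;)", text, re.M)
        s = re.search(r"^\.super\s+(L[\w/$]+;)", text, re.M)
        if c and s:
            supers[c.group(1)] = s.group(1)
    return supers


def resolve(db, app_supers, cls, name, params):
    """Walk up from cls until an API class declaring name(params) is found.
    Returns 'Lcls;->name(params)' or None if the method is not inherited from the API."""
    sig = f"{name}({params})"
    seen = set()
    while cls and cls not in seen:
        seen.add(cls)
        if cls in db:
            if sig in db[cls]["methods"]:
                return f"{cls}->{sig}"
            cls = db[cls]["super"]
        else:
            cls = app_supers.get(cls)  # app class: continue through its .super
    return None


# Constructed excerpt in the shape of `javap -bootclasspath android.jar -s <class>`
# output, concatenated for four classes and trimmed by hand (not real tool output).
JAVAP_OUTPUT = """\
public abstract class android.content.Context {
  public abstract java.io.FileOutputStream openFileOutput(java.lang.String, int) throws java.io.FileNotFoundException;
    descriptor: (Ljava/lang/String;I)Ljava/io/FileOutputStream;
}
public class android.content.ContextWrapper extends android.content.Context {
  public android.content.ContextWrapper(android.content.Context);
    descriptor: (Landroid/content/Context;)V
  public java.io.FileOutputStream openFileOutput(java.lang.String, int) throws java.io.FileNotFoundException;
    descriptor: (Ljava/lang/String;I)Ljava/io/FileOutputStream;
}
public class android.view.ContextThemeWrapper extends android.content.ContextWrapper {
}
public class android.app.Activity extends android.view.ContextThemeWrapper {
  protected void onCreate(android.os.Bundle);
    descriptor: (Landroid/os/Bundle;)V
}
"""
# Constructed baksmali header of the app class from the slide.
APP_SMALI = """\
.class public Lapkil/tests/APKIL;
.super Landroid/app/Activity;
"""

if __name__ == "__main__":
    db = build_api_db(JAVAP_OUTPUT)
    supers = app_superclasses([APP_SMALI])
    print(resolve(db, supers, "Lapkil/tests/APKIL;", "openFileOutput", "Ljava/lang/String;I"))
```

The lookup key deliberately omits the return type, matching the config-file entries, so one database answers all three granularities the tool accepts.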
How to use APIMonitor
usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

positional arguments:
  filename              path of APK file

optional arguments:
  -h, --help            show this help message and exit
  -o, --output dirpath  output directory
  -a, --api apilist     config file of API list
  -v, --version         show program's version number and exit
Specify APIs in Config File
  $ ./apimonitor.py -a config_file -o outdir sample.apk
•  API configuration file, one entry per line, at one of three granularities
   –  One method: method signature without the return value
      •  Landroid/content/Intent;-><init>(Ljava/lang/String;)
   –  All methods with the same name: method signature without parameters and return value
      •  Landroid/content/Intent;-><init>
   –  All methods of the same class: class signature
      •  Landroid/content/Intent;
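The rewriting rules from the Method Interception slides and the three matching granularities of the config file, worked through in Python as an added example. This is not APIMonitor's or apkil's code: the smali excerpt and API list are constructed, the stub package prefix Ldroidbox/ follows the slides, and the parameter list of the inserted droidbox_cons call (initialized object followed by the constructor arguments) is an assumed shape, since the slides give only the method name.

```python
import re

# One smali invoke instruction. The register list ("{v0, p1}", or "{v19 .. v20}"
# for the /range forms) is captured verbatim: every rewrite below keeps it.
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|super|interface|direct|static)"
    r"(?P<rng>/range)?\s+\{(?P<regs>[^}]*)\},\s*"
    r"(?P<cls>L[\w/$]+;)->(?P<name><?[\w$]+>?)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
)

STUB_PREFIX = "Ldroidbox/"  # stub classes mirror the API class under droidbox.*


def load_api_list(text):
    """API config file: one entry per line; blank lines and # comments ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def is_watched(api, cls, name, params):
    """The three granularities from the slides: whole class, every overload
    of one method name, or one exact signature (without the return type)."""
    return (cls in api
            or f"{cls}->{name}" in api
            or f"{cls}->{name}({params})" in api)


def rewrite_line(line, api):
    """Return the output line(s) for one smali line (unchanged if not a watched call)."""
    m = INVOKE_RE.match(line)
    if not m:
        return [line]
    cls, name, params, ret = m["cls"], m["name"], m["params"], m["ret"]
    if not is_watched(api, cls, name, params):
        return [line]
    ind, kind, rng, regs = m["indent"], m["kind"], m["rng"] or "", m["regs"]
    stub = STUB_PREFIX + cls[1:]  # Ljava/net/URL; -> Ldroidbox/java/net/URL;
    if kind in ("virtual", "super", "interface"):
        # Instance call: the receiver becomes the static stub's first parameter,
        # so the same registers are passed and nothing else in the method moves.
        return [f"{ind}invoke-static{rng} {{{regs}}}, {stub}->{name}({cls}{params}){ret}"]
    if kind == "static":
        return [f"{ind}invoke-static{rng} {{{regs}}}, {stub}->{name}({params}){ret}"]
    if kind == "direct" and name == "<init>":
        # Constructors are not replaced: before <init> runs, the receiver register
        # holds an uninitialized reference from new-instance and the verifier
        # rejects any other use of it ("v19 is uninitialized"). Keep the real call
        # and append a monitoring call that sees the initialized object plus the
        # constructor arguments (assumed parameter shape for droidbox_cons).
        return [line,
                f"{ind}invoke-static{rng} {{{regs}}}, {stub}->droidbox_cons({cls}{params})V"]
    return [line]  # invoke-direct of a private method: not an API call


def rewrite_smali(text, api):
    """Rewrite a whole smali method body, line by line."""
    out = []
    for ln in text.splitlines():
        out.extend(rewrite_line(ln, api))
    return "\n".join(out)


# Constructed inputs for the example (not taken from a real app).
SAMPLE_SMALI = """\
.method private fetch(Ljava/lang/String;)V
    .locals 3
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v1
    invoke-static {p1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v2
    invoke-virtual {v1, v2}, Lcom/example/Other;->ignore(Landroid/net/Uri;)V
    return-void
.end method
"""
SAMPLE_API_LIST = """\
# whole class, then one exact signature
Ljava/net/URL;
Landroid/net/Uri;->parse(Ljava/lang/String;)
"""

if __name__ == "__main__":
    print(rewrite_smali(SAMPLE_SMALI, load_api_list(SAMPLE_API_LIST)))
```

Because every rewrite reuses the original register list, the method's .locals count and all other instructions stay untouched, which is what keeps the repackaged APK verifiable; the constructor case is the one place where an extra instruction is inserted rather than one replaced.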
  
View logs
•  DDMS
•  $ adb logcat
Demo logs
•  APKILTests.apk
   –  Developed to test APIMonitor
   –  Calls some common sensitive APIs for testing
   (screenshot: Get IMEI/IMSI & MD5 hash)
Demo logs (screenshots: AES Cipher; File IO; Get installed application list)
Demo logs (screenshot: Send SMS & Phone Call)
Real-world malware
•  fishbot
   –  It was found in China
   –  Goal: find the C&C server URL, which is stored encrypted in the bytecode (screenshot of the monitoring log, annotated "C&C Server address")
Future work
•  Collect and classify sensitive Android APIs for different kinds of analysis
•  Move APIMonitor to the cloud (under development)
•  Do deeper analysis of the monitoring logs to extract more information
•  Modify Dalvik to support dynamic instrumentation
References
•  [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
•  [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
Links
•  Project Page: http://code.google.com/p/droidbox
•  APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
•  APIMonitor repo: http://github.com/kelwin/apkil