lok kwong yan, and heng yin syracuse university air force research laboratory usenix 2012
DESCRIPTION
DroidScope : Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. Lok Kwong Yan, and Heng Yin Syracuse University Air Force Research Laboratory USENIX 2012. Presentation: 2012-09-11 曾毓傑. Outline. Introduction Background Architecture - PowerPoint PPT PresentationTRANSCRIPT
1
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware AnalysisLok Kwong Yan, and Heng YinSyracuse UniversityAir Force Research Laboratory
USENIX 2012
Presentation: 2012-09-11 曾毓傑
2
Outline• Introduction• Background• Architecture• Interface & Plugins• Evaluation• Discussion & Conclusion
3
INTRODUCTION
4
Introduction• Malicious applications exist in official and unofficial
marketplace with a rate of 0.02% and 0.2% respectively
• Virtualization-based analysis approach• Analysis runs underneath the entire virtual machine• Difficult for an attack within VM to disrupt the analysis• Loss the semantic contextual information when the analysis
component is moved out of the box
• We need to intercept certain kernel events and parse kernel data structure to reconstruct the semantic knowledge
5
DroidScope• Reconstruct two levels of semantic knowledge
• OS-level: to understand the activities of the malware process and its native components
• Java-level: comprehend the behaviors in the Java components
• Built on top of QEMU emulator
• Build tools for analysis• Native instruction tracer• Dalvik instruction tracer• API tracer• Taint tracker
6
BACKGROUND
7
Android System Overview
Android System
Parent process for all Android processes
libdvm.so provide Java-level abstraction
Kernel data structure
8
DroidScope Overview
9
ARCHITECTURE
10
Architecture• Integrating the changes into the QEMU emulator
• Came from Android SDK• Leave Android system unchanged
• For different virtual devices can be loaded
• Reconstruct OS-level and Java-level views• Monitors how malware’s Java components communicate with
Android Java Framework• Monitors how malware’s native components interact with the Linux
Kernel• Monitors how malware’s Java components and native components
communicate through the JNI interface
11
Reconstructing OS-level View• Basic Instrumentation
• Insert extra instructions during the code translation phase for system status
Target Instructions
Tiny Code Generator(TCG)
Native Instructions
Add additional code for detection
12
Reconstructing OS-level View (Cont.)• For example, context switch in ARM architecture would
change the c2_base0 and c2_base1 registers, which stores the page table address
• Extract semantic knowledge• System calls• Running processes, threads• Memory maps
13
Reconstructing OS-level View (Cont.)• System calls
• ARM architecture use service zero instruction svc #0 as making system calls, and system call number is in register R7
• Processes and Threads• Read task_struct structure for process information• pid, tgid, pgd, uid, gid, euid, egid, comm, cmdline, thread_info• sys_fork, sys_execve, sys_clone, and sys_prctl system
calls trigger the information update
• Memory maps• mm_struct• sys_mmap2 triggers the information update
14
Reconstructing Java-level View• Dalvik Instructions
• Knowing which instruction is executing right now• Register R15 points to the currently executing Dalvik instruction
15
Reconstructing Java-level View (Cont.)
• Just-In-Time Compiler• Some hot, heavily used instructions are compiled into native
machine code• Those code execution would skip the mterp component
Call dvmGetCodeAddr() for address of compiled code
Flush JIT cache, return NULL and reset counter to disable JIT function
16
Reconstructing Java-level View (Cont.)
• Dalvik Virtual Machine States• Record Register R4 to R8 for storing DVM states
R4: Program CounterR5: Stack Frame PointerR6: InterpState StructureR7: Instruction CounterR8: mterp Base Address
17
Reconstructing Java-level View (Cont.)
• Java Objects• Obtaining data inside Java objects such as string data
18
Symbol Information• Native library symbols
• Use objdump to retrieve symbol information• Some malwares often stripped of all symbol information
• Dalvik or Java symbols• Use dexdump to retrieve symbol information• Data structures of DVM also contains some symbol information• InterpState Structure (Register R6) has a method field points
to the Method structure for the currently executing method• Method structure has a name field points to method name
19
INTERFACE & PLUGINS
20
Interface & Plugins• APIs for analysis customization
• The instrumentation logic in DroidScope is complex and dynamic• An event based interface to facilitate custom analysis tool
developement
21
Sample Plugin• Setup which program to be analyzed and print all Dalvik
opcode information
22
API Implementation• API tracer
• Instrument the invoke* and execute* Dalvik bytecodes to identify and log method invocations
• Native instruction tracer• Gather each instruction including the raw instruction, its operands,
and their values• Dalvik instruction tracer
• Decode instructions into dexdump format, including values and all available symbol information
• Taint Tracker• Monitor sensitive information and keep track data propagation
23
EVALUATION
24
Evaluation• Benchmark checking efficiency and capability• 7 benchmark apps
• AnTuTu Benchmark• AnTuTu CaffeineMark• CaffeineMark• CF-Bench• Mobile Processor Benchmark• Benchmark by Softweg• Linpack
25
Evaluation• Performance
• Capability• Analysis of DroidKongFu• Analysis of DroidDream
26
DISCUSSION & CONCLUSION
27
Discussion• Limited Code Coverage
• One drawback of dynamic analysis• By manipulating the return value of function call, we may increase
the code coverage
• Other Dalvik Analysis Tools• Dalvik/Java Static Analysis: Woodpecker, DroidMoss• Native Static Analysis: IDA, binutils, BAP• Android Dynamic Analysis: TaintDroid, DroidRanger• Linux Kernel Dynamic Analysis: logcat, adb
28
Conclusion• We presented DroidScope, a fine grained dynamic binary
instrumentation tool for Android that rebuilds two levels of semantic information