Improving our Android Application Sandbox (DroidBox)
Student: Kun Yang <kelwya@gmail.com>
      ORG: The Honeynet Project
     Primary mentor: Patrik Lantz
                      Felix Leder
    Backup mentor: Anthony Desnos
                    Jianwei Zhuge
Outline
•  Goals
•  Current design and work
•  Demos
•  Future works
Goals
•  Port DroidBox to support Android 2.3
•  Repackage the APK to monitor API calls at runtime, to avoid endlessly upgrading DroidBox itself
DroidBox for Android 2.3
•  Based on TaintDroid 2.3 [1]
•  Fixed some bugs
   –  output string processing bug
   –  network file descriptor identifier bug
•  Hooked sensitive APIs as in the previous version
•  Adjusted some hooking
   –  Moved I/O hooking to the native code layer
•  Released a beta version on the project page
DroidBox APIMonitor
•  Based on smali/baksmali
•  Parses smali into a tree structure
•  Intercepts different kinds of methods
   –  Instance methods
   –  Constructors
   –  Static methods
•  Outputs parameters and return values of different types
   –  Basic types: String.valueOf(type)
   –  Objects: object.toString()
   –  Arrays: Java reflection
•  Builds an API database to detect methods inherited from the API
•  Developed an APK instrumentation library (APKIL)
APIMonitor Architecture
(diagram)
  API List + API Database  -->  APIMonitor
  APK  -->  APIMonitor  -->  NEW APK
  NEW APK  -->  Real Devices / Emulators
  Real Devices / Emulators  -->  ADB  -->  Logs
Smali Parsing
(class tree)
  SmaliTree
    ClassNode
      FieldNode
      MethodNode
        InsnNode (Insn35cNode, Insn3rcNode)
        LabelNode
        TryNode
        SwitchNode
        ArrayDataNode
Method Interception
•  Uses a framework design similar to I-ARM-Droid [2]
•  Basic workflow example: intercept the methods of class Ljava/net/URL;
   1.  Define a new class Ldroidbox/java/net/URL;
   2.  Implement corresponding static stub methods that do the monitoring (and make the real API call inside)
   3.  Replace the API calls with calls to the new methods
Intercept Instance Method
Android API:
  Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
Stub Method:
  static Ldroidbox/java/net/URL;->openConnection(Ljava/net/URL;)Ljava/net/URLConnection;
  (the receiver object becomes the first parameter of the static stub, typed as the original class)
opcodes: invoke-virtual, invoke-super, invoke-interface (/range)
Intercept Static Method
Android API:
  Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
Stub Method:
  static Ldroidbox/android/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
opcodes: invoke-static (/range)
Intercept Constructor
Android API:
  Ljava/net/URL;-><init>(Ljava/lang/String;)V
Stub Method:
  static Ldroidbox/java/net/URL;->droidbox_cons(Ljava/lang/String;)Ljava/net/URL;
opcodes: invoke-direct (/range)

Does it always work? No!
Intercept Constructor
Exception: v19 is uninitialized!
(The rewritten code fails verification: v19 holds the result of new-instance, which is an uninitialized reference until <init> has been invoked on it, so it cannot be passed to the static stub.)
Monitor Constructor
We	
  can’t	
  intercept	
  constructors	
  by	
  replacing	
  them	
  with	
  the	
  stub	
  
methods.	
  
	
  
Just	
  insert	
  new	
  method	
  droidbox_cons	
  for	
  monitoring.
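The three interception cases above (instance, static and constructor calls) as one added example in Python, the language of apimonitor.py. This is not APKIL's own code. It assumes a stub naming scheme (Lfoo/Bar; is monitored by Ldroidbox/foo/Bar;) and a constructor monitor signature droidbox_cons(<original class>, <ctor params>)V, neither of which the slides spell out; the sample smali method body is constructed for the example.

```python
# Added example, not APKIL's own code: rewrite smali invoke instructions so
# that calls into hooked API classes go through static monitoring stubs.
# Assumed (not from the slides): stub class for Lfoo/Bar; is Ldroidbox/foo/Bar;
# and the constructor monitor is droidbox_cons(<original class>, <ctor params>)V.
import re

# One smali invoke, e.g.
#   invoke-virtual {v19}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|super|interface|direct|static)"
    r"(?P<rng>/range)?\s+\{(?P<regs>[^}]*)\},\s*"
    r"(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
)

def stub_class(cls):
    """Ljava/net/URL; -> Ldroidbox/java/net/URL; (assumed naming scheme)."""
    return "Ldroidbox/" + cls[1:]

def rewrite_invoke(line, hooked):
    """Return the replacement line(s) for one smali line.

    hooked: set of class descriptors (e.g. {"Ljava/net/URL;"}) whose calls
    are to be monitored.  Lines that are not invokes, or that target other
    classes, come back unchanged (as a one-element list).
    """
    m = INVOKE_RE.match(line)
    if not m or m["cls"] not in hooked:
        return [line]
    indent, kind, rng = m["indent"], m["kind"], m["rng"] or ""
    regs, cls, name, params, ret = m["regs"], m["cls"], m["name"], m["params"], m["ret"]
    stub = stub_class(cls)

    if kind == "static":
        # Static API: same signature, just redirected to the stub class.
        return [f"{indent}invoke-static{rng} {{{regs}}}, {stub}->{name}({params}){ret}"]

    if kind in ("virtual", "super", "interface"):
        # Instance API: the receiver register becomes the stub's first
        # parameter, typed as the ORIGINAL class.
        return [f"{indent}invoke-static{rng} {{{regs}}}, {stub}->{name}({cls}{params}){ret}"]

    if kind == "direct" and name == "<init>":
        # Constructor: the receiver (from new-instance) is an uninitialized
        # reference until <init> returns, and the verifier rejects passing it
        # to any other method.  So keep the real call and add the monitor
        # call after it, once the object is initialized.
        monitor = f"{indent}invoke-static{rng} {{{regs}}}, {stub}->droidbox_cons({cls}{params})V"
        return [line, monitor]

    return [line]  # invoke-direct on a private method: not an API call

def rewrite_method(lines, hooked):
    """Rewrite a whole method body (list of smali lines)."""
    out = []
    for ln in lines:
        out.extend(rewrite_invoke(ln, hooked))
    return out

# Constructed sample method body (not taken from a real APK).
SAMPLE = [
    "    new-instance v19, Ljava/net/URL;",
    '    const-string v20, "http://example.com/"',
    "    invoke-direct {v19, v20}, Ljava/net/URL;-><init>(Ljava/lang/String;)V",
    "    invoke-virtual {v19}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "    move-result-object v21",
    "    invoke-static {v20}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;",
    "    invoke-virtual {v0}, Lcom/example/Helper;->log()V",
]
HOOKED = {"Ljava/net/URL;", "Landroid/net/Uri;"}

if __name__ == "__main__":
    print("\n".join(rewrite_method(SAMPLE, HOOKED)))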
Parameters Output
•  Basic types
   –  String.valueOf(int)
   –  String.valueOf(long)
   –  String.valueOf(double)
   –  String.valueOf(float)
   –  String.valueOf(short)
   –  String.valueOf(boolean)
   –  String.valueOf(byte)
   –  String.valueOf(char)
Parameters Output
•  Objects and arrays
   –  Implemented droidbox.apimonitor.Helper.toString(Object)
Build API Database
apkil.tests.APKIL;->openFileOutput: NOT ANDROID API
Inherited from: Landroid/content/ContextWrapper;->openFileOutput(Ljava/lang/String;I)
(The call site names the app's own class, so a lookup by class name alone misses it; the method is actually inherited from the Android API class ContextWrapper, which is why the class hierarchy has to be recorded in the API database.)
Build API Database
•  Build an API database to detect methods inherited from the API
•  How to find the connections between classes in the API
   –  find all class names: jar tf android.jar
   –  find all method signatures of a class: javap -bootclasspath android.jar -s classname
How to use APIMonitor
usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

positional arguments:
  filename              path of APK file

optional arguments:
  -h, --help            show this help message and exit
  -o, --output dirpath  output directory
  -a, --api apilist     config file of API list
  -v, --version         show program's version number and exit
Specify APIs in Config File
$ ./apimonitor.py -a config_file -o outdir sample.apk
•  API configuration file
   –  One method: method signature without return value
      •  Landroid/content/Intent;-><init>(Ljava/lang/String;)
   –  All methods with the same name: method signature without parameters and return value
      •  Landroid/content/Intent;-><init>
   –  All methods of the same class: class signature
      •  Landroid/content/Intent;
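The two "Build API Database" slides and the config-file slide describe one decision: given an invoke target, is it (directly or by inheritance) an Android API method that some config rule selects? The following Python is an added example of that decision, not APKIL's own code. The class-hierarchy and method tables are hand-constructed for the example (the real database is generated from android.jar with jar tf and javap -s), and the superclass of the test app's class is assumed to be Landroid/app/Activity;.

```python
# Added example, not APKIL's own code: decide whether a call site should be
# monitored, combining the API config file (three pattern forms from the
# slides) with an API database that records class inheritance so methods an
# app class inherits from the Android API are recognised.  Tables below are
# constructed by hand; the real database is built from android.jar.

# Constructed API database: superclass of each API class ...
API_SUPER = {
    "Landroid/app/Activity;": "Landroid/view/ContextThemeWrapper;",
    "Landroid/view/ContextThemeWrapper;": "Landroid/content/ContextWrapper;",
    "Landroid/content/ContextWrapper;": "Landroid/content/Context;",
    "Landroid/content/Context;": "Ljava/lang/Object;",
    "Landroid/content/Intent;": "Ljava/lang/Object;",
}
# ... and the methods each API class declares, as name(params) without the
# return type, which is the form the config file uses.
API_METHODS = {
    "Landroid/content/ContextWrapper;": {"openFileOutput(Ljava/lang/String;I)"},
    "Landroid/content/Context;": {"openFileOutput(Ljava/lang/String;I)"},
    "Landroid/content/Intent;": {
        "<init>(Ljava/lang/String;)",
        "<init>(Ljava/lang/String;Landroid/net/Uri;)",
        "setAction(Ljava/lang/String;)",
    },
}
# Superclasses of the app's own classes, read from the .super line of each
# smali file; constructed here for the slide's test app (assumed Activity).
APP_SUPER = {"Lapkil/tests/APKIL;": "Landroid/app/Activity;"}


def api_declarers(cls, name, params):
    """API classes on cls's superclass chain (cls itself included) that
    declare name(params), most specific first.  Empty for app-only methods."""
    sig = f"{name}({params})"
    found, seen = [], set()
    while cls and cls not in seen:
        seen.add(cls)
        if sig in API_METHODS.get(cls, ()):
            found.append(cls)
        cls = APP_SUPER.get(cls) or API_SUPER.get(cls)
    return found


def parse_config(text):
    """Config lines in the three slide forms:
         Lcls;                    every method of the class
         Lcls;->name              every overload of name
         Lcls;->name(params)      one exact method
    Returns (cls, name_or_None, params_or_None) tuples."""
    rules = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        if "->" not in ln:
            rules.append((ln, None, None))
            continue
        cls, rest = ln.split("->", 1)
        if rest.endswith(")"):
            name, params = rest[:-1].split("(", 1)
            rules.append((cls, name, params))
        else:
            rules.append((cls, rest, None))
    return rules


def should_monitor(rules, cls, name, params):
    """Return the API class the call really belongs to if some rule selects
    it, else None.  cls/name/params come from the invoke instruction."""
    declarers = api_declarers(cls, name, params)
    for r_cls, r_name, r_params in rules:
        if r_cls not in declarers:
            continue
        if r_name is None or (r_name == name and r_params in (None, params)):
            return declarers[0]
    return None


# Constructed config for the example.
CONFIG = """
Landroid/content/ContextWrapper;->openFileOutput
Landroid/content/Intent;-><init>(Ljava/lang/String;)
"""
RULES = parse_config(CONFIG)

if __name__ == "__main__":
    # The slide's case: the call names the app's Activity subclass, but the
    # method is inherited from ContextWrapper.
    print(should_monitor(RULES, "Lapkil/tests/APKIL;", "openFileOutput", "Ljava/lang/String;I"))
```

A rule naming a class anywhere on the inheritance chain matches, so `Landroid/content/Context;->openFileOutput` would select the same call; the most specific declaring API class is what gets reported in the log.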
  
View logs
•  DDMS
•  $ adb logcat
Demo logs
•  APKILTests.apk
   –  Developed to test APIMonitor
   –  Calls some common sensitive APIs for testing
(screenshot: Get IMEI/IMSI & MD5 hash)
Demo logs
(screenshots: AES Cipher; File IO; Get installed application list)
Demo logs
(screenshot: Send SMS & Phone Call)
Real-world malware
•  fishbot
   –  It was found in China
   –  Goal: find the C&C server URL, which is stored encrypted in the bytecode
(screenshot: C&C server address)
Future works
•  Collect and classify sensitive Android APIs for different kinds of analysis
•  Move APIMonitor to the cloud (under development)
•  Do deeper analysis on the monitoring logs to dig out more information
•  Modify dalvik to support dynamic instrumentation
References
•  [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
•  [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications
Links
•  Project Page: http://code.google.com/p/droidbox
•  APIMonitor Wiki: http://code.google.com/p/droidbox/wiki/APIMonitor
•  APIMonitor repo: http://github.com/kelwin/apkil
