1 / 28

Lok Kwong Yan, and Heng Yin Syracuse University Air Force Research Laboratory USENIX 2012

DroidScope : Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. Lok Kwong Yan, and Heng Yin Syracuse University Air Force Research Laboratory USENIX 2012. Presentation: 2012-09-11 曾毓傑. Outline. Introduction Background Architecture

santos
Download Presentation

Lok Kwong Yan, and Heng Yin Syracuse University Air Force Research Laboratory USENIX 2012

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis LokKwong Yan, and Heng Yin Syracuse University Air Force Research Laboratory USENIX 2012 Presentation: 2012-09-11 曾毓傑

  2. Outline • Introduction • Background • Architecture • Interface & Plugins • Evaluation • Discussion& Conclusion

  3. Introduction

  4. Introduction • Malicious applications exist in official and unofficial marketplace with a rate of 0.02% and 0.2% respectively • Virtualization-based analysis approach • Analysis runs underneath the entire virtual machine • Difficult for an attack within VM to disrupt the analysis • Loss the semantic contextual information when the analysis component is moved out of the box • We need to intercept certain kernel events and parse kernel data structure to reconstruct the semantic knowledge

  5. DroidScope • Reconstruct two levels of semantic knowledge • OS-level: to understand the activities of the malware process and its native components • Java-level: comprehend the behaviors in the Java components • Built on top of QEMU emulator • Build tools for analysis • Native instruction tracer • Dalvik instruction tracer • API tracer • Taint tracker

  6. BACKGROUND

  7. Android System Overview Android System Parent process for all Android processes libdvm.so provide Java-level abstraction Kernel data structure

  8. DroidScope Overview

  9. ARCHITECTURE

  10. Architecture • Integrating the changes into the QEMU emulator • Came from Android SDK • Leave Android system unchanged • For different virtual devices can be loaded • Reconstruct OS-level and Java-level views • Monitors how malware’s Java components communicate with Android Java Framework • Monitors how malware’s native components interact with the Linux Kernel • Monitors how malware’s Java components and native components communicate through the JNI interface

  11. Reconstructing OS-level View • Basic Instrumentation • Insert extra instructions during the code translation phase for system status Target Instructions Add additional code for detection Tiny Code Generator(TCG) Native Instructions

  12. Reconstructing OS-level View(Cont.) • For example, context switch in ARM architecture would change the c2_base0 and c2_base1 registers, which stores the page table address • Extract semantic knowledge • System calls • Running processes, threads • Memory maps

  13. Reconstructing OS-level View(Cont.) • System calls • ARM architecture use service zero instruction svc #0 as making system calls, and system call number is in register R7 • Processes and Threads • Read task_struct structure for process information • pid,tgid, pgd, uid, gid, euid, egid, comm, cmdline, thread_info • sys_fork, sys_execve, sys_clone, and sys_prctl system calls trigger the information update • Memory maps • mm_struct • sys_mmap2 triggers the information update

  14. Reconstructing Java-level View • Dalvik Instructions • Knowing which instruction is executing right now • Register R15 points to the currently executing Dalvik instruction

  15. Reconstructing Java-level View (Cont.) • Just-In-Time Compiler • Some hot, heavily used instructions are compiled into native machine code • Those code execution would skip the mterp component Call dvmGetCodeAddr() for address of compiled code Flush JIT cache, return NULL and reset counter to disable JIT function

  16. Reconstructing Java-level View (Cont.) • Dalvik Virtual Machine States • Record Register R4 to R8 for storing DVM states R4: Program Counter R5: Stack Frame Pointer R6: InterpState Structure R7: Instruction Counter R8: mterp Base Address

  17. Reconstructing Java-level View (Cont.) • Java Objects • Obtaining data inside Java objects such as string data

  18. Symbol Information • Native library symbols • Use objdump to retrieve symbol information • Some malwares often stripped of all symbol information • Dalvik or Java symbols • Use dexdump to retrieve symbol information • Data structures of DVM also contains some symbol information • InterpState Structure(Register R6) has a method field points to the Method structure for the currently executing method • Method structure has a name field points to method name

  19. Interface & Plugins

  20. Interface & Plugins • APIs for analysis customization • The instrumentation logic in DroidScope is complex and dynamic • An event based interface to facilitate custom analysis tool developement

  21. Sample Plugin • Setup which program to be analyzed and print all Dalvikopcode information

  22. API Implementation • API tracer • Instrument the invoke* and execute* Dalvikbytecodes to identify and log method invocations • Native instruction tracer • Gather each instruction including the raw instruction, its operands, and their values • Dalvik instruction tracer • Decode instructions into dexdump format, including values and all available symbol information • Taint Tracker • Monitor sensitive information and keep track data propagation

  23. Evaluation

  24. Evaluation • Benchmark checking efficiency and capability • 7 benchmark apps • AnTuTu Benchmark • AnTuTuCaffeineMark • CaffeineMark • CF-Bench • Mobile Processor Benchmark • Benchmark by Softweg • Linpack

  25. Evaluation • Performance • Capability • Analysis of DroidKongFu • Analysis of DroidDream

  26. Discussion& Conclusion

  27. Discussion • Limited Code Coverage • One drawback of dynamic analysis • By manipulating the return value of function call, we may increase the code coverage • Other Dalvik Analysis Tools • Dalvik/Java Static Analysis: Woodpecker, DroidMoss • Native Static Analysis: IDA, binutils, BAP • Android Dynamic Analysis: TaintDroid, DroidRanger • Linux Kernel Dynamic Analysis: logcat, adb

  28. Conclusion • We presented DroidScope, a fine grained dynamic binary instrumentation tool for Android that rebuilds two levels of semantic information

More Related