DOCSLIB.ORG

Artist: the Android Runtime Instrumentation and Security Toolkit

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ARTist: The Android Runtime Instrumentation and Security Toolkit Michael Backes∗†, Sven Bugiel∗, Oliver Schranz∗, Philipp von Styp-Rekowsky∗, Sebastian Weisgerber∗ ∗CISPA, Saarland University †Max Planck Institute for Software Systems Saarland Informatics Campus Saarland Informatics Campus Email: fbackes, bugiel, schranz, styp-rekowsky, [email protected] Abstract—With the introduction of Android 5 Lollipop, the of the previously mentioned security solutions that rely on Android Runtime (ART) superseded the Dalvik Virtual Ma- instrumentation of the DVM and restricts them to Android chine (DVM) by introducing ahead-of-time compilation and versions prior to Lollipop. In fact, it has left the security native execution of applications, effectively deprecating sem- research community with two choices for carrying on work inal works such as TaintDroid that hitherto depend on the that relies on instrumented runtimes: resorting to binary or DVM. In this paper, we discuss alternatives to overcome bytecode rewriting techniques [5], [6] or adapting to the those restrictions and highlight advantages for the security novel but uncharted on-device compiler infrastructure. community that can be derived from ART’s novel on-device Our contributions. In this paper, we present a compiler- compiler dex2oat and its accompanying runtime components. based solution that can be used to study the feasibility of To this end, we introduce ARTist, a compiler-based application re-instantiating previous solutions such as dynamic, intra- instrumentation solution for Android that does not depend application taint tracking and dynamic permission enforce- on operating system modifications and solely operates on the ment and that provides a more robust, reliable, and inte- application layer. Since dex2oat is yet uncharted, our approach grated application-layer instrumentation approach than pre- required first and foremost a thorough study of the compiler viously possible. Concretely, we make the following contri- suite’s internals and in particular of the new default compiler butions in this paper. backend called Optimizing. We document the results of this Uncovering the uncharted ART compiler suite. Since study in this paper to facilitate independent research on this the novel ART compiler suite, dex2oat, is still uncharted, topic and exemplify the viability of ARTist by realizing two we uncover its applicability for compiler-based security use cases. In particular, we conduct a case study on whether solutions to form expert knowledge that facilitates inde- taint tracking can be re-instantiated using a compiler-based pendent research on the topic. In particular, we deep-dive app instrumentation framework. Overall, our results provide into its most recent backend called Optimizing that became compelling arguments for the community to choose compiler- the default with Android 6 Marshmallow, and expose its based approaches over alternative bytecode or binary rewriting relevance for ARTist as well as future work in this area. approaches for security solutions on Android. Compiler-based app instrumentation. We design and implement a novel approach, called ARTist (ART Instrumen- 1. Introduction tation and Security Toolkit), for application instrumentation based on an extended version of ART’s on-device compiler dex2oat. Our system leverages the compiler’s rich optimiza- Google’s Android OS has become a popular subject of tion framework to safely optimize the newly instrumented the security research community over the last few years. application code. The instrumentation process is guided Among the different directions of research on improving by static analysis that utilizes the compiler’s intermediate Android’s security, a dedicated line of work has success- representation of the app’s code as well as its static program fully investigated how instrumentation of the interpreter information in order to efficiently determine instrumentation (i.e., Dalvik virtual machine) can be leveraged for security targets. A particular benefit of our solution, in contrast to al- purposes. This line of work comprises influencing works ternative application layer solutions (i.e., bytecode or binary such as TaintDroid [1] for analyzing privacy-relevant data rewriting), is that the application signature is unchanged flows within applications, AppFence [2] for protecting the and therefore Android’s signature-based same origin model end-users’ privacy, Moses [3] for domain isolation, or Span- and its central update utility remain intact. We thoroughly dex [4] for password tracking, just to name a few. discuss further benefits and drawbacks of security-extended However, with the release of Android 5 Lollipop, Google compilers on Android in comparison to bytecode and binary made a large technological leap by replacing the interpreter- rewriting. Our results provide compelling arguments for based runtime with an on-device, ahead-of-time compilation preferring compiler-based instrumentation over alternative of apps to platform-specific native code that is executed in bytecode or binary rewriting approaches. the new Android runtime (short ART). While this leap did not affect the app developers, it broke legacy compliance ©2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. Feasibility study for compiler-based taint tracking. To process, called Zygote, which has all the necessary libraries demonstrate the benefits of a solution such as our ARTist, and a skeleton runtime for the app code preloaded. we conduct a case study on whether compiler-assisted in- strumentation can be utilized to realize a dynamic intra- Runtime prior to Android 5. On Android devices prior application taint tracking solution. Our resulting prototype to version 5, the runtime consisted of the DEX byte- is evaluated using microbenchmarks and its operational ca- code interpreter (or Dalvik virtual machine), which was pability is shown using an open source test suite with known specifically designed for devices with constrained resources ground truth. (e.g., register-based execution model instead of stack- Infrastructure for large-scale on-device evaluations. In based). It executes Dalvik executable bytecode (short dex), order to prove the robustness of our approach, we created an which is created from the Java bytecode of applications evaluation infrastructure that allows to scale our on-device at application-build time. Thus, every application package dynamic app testing to thousands of apps from the Google ships the dex bytecode compiled from the application Java play store. It is easily extendable and can be used to not only sources. Additionally, since Android version 2.2, Dalvik evaluate ARTist-based approaches but in general dynamic uses just-in-time compilation of hotspot code segments in on-device security solutions. order to improve the runtime performance of applications. Publication of results. To allow researchers to utilize and Runtime since Android 5. With Android 5, Google moved extend the results of this paper, we open-sourced the code of over from an interpreter-based app execution to an on- ARTist and our evaluation framework called monkey-troop at device, ahead-of-time compilation of apps’ dex bytecode to https://artist.cispa.saarland. native code that is executed in a newly introduced managed Outline. The remainder of this paper is structured as fol- runtime called ART. This shift in the runtime model was lows. In Section 2, we present the results of our study of the intended to address the app performance needs of Android’s dex2oat compiler and its Optimizing backend. We analyze user and developer base. The new compiler suite was de- the requirements for an application-layer instrumentation signed from scratch to allow for compile time optimizations solution in Section 3 and compare bytecode and binary that improve application performance, startup time, battery rewriting with compiler-based approaches. We present our lifespan, and also to solve some well-known limitations of the previous interpreter-based runtime, such as the 65k ARTist design in Section 4. Section 5 illustrates use cases for 1 ARTist, followed by a more detailed case study on compiler- method limit . In particular, Google made the Optimizing assisted taint tracking. We discuss limitations and future compiler backend, which was introduced as an opt-in feature work of our solution in Section 6 and conclude this paper in Android 5, the default backend in Android 6. In the in Section 7. following Sections 2.2 and 2.3, we will elaborate in more technical detail on this new compiler suite and in particular on the Optimizing backend. 2. Background Prior documentation of ART. Even though the Android We provide general background information on An- source code is publicly available as part of the Android droid’s managed runtime to set the context of our compiler Open Source Project (AOSP), little attention has yet been extensions (Section 2.1), and subsequently present techni- given to ART from a security researcher’s perspective. Paul cal background information on the compiler suite dex2oat Sabanal had an early look [7] at the Android Runtime (Section 2.2) and in particular on its Optimizing backend right after
Recommended publications
  • How Applications Are Run on Android ?

    How Applications Are Run on Android ?

    How applications are run on Android ? Jean-Loup Bogalho & Jérémy Lefaure [email protected] [email protected] Table of contents 1. Dalvik and ART 2. Executable files 3. Memory management 4. Compilation What is Dalvik ? ● Android’s Virtual Machine ● Designed to run on embedded systems ● Register-based (lower memory consumption) ● Run Dalvik Executable (.dex) files What is ART ? ● Android RunTime ● Dalvik’s successor ● ART Is Not a JVM ● Huge performance gain thanks to ahead-of-time (AOT) compilation ● Available in Android 4.4 What is ART ? Executable files Dalvik: .dex files ● Not the same bytecode as classical Java bytecode ● .class files are converted in .dex files at build time ● Optimized for minimal memory footprint Dalvik: .dex files Dalvik: application installation ● Verification: ○ bytecode check (illegal instructions, valid indices,...) ○ checksum on files ● Optimization: ○ method inlining ○ byte swapping and padding ○ static linking ART: OAT file ● Generated during installation (dex2oat) ● ELF format ● Classes metadata Memory management Zygote ● Daemon started at boot time ● Loads and initializes core libraries ● Forks to create new Dalvik instance ● Startup time of new VM is reduced ● Memory layouts are shared across processes Dalvik: memory management ● Memory is garbage collected ● Automatic management avoids programming errors ● Objects are not freed as soon as they become unused Dalvik: memory allocation ● Allocation profiling: ○ allocation count (succeeded or failed) ○ total allocated size (succeeded or failed) ● malloc
  • Android (Operating System) 1 Android (Operating System)

    Android (Operating System) 1 Android (Operating System)

    Android (operating system) 1 Android (operating system) Android Home screen displayed by Samsung Nexus S with Google running Android 2.3 "Gingerbread" Company / developer Google Inc., Open Handset Alliance [1] Programmed in C (core), C++ (some third-party libraries), Java (UI) Working state Current [2] Source model Free and open source software (3.0 is currently in closed development) Initial release 21 October 2008 Latest stable release Tablets: [3] 3.0.1 (Honeycomb) Phones: [3] 2.3.3 (Gingerbread) / 24 February 2011 [4] Supported platforms ARM, MIPS, Power, x86 Kernel type Monolithic, modified Linux kernel Default user interface Graphical [5] License Apache 2.0, Linux kernel patches are under GPL v2 Official website [www.android.com www.android.com] Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[6] [7] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[8] Android's mobile operating system is based on a modified version of the Linux kernel. Google and other members of the Open Handset Alliance collaborated on Android's development and release.[9] [10] The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android.[11] The Android operating system is the world's best-selling Smartphone platform.[12] [13] Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. There are currently over 150,000 apps available for Android.[14] [15] Android Market is the online app store run by Google, though apps can also be downloaded from third-party sites.
  • K1 LEVEL QUESTIONS 17PMC640 ANDROID PROGRAMMING Unit:1

    K1 LEVEL QUESTIONS 17PMC640 ANDROID PROGRAMMING Unit:1

    K1 LEVEL QUESTIONS 17PMC640 ANDROID PROGRAMMING Unit:1 1) Dalvik Virtual Machine (DVM) actually uses core features of A. Windows B. Mac C. Linux D. Contiki 2) A type of service provided by android that allows sharing and publishing of data to other applications is A. View System B. Content Providers C. Activity Manager D. Notifications Manager 3) Android library that provides access to UI pre-built elements such as buttons, lists, views etc. is A. android.text B. android.os C. android.view D. android.webkit 4) A type of service provided by android that shows messages and alerts to user is A. Content Providers B. View System C. Notifications Manager D. Activity Manager 5) A type of service provided by android that controls application lifespan and activity pile is A. Activity Manager B. View System C. Notifications Manager D. Content Providers 6) One of application component, that manages application's background services is called A. Activities B. Broadcast Receivers C. Services D. Content Providers 7) In android studio, callback that is called when activity interaction with user is started is A. onStart B. onStop C. onResume D. onDestroy 8) Tab that can be used to do any task that can be done from DOS window is A. TODO B. messages C. terminal D. comments 9) Broadcast that includes information about battery state, level, etc. is A. android.intent.action.BATTERY_CHANGED B. android.intent.action.BATTERY_LOW C. android.intent.action.BATTERY_OKAY D. android.intent.action.CALL_BUTTON 10) OHA stands for a) Open Host Application b) Open Handset
  • Android Operating System

    Android Operating System

    Software Engineering ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, 2012, pp.-10-13. Available online at http://www.bioinfo.in/contents.php?id=76 ANDROID OPERATING SYSTEM NIMODIA C. AND DESHMUKH H.R. Babasaheb Naik College of Engineering, Pusad, MS, India. *Corresponding Author: Email- [email protected], [email protected] Received: February 21, 2012; Accepted: March 15, 2012 Abstract- Android is a software stack for mobile devices that includes an operating system, middleware and key applications. Android, an open source mobile device platform based on the Linux operating system. It has application Framework,enhanced graphics, integrated web browser, relational database, media support, LibWebCore web browser, wide variety of connectivity and much more applications. Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. Architecture of Android consist of Applications. Linux kernel, libraries, application framework, Android Runtime. All applications are written using the Java programming language. Android mobile phone platform is going to be more secure than Apple’s iPhone or any other device in the long run. Keywords- 3G, Dalvik Virtual Machine, EGPRS, LiMo, Open Handset Alliance, SQLite, WCDMA/HSUPA Citation: Nimodia C. and Deshmukh H.R. (2012) Android Operating System. Software Engineering, ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, pp.-10-13. Copyright: Copyright©2012 Nimodia C. and Deshmukh H.R. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
  • Dalvik - Virtual Machine

    Dalvik - Virtual Machine

    Review Indian Journal of Engineering, Volume 1, Number 1, November 2012 REVIEW Indian Journal of 7765 – ngineering 7757 EISSN 2319 E – ISSN 2319 Dalvik - Virtual Machine Ashish Yadav J1, Abhishek Vats J2, Aman Nagpal J3, Avinash Yadav J4 1.Department of Computer Science, Dronacharya college of Engineering, Gurgaon, India, E-mail: [email protected] 2.Department of Computer Science, Dronacharya college of Engineering, Gurgaon, India, E-mail: [email protected] 3.Department of Computer Science, Dronacharya college of Engineering, Gurgaon, India, E-mail: [email protected] 4.Department of Computer Science, Dronacharya college of Engineering, Gurgaon, India, E-mail: [email protected] Received 26 September; accepted 19 October; published online 01 November; printed 16 November 2012 ABSTRACT Android is a software stack for mobile devices that contains an operating system, middleware and key applications. Android is a software platform and operating system for mobile devices based on the Linux operating system and developed by Google and the Open Handset Alliance. It allows developers to Write handle code in a Java-like language that utilizes Google-developed Java libraries, but does not support programs developed in native code. The presentation of the Android platform on 5 November 2007 was announced with the founding of the Open Handset Alliance, a consortium of 34 hardware, software and telecom companies devoted to advancing open standards for mobile devices. When released in 2008, most of the Android platform will be made obtainable under the Apache free-software and open-source license. Open Android provide the permission to access core mobile device functionality through standard API calls.
  • Dexmedetomidine Mitigates LPS-Induced Acute Lung Injury in Rats Through HMGB1-Mediated Anti- Inflammatory and Antioxidant Mechanisms

    Dexmedetomidine Mitigates LPS-Induced Acute Lung Injury in Rats Through HMGB1-Mediated Anti- Inflammatory and Antioxidant Mechanisms

    Revista Argentina de Clínica Psicológica 2020, Vol. XXIX, N°4, 377-383 377 DOI: 10.24205/03276716.2020.837 Dexmedetomidine Mitigates LPS-Induced Acute Lung Injury in Rats Through HMGB1-Mediated Anti- Inflammatory and Antioxidant Mechanisms Ning Lva*,XiaoYun Lib ABSTRACT Purpose: To investigate the effect of dexmedetomidine on lipopolysaccharide (LPS)- induced acute lung injury in rats, and the underlying mechanism. Methods: Healthy male SD rats (n=54) were randomly divided into three groups: normal, model and dexmedetomidine groups, with 18 rats in each group. Rats in the model and dexmedetomidine groups were given LPS at a dose of 8 mg/kg, to establish a model of acute lung injury. Rats in the dexmedetomidine group were injected intraperitoneallywith dexmedetomidine at a dose of 50 μg/kg prior to establishment of the model, while rats in the normal group received intraperitoneal injection of normal saline in place of dexmedetomidine. Hematoxylin and eosin (H&E) staining was used to observe changes in lung tissue in each group.Changes in wet/dry weight ratio of lung tissue were compared among the groups. Enzyme-linked immunosorbent assay was used to determine the expressions of inflammation indices i.e. interleukin-6 (IL-6), tumor necrosis factor-α (TNF- α), and interleukin-1β (L-1β)] in lung tissue. Levels of MDA were measured with thiobarbituric acid method. Superoxide dismutase (SOD) activity was assayed through enzyme rate method, while nitric oxide was measured using nitrate reductase assay.The expression levels of high mobility group protein B1 (HMGB1), p-PI3K, p-Akt, p-IκB, p-NF- κB, and Toll-like receptor 4 (TLR4) in lung tissue were determined with Western blotting.
  • History and Evolution of the Android OS

    History and Evolution of the Android OS

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Springer - Publisher Connector CHAPTER 1 History and Evolution of the Android OS I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this. —Steve Jobs, Apple Inc. Android, Inc. started with a clear mission by its creators. According to Andy Rubin, one of Android’s founders, Android Inc. was to develop “smarter mobile devices that are more aware of its owner’s location and preferences.” Rubin further stated, “If people are smart, that information starts getting aggregated into consumer products.” The year was 2003 and the location was Palo Alto, California. This was the year Android was born. While Android, Inc. started operations secretly, today the entire world knows about Android. It is no secret that Android is an operating system (OS) for modern day smartphones, tablets, and soon-to-be laptops, but what exactly does that mean? What did Android used to look like? How has it gotten where it is today? All of these questions and more will be answered in this brief chapter. Origins Android first appeared on the technology radar in 2005 when Google, the multibillion- dollar technology company, purchased Android, Inc. At the time, not much was known about Android and what Google intended on doing with it. Information was sparse until 2007, when Google announced the world’s first truly open platform for mobile devices. The First Distribution of Android On November 5, 2007, a press release from the Open Handset Alliance set the stage for the future of the Android platform.
  • Tutorial: Setup for Android Development

    Tutorial: Setup for Android Development

    Tutorial: Setup for Android Development Adam C. Champion, Ph.D. CSE 5236: Mobile Application Development Autumn 2019 Based on material from C. Horstmann [1], J. Bloch [2], C. Collins et al. [4], M.L. Sichitiu (NCSU), V. Janjic (Imperial College London), CSE 2221 (OSU), and other sources 1 Outline • Getting Started • Android Programming 2 Getting Started (1) • Need to install Java Development Kit (JDK) (not Java Runtime Environment (JRE)) to write Android programs • Download JDK for your OS: https://adoptopenjdk.net/ * • Alternatively, for OS X, Linux: – OS X: Install Homebrew (http://brew.sh) via Terminal, – Linux: • Debian/Ubuntu: sudo apt install openjdk-8-jdk • Fedora/CentOS: yum install java-1.8.0-openjdk-devel * Why OpenJDK 8? Oracle changed Java licensing (commercial use costs $$$); Android SDK tools require version 8. 3 Getting Started (2) • After installing JDK, download Android SDK from http://developer.android.com • Simplest: download and install Android Studio bundle (including Android SDK) for your OS • Alternative: brew cask install android- studio (Mac/Homebrew) • We’ll use Android Studio with SDK included (easiest) 4 Install! 5 Getting Started (3) • Install Android Studio directly (Windows, Mac); unzip to directory android-studio, then run ./android-studio/bin/studio64.sh (Linux) 6 Getting Started (4) • Strongly recommend testing Android Studio menu → Preferences… or with real Android device File → Settings… – Android emulator: slow – Faster emulator: Genymotion [14], [15] – Install USB drivers for your Android device! • Bring up Android SDK Manager – Install Android 5.x–8.x APIs, Google support repository, Google Play services – Don’t worry about non-x86 Now you’re ready for Android development! system images 7 Outline • Getting Started • Android Programming 8 Introduction to Android • Popular mobile device Mobile OS Market Share OS: 73% of worldwide Worldwide (Jul.
  • Mobile Code Anti-Reversing Scheme Based on Bytecode Trapping in ART

    Mobile Code Anti-Reversing Scheme Based on Bytecode Trapping in ART

    sensors Article Mobile Code Anti-Reversing Scheme Based on Bytecode Trapping in ART Geonbae Na 1, Jongsu Lim 1, Sunjun Lee 2 and Jeong Hyun Yi 2,* 1 School of Computer Science and Engineering, Soongsil University, Seoul 06978, Korea; [email protected] (G.N.); [email protected] (J.L.) 2 School of Software, Soongsil University, Seoul 06978, Korea; [email protected] * Correspondence: [email protected] Received: 31 March 2019; Accepted: 6 June 2019; Published: 10 June 2019 Abstract: As interest in Internet of Things environments rapidly increases throughout the IT convergence field, compatibility with mobile devices must be provided to enable personalized services. The security of mobile platforms and applications is critical because security vulnerabilities of mobile devices can be spread to all things in these environments. Android, the leading open mobile platform, has long used the Dalvik virtual machine as its runtime system. However, it has recently been completely replaced by a new runtime system, namely Android Runtime (ART). The change from Android’s Dalvik to ART means that the existing Dalvik bytecode-based application execution structure has been changed to a machine code-based application execution structure. Consequently, a detailed understanding of ART, such as new file formats and execution switching methods between codes, is required from the viewpoint of application security. In this paper, we demonstrate that an existing Dalvik-based application vulnerability can be exploited as-is in ART. This is because existing Dalvik executable files coexist in the ART executable file, and these Dalvik bytecodes and compiled machine codes have one-to-one mapping relationships.
  • Nacldroid: Native Code Isolation for Android Applications

    Nacldroid: Native Code Isolation for Android Applications

    NaClDroid: Native Code Isolation for Android Applications Elias Athanasopoulos1, Vasileios P. Kemerlis2, Georgios Portokalidis3, and Angelos D. Keromytis4 1 Vrije Universiteit Amsterdam, The Netherlands [email protected] 2 Brown University, Providence, RI, USA [email protected] 3 Stevens Institute of Technology, Hoboken, NJ, USA [email protected] 4 Columbia University, New York, NY, USA [email protected] Abstract. Android apps frequently incorporate third-party libraries that contain native code; this not only facilitates rapid application develop- ment and distribution, but also provides new ways to generate revenue. As a matter of fact, one in two apps in Google Play are linked with a library providing ad network services. However, linking applications with third-party code can have severe security implications: malicious libraries written in native code can exfiltrate sensitive information from a running app, or completely modify the execution runtime, since all native code is mapped inside the same address space with the execution environment, namely the Dalvik/ART VM. We propose NaClDroid, a framework that addresses these problems, while still allowing apps to include third-party code. NaClDroid prevents malicious native-code libraries from hijacking Android applications using Software Fault Isolation. More specifically, we place all native code in a Native Client sandbox that prevents uncon- strained reads, or writes, inside the process address space. NaClDroid has little overhead; for native code running inside the NaCl sandbox the slowdown is less than 10% on average. Keywords: SFI, NaCl, Android 1 Introduction Android is undoubtedly the most rapidly growing platform for mobile devices, with estimates predicting one billion Android-based smartphones shipping in 2017 [12].
  • Tackling Runtime-Based Obfuscation in Android with TIRO

    Tackling Runtime-Based Obfuscation in Android with TIRO

    Tackling runtime-based obfuscation in Android with TIRO Michelle Y. Wong and David Lie University of Toronto Abstract analysis as well for efficiency and greater code cover- age [1,2, 12]. As a result, malware authors have increas- Obfuscation is used in malware to hide malicious activ- ingly turned to obfuscation to hide their actions and con- ity from manual or automatic program analysis. On the fuse both static and dynamic analysis tools. The presence Android platform, malware has had a history of using ob- of obfuscation does not indicate malicious intent in and fuscation techniques such as Java reflection, code pack- of itself, as many legitimate applications employ code ing and value encryption. However, more recent mal- obfuscation to protect intellectual property. However, be- ware has turned to employing obfuscation that subverts cause of its prevalence among malware, it is crucial that the integrity of the Android runtime (ART or Dalvik), a malware analyzers have the ability to deobfuscate An- technique we call runtime-based obfuscation. Once sub- droid applications in order to determine if an application verted, the runtime no longer follows the normally ex- is indeed malicious or not. pected rules of code execution and method invocation, There exist a variety of obfuscation techniques on the raising the difficulty of deobfuscating and analyzing mal- Android platform. Many common techniques, such as ware that use these techniques. Java reflection, value encryption, dynamically decrypt- In this work, we propose TIRO, a deobfuscation ing and loading code, and calling native methods have framework for Android using an approach of Target- been identified and discussed in the literature [11,22,26].
  • The Future Going Back in Time to Abuse Android's

    The Future Going Back in Time to Abuse Android's

    Back To The Future Going Back In Time To Abuse Android’s JIT !1 $ whoami • Benjamin Watson • Director of Security Research @VerSprite Security • Android • @rotlogix !2 Agenda • Inspiration and Overview • Android 4.4.4 JIT Internals & Abuse • Android 7.1.1 JIT Internals & Abuse • Android Oreo • Tools • Future Challenges • Conclusion !3 Back To The Future Going Back In Time To Abuse Android’s JIT !4 Making Android Malware Great The First Time !5 On The Shoulders Of Giants !6 On the Shoulders of Giants @mattifestation @rwincey !7 Shellcode Execution in .NET using MSIL- Based JIT Overwrite • @mattifestation discovered the CPBLK opcode, which is effectively the MSIL equivalent to memcpy • He used to this opcode to overwrite a JIT’ed .NET method with shellcode • https://www.exploit-monday.com/2013/04/ MSILbasedShellcodeExec.html !8 Java Shellcode Execution • @rwincey uses the Unsafe API to overwrite a JIT’ed Java method with shellcode • https://www.slideshare.net/RyanWincey/java- shellcodeoffice !9 On the Shoulders of Giants • After absorbing Matt and Ryan’s research, I was left with one question … “ Is this also possible in Android? “ … !10 Motivation • These techniques discussed today are post-exploitation in nature • We already have installed a malicious application or gain code execution in Java through an arbitrary application • Our goal is to execute shellcode in memory entirely through Java without loading additional shared-libraries, or utilizing JNI !11 Motivation • This means that a simple “application” can have a self- contained solution