DOCSLIB.ORG

Artdroid: a Virtual-Method Hooking Framework on Android ART Runtime

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Artdroid: a Virtual-Method Hooking Framework on Android ART Runtime ARTDroid: A Virtual-Method Hooking Framework on Android ART Runtime Valerio Costamagna Cong Zheng Universit`adegli studi di Torino Palo Alto Networks [email protected] Georgia Institute of Technology [email protected] techniques can dynamically launch specific behaviors, which can be only monitored in dynamic analysis en- Abstract vironment instead of static analysis. Besides, in obfus- cated apps, static analysis can only check the API-level Various static and dynamic analysis tech- behaviors of apps rather than the fine-grained behav- niques are developed to detect and analyze iors, such as the URL in network connections and the Android malware. Some advanced Android phone number of sending SMS behavior. malware can use Java reflection and JNI mech- Without above limitations of static analysis, the dy- anisms to conceal their malicious behaviors namic analysis approach is usually used for deeply an- for static analysis. Furthermore, for dynamic alyzing apps [SFE+13]. Currently, dynamic analysis analysis, emulator detection and integrity self- uses hooking techniques for monitoring behaviors of checking are used by Android malware to by- apps. The hooking techniques can be divided into two pass all recent Android sandboxes. In this main types: 1) hooking Android framework APIs by paper, we propose ARTDroid, a framework modifying Android system [ZAG+15][EGH+14], and for hooking virtual-methods calls supporting 2) hooking APIs used in the app process by static in- the latest Android runtime (ART). A virtual- strumentation [BGH+13][DC13]. Both of them have method is called by the ART runtime using a limitations to analyze trick samples. The first hook- dispatch table (vtable). ARTDroid can tam- ing technique has a drawback that it cannot be used per the vtable without any modifications to on other vendors’ devices except for Google Nexus both Android framework and app’s code. The devices or emulators. This gives a chance for mali- ARTDroid hooking framework can be used to cious apps, which uses the device fingerprint and anti- build an efficient sandbox on real devices and emulator technique to evade the dynamic detection. monitor sensitive methods called in both Java Even though the second hooking technique does not reflection and JNI ways. have this drawback, but it becomes useless when apps apply anti-repacking techniques. Apps can check the 1 Introduction integrity of themselves in runtime and enter the frozen The analysis of Android apps becomes more and more mode to prevent dynamic analysis if the integrity is difficult currently. Both benign and malicious de- broken. Moreover, if malicious apps implement ma- velopers use various protection techniques, such as licious behaviors in native codes, the second hooking Java reflection, dynamic code loading and code ob- technique still cannot detect them. fuscation [RCJ13], to prevent their apps from reverse- To build a better hooking framework for dynamic engineering. Java reflection and dynamic code loading analysis, we design ARTDroid, an framework for hooking virtual-method calls under the latest Android Copyright c by the paper’s authors. Copying permitted for runtime (ART). The idea of hooking on ART is tam- private and academic purposes. This volume is published and pering the virtual method table (vtable) for detour- copyrighted by its editors. ing virtual-methods calls. The vtable is to support In: D. Aspinall, L. Cavallaro, M. N. Seghir, M. Volkamer (eds.): the dynamic-dispatch mechanism. And, dynamic dis- Proceedings of the Workshop on Innovations in Mobile Privacy and Security IMPS at ESSoS’16, London, UK, 06-April-2016, patch, i.e., the runtime selection of a target procedure published at http://ceur-ws.org given a method reference and the receiver type, is a 20 1 central feature of object-oriented languages to pro- the dex2oat tool to the boot.oat file. To allow pre- vide polymorphism. Since almost all Android sensi- loading of Java classes used in runtime, an image file tive APIs are virtual methods, we can collect the apps called boot.art is created by dex2oat. The image file behavior by using ARTDroid to hook Android APIs contains pre-initialized classes and objects from the methods. Android framework JARs. Through linking to this To summarize, this paper makes the following con- image, OAT files can call methods in Android frame- tributions. work or access pre-initialized objects. We are going to briefly analyze the ART internals, using as codebase We propose ARTDroid, a framework for hooking the Android version 6.0.1 r10. • virtual-method calls without any modifications to 1 // C++ mirror of java.lang.Class both the Android system and the app’s code. 2 class MANAGED Class FINAL : public Object { 3 We discuss how ARTDroid is made fully compat- 4 [...] • 5 HeapReference<IfTable> iftable_; ible with any real devices running the ART run- 6 HeapReference<String> name_; time with root privilege. 7 HeapReference<Class> super_class_; 8 HeapReference<PointerArray> vtable_; 9 uint32_t access_flags_; We demostrate that the hooking technique used • 10 uint64_t direct_methods_; by ARTDroid allows to intercept virtual-methods 11 uint64_t virtual_methods_; 12 uint32_t num_virtual_methods_; called in both Java reflection and JNI ways. 13 [...] 14 } We discuss applications of ARTDroid on malware • analysis and policy enforcement in Android apps. Figure 1: ART Class type We released ARTDroid as an open-source project The ART runtime uses specific C++ classes to mir- • 1. ror Java classes and methods. Java classes are inter- 2 The rest of this paper is organized as follows. Sec- nally mirrored by using Class . In Figure 1, virtual- tion 2 introduces the background about Android and methods defined in Class are stored in an array of the new Android runtime ART. The ARTDrod frame- ArtMethod* elements, called virtual methods (line work is introduced in Sec. 3 and its implementation 11). The vtable field (line 8) is the virtual method is discussed in Sec. 4. Performance evaluation is pre- table. During the linking, the vtable from the super- sented in Sec. 5, and discussion and applications are class is copied, and the virtual methods from that class in Sec. 6. Section 7 discuss some related works, and either override or are appended inside it. Basically, the we conclude this paper in Sec. 8. vtable is an array of ArtMethod* type. Direct meth- ods are stored in the direct methods array (line 2 Background 10) and the iftable array (line 5) contains pointers to the interface methods. We leave interface-methods Android apps are usually written in Java and com- hooking for future work. The Figure 2 shows the defi- piled to Dalvik bytecode (DEX). To develop an An- nition of ArtMethod class3. The main functionality droid app, developers typically use a set of tools via of ArtMethod class is to represent a Java method. Android Software Development Kit (SDK). With An- 1 class ArtMethod FINAL { droid’s Native Development Kit (NDK), developers 2 [...] can write native code and embed them into apps. The 3 GcRoot<mirror::Class> declaring_class_; 4 uint32_t access_flags_; common way of invoking native code on Android is 5 uint32_t method_index_; through Java Native Interface (JNI). 6 [...] 7 struct PACKED(4) PtrSizedFields { 8 void* entry_point_from_interpreter_; 2.1 ART Runtime 9 void* entry_point_from_jni_; 10 void* entry_point_from_quick_compiled_code_; ART, silently introduced in October 2013 at the An- 11 } ptr_sized_fields_; droid KitKat release, applies Ahead-of-Time (AoT) 12 } compilation to convert Dalvik bytecode to native code. At the installation time, ART compiles apps using Figure 2: ART ArtMethod type the on-device dex2oat tool to keep the compatibil- By definition, a method is declared within a class, ity. The dex2oat is used to compile Dalvik bytecode pointed by the declaring class field (line 3). The and produce an OAT file, which replaces Dalvik’s odex method’s index value is stored in the method index file. Even Android framework JARs are compiled by 2art/runtime/mirror/class.h 1https://vaioco.github.io 3art/runtime/art method.h 21 2 field (line 5). This value is the method’s index piled in lines 11-18 in Figure 4. The TelephonyMan- in the concrete method dispatch table stored within ager instance (an Object4 type) is stored in the register method’s class. The access flags field (line 4) r2. Then, the instance’s class is retrived from address stores the method’s modifiers (i.e., public, private, in r2 and stored in the register r0 (line 13). The static, protected, etc. ) and the PtrSizedFields method getDeviceId (an ArtMethod type) is directly struct, (line 7), contains pointers to the ArtMethod’s retrived (line 16) from memory using a static offset entry points. Pointers stored within this struct are as- from address stored in r0. Finally, the getMethodId’s signed by the ART compiler driver at the compilation entrypoint is called using the ARM branch instruction time. blx (line 18). The entrypoint’s address is also retrived by using a static memory offset from the ArtMethod 2.2 Virtual-methods Invocation in ART reference (line 17). In this paragraph we describe how ART runtime In Java, it is allowed to invoke a method dy- invokes virtual-methods by choosing the virtual- namically specified using Java Reflection. Re- flection calls managed by ART runtime use the method android.telephony.TelephonyManager’s 5 getDeviceId as an example. Figure 3 shows that the function InvokeMethod . This function calls getDeviceId method is invoked on TelephonyManager FindVirtualMethodForVirtualOrInterface which object’s class (line 4). Figure 4 shows dumped returns a pointer to the searched method by looking compiled codes for arm architecture by oatdump tool. in the vtable array of receiver’s class. A Java method can also be invoked by na- 1 package org.sid.example; tive code using the Call<type>Method family 2 public class MyClass { 3 public String callGetDeviceId(TelephonyManager tm){ functions, exposed by JNI.
Load more

Recommended publications
  • The Architecture of Decentvm
    The Architecture of the DecentVM Towards a Decentralized Virtual Machine for Many-Core Computing Annette Bieniusa Johannes Eickhold Thomas Fuhrmann University of Freiburg, Germany Technische Universitat¨ Munchen,¨ Germany [email protected] fjeick,[email protected] Abstract We have accomplished these goals by combining an off-line Fully decentralized systems avoid bottlenecks and single points transcoder with a virtual machine that executes modified bytecode. of failure. Thus, they can provide excellent scalability and very The transcoder performs the verification and statically links the robust operation. The DecentVM is a fully decentralized, distributed required classes of an application or library. Thereby, the resulting virtual machine. Its simplified instruction set allows for a small binary – a so-called blob – is significantly smaller than the original VM code footprint. Its partitioned global address space (PGAS) class files, and its execution requires a significantly less complex memory model helps to easily create a single system image (SSI) virtual machine. Both these effects result in the low memory across many processors and processor cores. Originally, the VM was footprint of DecentVM. designed for networks of embedded 8-bit processors. Meanwhile, All libraries that are required by an application are identified via it also aims at clusters of many core processors. This paper gives a cryptographic hashes. Thus, an application’s code can be deployed brief overview of the DecentVM architecture. as if it was a statically linked executable. The software vendor can thus test the executable as it runs on the customer site without Categories and Subject Descriptors C.1.4 [Processor Architec- interference from different library versions.
    [Show full text]
  • Android (Operating System) 1 Android (Operating System)
    Android (operating system) 1 Android (operating system) Android Home screen displayed by Samsung Nexus S with Google running Android 2.3 "Gingerbread" Company / developer Google Inc., Open Handset Alliance [1] Programmed in C (core), C++ (some third-party libraries), Java (UI) Working state Current [2] Source model Free and open source software (3.0 is currently in closed development) Initial release 21 October 2008 Latest stable release Tablets: [3] 3.0.1 (Honeycomb) Phones: [3] 2.3.3 (Gingerbread) / 24 February 2011 [4] Supported platforms ARM, MIPS, Power, x86 Kernel type Monolithic, modified Linux kernel Default user interface Graphical [5] License Apache 2.0, Linux kernel patches are under GPL v2 Official website [www.android.com www.android.com] Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[6] [7] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[8] Android's mobile operating system is based on a modified version of the Linux kernel. Google and other members of the Open Handset Alliance collaborated on Android's development and release.[9] [10] The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android.[11] The Android operating system is the world's best-selling Smartphone platform.[12] [13] Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. There are currently over 150,000 apps available for Android.[14] [15] Android Market is the online app store run by Google, though apps can also be downloaded from third-party sites.
    [Show full text]
  • Dynamically Loaded Classes As Shared Libraries: an Approach to Improving Virtual Machine Scalability
    Dynamically Loaded Classes as Shared Libraries: an Approach to Improving Virtual Machine Scalability Bernard Wong Grzegorz Czajkowski Laurent Daynès University of Waterloo Sun Microsystems Laboratories 200 University Avenue W. 2600 Casey Avenue Waterloo, Ontario N2L 3G1, Canada Mountain View, CA 94043, USA [email protected] {grzegorz.czajkowski, laurent.daynes}@sun.com Abstract machines sold today have sufficient amount of memory to hold a few instances of the Java virtual machine (JVMTM) Sharing selected data structures among virtual [2]. However, on servers hosting many applications, it is machines of a safe language can improve resource common to have many instances of the JVM running utilization of each participating run-time system. The simultaneously, often for lengthy periods of time. challenge is to determine what to share and how to share Aggregate memory requirement can therefore be large, it in order to decrease start-up time and lower memory and meeting it by adding more memory is not always an footprint without compromising the robustness of the option. In these settings, overall memory footprint must be system. Furthermore, the engineering effort required to kept to a minimum. For personal computer users, the main implement the system must not be prohibitive. This paper irritation is due to long start-up time, as they expect good demonstrates an approach that addresses these concerns TM responsiveness from interactive applications, which in in the context of the Java virtual machine. Our system contrast is of little importance in enterprise computing. transforms packages into shared libraries containing C/C++ programs typically do not suffer from excessive classes in a format matching the internal representation memory footprint or lengthy start-up time.
    [Show full text]
  • Proceedings of the Third Virtual Machine Research and Technology Symposium
    USENIX Association Proceedings of the Third Virtual Machine Research and Technology Symposium San Jose, CA, USA May 6–7, 2004 © 2004 by The USENIX Association All Rights Reserved For more information about the USENIX Association: Phone: 1 510 528 8649 FAX: 1 510 548 5738 Email: [email protected] WWW: http://www.usenix.org Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. MCI-Java: A Modified Java Virtual Machine Approach to Multiple Code Inheritance Maria Cutumisu, Calvin Chan, Paul Lu and Duane Szafron Department of Computing Science, University of Alberta {meric, calvinc, paullu, duane}@cs.ualberta.ca Abstract Java has multiple inheritance of interfaces, but only single inheritance of code via classes. This situation results in duplicated code in Java library classes and application code. We describe a generalization to the Java language syntax and the Java Virtual Machine (JVM) to support multiple inheritance of code, called MCI-Java. Our approach places multiply-inherited code in a new language construct called an implementation, which lies between an interface and a class in the inheritance hierarchy. MCI-Java does not support multiply-inherited data, which can cause modeling and performance problems. The MCI-Java extension is implemented by making minimal changes to the Java syntax, small changes to a compiler (IBM Jikes), and modest localized changes to a JVM (SUN JDK 1.2.2). The JVM changes result in no measurable performance overhead in real applications.
    [Show full text]
  • Android Operating System
    Software Engineering ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, 2012, pp.-10-13. Available online at http://www.bioinfo.in/contents.php?id=76 ANDROID OPERATING SYSTEM NIMODIA C. AND DESHMUKH H.R. Babasaheb Naik College of Engineering, Pusad, MS, India. *Corresponding Author: Email- [email protected], [email protected] Received: February 21, 2012; Accepted: March 15, 2012 Abstract- Android is a software stack for mobile devices that includes an operating system, middleware and key applications. Android, an open source mobile device platform based on the Linux operating system. It has application Framework,enhanced graphics, integrated web browser, relational database, media support, LibWebCore web browser, wide variety of connectivity and much more applications. Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. Architecture of Android consist of Applications. Linux kernel, libraries, application framework, Android Runtime. All applications are written using the Java programming language. Android mobile phone platform is going to be more secure than Apple’s iPhone or any other device in the long run. Keywords- 3G, Dalvik Virtual Machine, EGPRS, LiMo, Open Handset Alliance, SQLite, WCDMA/HSUPA Citation: Nimodia C. and Deshmukh H.R. (2012) Android Operating System. Software Engineering, ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, pp.-10-13. Copyright: Copyright©2012 Nimodia C. and Deshmukh H.R. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
    [Show full text]
  • Design and Implementation of a Scala Compiler Backend Targeting the Low Level Virtual Machine Geoffrey Reedy
    University of New Mexico UNM Digital Repository Computer Science ETDs Engineering ETDs 5-1-2014 Design and Implementation of a Scala Compiler Backend Targeting the Low Level Virtual Machine Geoffrey Reedy Follow this and additional works at: https://digitalrepository.unm.edu/cs_etds Recommended Citation Reedy, Geoffrey. "Design and Implementation of a Scala Compiler Backend Targeting the Low Level Virtual Machine." (2014). https://digitalrepository.unm.edu/cs_etds/67 This Thesis is brought to you for free and open access by the Engineering ETDs at UNM Digital Repository. It has been accepted for inclusion in Computer Science ETDs by an authorized administrator of UNM Digital Repository. For more information, please contact [email protected]. Geoffrey Reedy Candidate Computer Science Department This thesis is approved, and it is acceptable in quality and form for publication: Approved by the Thesis Committee: Darko Stefanovic , Chairperson Jed Crandall Matthew Lakin Design and Implementation of a Scala Compiler Backend Targeting the Low Level Virtual Machine by Geoffrey Reedy B.S., Computer Science, University of Missouri — Rolla, 2004 THESIS Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science Computer Science The University of New Mexico Albuquerque, New Mexico May, 2014 ©2014, Geoffrey Reedy iii Design and Implementation of a Scala Compiler Backend Targeting the Low Level Virtual Machine by Geoffrey Reedy B.S., Computer Science, University of Missouri — Rolla, 2004 M.S., Computer Science, University of New Mexico, 2014 Abstract The Scala programming language successfully blends object-oriented and functional programming. The current implementation of Scala is tied to the Java Virtual Machine (JVM) which constrains the implementation and deployment targets.
    [Show full text]
  • Java and C CSE351, Summer 2018
    L23: Java and C CSE351, Summer 2018 Java and C CSE 351 Summer 2018 Instructor: Justin Hsia Teaching Assistants: Josie Lee Natalie Andreeva Teagan Horkan https://xkcd.com/801/ L23: Java and C CSE351, Summer 2018 Administrivia Lab 5 due Friday (8/17) at 11:59 pm . Hard deadline Course evaluations now open . See Piazza post @120 for links Final Exam: Friday in lecture . Review Session: Wed, 8/15, 5‐6:30 pm in EEB 045 . You get ONE double‐sided handwritten 8.5 11” cheat sheet 2 L23: Java and C CSE351, Summer 2018 Roadmap C: Java: Memory & data car *c = malloc(sizeof(car)); Car c = new Car(); Integers & floats c->miles = 100; c.setMiles(100); x86 assembly c->gals = 17; c.setGals(17); Procedures & stacks float mpg = get_mpg(c); float mpg = Executables free(c); c.getMPG(); Arrays & structs Memory & caches Assembly get_mpg: Processes language: pushq %rbp movq %rsp, %rbp Virtual memory ... Memory allocation popq %rbp Java vs. C ret OS: Machine 0111010000011000 100011010000010000000010 code: 1000100111000010 110000011111101000011111 Computer system: 3 L23: Java and C CSE351, Summer 2018 Java vs. C Reconnecting to Java (hello CSE143!) . But now you know a lot more about what really happens when we execute programs We’ve learned about the following items in C; now we’ll see what they look like for Java: . Representation of data . Pointers / references . Casting . Function / method calls including dynamic dispatch 4 L23: Java and C CSE351, Summer 2018 Worlds Colliding CSE351 has given you a “really different feeling” about what computers do and how programs execute We have occasionally contrasted to Java, but CSE143 may still feel like “a different world” .
    [Show full text]
  • G22.2110-003 Programming Languages - Fall 2012 Lecture 12
    G22.2110-003 Programming Languages - Fall 2012 Lecture 12 Thomas Wies New York University Review Last lecture I Modules Outline I Classes I Encapsulation and Inheritance I Initialization and Finalization I Dynamic Method Binding I Abstract Classes I Simulating First-Class Functions Sources: I PLP, ch. 9 I PLP, ch. 3.6.3 What is OOP? (part I) The object idea: I bundling of data (data members) and operations (methods) on that data I restricting access to the data An object contains: I data members: arranged as a set of named fields I methods: routines which take the object they are associated with as an argument (known as member functions in C++) A class is a construct which defines the data and methods associated with all of its instances (objects). What is OOP? (part II) The inheritance and dynamic binding ideas: I inheritance: classes can be extended: I by adding new fields I by adding new methods I by overriding existing methods (changing behavior) If class B extends class A, we say that B is a subclass (or a derived or child class) of A, and A is a superclass (or a base or a parent class) of B. I dynamic binding: wherever an instance of a class is required, we can also use an instance of any of its subclasses; when we call one of its methods, the overridden versions are used. Information Hiding in Classes Like modules, classes can restrict access to their data and methods. Unlike modules, classes must take inheritance into account in their access control.
    [Show full text]
  • History and Evolution of the Android OS
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Springer - Publisher Connector CHAPTER 1 History and Evolution of the Android OS I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this. —Steve Jobs, Apple Inc. Android, Inc. started with a clear mission by its creators. According to Andy Rubin, one of Android’s founders, Android Inc. was to develop “smarter mobile devices that are more aware of its owner’s location and preferences.” Rubin further stated, “If people are smart, that information starts getting aggregated into consumer products.” The year was 2003 and the location was Palo Alto, California. This was the year Android was born. While Android, Inc. started operations secretly, today the entire world knows about Android. It is no secret that Android is an operating system (OS) for modern day smartphones, tablets, and soon-to-be laptops, but what exactly does that mean? What did Android used to look like? How has it gotten where it is today? All of these questions and more will be answered in this brief chapter. Origins Android first appeared on the technology radar in 2005 when Google, the multibillion- dollar technology company, purchased Android, Inc. At the time, not much was known about Android and what Google intended on doing with it. Information was sparse until 2007, when Google announced the world’s first truly open platform for mobile devices. The First Distribution of Android On November 5, 2007, a press release from the Open Handset Alliance set the stage for the future of the Android platform.
    [Show full text]
  • Tutorial: Setup for Android Development
    Tutorial: Setup for Android Development Adam C. Champion, Ph.D. CSE 5236: Mobile Application Development Autumn 2019 Based on material from C. Horstmann [1], J. Bloch [2], C. Collins et al. [4], M.L. Sichitiu (NCSU), V. Janjic (Imperial College London), CSE 2221 (OSU), and other sources 1 Outline • Getting Started • Android Programming 2 Getting Started (1) • Need to install Java Development Kit (JDK) (not Java Runtime Environment (JRE)) to write Android programs • Download JDK for your OS: https://adoptopenjdk.net/ * • Alternatively, for OS X, Linux: – OS X: Install Homebrew (http://brew.sh) via Terminal, – Linux: • Debian/Ubuntu: sudo apt install openjdk-8-jdk • Fedora/CentOS: yum install java-1.8.0-openjdk-devel * Why OpenJDK 8? Oracle changed Java licensing (commercial use costs $$$); Android SDK tools require version 8. 3 Getting Started (2) • After installing JDK, download Android SDK from http://developer.android.com • Simplest: download and install Android Studio bundle (including Android SDK) for your OS • Alternative: brew cask install android- studio (Mac/Homebrew) • We’ll use Android Studio with SDK included (easiest) 4 Install! 5 Getting Started (3) • Install Android Studio directly (Windows, Mac); unzip to directory android-studio, then run ./android-studio/bin/studio64.sh (Linux) 6 Getting Started (4) • Strongly recommend testing Android Studio menu → Preferences… or with real Android device File → Settings… – Android emulator: slow – Faster emulator: Genymotion [14], [15] – Install USB drivers for your Android device! • Bring up Android SDK Manager – Install Android 5.x–8.x APIs, Google support repository, Google Play services – Don’t worry about non-x86 Now you’re ready for Android development! system images 7 Outline • Getting Started • Android Programming 8 Introduction to Android • Popular mobile device Mobile OS Market Share OS: 73% of worldwide Worldwide (Jul.
    [Show full text]
  • Strict Protection for Virtual Function Calls in COTS C++ Binaries
    vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries Aravind Prakash Xunchao Hu Heng Yin Department of EECS Department of EECS Department of EECS Syracuse University Syracuse University Syracuse University [email protected] [email protected] [email protected] Abstract—Control-Flow Integrity (CFI) is an important se- these binary-only solutions are unfortunately coarse-grained curity property that needs to be enforced to prevent control- and permissive. flow hijacking attacks. Recent attacks have demonstrated that existing CFI protections for COTS binaries are too permissive, While coarse-grained CFI solutions have significantly re- and vulnerable to sophisticated code reusing attacks. Accounting duced the attack surface, recent efforts by Goktas¸¨ et al. [9] for control flow restrictions imposed at higher levels of semantics and Carlini [10] have demonstrated that coarse-grained CFI is key to increasing CFI precision. In this paper, we aim to provide solutions are too permissive, and can be bypassed by reusing more stringent protection for virtual function calls in COTS large gadgets whose starting addresses are allowed by these C++ binaries by recovering C++ level semantics. To achieve this solutions. The primary reason for such permissiveness is the goal, we recover C++ semantics, including VTables and virtual lack of higher level program semantics that introduce certain callsites. With the extracted C++ semantics, we construct a sound mandates on the control flow. For example, given a class CFI policy and further improve the policy precision by devising two filters, namely “Nested Call Filter” and “Calling Convention inheritance, target of a virtual function dispatch in C++ must Filter”.
    [Show full text]
  • Tackling Runtime-Based Obfuscation in Android with TIRO
    Tackling runtime-based obfuscation in Android with TIRO Michelle Y. Wong and David Lie University of Toronto Abstract analysis as well for efficiency and greater code cover- age [1,2, 12]. As a result, malware authors have increas- Obfuscation is used in malware to hide malicious activ- ingly turned to obfuscation to hide their actions and con- ity from manual or automatic program analysis. On the fuse both static and dynamic analysis tools. The presence Android platform, malware has had a history of using ob- of obfuscation does not indicate malicious intent in and fuscation techniques such as Java reflection, code pack- of itself, as many legitimate applications employ code ing and value encryption. However, more recent mal- obfuscation to protect intellectual property. However, be- ware has turned to employing obfuscation that subverts cause of its prevalence among malware, it is crucial that the integrity of the Android runtime (ART or Dalvik), a malware analyzers have the ability to deobfuscate An- technique we call runtime-based obfuscation. Once sub- droid applications in order to determine if an application verted, the runtime no longer follows the normally ex- is indeed malicious or not. pected rules of code execution and method invocation, There exist a variety of obfuscation techniques on the raising the difficulty of deobfuscating and analyzing mal- Android platform. Many common techniques, such as ware that use these techniques. Java reflection, value encryption, dynamically decrypt- In this work, we propose TIRO, a deobfuscation ing and loading code, and calling native methods have framework for Android using an approach of Target- been identified and discussed in the literature [11,22,26].
    [Show full text]