ARTist: The Android Runtime Instrumentation and Security Toolkit Michael Backes∗†, Sven Bugiel∗, Oliver Schranz∗, Philipp von Styp-Rekowsky∗, Sebastian Weisgerber∗ ∗CISPA, Saarland University †Max Planck Institute for Software Systems Saarland Informatics Campus Saarland Informatics Campus Email: fbackes, bugiel, schranz, styp-rekowsky, [email protected] Abstract—With the introduction of Android 5 Lollipop, the of the previously mentioned security solutions that rely on Android Runtime (ART) superseded the Dalvik Virtual Ma- instrumentation of the DVM and restricts them to Android chine (DVM) by introducing ahead-of-time compilation and versions prior to Lollipop. In fact, it has left the security native execution of applications, effectively deprecating sem- research community with two choices for carrying on work inal works such as TaintDroid that hitherto depend on the that relies on instrumented runtimes: resorting to binary or DVM. In this paper, we discuss alternatives to overcome bytecode rewriting techniques [5], [6] or adapting to the those restrictions and highlight advantages for the security novel but uncharted on-device compiler infrastructure. community that can be derived from ART’s novel on-device Our contributions. In this paper, we present a compiler- compiler dex2oat and its accompanying runtime components. based solution that can be used to study the feasibility of To this end, we introduce ARTist, a compiler-based application re-instantiating previous solutions such as dynamic, intra- instrumentation solution for Android that does not depend application taint tracking and dynamic permission enforce- on operating system modifications and solely operates on the ment and that provides a more robust, reliable, and inte- application layer. Since dex2oat is yet uncharted, our approach grated application-layer instrumentation approach than pre- required first and foremost a thorough study of the compiler viously possible. Concretely, we make the following contri- suite’s internals and in particular of the new default compiler butions in this paper. backend called Optimizing. We document the results of this Uncovering the uncharted ART compiler suite. Since study in this paper to facilitate independent research on this the novel ART compiler suite, dex2oat, is still uncharted, topic and exemplify the viability of ARTist by realizing two we uncover its applicability for compiler-based security use cases. In particular, we conduct a case study on whether solutions to form expert knowledge that facilitates inde- taint tracking can be re-instantiated using a compiler-based pendent research on the topic. In particular, we deep-dive app instrumentation framework. Overall, our results provide into its most recent backend called Optimizing that became compelling arguments for the community to choose compiler- the default with Android 6 Marshmallow, and expose its based approaches over alternative bytecode or binary rewriting relevance for ARTist as well as future work in this area. approaches for security solutions on Android. Compiler-based app instrumentation. We design and implement a novel approach, called ARTist (ART Instrumen- 1. Introduction tation and Security Toolkit), for application instrumentation based on an extended version of ART’s on-device compiler dex2oat. Our system leverages the compiler’s rich optimiza- Google’s Android OS has become a popular subject of tion framework to safely optimize the newly instrumented the security research community over the last few years. application code. The instrumentation process is guided Among the different directions of research on improving by static analysis that utilizes the compiler’s intermediate Android’s security, a dedicated line of work has success- representation of the app’s code as well as its static program fully investigated how instrumentation of the interpreter information in order to efficiently determine instrumentation (i.e., Dalvik virtual machine) can be leveraged for security targets. A particular benefit of our solution, in contrast to al- purposes. This line of work comprises influencing works ternative application layer solutions (i.e., bytecode or binary such as TaintDroid [1] for analyzing privacy-relevant data rewriting), is that the application signature is unchanged flows within applications, AppFence [2] for protecting the and therefore Android’s signature-based same origin model end-users’ privacy, Moses [3] for domain isolation, or Span- and its central update utility remain intact. We thoroughly dex [4] for password tracking, just to name a few. discuss further benefits and drawbacks of security-extended However, with the release of Android 5 Lollipop, Google compilers on Android in comparison to bytecode and binary made a large technological leap by replacing the interpreter- rewriting. Our results provide compelling arguments for based runtime with an on-device, ahead-of-time compilation preferring compiler-based instrumentation over alternative of apps to platform-specific native code that is executed in bytecode or binary rewriting approaches. the new Android runtime (short ART). While this leap did not affect the app developers, it broke legacy compliance ©2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. Feasibility study for compiler-based taint tracking. To process, called Zygote, which has all the necessary libraries demonstrate the benefits of a solution such as our ARTist, and a skeleton runtime for the app code preloaded. we conduct a case study on whether compiler-assisted in- strumentation can be utilized to realize a dynamic intra- Runtime prior to Android 5. On Android devices prior application taint tracking solution. Our resulting prototype to version 5, the runtime consisted of the DEX byte- is evaluated using microbenchmarks and its operational ca- code interpreter (or Dalvik virtual machine), which was pability is shown using an open source test suite with known specifically designed for devices with constrained resources ground truth. (e.g., register-based execution model instead of stack- Infrastructure for large-scale on-device evaluations. In based). It executes Dalvik executable bytecode (short dex), order to prove the robustness of our approach, we created an which is created from the Java bytecode of applications evaluation infrastructure that allows to scale our on-device at application-build time. Thus, every application package dynamic app testing to thousands of apps from the Google ships the dex bytecode compiled from the application Java play store. It is easily extendable and can be used to not only sources. Additionally, since Android version 2.2, Dalvik evaluate ARTist-based approaches but in general dynamic uses just-in-time compilation of hotspot code segments in on-device security solutions. order to improve the runtime performance of applications. Publication of results. To allow researchers to utilize and Runtime since Android 5. With Android 5, Google moved extend the results of this paper, we open-sourced the code of over from an interpreter-based app execution to an on- ARTist and our evaluation framework called monkey-troop at device, ahead-of-time compilation of apps’ dex bytecode to https://artist.cispa.saarland. native code that is executed in a newly introduced managed Outline. The remainder of this paper is structured as fol- runtime called ART. This shift in the runtime model was lows. In Section 2, we present the results of our study of the intended to address the app performance needs of Android’s dex2oat compiler and its Optimizing backend. We analyze user and developer base. The new compiler suite was de- the requirements for an application-layer instrumentation signed from scratch to allow for compile time optimizations solution in Section 3 and compare bytecode and binary that improve application performance, startup time, battery rewriting with compiler-based approaches. We present our lifespan, and also to solve some well-known limitations of the previous interpreter-based runtime, such as the 65k ARTist design in Section 4. Section 5 illustrates use cases for 1 ARTist, followed by a more detailed case study on compiler- method limit . In particular, Google made the Optimizing assisted taint tracking. We discuss limitations and future compiler backend, which was introduced as an opt-in feature work of our solution in Section 6 and conclude this paper in Android 5, the default backend in Android 6. In the in Section 7. following Sections 2.2 and 2.3, we will elaborate in more technical detail on this new compiler suite and in particular on the Optimizing backend. 2. Background Prior documentation of ART. Even though the Android We provide general background information on An- source code is publicly available as part of the Android droid’s managed runtime to set the context of our compiler Open Source Project (AOSP), little attention has yet been extensions (Section 2.1), and subsequently present techni- given to ART from a security researcher’s perspective. Paul cal background information on the compiler suite dex2oat Sabanal had an early look [7] at the Android Runtime (Section 2.2) and in particular on its Optimizing backend right after