Accurate Reconstruction of Android Attacks Via Multi-Layer Forensic Logging

DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging

Xingzi Yuan†, Omid Setayeshfar†, Hongfei Yan†, Pranav Panage†, Xuetao Wei‡, Kyu Hyung Lee†
†University of Georgia, Athens, GA, USA; ‡University of Cincinnati, Cincinnati, OH, USA
{x.yuan, omid.s, hfyan, pranav.panag, kyuhlee}@uga.edu, [email protected]

ABSTRACT

The goal of cyber attack investigation is to fully reconstruct the details of an attack, so that we can trace it back to its origin and recover the system from the damage it caused. This is often difficult and requires tremendous manual effort, because the attack events occurred days or even weeks before the investigation and the detailed information we need is no longer available. Forensic logging is therefore essential for cyber attack investigation.

In this paper, we present DroidForensics, a multi-layer forensic logging technique for Android. Our goal is to provide the user with detailed information about attack behaviors that enables accurate post-mortem investigation of Android attacks. DroidForensics consists of three logging modules. The API logger captures Android API calls, which carry the high-level semantics of an application. The Binder logger records interactions between applications in order to identify causal relations between processes, and the system call logger efficiently monitors low-level system events. We also provide a user interface in which the user composes SQL-like queries to inspect an attack. Our experiments show that DroidForensics has low runtime overhead (2.9% on average) and low space overhead (105 to 169 MByte over 24 hours) on real Android devices. It is effective in reconstructing the real-world Android attacks we have studied.

1. INTRODUCTION

Android devices are becoming increasingly popular, but at the same time they constantly attract cyber criminals. For example, the recent "Stagefright" attack [28] exploits a vulnerability in an Android core component that potentially affects 950 million Android devices. Consequently, there is an increasing need to detect and investigate Android attacks. Forensic logs are critical to cyber attack investigation. For example, when a user detects a symptom of an attack, we can analyze forensic logs to reconstruct the attack path from the symptom back to the "entry point" of the attack. It is also important to understand the damage the attack has done. For instance, knowing which system objects were compromised or what data was exfiltrated is needed to remediate the damage.

Forensic logging captures the behaviors of the system's execution and their relations. For instance, audit logging techniques [11] are widely used for cyber attack forensics. They record system objects such as users, processes, files and network sockets, and the relations between them, such as a process receiving data from a network socket, a user logging in to the system, or a system file being replaced by a process. Such logs can be used for backward and forward tracking [43, 45] to locate the origin of an attack and to identify the damage to the system. Recent work [45, 49, 29] shows that forensic logging is an effective technique for cyber attack forensics in desktop and server environments.

However, unlike traditional desktop or server applications, most Android applications run inside the Android Runtime (ART) virtual machine, which provides an isolated execution environment for each process. There are two major hindrances to using traditional system call logging on Android. First, system calls may be too low-level to capture the rich semantics of application behaviors. Second, Android has a unique inter-process communication (IPC) protocol, called Binder, and it is difficult to accurately capture IPC from system calls. For example, if an Android application steals the contact list from the device and sends it out in an SMS message, system calls cannot capture the critical behaviors, namely reading the contact information and sending the SMS message to the attacker's number. The reason is that the application cannot access contacts or SMS directly; instead it uses Binder calls to interact with Android service providers such as ContentProvider or SMSManager.

Recently, CopperDroid [63] and DroidScope [66] have proposed techniques to analyze the behaviors of Android malware. CopperDroid developed system-call-based analysis techniques for Android attack reconstruction. DroidScope [66] is an Android malware analysis engine that provides a unified view of hardware, kernel and Dalvik virtual machine information. However, both are built on top of emulated environments (e.g., QEMU [22]), which generally incurs nontrivial runtime and space overhead for resource-constrained mobile devices.

In this paper, we develop a multi-layer forensic logging technique for Android, called DroidForensics. DroidForensics captures important Android events from three layers: Android API, Binder and system calls. Our API logger captures the high-level semantics of an application, the Binder logger accurately captures interactions between applications, and the system call logger records low-level events such as system calls. In addition, DroidForensics provides an easy-to-use, SQL-like user interface in which the user composes queries to inspect an attack. DroidForensics generates a causal graph to answer the query, and the user can iteratively refine queries based on the previous graph. We do not require an emulated environment; DroidForensics is designed for real devices. In summary, this paper makes the following contributions:

• We design and implement a multi-layer forensic logging system for Android. Our system consists of three modules that capture different levels of information, from high-level application semantics to low-level system events. We also accurately capture inter-process communication via Android's Binder protocol.

• We develop a light-weight system call logging technique for Android. The existing Android audit system [4] causes up to 46% overhead on a Nexus 6, which is too expensive to keep active during normal execution. Our runtime overhead on the Nexus 6 is less than 4.05%. We also reduce space consumption substantially.

• We develop an easy-to-use user interface to aid attack investigation. Attack reconstruction is carried out by writing SQL-like queries. Our pre-processor automatically converts the user query to SQL queries, and the post-processor generates causal graphs.

• We evaluate the efficiency, effectiveness and compatibility of DroidForensics. Results on widely used Android benchmarks show that our runtime overhead is only about 2.9% on average and 6.16% in the worst case. We show that 31 Android malware samples are effectively resolved by querying the various levels of information. Compatibility results produced by the Android Compatibility Test Suite (CTS) show that DroidForensics maintains the same compatibility level as the original Android.

The rest of this paper is organized as follows. Section 2 gives an overview of DroidForensics and a motivating example using the Android malware AVPass. Section 3 discusses our design and implementation details. In Section 4, we evaluate DroidForensics for efficiency, effectiveness and compatibility. We discuss the limitations of DroidForensics and our future plans in Section 5. Section 6 presents related work, and we conclude the paper in Section 7.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. ASIA CCS '17, April 02-06, 2017, Abu Dhabi, United Arab Emirates. © 2017 ACM. ISBN 978-1-4503-4944-4/17/04. $15.00. DOI: http://dx.doi.org/10.1145/3052973.3052984

Figure 1: High level overview of DroidForensics. (Figure not reproduced; the labels recoverable from the page are: an Android Device with the layers Android Application, System Services, System Libraries and Kernel; the API Logger sits at the Android API / Java API, the Binder Logger in libbinder.so, and the System call Logger in the kernel; collected logs flow to a Forensic DB, and the User issues a Query and receives a Causal Graph.)

affect other processes (e.g., fork, kill) or other system objects (e.g., read, write, recv, send). To record a global order of events from the different layers, the API and Binder loggers forward their events to the system call logger, which stores them with global timestamps. The dotted line in Figure 1 shows the flow of collected forensic logs. DroidForensics periodically transfers the forensic data to an external server over Wi-Fi, and the three layers of logs are encoded uniformly into a relational database. Finally, the user composes SQL-like queries to investigate an attack. DroidForensics converts the user query to SQL queries and also generates a causal graph from the output of the forensic DB. The user can observe malicious behaviors from the different layers in one unified causal graph and refine the queries for further investigation.

Attack Description: Suppose John carries an Android smartphone and falls victim to a social-engineering malware download attack by clicking on a link in an advertisement page. The malware, AVPass [14], is silently installed on John's device. The malware deletes its icon and widget preview to hide from the user, then steals sensitive information such as contacts and SMS messages from the victim device. Finally, the malware stores the sensitive data in a local SQLite database for exfiltration.

Forensic Analysis: John accidentally discovers that a suspicious process, com.lge.clock with pid 3052, is running in the background. He wants to identify what this process has done on his device. However, the malware's activities happened a while ago, and the inspection of the malware process
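The workflow described above (three log layers stamped with one global clock, stored uniformly in a relational database, queried with SQL, and rendered as a causal graph that supports backward tracking to the entry point and forward tracking to the damage) can be illustrated end to end with a small model. The following is an added example and not DroidForensics' own schema, query language or code: the `events` table, the rule that turns each operation into a directed edge, the pids (1201 for a browser, 1010 for the system server, 3052 for com.lge.clock), and every path, address and timestamp are invented for the AVPass-style scenario.

```python
"""Unified multi-layer forensic DB with time-constrained backward/forward tracking.

Constructed illustration; NOT DroidForensics' schema, query language or code.
Every identifier, pid, path, address and timestamp below is invented.
"""
import sqlite3
from collections import deque

# Assumed rule for turning an operation into a causal edge:
# "in"  = data or control flows from the object INTO the acting process,
# "out" = from the acting process to the object.
EDGE_DIRECTION = {
    "read": "in", "recv": "in", "exec": "in", "query": "in", "loadUrl": "in",
    "write": "out", "send": "out", "install": "out", "setEnabled": "out",
}

# Constructed events: (global_ts, layer, actor, op, object). The layers are the
# paper's three; pids 1201 (browser), 1010 (system server) and 3052
# (com.lge.clock) are invented, as are all paths and addresses.
SAMPLE_EVENTS = [
    (100, "api",     "proc:1201", "loadUrl",    "url:http://ads.example/click"),
    (101, "syscall", "proc:1201", "recv",       "sock:203.0.113.5:80"),
    (102, "syscall", "proc:1201", "write",      "file:/sdcard/Download/clock.apk"),
    (110, "binder",  "proc:1201", "install",    "proc:1010"),
    (111, "syscall", "proc:1010", "read",       "file:/sdcard/Download/clock.apk"),
    (115, "syscall", "proc:1010", "write",      "file:/data/app/com.lge.clock/base.apk"),
    (120, "syscall", "proc:3052", "exec",       "file:/data/app/com.lge.clock/base.apk"),
    (150, "syscall", "proc:2001", "read",       "file:/data/data/com.android.email/cache"),
    (200, "api",     "proc:3052", "setEnabled", "proc:1010"),  # hides the launcher icon
    (201, "binder",  "proc:3052", "query",      "svc:ContentProvider/contacts"),
    (202, "binder",  "proc:3052", "query",      "svc:ContentProvider/sms"),
    (203, "syscall", "proc:3052", "write",      "file:/data/data/com.lge.clock/databases/info.db"),
    (204, "syscall", "proc:3052", "send",       "sock:198.51.100.7:443"),
    (300, "syscall", "proc:2001", "write",      "file:/sdcard/Download/clock.apk"),  # later: unrelated
]


def build_db(events=SAMPLE_EVENTS):
    """Load all three layers into one SQLite table and expose them as directed edges."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events(ts INTEGER, layer TEXT, actor TEXT, op TEXT, obj TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", events)
    inbound = ", ".join(f"'{op}'" for op, d in EDGE_DIRECTION.items() if d == "in")
    con.execute(f"""
        CREATE VIEW edges AS
        SELECT ts, layer, op,
               CASE WHEN op IN ({inbound}) THEN obj   ELSE actor END AS src,
               CASE WHEN op IN ({inbound}) THEN actor ELSE obj   END AS dst
        FROM events""")
    return con


def _track(con, start, ts, backward):
    """Breadth-first causal tracking under the global-timestamp constraint: a cause
    must precede its effect (ts <= t going backward), an effect must follow (ts >= t)."""
    if backward:
        sql = "SELECT ts, layer, op, src, dst FROM edges WHERE dst = ? AND ts <= ?"
    else:
        sql = "SELECT ts, layer, op, src, dst FROM edges WHERE src = ? AND ts >= ?"
    window = {start: ts}  # widest time bound explored so far, per node
    queue = deque([(start, ts)])
    graph = set()
    while queue:
        node, t = queue.popleft()
        for row in con.execute(sql, (node, t)):
            ets, _, _, src, dst = row
            graph.add(row)
            nxt = src if backward else dst
            # Re-explore a node only when this edge widens its time window.
            if nxt not in window or (ets > window[nxt] if backward else ets < window[nxt]):
                window[nxt] = ets
                queue.append((nxt, ets))
    return sorted(graph)


def backward(con, node, ts):
    """Where did `node`, as it existed at `ts`, come from? (entry point of the attack)"""
    return _track(con, node, ts, backward=True)


def forward(con, node, ts):
    """What did `node` influence after `ts`? (damage done by the attack)"""
    return _track(con, node, ts, backward=False)


def nodes(graph):
    return {n for _, _, _, src, dst in graph for n in (src, dst)}


def to_dot(graph):
    """Render the unified causal graph as Graphviz DOT, one edge per logged event."""
    lines = ["digraph causal {"]
    for ts, layer, op, src, dst in graph:
        lines.append(f'  "{src}" -> "{dst}" [label="{ts} {layer}:{op}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    con = build_db()
    # What left the device over the socket, and how did the sending process get there?
    print(to_dot(backward(con, "sock:198.51.100.7:443", 204)))
    # What did pid 3052 touch from the moment it started hiding itself?
    print(to_dot(forward(con, "proc:3052", 200)))
```

Backward tracking from the outbound socket reaches the contacts and SMS providers (via the Binder layer), the package install (system call layer) and the ad click in the browser (API layer) in one graph, while the later, unrelated write to clock.apk by pid 2001 is pruned by the timestamp constraint; forward tracking from pid 3052 yields only the icon hiding, the SQLite file and the socket. The direction rule is the part that needs real care in practice: an `exec` or Binder `query` is modelled as data flowing into the caller, and getting such rules wrong silently breaks both tracking directions.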

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    12 pages