The document discusses CopperDroid, a project that aims to reconstruct the behaviors of Android apps through dynamic analysis. It provides background on the speaker, Lorenzo Cavallaro, and his affiliations. It also discusses the MobSec project, which uses techniques like CopperDroid to analyze mobile threats and develop mitigations.
Report
Share
Report
Share
1 of 76
Download to read offline
More Related Content
CopperDroid - On the Reconstruction of Android Apps Behaviors
1. COPPERDROID
On the Reconstruction of Android Apps Behaviors
March 21, 2014
FACE Kick-Off Meeting
Lorenzo Cavallaro
Information Security Group
Royal Holloway University of London
2. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
WHO AM I?
Post-doc researcher, VU Amsterdam, working with:
(Jan 2010—Dec 2011)
→ Prof. Andy Tanenbaum
(OS dependability)
→ Prof. Herbert Bos
(memory errors, malware analysis, and taint analysis)
Post-doc researcher, UC at Santa Barbara, working with:
(Apr 2008—Jan 2010)
→ Prof. Giovanni Vigna and Prof. Christopher Kruegel
(malware analysis and detection)
Visiting PhD student, Stony Brook University, working with:
(Sep 2006—Feb 2008)
→ Prof. R. Sekar
(memory errors protections, taint analysis, malware analysis)
2
3. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
WHO AM I?
Post-doc researcher, VU Amsterdam, working with:
(Jan 2010—Dec 2011)
→ Prof. Andy Tanenbaum
(OS dependability)
→ Prof. Herbert Bos
(memory errors, malware analysis, and taint analysis)
Post-doc researcher, UC at Santa Barbara, working with:
(Apr 2008—Jan 2010)
→ Prof. Giovanni Vigna and Prof. Christopher Kruegel
(malware analysis and detection)
Visiting PhD student, Stony Brook University, working with:
(Sep 2006—Feb 2008)
→ Prof. R. Sekar
(memory errors protections, taint analysis, malware analysis)
..
Jan 2012 Lecturer (∼Assistant Professor) in the ISG
Jan 2014 Senior Lecturer (∼Associate Professor) in the ISG
Information Security Group, Royal Holloway University of London
<lorenzo.cavallaro@rhul.ac.uk> — http://www.isg.rhul.ac.uk/sullivan
2
8. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
ROYAL HOLLOWAY UNIVERSITY OF LONDON
Founded in 1879 by Thomas Holloway
→ Entrepreneur and Philanthropist
→ Holloway's pills and ointments
Located in Egham, Surrey, close to LHR and London
7
9. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
ROYAL HOLLOWAY UNIVERSITY OF LONDON (CONT.)
Royal status in 1886 by Queen Victoria
Three faculties, 18 academic departments, 9,000+
undergraduate and postgraduate students from over 100
different countries
Academic Centre of Excellence in Cyber Security Research
Centre for Doctoral Training in Cyber Security
8
11. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH
Goal
To enhance the Information Security Group's research activities
at Royal Holloway, establishing a Systems Security Lab (S2Lab)
10
12. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH > PROJECTS
Goal
To enhance the Information Security Group's research activities
at Royal Holloway, establishing a Systems Security Lab (S2Lab)
1. CySeCa: Cyber Security Cartography (co-I)
→ Oct 2012—Apr 2016
2. Botnet: Mining the Network Behaviors of Bots (PI)
→ Jun 2013—2016
3. MobSec: Mobile and Malware in the Mobile Age (PI)
→ Jun 2014—2018
Soon available at http://s2lab.isg.rhul.ac.uk (WIP)
10
13. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH > PROJECT > MOBSEC
Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1)
Goals
MobSec aims at exploring mobile-related threats,
developing comprehensive mitigation techniques
1. Mobile application analyses to understand the threat, e.g.:
→ Comprehensive reconstruction of Android apps behaviors
→ Identification of malware-triggered actions
→ Stimulation of complex UI interactions
2. Evasion-resistant information leakage solutions
11
14. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH > PROJECT > MOBSEC
Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1)
Goals
MobSec aims at exploring mobile-related threats,
developing comprehensive mitigation techniques
3. Detection of malicious mobile applications and automatic
enforcement of fine-grained security policies
4. Hardware-supported virtualization to provide efficient
in-device protection against mobile threats
11
15. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH > PROJECT > MOBSEC > PEOPLE
Dr Lorenzo Cavallaro
→ Principal Investigator
→ Information Security Group at Royal Holloway
University of London
Dr Johannes Kinder
→ Co-Investigator
→ Department of Computer Science at Royal Holloway
University of London
Dr Igor Muttik
→ Project Partner
→ Senior Principal Architect at Intel Security (McAfee Labs UK)
12
16. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESEARCH > PROJECT > MOBSEC > PEOPLE
Dr Lorenzo Cavallaro
→ Principal Investigator
→ Information Security Group at Royal Holloway
University of London
Dr Johannes Kinder
→ Co-Investigator
→ Department of Computer Science at Royal Holloway
University of London
Dr Igor Muttik
→ Project Partner
→ Senior Principal Architect at Intel Security (McAfee Labs UK)
..
In addition…
Kimberly Tam, PhD student in the ISG at Royal
Holloway
Salahuddin J. Khan, PhD student in the ISG at Royal
Holloway
Collaboration with:
→ Università degli Studi di Milano, Italy
→ Politecnico di Milano, Italy
I am hiring: 2 PostDoc Research Assistants!
12
20. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
MCAFEE Q2 2013
..
1. Banking malware
2. (Fake) adult entertainment and dating apps
3. Weaponized legitimate apps that steal user data
4. Fake app installers that actually install spyware
Can current techniques deal with this (new) threat?
15
21. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
THE (NOT SO SHORT) INTRODUCTION TO ANDROID
Modified Linux kernel
Android apps written (mostly) in Java and run in a Java-like
(Dalvik) VM as userspace processes
Native code may be executed through JNI or native (NDK)
Apps logically divided in components
→ Activity, e.g., GUI components
→ Services, similar to UNIX daemons
→ Broadcast Receivers, to act upon the receipt of specific
events, e.g., phone call, SMS
→ Content Providers, storage-agnostic ACL-controlled
abstractions to access data
16
22. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
ANDROID SECURITY MODEL
No application, by default, has permission to perform any
operations that would adversely impact other applications, the
operating system, or the user
17
23. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
ANDROID SECURITY MODEL
No application, by default, has permission to perform any
operations that would adversely impact other applications, the
operating system, or the user
Sandboxing
Every App has its own UID/GID to enforce system-wide DAC
Permissions
To be granted a permission, App must explicitly request it
(e.g., send an SMS, place a call)
17
24. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
ANDROID SECURITY MODEL
No application, by default, has permission to perform any
operations that would adversely impact other applications, the
operating system, or the user
Sandboxing
Every App has its own UID/GID to enforce system-wide DAC
Permissions
To be granted a permission, App must explicitly request it
(e.g., send an SMS, place a call)
All types of applications—Java, native, and hybrid—are sandboxed
in the same way and have the same degree of security from each
other
17
25. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
INTENTS
An abstract representation of an operation to be performed
Intent Meaning per Recipient
Activity: an action that must be performed
(e.g., to send an e-mail, an App will broadcast the
corresponding intent; the email activity will therefore be
executed)
Service: similar to activity
Receiver: a container for received data.
18
29. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
THE BINDER PROTOCOL
IPC/RPC
The Binder protocol enables fast inter-process communication
between Apps or between Apps and the system. It also allows
Apps to invoke other components' functions (e.g., to place a call
or to send a SMS)
AIDL
The Android Interface Definition Language is used to define which
methods of a service can be invoked remotely, among with their
parameters. AIDL specifications for Android's core services are
available online
20
30. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
THE BINDER PROTOCOL
Binder Driver
The Binder protocl core is implemented as a device driver. User-
space processes (Apps) can interact with the driver through the
/dev/binder virtual device
ioctl
ioctls are used to by Apps to interact with Binder. Each ioctl
takes as argument a command and a data buffer
BINDER_WRITE_READ
Allows data to be sent/received among Apps
21
32. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
(ANDROID) MALWARE ANALYSIS: STATIC
..
Static
.
Instrum.
.
VMM
..
ADAM
..
DroidRanger
..
RiskRanker
..
DroidMOSS
.
Pros
• Many information in the Manifest
• Java is relatively easy to decompile
• Potentially ``sees'' the whole behavior
.
Cons
• Obfuscation & Optimization
• Reflection
• Dynamic code, Native code
22
33. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
(ANDROID) MALWARE ANALYSIS: DYNAMIC
..
Static
.
Instrum.
.
VMM
..
DroidScope
..
VetDroid
..
Bouncer
..
ParanoidAndroid
..
ActEVE
..
Aurasium
..
TaintDroid
..
Andrubis
..
DroidBox
.
Pros
• Resilient to obfuscation
• Potentially transparent (VMM)
• Less comples than static
.
Cons
• Code coverage
• VMI can be cumbersome (VMM)
• Instrumentation can be detected
22
34. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
SYSTEM-CALL CENTRIC ANALYSIS OF ANDROID MALWARE?
Traditional Roots
A well-established technique to characterize process behaviours
Can it be applied to Android?
Android architecture is different than traditional devices
Are all the interesting behaviours achieved through system
calls?
→ Dalvic VM
(Android-specific behaviours, e.g., SMS, phone calls)
→ OS interactions
(e.g., creating a file, network communication)
23
35. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
COPPERDROID
Analysis Goal
Automatically reconstructs the behaviors of Android (malicious)
apps
Unified system call-centric analysis
→ Obs: behaviors are eventually achieved via system
interactions
Avoids 2-level (complex) VMIs
Avoids invasive modification of the Android system (in fact,
none)
Android version-independent
Dynamically stimulates Apps to disclose additional behaviors
Extensive evaluation on 2,900+ Android malware
24
36. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
COPPERDROID
Analysis Goal
Automatically reconstructs the behaviors of Android (malicious)
apps
Unified system call-centric analysis
→ Obs: behaviors are eventually achieved via system
interactions
Avoids 2-level (complex) VMIs
Avoids invasive modification of the Android system (in fact,
none)
Android version-independent
Dynamically stimulates Apps to disclose additional behaviors
Extensive evaluation on 2,900+ Android malware
..
Check it out at http://copperdroid.isg.rhul.ac.uk
24
38. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
SYSTEM CALLS ON LINUX ARM
Invoking Syscalls
Like on Intel, on ARM architecture invoking a system call induces
a user-to-kernel transiction.
(current CPL is stored in the cpsr register)
System calls on Linux ARM
On ARM invoked through the swi instruction
(SoftWare Interrupt)
r7 contains the number of the invoked system call
r0-r5 contain parameters
lr contains the return address
26
39. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
TRACKING SYSTEM CALLS
System Call Analysis
Intercept when a system call is invoked
We need to intercept return to user-space too!
There is no SYSEXIT/SYSRET to intercept
Not every system call actually returns to lr
(e.g., exit, execve)
CopperDroid's Approach
instruments QEMU's emulation of the swi instruction
instruments QEMU to intercept every cpsr_write
(Kernel → User)
27
40. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
TRACKING SYSTEM CALLS
System Call Analysis
Intercept when a system call is invoked
We need to intercept return to user-space too!
There is no SYSEXIT/SYSRET to intercept
Not every system call actually returns to lr
(e.g., exit, execve)
CopperDroid's Approach
instruments QEMU's emulation of the swi instruction
instruments QEMU to intercept every cpsr_write
(Kernel → User)
[c5b02000 - 35 - 35 - zygote] fork( ) = 0x125
[c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23
[c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0
[c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0
[c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ...
[c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) =
0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000,
0x3 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000,
0x1 ) = 0x0
[c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks,
0xa24c0 "'0'", 0x1 ) = 0x1
27
41. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BRIDGING THE SEMANTIC GAP
When dealing with out-of-the-box analyses it is essential to
retrieve information about the analyzed system
CopperDroid VMI
CopperDroid inspects the Android kernel to retrieve the follow-
ing:
Process names
PIDs & TIDs
Process resources
…
28
42. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BRIDGING THE SEMANTIC GAP
Observation: when executing kernel code, the base of the stack
points to the current executing thread.
.
29
43. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BRIDGING THE SEMANTIC GAP
Observation: when executing kernel code, the base of the stack
points to the current executing thread.
..
arch/arm/include/asm/thread_info.h
.
#define THREAD_SIZE 8192
static inline struct thread_info *current_thread_info(void)
{
register unsigned long sp asm ("sp");
return (struct thread_info *)(sp & ~(THREAD_SIZE − 1));
}
29
44. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BRIDGING THE SEMANTIC GAP
Observation: when executing kernel code, the base of the stack
points to the current executing thread.
..
struct thread_info
.
struct thread_info {
unsigned long flags;
int preempt_count;
mm_segment_t addr_limit;
struct task_struct *task; /* main task structure */
...
}
29
45. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BRIDGING THE SEMANTIC GAP
Observation: when executing kernel code, the base of the stack
points to the current executing thread.
..
struct task_struct
.
struct task_struct {
volatile long state;
void *stack;
...
pid_t pid;
pid_t tgid;
...
char comm[TASK_COMM_LEN];
...
}
29
46. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
BINDER
The Binder protocol is the core of Android IPC/RPC
Intents are carried through binder
Interactions with the system go through binder
Binder driver enforces (some) permission policies
For example, applications cannot send SMSs on their own, but
must invoke (RPC) the proper system service to do that.
.
30
58. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
AUTOMATIC ANDROID OBJECTS UNMARSHALLING
Primitive types (e.g., String) are easy to unmarshall
→ Limited number of manually-written procedures
A manual-driven approach for complex Android objects is
cumbersome
→ 300+ Android objects (increasing from version to version)
→ Manual-driven approach is error-prone and not scientifically
exciting
We ask to an unmarshalling Oracle!
34
61. Royal Holloway University of London
. . .
S2
Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .
CopperDroid Observed Behaviors Demo Conclusions
RESOURCE RECONSTRUCTOR
Useful to abstract a stream of low-level events into
high-level behaviors
We build a data dependence graph (DPD)
→ Nodes are system calls
→ Edges represent data dependency
We then identify def-use chains to cluster related system
calls together
37