Jean-Marie 'Histausse' Mineau 2025-07-27 23:15:42 +02:00
parent b9d157cb3f
commit 243b9df134
Signed by: histausse
GPG key ID: B66AEEDA9B645AD2

@ -1,4 +1,4 @@
#import "../lib.typ": todo, APK #import "../lib.typ": todo, APK, etal, ART, eg, jm-note
#import "@preview/diagraph:0.3.3": raw-render #import "@preview/diagraph:0.3.3": raw-render
== Android Reverse Engineering Techniques <sec:bg-techniques> == Android Reverse Engineering Techniques <sec:bg-techniques>
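Review bot: the added imports `etal`, `ART`, `eg` and `jm-note` need matching definitions in `../lib.typ`, which this diff does not show; `jm-note` in particular reads as a draft-annotation helper (it is used inline further down as `#jm-note[periodic][meh]`) and should not survive into the final build, so consider keeping it behind the same mechanism as `todo` so that both can be silenced together.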
@ -123,6 +123,8 @@ On the other hand, `UrlRequest.start()` send a request to an external server, ma
If a data-flow is found linking `TelephonyManager.getImei()` to `UrlRequest.start()`, this means the application is potentially leaking a critical information to an external entity, a behavior that is probably not wanted by the user. If a data-flow is found linking `TelephonyManager.getImei()` to `UrlRequest.start()`, this means the application is potentially leaking a critical information to an external entity, a behavior that is probably not wanted by the user.
Data-flow analysis is the subject of many contribution@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid@Arzt2014a. Data-flow analysis is the subject of many contribution@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid@Arzt2014a.
#todo[Describe the different contributions in relations to the issues they tackle]
Static analysis is powerfull as it allows to detects unwanted behavior in an application even is the behavior does not manifest itself when running the application. Static analysis is powerfull as it allows to detects unwanted behavior in an application even is the behavior does not manifest itself when running the application.
Hovewer, static analysis tools must overcom many challenges when analysing Android applications: Hovewer, static analysis tools must overcom many challenges when analysing Android applications:
/ the Java object-oriented paradigm: A call to a method can in fact correspond to a call to any method overriding the original method in subclasses / the Java object-oriented paradigm: A call to a method can in fact correspond to a call to any method overriding the original method in subclasses
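Review bot: the context lines around the new `#todo[Describe the different contributions in relations to the issues they tackle]` placeholder carry typos that this edit could fix in passing: `many contribution` → `many contributions`, `powerfull` → `powerful`, `allows to detects` → `allows detecting`, `even is the behavior` → `even if the behavior`, `Hovewer` → `However`, `overcom` → `overcome`; in the added todo itself, `in relations to` → `in relation to`.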
@ -135,18 +137,50 @@ Hovewer, static analysis tools must overcom many challenges when analysing Andro
The tools can share the backend used to interact with the bytecode. The tools can share the backend used to interact with the bytecode.
For example, Apktool is often called in a subprocess to extracte the bytecode, and the Soot framework is a commonly used both to analyse bytecode and modify it. For example, Apktool is often called in a subprocess to extracte the bytecode, and the Soot framework is a commonly used both to analyse bytecode and modify it.
The most notable user of Soot is Flowdroid. The most notable user of Soot is Flowdroid. #todo[formulation]
=== Dynamic Analysis <sec:bg-dynamic> === Dynamic Analysis <sec:bg-dynamic>
#todo[y a du boulot] The alternative to static analysis is dynamic analysis.
With dynamic analysis, the application is actually executed.
The most simple strategies consist in just running the application and examining its behavior.
For instance, Shao #etal #todo[cit] capture the network communication of an application and analyse those traces, while Bhatia #etal #todo[cit] take #jm-note[periodic][meh] snapshots of the memory to deduce the beavior of the application #todo[check the papers].
More advanced methods are more intrusive and require modifing either the #APK, the Android framework, runtime, or kernel.
TaintDroid #todo[cit] for example modify the Dalvik Virtual Machine (the predecessor of the #ART) to track the data flow of an application at runtime, while AndroBlare #todo[cit] try to compute the taint flow by hooking system calls from a kernel module. #todo[check papers]
#todo[RealDroid?]
Modifying the Android framwork, runtime or kernel is possible thanks to the Android project beeing opensource, however this is delicate operation.
Thus, a common issue faced by tools that took this approach is that they are stuck with a specific version of Android.
DroidScope@droidscope180237 and CopperDroid@Tam2015 are two well known sandbox faced with this issue. #todo[check, and add android version]
To limit this problem, other sandbox focus on hooking strategies, like DroidHook and Mirage #todo[cit, check paper], based on the Xposed framework, and CamoDroid #todo[cit and check], based on Frida.
Another known challenge when analysing an application dynamically is the code coverage: if some part of the application is not executed, it cannot be annalysed.
Considering that Android applications are meant to interact with a user, this can become problematic for automatic analysis.
#todo[runner considered]
GroddDroid use static analysis to use static analysis to find suspicious code section and then use this information to guide a runner that uses the #todo[whatisnameagain?] framework to triger those suspicious section of code.
More challenging, some application will try to detect is they are in a sandbox environnement (#eg if they are in an emmulator, or if Frida is present in memory) and will refuse to run some sections of code if this is the case.
#todo[name] #etal @ruggia_unmasking_2024 make a list of evation techniques.
They show that most current analysis framework failled to hide themself correctly and introduce a new sandbox, DroidDungeon, that do avoid detection. #todo[limitation?]
#todo[force execution?]
// Shao et al. Yuru Shao, Jason Ott, Yunhan Jack Jia, Zhiyun Qian, and Z Morley Mao. The Misuse of Android Unix Domain Sockets and Security Implications. In: ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria: ACM, Oct. 2016, pp. 8091.
// Bhatia et al. Rohit Bhatia, Brendan Saltaformaggio, Seung Jei Yang, Aisha Ali-Gombe, Xiangyu Zhang, Dongyan Xu, and Golden G Richard III. "Tipped Off by Your Memory Allocator": Device-Wide User Activity Sequencing from Android Memory Images. In: (Feb. 2018).
- #todo[evasion: droid DroidDungeon @ruggia_unmasking_2024] - #todo[evasion: droid DroidDungeon @ruggia_unmasking_2024]
- #todo[DroidScope@droidscope180237 and CopperDroid@Tam2015]
- #todo[Xposed: DroidHook / Mirage: Toward a stealthier and modular malware analysis sandbox for android] - #todo[Xposed: DroidHook / Mirage: Toward a stealthier and modular malware analysis sandbox for android]
- #todo[Frida: CamoDroid] - #todo[Frida: CamoDroid]
- #todo[modified android framework: RealDroid] - #todo[
modified android framework, framework or kernel:
- RealDroid
- AndroBlare, taint analysis, linux module to hook syscalls, c'est maison
Radoniaina Andriatsimandefitra and Valérie Viet Triem Tong. Detection and identification of Android malware based on information flow monitoring. In: 2nd International Conference on Cyber Security and
Cloud Computing. New York, USA: IEEE, Jan. 2015, pp. 200203.
Radoniaina Andriatsimandefitra, Stéphane Geller, and Valérie Viet Triem Tong. Designing information flow policies for Androids operating system. In: IEEE International conference on communications.Ottawa, ON, Canada: IEEE, June 2012, pp. 976981.
- TaintDroid (check if dynamic? strange, cf Reaves et al) modifies the Dalvik Virtual Machine (DVM) interpreter to manage taint
]
=== Hybrid Analysis <sec:bg-hybrid> === Hybrid Analysis <sec:bg-hybrid>
#todo[merge with other section?]
- #todo[DyDroid, audit of Dynamic Code Loading@qu_dydroid_2017] - #todo[DyDroid, audit of Dynamic Code Loading@qu_dydroid_2017]
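Review bot: the GroddDroid sentence duplicates its opening clause (`GroddDroid use static analysis to use static analysis to find suspicious code section`) and should read `GroddDroid uses static analysis to find suspicious code sections`; the `#todo[whatisnameagain?]` for the runner framework still needs resolving before the sentence makes sense. The trailing todo `TaintDroid (check if dynamic? strange, cf Reaves et al)` is already answered by the new prose a few lines above, which states that TaintDroid modifies the Dalvik Virtual Machine `to track the data flow of an application at runtime`, so either that doubt or the prose should be reconciled before the todo block is dropped. The two commented-out bibliography entries (`// Shao et al. ...`, `// Bhatia et al. ...`) and the Andriatsimandefitra references pasted into the todo block belong in the bibliography file as `@key` citations like the rest of the chapter, which would also resolve the `#todo[cit]` placeholders on the Shao, Bhatia, TaintDroid, AndroBlare, DroidHook/Mirage and CamoDroid sentences. Spelling and grammar in the new paragraph: `beavior` → `behavior`, `modifing` → `modifying`, `modify the Dalvik` → `modifies the Dalvik`, `try to compute` → `tries to compute`, `framwork` → `framework`, `beeing opensource` → `being open source`, `this is delicate operation` → `this is a delicate operation`, `two well known sandbox` → `two well-known sandboxes`, `other sandbox focus` → `other sandboxes focus`, `annalysed` → `analysed`, `triger` → `trigger`, `detect is they are` → `detect if they are`, `environnement` → `environment`, `emmulator` → `emulator`, `evation` → `evasion`, `failled to hide themself` → `failed to hide themselves`, `that do avoid detection` → `that avoids detection`; and `#jm-note[periodic][meh]` plus `#todo[name] #etal @ruggia_unmasking_2024` are draft markers that need to be filled in.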