wip
This commit is contained in:
parent
b9d157cb3f
commit
243b9df134
GPG key ID:
B66AEEDA9B645AD2
1 changed files with 39 additions and 5 deletions
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": todo, APK
|
||||
#import "../lib.typ": todo, APK, etal, ART, eg, jm-note
|
||||
#import "@preview/diagraph:0.3.3": raw-render
|
||||
|
||||
== Android Reverse Engineering Techniques <sec:bg-techniques>
|
||||
|
|
@ -123,6 +123,8 @@ On the other hand, `UrlRequest.start()` send a request to an external server, ma
|
|||
If a data-flow is found linking `TelephonyManager.getImei()` to `UrlRequest.start()`, this means the application is potentially leaking a critical information to an external entity, a behavior that is probably not wanted by the user.
|
||||
Data-flow analysis is the subject of many contribution@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid@Arzt2014a.
|
||||
|
||||
#todo[Describe the different contributions in relations to the issues they tackle]
|
||||
|
||||
Static analysis is powerfull as it allows to detects unwanted behavior in an application even is the behavior does not manifest itself when running the application.
|
||||
Hovewer, static analysis tools must overcom many challenges when analysing Android applications:
|
||||
/ the Java object-oriented paradigm: A call to a method can in fact correspond to a call to any method overriding the original method in subclasses
|
||||
|
|
@ -135,18 +137,50 @@ Hovewer, static analysis tools must overcom many challenges when analysing Andro
|
|||
|
||||
The tools can share the backend used to interact with the bytecode.
|
||||
For example, Apktool is often called in a subprocess to extracte the bytecode, and the Soot framework is a commonly used both to analyse bytecode and modify it.
|
||||
The most notable user of Soot is Flowdroid.
|
||||
The most notable user of Soot is Flowdroid. #todo[formulation]
|
||||
|
||||
=== Dynamic Analysis <sec:bg-dynamic>
|
||||
|
||||
#todo[y a du boulot]
|
||||
The alternative to static analysis is dynamic analysis.
|
||||
With dynamic analysis, the application is actually executed.
|
||||
The most simple strategies consist in just running the application and examining its behavior.
|
||||
For instance, Shao #etal #todo[cit] capture the network communication of an application and analyse those traces, while Bhatia #etal #todo[cit] take #jm-note[periodic][meh] snapshots of the memory to deduce the beavior of the application #todo[check the papers].
|
||||
|
||||
More advanced methods are more intrusive and require modifing either the #APK, the Android framework, runtime, or kernel.
|
||||
TaintDroid #todo[cit] for example modify the Dalvik Virtual Machine (the predecessor of the #ART) to track the data flow of an application at runtime, while AndroBlare #todo[cit] try to compute the taint flow by hooking system calls from a kernel module. #todo[check papers]
|
||||
#todo[RealDroid?]
|
||||
|
||||
Modifying the Android framwork, runtime or kernel is possible thanks to the Android project beeing opensource, however this is delicate operation.
|
||||
Thus, a common issue faced by tools that took this approach is that they are stuck with a specific version of Android.
|
||||
DroidScope@droidscope180237 and CopperDroid@Tam2015 are two well known sandbox faced with this issue. #todo[check, and add android version]
|
||||
To limit this problem, other sandbox focus on hooking strategies, like DroidHook and Mirage #todo[cit, check paper], based on the Xposed framework, and CamoDroid #todo[cit and check], based on Frida.
|
||||
|
||||
Another known challenge when analysing an application dynamically is the code coverage: if some part of the application is not executed, it cannot be annalysed.
|
||||
Considering that Android applications are meant to interact with a user, this can become problematic for automatic analysis.
|
||||
#todo[runner considered]
|
||||
GroddDroid use static analysis to use static analysis to find suspicious code section and then use this information to guide a runner that uses the #todo[whatisnameagain?] framework to triger those suspicious section of code.
|
||||
More challenging, some application will try to detect is they are in a sandbox environnement (#eg if they are in an emmulator, or if Frida is present in memory) and will refuse to run some sections of code if this is the case.
|
||||
#todo[name] #etal @ruggia_unmasking_2024 make a list of evation techniques.
|
||||
They show that most current analysis framework failled to hide themself correctly and introduce a new sandbox, DroidDungeon, that do avoid detection. #todo[limitation?]
|
||||
#todo[force execution?]
|
||||
|
||||
// Shao et al. Yuru Shao, Jason Ott, Yunhan Jack Jia, Zhiyun Qian, and Z Morley Mao. ‘The Misuse of Android Unix Domain Sockets and Security Implications’. In: ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria: ACM, Oct. 2016, pp. 80–91.
|
||||
// Bhatia et al. Rohit Bhatia, Brendan Saltaformaggio, Seung Jei Yang, Aisha Ali-Gombe, Xiangyu Zhang, Dongyan Xu, and Golden G Richard III. ‘"Tipped Off by Your Memory Allocator": Device-Wide User Activity Sequencing from Android Memory Images’. In: (Feb. 2018).
|
||||
|
||||
- #todo[evasion: droid DroidDungeon @ruggia_unmasking_2024]
|
||||
- #todo[DroidScope@droidscope180237 and CopperDroid@Tam2015]
|
||||
- #todo[Xposed: DroidHook / Mirage: Toward a stealthier and modular malware analysis sandbox for android]
|
||||
- #todo[Frida: CamoDroid]
|
||||
- #todo[modified android framework: RealDroid]
|
||||
- #todo[
|
||||
modified android framework, framework or kernel:
|
||||
- RealDroid
|
||||
- AndroBlare, taint analysis, linux module to hook syscalls, c'est maison
|
||||
Radoniaina Andriatsimandefitra and Valérie Viet Triem Tong. ‘Detection and identification of Android malware based on information flow monitoring’. In: 2nd International Conference on Cyber Security and
|
||||
Cloud Computing. New York, USA: IEEE, Jan. 2015, pp. 200–203.
|
||||
Radoniaina Andriatsimandefitra, Stéphane Geller, and Valérie Viet Triem Tong. ‘Designing information flow policies for Android’s operating system’. In: IEEE International conference on communications.Ottawa, ON, Canada: IEEE, June 2012, pp. 976–981.
|
||||
- TaintDroid (check if dynamic? strange, cf Reaves et al) modifies the Dalvik Virtual Machine (DVM) interpreter to manage taint
|
||||
]
|
||||
|
||||
=== Hybrid Analysis <sec:bg-hybrid>
|
||||
#todo[merge with other section?]
|
||||
|
||||
- #todo[DyDroid, audit of Dynamic Code Loading@qu_dydroid_2017]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue