wip
This commit is contained in:
parent
243b9df134
commit
c060e88996
GPG key ID:
B66AEEDA9B645AD2
17 changed files with 264 additions and 96 deletions
|
|
@ -6,7 +6,7 @@
|
|||
#todo[swap with tool section ?]
|
||||
|
||||
In the past fifteen years, the research community released many tools to detect or analyze malicious behaviors in applications.
|
||||
Two main approaches can be distinguished: static and dynamic analysis@Li2017.
|
||||
Two main approaches can be distinguished: static and dynamic analysis~@Li2017.
|
||||
Dynamic analysis requires to run the application in a controlled environment to observe runtime values and/or interactions with the operating system.
|
||||
For example, an Android emulator with a patched kernel can capture these interactions but the modifications to apply are not a trivial task.
|
||||
Such approach is limited by the required time to execute a limited part of the application with no guarantee on the obtained code coverage.
|
||||
|
|
@ -18,7 +18,7 @@ For malware, dynamic analysis is also limited by evading techniques that may pre
|
|||
Static analysis program examine an #APK file without executing it to extract information from it.
|
||||
Basic static analysis can include extracting information from the `AndroidManifest.xml` file or decompiling bytecode to Java code.
|
||||
|
||||
More advance analysis consist in the computing the control-flow of an application and computing its data-flow@Li2017.
|
||||
More advance analysis consist in the computing the control-flow of an application and computing its data-flow~@Li2017.
|
||||
|
||||
The most basic form of control-flow analysis is to build a call graph.
|
||||
A call graph is a graph where the nodes represent the methods in the application, and the edges reprensent calls from one method to another.
|
||||
|
|
@ -121,7 +121,7 @@ This can be used to identify the user can cannot be changed if compromised.
|
|||
This make `TelephonyManager.getImei()` a good candidate as a taint source.
|
||||
On the other hand, `UrlRequest.start()` send a request to an external server, making it a taint sink.
|
||||
If a data-flow is found linking `TelephonyManager.getImei()` to `UrlRequest.start()`, this means the application is potentially leaking a critical information to an external entity, a behavior that is probably not wanted by the user.
|
||||
Data-flow analysis is the subject of many contribution@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid@Arzt2014a.
|
||||
Data-flow analysis is the subject of many contribution~@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid~@Arzt2014a.
|
||||
|
||||
#todo[Describe the different contributions in relations to the issues they tackle]
|
||||
|
||||
|
|
@ -143,44 +143,31 @@ The most notable user of Soot is Flowdroid. #todo[formulation]
|
|||
|
||||
The alternative to static analysis is dynamic analysis.
|
||||
With dynamic analysis, the application is actually executed.
|
||||
The most simple strategies consist in just running the application and examining its behavior.
|
||||
For instance, Shao #etal #todo[cit] capture the network communication of an application and analyse those traces, while Bhatia #etal #todo[cit] take #jm-note[periodic][meh] snapshots of the memory to deduce the beavior of the application #todo[check the papers].
|
||||
The most simple strategies consist in just running the application and examining its behavior.
|
||||
For instance, Bernardi #etal~@bernardi_dynamic_2019 use the log generated by `strace` to list the system calls generated in responce to an event to determine if an application is malicious.
|
||||
|
||||
More advanced methods are more intrusive and require modifing either the #APK, the Android framework, runtime, or kernel.
|
||||
TaintDroid #todo[cit] for example modify the Dalvik Virtual Machine (the predecessor of the #ART) to track the data flow of an application at runtime, while AndroBlare #todo[cit] try to compute the taint flow by hooking system calls from a kernel module. #todo[check papers]
|
||||
#todo[RealDroid?]
|
||||
|
||||
TaintDroid~@Enck2010 for example modify the Dalvik Virtual Machine (the predecessor of the #ART) to track the data flow of an application at runtime, while AndroBlare~@Andriatsimandefitra2012 @andriatsimandefitra_detection_2015 try to compute the taint flow by hooking system calls using a Linux Security Module.
|
||||
DexHunter~@zhang2015dexhunter and AppSpear~@yang_appspear_2015 also patch the Dalvik Virtual Machine/#ART, this time to collect bytecode loaded dynamically.
|
||||
Modifying the Android framwork, runtime or kernel is possible thanks to the Android project beeing opensource, however this is delicate operation.
|
||||
Thus, a common issue faced by tools that took this approach is that they are stuck with a specific version of Android.
|
||||
DroidScope@droidscope180237 and CopperDroid@Tam2015 are two well known sandbox faced with this issue. #todo[check, and add android version]
|
||||
To limit this problem, other sandbox focus on hooking strategies, like DroidHook and Mirage #todo[cit, check paper], based on the Xposed framework, and CamoDroid #todo[cit and check], based on Frida.
|
||||
Some sandboxes limit this issue by using dynamic binary instrumentation, like DroidHook~@cui_droidhook_2023, based the Xposed framework, or CamoDroid~@faghihi_camodroid_2022, based on Frida.
|
||||
|
||||
Another known challenge when analysing an application dynamically is the code coverage: if some part of the application is not executed, it cannot be annalysed.
|
||||
Considering that Android applications are meant to interact with a user, this can become problematic for automatic analysis.
|
||||
#todo[runner considered]
|
||||
GroddDroid use static analysis to use static analysis to find suspicious code section and then use this information to guide a runner that uses the #todo[whatisnameagain?] framework to triger those suspicious section of code.
|
||||
More challenging, some application will try to detect is they are in a sandbox environnement (#eg if they are in an emmulator, or if Frida is present in memory) and will refuse to run some sections of code if this is the case.
|
||||
#todo[name] #etal @ruggia_unmasking_2024 make a list of evation techniques.
|
||||
They show that most current analysis framework failled to hide themself correctly and introduce a new sandbox, DroidDungeon, that do avoid detection. #todo[limitation?]
|
||||
The Monkey tool developed by Google is one of the most used solution~@sutter_dynamic_2024.
|
||||
It sends a random streams of events the phone without tracking the state of the application.
|
||||
More advance tools statically analyse the application to model in order to improve the exploration.
|
||||
Sapienz~@mao_sapienz_2016 and Stoat~@su_guided_2017 uses this technique to improve application testing.
|
||||
GroddDroid~@abraham_grodddroid_2015 has the same approach but detect statically suspicious sections of code to target, and will interact with the application to target those code section.
|
||||
|
||||
Unfortuntely, exploring the application entirely is not always possible, as some applications will try to detect is they are in a sandbox environnement (#eg if they are in an emmulator, or if Frida is present in memory) and will refuse to run some sections of code if this is the case.
|
||||
Ruggia #etal~@ruggia_unmasking_2024 make a list of evasion techniques.
|
||||
They propose a new sandbox, DroidDungeon, that contrary to other sandboxes like DroidScope@droidscope180237 or CopperDroid@Tam2015, strongly emphasizes on resiliance against evasion mechanism.
|
||||
#todo[RealDroid sandbox bases on modified ART?]
|
||||
#todo[force execution?]
|
||||
|
||||
// Shao et al. Yuru Shao, Jason Ott, Yunhan Jack Jia, Zhiyun Qian, and Z Morley Mao. ‘The Misuse of Android Unix Domain Sockets and Security Implications’. In: ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria: ACM, Oct. 2016, pp. 80–91.
|
||||
// Bhatia et al. Rohit Bhatia, Brendan Saltaformaggio, Seung Jei Yang, Aisha Ali-Gombe, Xiangyu Zhang, Dongyan Xu, and Golden G Richard III. ‘"Tipped Off by Your Memory Allocator": Device-Wide User Activity Sequencing from Android Memory Images’. In: (Feb. 2018).
|
||||
|
||||
- #todo[evasion: droid DroidDungeon @ruggia_unmasking_2024]
|
||||
- #todo[Xposed: DroidHook / Mirage: Toward a stealthier and modular malware analysis sandbox for android]
|
||||
- #todo[Frida: CamoDroid]
|
||||
- #todo[
|
||||
modified android framework, framework or kernel:
|
||||
- RealDroid
|
||||
- AndroBlare, taint analysis, linux module to hook syscalls, c'est maison
|
||||
Radoniaina Andriatsimandefitra and Valérie Viet Triem Tong. ‘Detection and identification of Android malware based on information flow monitoring’. In: 2nd International Conference on Cyber Security and
|
||||
Cloud Computing. New York, USA: IEEE, Jan. 2015, pp. 200–203.
|
||||
Radoniaina Andriatsimandefitra, Stéphane Geller, and Valérie Viet Triem Tong. ‘Designing information flow policies for Android’s operating system’. In: IEEE International conference on communications.Ottawa, ON, Canada: IEEE, June 2012, pp. 976–981.
|
||||
- TaintDroid (check if dynamic? strange, cf Reaves et al) modifies the Dalvik Virtual Machine (DVM) interpreter to manage taint
|
||||
]
|
||||
|
||||
=== Hybrid Analysis <sec:bg-hybrid>
|
||||
#todo[merge with other section?]
|
||||
|
||||
- #todo[DyDroid, audit of Dynamic Code Loading@qu_dydroid_2017]
|
||||
- #todo[DyDroid, audit of Dynamic Code Loading~@qu_dydroid_2017]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue