wip

2_background/3_analysis_techniques.typ

@@ -1,4 +1,5 @@
 #import "../lib.typ": todo, APK
+#import "@preview/diagraph:0.3.3": raw-render
 
 == Android Reverse Engineering Techniques <sec:bg-techniques>
 
@@ -14,13 +15,117 @@ For malware, dynamic analysis is also limited by evading techniques that may pre
 
 === Static Analysis <sec:bg-static>
 
-Static analysis tools are used to perform operations on an #APK file, like extracting its bytecode or information from the `AndroidManifest.xml` file.
+Static analysis program examine an #APK file without executing it to extract information from it.
+Basic static analysis can include extracting information from the `AndroidManifest.xml` file or decompiling bytecode to Java code.
 
-#todo[Explain controle flow graph, data flow graph, and link to tools?]
+More advance analysis consist in the computing the control-flow of an application and computing its data-flow@Li2017.
 
-A classic goal of a static analysis is to compute data flows to detect potential information leaks@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015 by analyzing the bytecode of an Android application.
+The most basic form of control-flow analysis is to build a call graph.
+A call graph is a graph where the nodes represent the methods in the application, and the edges reprensent calls from one method to another.
+@fig:bg-fizzbuzz-cg-cfg b) show the call graph of the code in @fig:bg-fizzbuzz-cg-cfg a).
+A more advance control-flow analysis consist in building the control-flow graph.
+This times instead of methods, the nodes represent instructions, and the edges indicate which instruction can follow which instruction.
+@fig:bg-fizzbuzz-cg-cfg c) represent the control-flow graph of @fig:bg-fizzbuzz-cg-cfg a), with code statement instead of bytecode instructions.
 
-Static analysis tools for Android application must overcom many difficulties:
+#figure({
+  set align(center)
+  stack(dir: ttb,[
+  #figure(
+    ```java
+    public static void fizzBuzz(int n) {
+      for (int i = 1; i <= n; i++) {
+        if (i % 3 == 0 && i % 5 == 0) {
+          Buzzer.fizzBuzz();
+        } else if (i % 3 == 0) {
+          Buzzer.fizz();
+        } else if (i % 5 == 0) {
+          Buzzer.buzz();
+        } else {
+          Log.e("fizzbuzz", String.valueOf(i));
+        }
+      }
+    }
+    ```,
+    supplement: none,
+    kind: "bg-fizzbuzz-cg-cfg subfig",
+    caption: [a) A Java program],
+  ) <fig:bg-fizzbuzz-java>], v(2em), stack(dir: ltr, [
+  #figure(
+    raw-render(```
+      digraph {
+        rankdir=LR
+        "fizzBuzz(int)" -> "Buzzer.fizzBuzz()"
+        "fizzBuzz(int)" -> "Buzzer.fizz()"
+        "fizzBuzz(int)" -> "Buzzer.buzz()"
+        "fizzBuzz(int)" -> "String.valueOf(int)"
+        "fizzBuzz(int)" -> "Log.e(String, String)"
+      }
+      ```,
+      width: 40%
+    ),
+    supplement: none,
+    kind: "bg-fizzbuzz-cg-cfg subfig",
+    caption: [b) Corresponding Call Graph]
+  ) <fig:bg-fizzbuzz-cg>],[
+  #figure(
+    raw-render(```
+      digraph {
+        l1
+        l2
+        l3
+        l4
+        l5
+        l6
+        l7
+        l9
+  
+        l1 -> l2
+        l2 -> l3
+        l3 -> l1
+        l2 -> l4
+        l4 -> l5
+        l5 -> l1
+        l4 -> l6
+        l6 -> l7
+        l7 -> l1
+        l6 -> l9
+        l9 -> l1
+      }
+      ```,
+      labels: (
+        "l1": `for (int i = 1; i <= n; i++) {`,
+        "l2": `if (i % 3 == 0 && i % 5 == 0) {`,
+        "l3": `Buzzer.fizzBuzz();`,
+        "l4": `} else if (i % 3 == 0) {`,
+        "l5": `Buzzer.fizz();`,
+        "l6": `} else if (i % 5 == 0) {`,
+        "l7": `Buzzer.buzz();`,
+        "l9": `Log.e("fizzbuzz", String.valueOf(i));`,
+      ),
+      width: 50%
+    ),
+    supplement: none,
+    kind: "bg-fizzbuzz-cg-cfg subfig",
+    caption: [c) Corresponding Control-Flow Graph]
+  ) <fig:bg-fizzbuzz-cfg>]))
+  h(1em)},
+  supplement: [Figure],
+  caption: [Source code for a simple Java method and its Call and Control Flow Graphs],
+)<fig:bg-fizzbuzz-cg-cfg>
+
+Once the control-flow graph is computed, it can be used to compute data-flows.
+Data-flow analysis, also called taint-tracking, allows to follow the flow of information in the application.
+Be defining a list of methods and fields that can generate critical information (taint sources) and a list of method that can consume information (taint sink), taint-tracking allows to detect potential data leak (if a data flow link a taint source and a taint sink).
+For example, `TelephonyManager.getImei()` is return an unique, persistent, device identifier.
+This can be used to identify the user can cannot be changed if compromised.
+This make `TelephonyManager.getImei()` a good candidate as a taint source.
+On the other hand, `UrlRequest.start()` send a request to an external server, making it a taint sink.
+If a data-flow is found linking `TelephonyManager.getImei()` to `UrlRequest.start()`, this means the application is potentially leaking a critical information to an external entity, a behavior that is probably not wanted by the user.
+Data-flow analysis is the subject of many contribution@weiAmandroidPreciseGeneral2014 @titzeAppareciumRevealingData2015 @bosuCollusiveDataLeak2017 @klieberAndroidTaintFlow2014 @DBLPconfndssGordonKPGNR15 @octeauCompositeConstantPropagation2015 @liIccTADetectingInterComponent2015, the most notable source being Flowdroid@Arzt2014a.
+
+Static analysis is powerfull as it allows to detects unwanted behavior in an application even is the behavior does not manifest itself when running the application.
+Hovewer, static analysis tools must overcom many challenges when analysing Android applications:
+/ the Java object-oriented paradigm: A call to a method can in fact correspond to a call to any method overriding the original method in subclasses
 / the multiplicity of entry points: Each component of an application can be an entry point for the application
 / the event driven architecture: Methods of in the applications can be called in many different order depending on external events
 / the interleaving of native code and bytecode: Native code can be called from bytecode and vice versa, but tools often only handle one of those format
@@ -29,13 +134,19 @@ Static analysis tools for Android application must overcom many difficulties:
 / the continual evolution of Android: each new version brings new features that an analysis tools must be aware of
 
 The tools can share the backend used to interact with the bytecode. 
-For example, Apktool is often called in a subprocess to extracte the bytecode. 
-Another example is Soot@Arzt2013, a Java framework that allows to manipulate the bytecode from an object representation of instructions. 
-The most known tool built on top of Soot is FlowDroid@Arzt2014a, which enables to compute information flows statically into the code. 
+For example, Apktool is often called in a subprocess to extracte the bytecode, and the Soot framework is a commonly used both to analyse bytecode and modify it.
+The most notable user of Soot is Flowdroid.
 
 === Dynamic Analysis <sec:bg-dynamic>
 
 #todo[y a du boulot]
 
+- #todo[evasion: droid DroidDungeon @ruggia_unmasking_2024]
+- #todo[DroidScope@droidscope180237 and CopperDroid@Tam2015]
+- #todo[Xposed: DroidHook / Mirage: Toward a stealthier and modular malware analysis sandbox for android]
+- #todo[Frida: CamoDroid]
+- #todo[modified android framework: RealDroid]
+
 === Hybrid Analysis <sec:bg-hybrid>
 
+- #todo[DyDroid, audit of Dynamic Code Loading@qu_dydroid_2017]