Internship Title
Digging deeper: In-hardware dynamic analysis of Android applications
Areas of Specialization
Software Engineering
Internship Location
DEI-FCTUC
Background
Malware has been evolving to target smartphones and tablets as well. This evolution has occurred because mobile devices contain sensitive data and are becoming ubiquitous, which makes them a substantial threat to users. Dynamic program-analysis techniques are used to observe the actions (e.g., system or API calls) taken by a malicious application, for instance to recognize signs of malicious sequences. Typically, dynamic tracing leverages a virtualized or emulated environment to observe the execution while remaining invisible to the malware. However, there are several techniques that malware can exploit to figure out that it is running under a virtual environment, and then show no malicious behavior, so as to appear benign to the observer.
Objective
We propose to eradicate the aforementioned problem by creating an in-hardware dynamic program-analysis framework for tracing the execution of Android application processes. The rationale is that, since the application runs on real hardware, the existing environment-fingerprinting techniques will fail. Our idea is to leverage the availability of low-cost development boards and smartphones, equipped with JTAG debugging interfaces, that run Android. Building upon the introspection data that can be extracted via the JTAG interfaces (e.g., CPU instructions, hardware state, power consumption), we will adapt existing techniques to reconstruct the interesting high-level OS events (e.g., system calls). One technical obstacle that we will need to overcome is the absence of the rollback procedures (e.g., filesystem or memory snapshots) that are typically available in emulated or virtualized environments.
Work Plan - Semester 1
The management is organized in Tasks (T), which will be checkpointed with weekly remote meetings. The completion month (M) is indicated.
T1 (M1, Literature review): The student will read and become familiar with the literature on virtual-machine introspection for dynamic tracing [1, 2, 3, 4] and environment fingerprinting techniques [5, 6]. Possibly, the student will find new literature and expand the proposed list. The outcome of this task is a short presentation given by the student.
T2 (M2, Technical tools review and selection): The student will investigate the existing tools (e.g., OpenOCD), development boards (e.g., Wandboard), and smartphones (e.g., http://easy-jtag.com/?page_id=35) that can run unmodified versions of Android and are able to provide the relevant introspection data. The outcome of this task is a decision about the two most promising technical tools and hardware that will be used. The decision will be guided by the ease of extracting the richest set of introspection data. At the end of this task, we expect to have procured the necessary tools and hardware.
T3 (M4, Environment setup and thesis outline draft): The student will set up a lab environment to run unmodified or slightly modified Android (AOSP) on the selected hardware. The environment should make it easy to collect the introspection data required for dynamic tracing. The input of the environment should be an Android application, and the output should be a parsable file. At the minimum, each line should contain the name of the system calls invoked by the process. Each run should be idempotent. The student will create, based on [5, 6], a proof-of-concept Android application that tries to fingerprint the environment, run it in a pilot experiment, and show that it will be unable to fingerprint the new, hardware-based environment. The student will also prepare a concrete outline of the thesis.
Work Plan - Semester 2
T4 (M6, Automation and comparison with existing techniques): The student will automate the tracing, ideally exposing a simple command-line interface. The student will be provided with a large dataset of some thousands of malware samples from a variety of families, which will be analyzed with DroidScope (setup required), CopperDroid (automation required), and the newly created tool. During this analysis, the student will create a quick-n-dirty script (which will not be part of the tool) to find out whether any of the samples in the dataset use any of the fingerprinting techniques described in [5, 6]. During this analysis, the student will debug, tweak and optimize the tool in order to match or overcome the runtime speed of existing techniques, and make sure that the same (or a larger) amount of events is collected. The output of this task is a presentation that describes the details of the comparison.
T5 (M7, Thesis draft): The student will finalize the thesis outline and expand on the presentation delivered the previous month. The outcome will be a draft thesis with a complete literature review, technical description of the implemented system, and initial report of the experiment's results.
T6 (M9, Anti-evasion detection): The results in [5] show that it is already possible to fingerprint existing environments, but new tests on DroidScope or CopperDroid may be needed. Based on [5, 6], the student may be able to create a quick-n-dirty script to automatically insert fingerprinting checks in the MainActivity of existing malware samples, so that they refuse to run, or execute decoy benign functions, in case they detect a virtualized environment. This will make it possible to create an arbitrary number of evasive samples, possibly in a randomized fashion, so as to obtain a good variety of evasive behaviors. The student will repeat the pilot experiment of T3 on the large number of samples so created. We expect that, as part of these tests, the proof-of-concept malware (and the samples found in the wild that use fingerprinting to evade the environment, if any are found in T5) will not only execute the true malicious actions, but will also execute the fingerprinting checks, which will be observable in a transparent way by the analyst, who will be able to conclude that something suspicious happened. In this phase, the same experiments will be run on benign samples, to show that certain system calls, in given sequences (e.g., n-grams), are never found in benign samples, so as to show that the collected traces are useful to train a classifier that can detect true malicious traces. If necessary, and if available, other hardware state information collected via the JTAG may be used to further refine the classification in this task.
T7 (M10, Thesis completion): By the first half of the month, the student will deliver a final draft of the thesis to the advisors for thorough proofreading. Within one week, the advisors will send back a proofread version of the thesis to the student, who will incorporate the comments in the final version.
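The following is an added worked example, not code from the proposal or from the tool it describes. It takes the minimal trace output that T3 specifies (a text file with one system-call name per line) and carries out the n-gram comparison sketched in T6: it collects the n-grams of system calls seen in benign traces and reports those in a suspect trace that never occur in any benign trace, then scores a trace by the fraction of such n-grams. The traces embedded below are constructed for illustration, not real captures, and the score is a deliberately simple stand-in for the classifier T6 envisions.

```python
"""Parse per-line system-call traces (T3 output format) and extract the
system-call n-grams that separate suspect traces from benign ones (T6).

Assumptions (not from the proposal): traces are plain text, one syscall
name per line, blank lines ignored; the sample traces are constructed."""
from collections import Counter

# Constructed sample traces, one syscall name per line as T3 specifies.
BENIGN_TRACES = [
    "openat\nread\nclose\nmmap\nwrite\nclose\n",
    "openat\nfstat\nread\nclose\nwrite\n",
]
SUSPECT_TRACES = [
    "openat\nread\nclose\nsocket\nconnect\nsendto\nunlink\n",
]


def parse_trace(text: str) -> list[str]:
    """Return the ordered syscall names in a trace, skipping blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def ngrams(calls: list[str], n: int) -> list[tuple[str, ...]]:
    """Sliding-window n-grams over the call sequence, in order."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]


def ngram_set(traces: list[str], n: int) -> set[tuple[str, ...]]:
    """Every distinct n-gram observed across a collection of traces."""
    seen: set[tuple[str, ...]] = set()
    for text in traces:
        seen.update(ngrams(parse_trace(text), n))
    return seen


def distinguishing_ngrams(suspect_traces: list[str],
                          benign_traces: list[str],
                          n: int = 2) -> Counter:
    """n-grams present in suspect traces but absent from all benign traces,
    with the number of times each occurred in the suspect set."""
    benign = ngram_set(benign_traces, n)
    counts: Counter = Counter()
    for text in suspect_traces:
        for gram in ngrams(parse_trace(text), n):
            if gram not in benign:
                counts[gram] += 1
    return counts


def score_trace(text: str, distinguishing: Counter, n: int = 2) -> float:
    """Fraction of a trace's n-grams that belong to the distinguishing set.
    0.0 means the trace only contains sequences also seen in benign runs."""
    grams = ngrams(parse_trace(text), n)
    if not grams:
        return 0.0
    hits = sum(1 for gram in grams if gram in distinguishing)
    return hits / len(grams)


if __name__ == "__main__":
    # Build the distinguishing bigram set from the constructed traces and
    # score both a benign and a suspect trace against it.
    marker = distinguishing_ngrams(SUSPECT_TRACES, BENIGN_TRACES, n=2)
    for gram, count in sorted(marker.items()):
        print(" -> ".join(gram), count)
    print("benign score :", score_trace(BENIGN_TRACES[0], marker))
    print("suspect score:", score_trace(SUSPECT_TRACES[0], marker))
```

On the constructed input, the bigrams `close -> socket`, `socket -> connect`, `connect -> sendto` and `sendto -> unlink` never appear in the benign traces, so the suspect trace scores 4/6 while the benign trace scores 0. Real traces from T4 would replace the embedded strings, and a larger `n` trades sensitivity for specificity.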
[1] Demme, John and Maycock, Matthew and Schmitz, Jared and Tang, Adrian and Waksman, Adam and Sethumadhavan, Simha and Stolfo, Salvatore, 2013. On the feasibility of online malware detection with performance counters. In: Proceedings of the 40th Annual International Symposium on Computer Architecture, pp. 559–570.
[2] Vogl, Sebastian and Eckert, Claudia, 2012. Using hardware performance events for instruction-level monitoring on the x86 architecture. In: Proceedings of the 2012 European Workshop on System Security (EuroSec).
[3] Yan, Lok-Kwong and Yin, Heng, 2012. DroidScope: Seamlessly Reconstructing OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In: Proceedings of USENIX Security.
[4] Reina, Alessandro and Fattori, Aristide and Cavallaro, Lorenzo, 2013. A System Call-Centric Analysis and Stimulation Technique to Automatically Reconstruct Android Malware Behaviors. In: Proceedings of the 6th European Workshop on System Security (EuroSec).
[5] Vidas, Timothy and Christin, Nicolas. Evading Android Runtime Analysis via Sandbox Detection.
[6] Petsas, Thanasis and Voyatzis, Giannis and Athanasopoulos, Elias and Polychronakis, Michalis and Ioannidis, Sotiris, 2014. Rage against the virtual machine: hindering dynamic analysis of Android malware. In: European Workshop on System Security (EuroSec).
Conditions
The work will be performed in the Department of Informatic Engineering of the University of Coimbra (DEI-UC), with the collaboration and advisorship of Prof. Federico Maggi from the Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB) at Politecnico di Milano (POLIMI), Italy. If necessary, short visits will be organized at the respective organizations. DEIB will provide funding for hardware equipment.
Advisor
Federico Maggi
federico.maggi@polimi.it