Program Transformation for Aiding Static Analysis in Android Applications



SLIDE 1

Program Transformation for Aiding Static Analysis in Android Applications

Presented by Zhenyu Ning

SLIDE 2

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 3

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 4

Android JVM

Figure from: https://en.wikipedia.org/wiki/Dalvik_(software)

SLIDE 5

Application Analysis

  • Static Analysis

Decompile the application, and analyze its byte codes.

Tools: dex2jar, jd-gui, etc.

  • Dynamic Analysis

Execute the application in an isolated execution environment, and analyze the execution.

Tools: Android emulator, QEMU, etc.

SLIDE 6

Background

  • Static analysis

FlowDroid, DroidSafe, HornDroid

  • Dynamic analysis

DroidScope, TaintDroid, TaintART

  • Hybrid analysis

Harvester

SLIDE 7

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 8

Motivation

  • Static analysis tools suffer from
      • Code obscuration and packing
      • Self-modifying code
  • Dynamic analysis tools suffer from
      • Implicit taint flows
      • Performance vs. accuracy
      • Large-scale analysis

SLIDE 9

Motivation

  • Use dynamic analysis to solve packed and self-modifying code.
  • Use static analysis to detect implicit flows
  • Make the analysis applicable in large-scale analysis.

SLIDE 10

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 11

Related Work

  • DexHunter
      • Dump Dex file from memory
  • AppSpear
      • Use runtime data structure to rebuild Dex file

Assume there exists a clear boundary between packer’s code and the application’s code

SLIDE 12

SLIDE 13

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 14

Implementation

  • Just-In-Time instruction-level collection
  • Offline reassembling

SLIDE 15

Implementation

  • Code scale
  • Loops
  • Self-modifying code

SLIDE 16

Implementation

  • The bytecode of a method is organized in a 16-bit array
  • A variable dex_pc indicates the index of the executing instruction
  • Solution: Compare instructions with same dex_pc
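The dex_pc comparison from slide 16, sketched as an added example that is not code from the presentation: repeated loop iterations collapse to one stored instruction, and a different instruction at an already-seen dex_pc is flagged as self-modification. The trace format, the choice to open a new code version on a mismatch, the nop fill for never-executed slots, and the sample trace are all assumptions made for illustration.

```python
# Added illustration (not the presenter's tool). Assumed trace format: one
# (dex_pc, code_units) pair per executed instruction, code_units being the
# instruction's 16-bit units.

def collect(trace):
    """Fold a trace into code versions by comparing instructions at equal dex_pc.

    Returns (versions, changes): versions is a list of {dex_pc: code_units};
    changes lists (dex_pc, old_units, new_units) for each detected rewrite.
    """
    versions, changes = [{}], []
    for dex_pc, units in trace:
        current = versions[-1]
        seen = current.get(dex_pc)
        if seen is None:
            current[dex_pc] = units            # first execution of this slot
        elif seen != units:                    # same dex_pc, different bytes
            changes.append((dex_pc, seen, units))
            # Assumption: a rewrite opens a new version seeded from the old one.
            versions.append({**current, dex_pc: units})
        # seen == units: repeated loop iteration, nothing new to store
    return versions, changes


def reassemble(version):
    """Lay one version back into a 16-bit array; unexecuted slots stay 0x0000 (nop)."""
    size = max(pc + len(u) for pc, u in version.items())
    code = [0x0000] * size
    for pc, units in version.items():
        code[pc:pc + len(units)] = units
    return code


# Constructed sample: a countdown loop whose body at dex_pc 1 is rewritten
# before the third iteration.
SAMPLE_TRACE = [
    (0, (0x4012,)),          # const/4 v0, #4
    (1, (0x00D8, 0xFF00)),   # add-int/lit8 v0, v0, #-1
    (3, (0x0039, 0xFFFE)),   # if-nez v0, -2
    (1, (0x00D8, 0xFF00)),   # second iteration, unchanged
    (3, (0x0039, 0xFFFE)),
    (1, (0x00D8, 0xFE00)),   # same dex_pc, literal now #-2: self-modified
    (3, (0x0039, 0xFFFE)),
    (5, (0x000F,)),          # return v0
]

if __name__ == "__main__":
    versions, changes = collect(SAMPLE_TRACE)
    for pc, old, new in changes:
        print(f"dex_pc {pc}: {[hex(u) for u in old]} -> {[hex(u) for u in new]}")
    print([f"{u:04x}" for u in reassemble(versions[-1])])
```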

SLIDE 17

Implementation

SLIDE 18

Implementation

SLIDE 19

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 20

Evaluation on DroidBench

SLIDE 21

Evaluation on DroidBench

SLIDE 22

Evaluation on real-world apps

SLIDE 23

Outline

  • 1. Background
  • 2. Motivation
  • 3. Related work
  • 4. Implementation
  • 5. Evaluation
  • 6. Future work

SLIDE 24

Future work

  • Code coverage
  • Native code
  • Regular JVM in x86

SLIDE 25

Thank you!