st statistical de de ob obfu fusc scation ion for or
play

St Statistical De De-ob obfu fusc scation ion for or Android - PowerPoint PPT Presentation

Jun 02, 2023 β€’105 likes β€’429 views

www.srl.inf.ethz.ch St Statistical De De-ob obfu fusc scation ion for or Android oid Pe Petar Tsankov, ETH Zurich DeGua De uard Team Te Benjamin Veselin Petar Martin Bichsel Raychev Tsankov Vechev Why De-obfuscate Android

  1. www.srl.inf.ethz.ch St Statistical De De-ob obfu fusc scation ion for or Android oid Pe Petar Tsankov, ETH Zurich DeGua De uard Team Te Benjamin Veselin Petar Martin Bichsel Raychev Tsankov Vechev

  2. Why De-obfuscate Android Applications? Android binaries (APKs) (no code available) Open-source (code available) Google Play F-Droid 2

  3. Why De-obfuscate Android Applications? 2.6 M APKs Which APKs are malicious ? Which ones use vulnerable libraries ? 5 K APKs Google Play F-Droid 2

  4. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  5. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c Security Challenges class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Code inspection Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { db = getWritableDatabase(); b = getWritableDatabase(); } } Third-party library detection API names Cursor execSQL (String str) { Cursor c (String str) { … many others remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  6. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Can we reverse Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { layout obfuscation db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names 3

  7. Layout Obfuscation in Android Non-descriptive names Names of API classes/methods package com.example.dbhelper package a.b.c class DBHelper extends SQLiteHelper { class a extends SQLiteHelper { SQLiteDatabase db ; SQLiteDatabase b ; Obfuscate public DBHelper (Context ctx) { public a (Context ctx) { www.apk-deguard.com db = getWritableDatabase(); b = getWritableDatabase(); } } API names Cursor execSQL (String str) { Cursor c (String str) { remain return db .rawQuery(str); return b .rawQuery(str); } } } } Descriptive application- specific names Yes, with roughly 80% accuracy! 3

  8. Demo

  9. www.apk-deguard.com Released in October 2016, so far: > 100GB distinct APKs de-obfuscated Reddit posts/comments Tweets . . . 4 . . .

  10. How Does DeGuard Work?

  11. DeGuard: System Overview Learning phase Semantic representation Static Training analysis Probabilistic model 𝑄 ) Open-source, unobfuscated APKs Prediction phase class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{ SQLiteDatabase b ; Static MAP SQLiteDatabase db ; public a (Context ctx) { Transform public DBHelper (Context ctx) { analysis inference b = getWritableDB(); db = getWritableDB(); } } } } De-obfuscated code Obfuscated code 5

  12. Probabilistic Graphical Models

  13. Probabilistic Graphical Models name1 name2 weight 𝑔 SQLiteHelper DBUtils 0.3 ) 𝑔 * SQLiteHelper DBHelper 0.2 class a extends SQLiteHelper { SQLiteHelper a name1 name2 weight SQLiteDatabase b ; extends 𝑔 - DBUtils instance 0.5 public a (Context ctx) { ` field-in 𝑔 . DBHelper db 0.4 b = getWritableDB(); gets getWritableDB b 𝑔 / … … … } } name1 name2 weight 𝑔 + getWritableDB db 0.7 Graph + features define a probabilistic graphical model 𝑔 , getWritableDB instance 0.4 𝑄 𝑏, 𝑐 π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , π‘•π‘“π‘’π‘‹π‘ π‘—π‘’π‘π‘π‘šπ‘“πΈπΆ ) Known variables = 1 SQLiteHelper, getWritableDB π‘Ž exp (0.3 J 𝑔 ) π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 Unknown variables a, b + 0.2 J 𝑔 * π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 + β‹― ) 𝑔 ) , 𝑔 * , . . , 𝑔 Feature functions / 6 For details see report on www.apk-deguard.com

  14. Probabilistic Graphical Models name1 name2 weight 𝑔 SQLiteHelper DBUtils 0.3 ) 𝑔 * SQLiteHelper DBHelper 0.2 class a extends SQLiteHelper { SQLiteHelper a name1 name2 weight SQLiteDatabase b ; extends 𝑔 - DBUtils instance 0.5 public a (Context ctx) { ` field-in 𝑔 . DBHelper db 0.4 Next b = getWritableDB(); gets getWritableDB b 𝑔 / … … … } } How are the features and name1 name2 weight their weights learned? 𝑔 + getWritableDB db 0.7 Graph + features define a probabilistic graphical model 𝑔 , getWritableDB instance 0.4 𝑄 𝑏, 𝑐 π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , π‘•π‘“π‘’π‘‹π‘ π‘—π‘’π‘π‘π‘šπ‘“πΈπΆ ) Known variables = 1 SQLiteHelper, getWritableDB π‘Ž exp (0.3 J 𝑔 ) π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 Unknown variables a, b + 0.2 J 𝑔 * π‘‡π‘…π‘€π‘—π‘’π‘“πΌπ‘“π‘šπ‘žπ‘“π‘ , 𝑏 + β‹― ) 𝑔 ) , 𝑔 * , . . , 𝑔 Feature functions / 6 For details see report on www.apk-deguard.com

  15. Learning

  16. Learning Actual graphs have > 1,000 nodes > 2,000 name1 name2 weight Dependency graphs 𝑔 ) SQLiteHelper DBUtils 0.3 Unobfuscated 𝑔 * SQLiteHelper DBHelper 0.2 name1 name2 𝑔 + getWritableDB db 0.7 APKs Static Train 𝑔 ) SQLiteHelper DBUtils 𝑔 , getWritableDB instance 0.4 analysis model 𝑔 * SQLiteHelper DBHelper 𝑔 - DBUtils instance 0.5 𝑔 + getWritableDB db 𝑔 . DBHelper db 0.4 𝑔 , getWritableDB instance 𝑔 / … … … Feature 𝑔 - DBUtils instance 𝑔 . DBHelper db templates 𝑔 / … … Compute weights that > 100,000 Features (with maximize 𝑄 𝑃 = 𝑝 O 𝐿 = 𝑙 O for 28 templates candidate names) all training samples (𝑝 O , 𝑙 O ) 7

  17. DeGuard: System Overview Learning phase Static Training analysis Probabilistic model 𝑄 ) Open-source, unobfuscated APKs Prediction phase class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{ SQLiteDatabase b ; Static MAP SQLiteDatabase db ; public a (Context ctx) { Transform public DBHelper (Context ctx) { analysis inference b = getWritableDB(); db = getWritableDB(); } } } } De-obfuscated code Obfuscated code

  18. Prediction Phase name1 name2 weight SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static public a (Context ctx) { SQLiteHelper a analysis b = getWritableDB(); extends } field-in Obfuscated Code } gets getWritableDB b name1 name2 weight name1 name2 weight DBUtils instance 0.5 getWritableDB db 0.7 DBHelper db 0.4 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 8

  19. Prediction Phase name1 name2 weight MAP Inference SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static Static 𝑝 βƒ— = 𝑏𝑠𝑕𝑛𝑏𝑦 𝑄 𝑃 = 𝑝 βƒ—β€² 𝐿 = 𝑙 public a (Context ctx) { SQLiteHelper a analysis analysis b = getWritableDB(); 𝑝 βƒ—β€² ∈ Ξ© extends } field-in Obfuscated Code } gets Candidate assignment 𝒑 getWritableDB b 𝑸 𝒑 𝒍) * a = DBUtils b = instance 1.2 a = DBHelper b = db 1.3 name1 name2 weight name1 name2 weight DBUtils instance 0.5 a = DBUtils b = db 0.8 getWritableDB db 0.7 DBHelper db 0.4 a = DBHelper b = instance 1.2 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 *Non-normalized 8

  20. Prediction Phase name1 name2 weight MAP Inference SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static 𝑝 βƒ— = 𝑏𝑠𝑕𝑛𝑏𝑦 𝑄 𝑃 = 𝑝 βƒ—β€² 𝐿 = 𝑙 public a (Context ctx) { SQLiteHelper a analysis b = getWritableDB(); 𝑝 βƒ—β€² ∈ Ξ© extends } field-in Obfuscated Code } gets Candidate assignment 𝒑 getWritableDB b 𝑸 𝒑 𝒍) * a = DBUtils b = instance 1.2 a = DBHelper b = db 1.3 name1 name2 weight name1 name2 weight DBUtils instance 0.5 a = DBUtils b = db 0.8 getWritableDB db 0.7 DBHelper db 0.4 a = DBHelper b = instance 1.2 getWritableDB instance 0.4 DBUtils db 0.2 DBHelper instance 0.2 *Non-normalized 8

  21. Prediction Phase name1 name2 weight SQLiteHelper DBUtils 0.3 class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2 SQLiteDatabase b ; Static public a (Context ctx) { SQLiteHelper DBHelper analysis b = getWritableDB(); extends } field-in Obfuscated Code } Semantically gets getWritableDB db the same? class DBHelper extends SQLiteHelper { SQLiteDatabase db ; name1 name2 weight public DBHelper (Context ctx) { name1 name2 weight DBUtils instance 0.5 Transform db = getWritableDB(); getWritableDB db 0.7 DBHelper db 0.4 } getWritableDB instance 0.4 DBUtils db 0.2 Deobfuscated Code } DBHelper instance 0.2 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin

Se Sequence Obfu fuscation ion to o Thwar art Pa Pattern Matching Attacks Bo Guan , Nazanin Takbiri, Dennis L. Goeckel, Amir Houmansadr, Hossein Pishro-Nik University of Massachusetts Amherst IEEE International Symposium on Information

422 views β€’ 28 slides
Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit

Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit

Statistical presentation Statistical presentation Statistical tabulations by age, sex and 3 digit codes Condensed and selected lists (national lists) Standards and reporting requirements for fetal, perinatal, neonatal and infant mortality Live

295 views β€’ 5 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views β€’ 59 slides
Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models http://www.cims.nyu.edu/~cfgranda/pages/DSGA1002_fall16 Carlos Fernandez-Granda Descriptive statistics Statistical estimation Histogram Technique to visualize

1.16k views β€’ 99 slides
STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability & Statistical Models STA 214: Analysis of Statistical Models Probability/Statistical Models: Theory prob/math stats Simulation samples of y ( | ) p y Statistical analysis: Computation: Likelihood

250 views β€’ 11 slides
Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major

Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Introduction to Statistical Process Control Statistical Process Control (SPC) uses seven major tools: Histogram or stem-and-leaf plot; 1

465 views β€’ 14 slides
III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is

III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is

III.4 Statistical Language Models III.4 Statistical LM (MRS book, Chapter 12*) 4.1 What is a statistical language model? 4.2 Smoothing Methods 4.3 Extended LMs *With extensions from: C. Zhai, J. Lafferty: A Study of Smoothing

504 views β€’ 29 slides
Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical

Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical

Nov 2010 Statistical Literacy: Harper's Magazine Fall 2010 1 Fall 2010 2 Statistical Literacy: Statistical Literacy Harpers Index Statistical literacy is the ability to read and MILO SCHIELD, interpret summary statistics in everyday

388 views β€’ 14 slides
Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS

Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS

Embeddings of statistical manifolds H ong V an L e Institute of Mathematics, CAS Conference in honor of Shun-ichi Amari Liblice, June 2016 1. Statistical manifold and embedding of statistical manifolds. 2. Obstructions to the

394 views β€’ 27 slides
Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical Programming for Statistical Science Science Shawn Santo Shawn Santo 1 / 59 1 / 59 Supplementary materials Full video lecture available in

613 views β€’ 59 slides
13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical

13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical

13 Jan, 2011 Statistical Literacy: Confounding UTSA Confounding 2011 1 2011 2 Statistical Literacy: Statistical Literacy Confounding Statistical literacy is the ability to read and MILO SCHIELD, interpret summary statistics in everyday

564 views β€’ 28 slides
Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are

Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are

Nonequilibrium and statistical ensembles Statistical properties of an Equilibrium state are obtained by several different probability distributions, e.g. canonical or microcanonical: which attribute the same average to physically interesting

507 views β€’ 38 slides
The presentations schedule Conceptual model of functioning of official statistics

The presentations schedule Conceptual model of functioning of official statistics

The concept of the new organization of statistical surveys Janusz Dygaszew icz Director Programming and Coordination of Statistical Surveys Department CSO Poland Meeting on the Management of Statistical Information Systems Paris, France 23 -

511 views β€’ 15 slides
Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from

Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from

Developing Statistical Thinking Theory My Thesis Statistical Thinking is di ff erent from popular conceptions of mathematical thinking Your Goal Identify some issues demarcating statistical and mathematical thinking Reflect on ways

290 views β€’ 28 slides
E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical

E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical

E UROPEAN STATISTICAL WEEK S TUDY VISIT TO EUROSTAT What is Eurostat? Eurostat is the statistical arm of the European Commission, producing data for the European Union and promoting the harmonisation of statistical methods across the Member

269 views β€’ 16 slides
Statistical methods in bioinformatics Brief introduction, statistical models, dimension

Statistical methods in bioinformatics Brief introduction, statistical models, dimension

u n i v e r s i t y o f c o p e n h a g e n m a r c h 3 1 s t , 2 0 2 0 Faculty of Health Sciences Statistical methods in bioinformatics Brief introduction, statistical models, dimension reductions. Claus Thorn Ekstrm Biostatistics,

660 views β€’ 65 slides
Lesson 13 Persistence: SQL Databases Victor Matos Cleveland State University Portions of this

Lesson 13 Persistence: SQL Databases Victor Matos Cleveland State University Portions of this

Lesson 13 Lesson 13 Persistence: SQL Databases Victor Matos Cleveland State University Portions of this page are reproduced from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution

509 views β€’ 37 slides
Why Is This Important? So far, accessed DBMS directly through client tools Great for

Why Is This Important? So far, accessed DBMS directly through client tools Great for

Why Is This Important? So far, accessed DBMS directly through client tools Great for interactive use Database Application Development How can we access the DBMS from a program? Need an interface between programming language

288 views β€’ 6 slides
Functional Logic Semantic Bidirectionalization for Free! Hugo Pacheco HASLab INESC TEC &

Functional Logic Semantic Bidirectionalization for Free! Hugo Pacheco HASLab INESC TEC &

Functional Logic Semantic Bidirectionalization for Free! Hugo Pacheco HASLab INESC TEC & Universidade do Minho, Braga, Portugal FATBIT/SSaaPP Workshop Braga - September 18th 2012 Towards Functional Logic Semantic Bidirectionalization for

220 views β€’ 20 slides
overview introductory remarks equational programming lambda terms 2020 10 26 lecture 1

overview introductory remarks equational programming lambda terms 2020 10 26 lecture 1

overview introductory remarks equational programming lambda terms 2020 10 26 lecture 1 towards beta reduction overview functional programming a functional program is an expression, and is executed by evaluating the expression introductory

385 views β€’ 9 slides
EE 109 Unit 6 LCD Interfacing LCD BOARD 6.3 6.4 How Do We Use It? The EE 109 LCD Shield

EE 109 Unit 6 LCD Interfacing LCD BOARD 6.3 6.4 How Do We Use It? The EE 109 LCD Shield

6.1 6.2 EE 109 Unit 6 LCD Interfacing LCD BOARD 6.3 6.4 How Do We Use It? The EE 109 LCD Shield The LCD shield is a ____________________ By sending it ________ (i.e. ______________ LCD that mounts on top of the Arduino Uno. one at

614 views β€’ 9 slides
Real SQL Programming 1 SQL in Real Programs We have seen only how SQL is used at the generic

Real SQL Programming 1 SQL in Real Programs We have seen only how SQL is used at the generic

Real SQL Programming 1 SQL in Real Programs We have seen only how SQL is used at the generic query interface an environment where we sit at a terminal and ask queries of a database Reality is almost always different: conventional

816 views β€’ 65 slides
C: Array layout and indexing CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming

C: Array layout and indexing CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming

ex C: Array layout and indexing CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming Languages Foundations of Computer Systems Ben Wood Ben Wood int val[5]; +0 +4 +8 +12 +16 Representing Write x86 code to load val[i] into

213 views β€’ 4 slides
Micro Processor & Controller Parallel Bus LCD Display LCD Display Parallel Bus LCD

Micro Processor & Controller Parallel Bus LCD Display LCD Display Parallel Bus LCD

Micro Processor & Controller Parallel Bus LCD Display LCD Display Parallel Bus LCD Display Pin Assignment LCD Display Pin Assignment LCD Display Architecture LCD Display Architecture LCD Display Hardware LCD Display Hardware

137 views β€’ 13 slides

More recommend