CISC_2013_Real-Time Record and Replay on Android for Malware Analysis

Zong Shen Shen, Chia Wei Hsu, Lin Chun Huang, Shan Shin Li, Shiuh Pyng Shieh

Transcript of the slides.

Outline

• Introduction
  – Challenge & contribution
• Assessment factors for R&R
  – Two possible architectures
  – Three key factors
  – Prototype implementation
• Discussion
  – Experiment
  – Limitation

Why Record & Replay?

• To apply well-developed analysis tools for precise analysis
• To migrate the heavy-weight procedures from the end device to a host machine
  – Mobile environment replication on dedicated servers
  – Execution trace recording on the mobile device
  – Trace replaying against the mobile image on the server
  – Versatile engine deployment on the server to trace the behavior revealed by the image

Challenge

• Conventional R&R schemes emphasize fine-grained state consistency; their resource consumption is still impractical on a real device
• The trade-off between accuracy and computation overhead

Observation & Objective

• Prolific human-machine interaction on Android
  – Most program entry points are components listening for user commands, and these commands determine the execution flow
  – Controlling the UI events therefore controls the program behavior in most cases
• Application-level record and replay
  – UI events as the execution trace
  – Concrete program behavior as the consistency metric

Contribution

• This research proposes a new architecture for end-point protection and guides the proper approaches for real-world deployment
  – It applies the advantages of well-developed analysis engines without incurring significant overhead on the end device

Assessment Factors for R&R

• Two possible architectures
  – Mobile to server-side emulator
  – Mobile to server-side mobile
• Three key factors
  – The scalability to serve multiple users
  – The configuration effort to build the system
  – The preciseness of the replayed behavior

Mobile to Server-Side Emulator

• High scalability
  – Multiple images to multiple users mapping
• Low configuration effort
  – The convenience of off-the-shelf SDK tools
• Low replay preciseness
  – Unfaithful emulated environment

Mobile to Server-Side Mobile

• Low scalability
  – One device to one user mapping
• High configuration effort
  – Requires customization of the replay device
• High replay preciseness
  – Full support of telecom services and hardware gadgets

Chosen Architecture

• Mobile-to-emulator
  – With the Android SDK, an analyst can configure the experiment platform more efficiently
  – Improvement of the emulated environment can bridge the gap between emulator and real device
• R&R agent survey
• Prototype implementation

How to Build R&R Tools?

• Application layer
  – Injecting analytics modules into the UI event receivers of interest in the analyzed subject
  – Aspect-oriented programming
• System layer
  – Monitoring the system-wide events fired from hardware gadgets
  – Linux getevent/sendevent tools

Aspect-Oriented Programming

• Aspect
  – Recording of the relevant information for UI events
• Join point
  – The entry point of each event receiver
• Incompatible code problem
  – The instantiated aspect is in JVM bytecode format, but the join points of the target app are in DVM (Dalvik) bytecode format
  – Code transformation between the two formats is a possible solution, but it carries the risk of semantic loss

Linux getevent/sendevent

• getevent
  – Provides a live dump of the hardware input events
• sendevent
  – Injects events into the target hardware gadget to trigger its action
• Both are built-in tools of the Android emulator and of real devices

Prototype Implementation

[Architecture diagram of the prototype]
• Recorder (on the mobile device): Event Dumper, Event Filter, App Monitor, Packet Encapsulator
• Replayer (on the server-side emulator): Packet Decapsulator, App Launcher, Event Converter, Event Sender

Prototype Demo

• https://www.youtube.com/watch?v=YfgrfNddp9g


Experiment (1/2)

[Screenshots]
1. After install
2. After reboot

Experiment (2/2)

[Screenshots]
1. After reboot
2. Installing new package
3. Fake Google search

Limitation

• Complicated event-driven model of Android apps
  – This research focuses on UI events and does not address background broadcast events
• Unfaithful emulated environment
  – The subject on the server may crash if it invokes unsupported services or gadgets

Conclusion

• Two R&R architectures are proposed
  – Mobile-to-emulator is the better choice due to its high scalability and low configuration effort
• Two R&R agents are discussed
  – AOP has great potential, but Linux getevent/sendevent eases the effort of test-bench construction
• Accuracy issue
  – Background events should be covered to improve replay consistency