Formalisation and Analysis of Dalvik Bytecode

Size: px

Start display at page:

Download "Formalisation and Analysis of Dalvik Bytecode"

Reynold Barnett
6 years ago
Views:

1 Formalisation and Analysis of Dalvik Bytecode Erik Ramsgaard Wognsen Department of Computer Science Aalborg University DANSAS 12, 24 August 2012 Joint work with Henrik Karlsen, Mads Chr. Olesen, and René Rydhof Hansen Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

Android Widespread Linux based operating system for mobile devices Apps written in Java and compiled to Dalvik bytecode Apps from Android Market/Google Play Everyone can become

2 Android Widespread Linux based operating system for mobile devices Apps written in Java and compiled to Dalvik bytecode Apps from Android Market/Google Play Everyone can become a developer No manual application approval Lightweight certification 3rd party markets and unknown sources Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

3 Android Permissions Capabilities and sensitive information protected by permissions, e.g. WRITE EXTERNAL STORAGE WAKE LOCK ACCESS FINE LOCATION INTERNET Accept or deny app, not individual permissions What are they used for? Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

4 The Problem Malware Damage or disable phone (or hold it hostage) Steal information Abuse of services that cost money Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

5 A Solution Certification of apps Program analysis Verification of properties, e.g. Are foreign numbers dialed? Are text messages sent to premium numbers? Only these files on external storage are accessed:... Trustworthy? Based on published, formal semantics and analyses Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

6 Study of Android Apps What should be formalised and how? Quantitative study of usage of: Dalvik bytecode instructions Java features Android APIs We downloaded the 50 most popular apps of each category (1,700 apps) in November 2011 App sizes (*.apk files) range from 16 KB to 50 MB Bytecode (classes.dex files) ranges from 1.3 KB to 7.4 MB Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

7 Study - Dalvik Instructions Registers instead of operand stack (JVM) add-int d s1 s2 instead of iload s1, iload s2, iadd, istore d Dalvik supports 218 instructions Many are semantically similar We simplified them into 39 generalised instructions, e.g. Opcode Original instruction Generalised instruction 00 nop nop 01 move move 02 move/from16 03 move/16 04 move-wide 05 move-wide/from16 06 move-wide/16 07 move-object 08 move-object/from16 09 move-object/16 Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

8 Study - Instruction Usage Gen. instruction Used by Occurrences Of total occ. invoke-direct % 4,533, % return-void % 2,683, % invoke-virtual % 12,718, % const % 8,157, % move-result % 12,391, % invoke-super % 215, % const-string % 5,200, % fill-array-data % 97, % instance-of % 144, % sparse-switch % 21, % filled-new-array % 1, % Total 94,413, % Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

9 Study - Obfuscation ProGuard (recommended by Google) renames classes and variables to short meaningless names Some apps are partially obfuscated ( reflection) Look for class a as approximation September 2010: 36% of 1,100 apps (study by Enck et al.) November 2011: % of 1,700 apps Jeff Foster et al. Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

Study - Native Code Apps may include native ARM code Intended for performance or (re)use of C/C++ libraries Popular apps with native code September 2010: 6.45% of 1,100 apps (study by Enck et al.

10 Study - Native Code Apps may include native ARM code Intended for performance or (re)use of C/C++ libraries Popular apps with native code September 2010: 6.45% of 1,100 apps (study by Enck et al.) November 2011: 20.35% of 1,700 apps Sandbox Unix user id (not VM based) Handling depends on the purpose of the concrete analysis Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

11 Study - Runtime.exec() Execution of programs in a native process Referenced in 19.53% of apps 80.44% of occurrences in library code Access to logcat read system logs pm install install apps su become superuser (for rooted devices)... Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

12 Study - Class Loading Load DEX and JAR files loadclass() Define classes from e.g. Javascript defineclass() java.lang.classloader dalvik.system.dexclassloader Used in 13.1% of apps Cannot be analysed statically before installation Necessary for Android apps? Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

13 Study - Javascript Interfaces Expose methods on Java object to Javascript running in embedded brower element Used in 39% of apps Some apps are enhanced webpages Send your shopping list to your friends Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

14 Study - Reflection Resolve classes, methods, and fields from strings java.lang.reflect referenced in 73% of apps Backwards compatibility Access hidden APIs Create objects from XML/JSON Statically known strings enable analysis Preliminary numbers (no collection API handling): 80% of Class.forName() and clazz.getmethod() calls 18.9% of apps that use Method.invoke() Identify and analyse patterns Formalisation Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

15 Reflection - An Example Class<?> clazz = Class.forName("my.pkg.Foo"); Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

16 Reflection - An Example Class<?> clazz = Class.forName("my.pkg.Foo"); Method method = clazz.getmethod("bar", float.class); Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

17 Reflection - An Example Class<?> clazz = Class.forName("my.pkg.Foo"); Method method = clazz.getmethod("bar", float.class); Integer result = (Integer) method.invoke(clazz.newinstance(), 3.2f); Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

18 Reflection - An Example try { Class<?> clazz = Class.forName("my.pkg.Foo"); Method method = clazz.getmethod("bar", float.class); Integer result = (Integer) method.invoke(clazz.newinstance(), 3.2f); } catch (Exception e) { } Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

19 From Study to Formalisation Formalisation should include All (generalised) instructions Dynamic dispatch Exceptions Reflection API Formalisation based on Dalvik documentation Inspection of the Dalvik VM source Systematic testing Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

20 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

21 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

22 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

23 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

24 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

25 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

26 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

27 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

28 Dalvik Semantics and Analysis Operational semantics m.instructionat(pc ) = move v dest v src A S, H, m, pc, R :: SF = S, H, m, pc + 1, R[v dest R(v src )] :: SF CFA specified as flow logic constraints Over-approximation of program behaviour Textual object graph representation of references v src (Ŝ, Ĥ, ˆR, Ê) = (m, pc ): move v dest iff ˆR(m, pc )(v src ) ˆR(m, pc + 1)(v dest ) ˆR(m, pc ) {vdest } ˆR(m, pc + 1) The full instruction set (except concurrency) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

29 Reflection Assumptions/requirements All classes in app known (no dynamic class loading) Strings can be determined statically Reflection not used to manipulate string contents Formalisation and analysis of Class.forName() Class.getMethod() Class.newInstance() Method.invoke() Emulation of API calls as single Dalvik instructions Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

30 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

31 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

32 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

33 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

34 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

35 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

36 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

37 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

38 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

39 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

40 Reflection - Semantics Example somemethod.invoke(receiverobj, args...); m.instructionat(pc) = invoke-virtual v 1 v 2 v 3 meth meth.name = java/lang/reflect/method->invoke loc 1 = R(v 1) null o 1 = H(loc 1) o 1.class Method meth = methodsignature(h, o 1) loc 2 = R(v 2) null o 2 = H(loc 2) a = H(R(v 3)) Array m = resolvemethod(meth, o 2.class) R = [0,..., m.numlocals 1, m.numlocals a.value(0),..., m.numlocals + a.length 1 a.value(a.length 1)] A S, H, m, pc, R :: SF = S, H, m, 0, R :: m, pc, R :: SF Boxing/unboxing omitted here Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

41 (Ŝ, Ĥ, ˆR, Ê) = (m, pc): invoke-virtual v1 v2 v3 meth iff meth = java/lang/reflect/method->invoke (ObjRef (java/lang/reflect/method, m m, pc m)) ˆR(m, pc)(v 1): meth methodsignatures(ĥ, ObjRef (java/lang/reflect/method, mm, pcm)): (ObjRef (cl r, m r, pc r )) ˆR(m, pc)(v 2): m = resolvemethod(meth, cl r ) {ObjRef (cl r, m r, pc r )} ˆR(m, 0)(m.numLocals) 1 i arity(meth ): (ArrRef (a, m a, pc a)) ˆR(m, pc)(v 3): Ĥ(ArrRef (a, m a, pc a)) ˆR(m, 0)(m.numLocals + i) (ObjRef (cl o, m o, pc o)) Ĥ(ArrRef (a, ma, pca)): isboxclass(cl o) = Ĥ(ObjRef (cl o, m o, pc o))(value) ˆR(m, 0)(m.numLocals + i) m.returntype = void = β(null) ˆR(m, pc + 1)(retval) m.returntype RefType = ˆR(m, END) ˆR(m, pc + 1)(retval) m.returntype PrimType = cl b = primtoboxclass(m.returntype) ˆR(m, END) Ĥ(ObjRef (cl b, m, pc))(value) {ObjRef (cl b, m, pc)} ˆR(m, pc + 1)(retval) (ExcRef (cl e, m e, pc e)) Ê(m ): HANDLE (ˆR,Ê) ((ExcRef (cl e, me, pce)), (m, pc)) ˆR(m, pc) ˆR(m, {retval} pc + 1) Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

42 Lmy /pkg /AnalysisTestActivity;-> oncreate(landroid /os /Bundle;)V Lmy Lmy Lmy Lmy Lmy Lmy /pkg /pkg /pkg /pkg /pkg /pkg /ClassB;-> /ClassB;-> /ClassC;-> /AnalysisTestActivity;-> /ISomeInterface;-> /ClassC;-> factorial(i)i print()v increase(i)i <init>()v <clinit>()v <init>(i)v UNRESOLVED method call Lmy /pkg /ClassB;-> <init>(i)v Lmy /pkg /AnalysisTestActivity;-> reflectiontest()v Lmy /pkg /ClassA;-> <init>(i)v Lmy /pkg /R;-> <init>()v API Lmy /pkg /ClassB;-> increase(i)i Ljava /lang /Integer;-> valueof(i)ljava /lang /Integer; Ljava /lang /Class;-> newinstance()ljava /lang /Object; Ljava /lang /Class;-> getmethod(ljava /lang /String;)Ljava /lang /reflect /Method; Ljava /lang /Class;-> forname(ljava /lang /String;)Ljava /lang /Class; Ljava /lang /Object;-> <init>()v Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

43 Prototype - Overview APK file apktool/unzip Android Manifest DEX file Resources apktool/baksmali smali source smali parser Data structures Constraint generator Callgraph query Prolog source Query Callgraph generation XSB Prolog engine Interactive querying Callgraph output Output Preprocessing DOT source Graphviz dot Image file Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

44 Flow Logic and Prolog Example (Ŝ, Ĥ, ˆR, Ê) = (m, pc): move v1 v2 iff ˆR(m, pc)(v 2) ˆR(m, pc + 1)(v 1) ˆR(m, pc) ˆR(m, {v1 } pc + 1) % PC 48: move v1, v2 hatr(m1, 49, 1, Y) :- hatr(m1, 48, 2, Y). hatr(m1, 49, V, Y) :- hatr(m1, 48, V, Y), V \= 1. Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

45 Modelling Java and Android API Methods All must be handled Reflection java/util/arraylist Java features Entry point methods need objects onsomeevent() Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

46 Analysing Real Apps Example: Sending text messages android/telephony/smsmanager->sendtextmessage() Malware pattern: Hardcoded destination Benign pattern: Destinations from contact list Tainting contact list Handling java/util/arraylist methods Changes to contact list? Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

47 Conclusion Formalisation of the generalised Dalvik instruction set Formalisation of the central parts of reflection Prototype implementation of the control flow analysis Sound call graph Some data flow capabilities sendtextmessage(), hardcoded numbers, taint A foundation for verifying security properties, e.g. Only these files on external storage are accessed:... Text messages are only sent to contacts from your contact list Your contact list does not leave the device Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

48 Future Work Java and Android APIs Manual analysis XML resources Performance Specialization Constraint simplifications Other solvers bddbddb A dedicated solver String analysis Java String Analyzer, Hampi, Kaluza Native code Analysis on device - class loading Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

49 Demo?- invoke( Landroid/telephony/SmsManager;->sendTextMessage( Ljava/lang/String;Ljava/lang/String;Ljava/lang/String; Landroid/app/PendingIntent;Landroid/app/PendingIntent;) V, 1, (top_ref, _, _)). no Erik Ramsgaard Wognsen DANSAS 12, 24 August / 26

50 Demo?- setof(y, (invoke( Landroid/telephony/SmsManager;-> sendtextmessage(ljava/lang/string;ljava/lang/string; Ljava/lang/String;Landroid/app/PendingIntent;Landroid/ app/pendingintent;)v, 1, O), hath(o, value, Y)), Set ). Y = _h159 O = (Ljava/lang/String;, Lorg/me/androidapplication1/ MoviePlayer;->onCreate(Landroid/os/Bundle;)V, 1) Set = [7132] Y = _h159 O = (Ljava/lang/String;, Lorg/media/player/MoviePlayer ;->oncreate(landroid/os/bundle;)v, 17) Set = [4161] no Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

51 Study - Library and Developer Code Developer code net.company.app/ net.company.app/net/ net.company.app/net/company/ net.company.app/net/company/app/ net.company.app/net/company/app/** Library code All other packages, e.g. net.company.app/com/mobclix/android Differences in features used? Erik Ramsgaard Wognsen (erw@cs.aau.dk) DANSAS 12, 24 August / 26

Study, Formalisation, and Analysis of Dalvik Bytecode

Study, Formalisation, and Analysis of Dalvik Bytecode Henrik Søndberg Karlsen, Erik Ramsgaard Wognsen, Mads Chr. Olesen, and René Rydhof Hansen Department of Computer Science, Aalborg University {hkarls07,ewogns08}@student.aau.dk