Tackling runtime-based obfuscation in Android with TIRO

Size: px

Start display at page:

Download "Tackling runtime-based obfuscation in Android with TIRO"

Caroline Waters
5 years ago
Views:

1 Tackling runtime-based obfuscation in Android with Michelle Wong and David Lie University of Toronto Usenix Security 2018

2 Android malware and analysis Mobile devices are a valuable target for malware developers Access to sensitive information and functionality Arms race between malware developers and security analyzers I do X Malware! Because X!!! 2

3 Java obfuscation Most Android applications written in Java Language-based obfuscation Obfuscation using Java features Reflection Dynamic code loading Application DEX Code Framework APIs JNI Application Native Code Native methods ART/DVM Runtime I do [?], where [?] might be X Linux Device Does it do X? Is it malware?!!! 3

4 Native obfuscation Can avoid runtime entirely by using native code Full-native code obfuscation No Java code or invocations to Java methods Application DEX Code Framework APIs JNI Application Native Code Seems very little malware do this ART/DVM Runtime Framework APIs mostly in Java Linux Requires access to undocumented Device low-level interfaces of system services!!! 4

5 Obfuscation via runtime tampering Language-based obfuscation ease of use, reliability difficulty of analysis Full-native code obfuscation Runtime-based? obfuscation I do Y and only Y (I mean X) Application DEX Code Framework APIs JNI Application Native Code Not malware! Doesn t do X ART/DVM Runtime Linux Device!!! 5

6 Unexpected code behavior Unexpected Unexpected Unexpected classes methods instructions I m loading I m invoking I m executing DEX D: class A from DEX D method B from class A instrs <abc> from method B class A: ART/DVM Runtime method B: <abc> Actually Actually Actually Loading Invoking Executing class E method I instrs <hac> <native> from DEX V from class L from method K Java 6

7 Android RunTime (ART) Investigated how code is loaded and executed within ART DEX D: class A: method B: ART <abc>!!! 7

8 ART code loading DEX D: ART class A: method B: <abc> java.lang. DexFile DEX file DEX file (mmap) (mmap) 1 2 DEX file hooking mcookie 1 art:: art:: DexFile DexFile begin_ 2 class A: class E: method B: method V: <abc> <bad>!!! 8

9 ART code loading DEX D: ART class A: method B: DEX file (mmap) mirror:: Class Unexpected classes <abc> 3 and methods class E: A: method V: B: <bad> <abc> art:: ArtMethod 1 2 DEX file hooking 3 Bytecode overwriting!!! 9

10 ART code execution Invoke B() in class A DEX D: ART (inherited from class O) class A: method B: DEX file mirror:: Class <abc> (mmap) class A: method B: vtable_ 4 art:: ArtMethod 4 ArtMethod hooking <abc> Unexpected methods!!! 10

11 ART code execution DEX D: ART class A: method B: DEX file mirror:: Class Unexpected instructions <abc> (mmap) art:: class A: ArtMethod method B: <bad> <abc> 6 code_item_offset_ 4 ArtMethod hooking 5 Method entry-point 5 entry_point_ hooking <trampoline> 6 Instruction hooking/ modification!!! 11

12 Runtime state tampering in ART DEX D: class A: method B: ART <abc> 1 2 DEX file hooking 4 ArtMethod hooking 3 Bytecode overwriting 5 Method entry-point? hooking 6 Instruction hooking/ modification!!! 12

13 Deobfuscation Unified framework to handle language-based and runtime-based obfuscation Pure static analysis: imprecise, no run-time information to deobfuscate Reflection targets, dynamically loaded code, etc. Pure dynamic analysis: lack of code coverage?!!! 13

14 Targeted execution static interesting behavior path constraints inject inputs dynamic 1 Wong, M.Y., and Lie,D. IntelliDroid: A targeted input generator for the dynamic analysis of Android malware. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS), 2016.!!! 14

15 Dealing with obfuscation static???? obfuscation interesting locations behavior path constraints ` inject inputs dynamic!!! 15

16 : A hybrid iterative deobfuscator static APK file Target Instrument run-time values, extracted code instrumented obfuscation locations deobfuscated application Observe Run security analysis dynamic!!! 16

17 Target Instrument Run Observe Reflection Target oncreate() { Identify obfuscation locations Extract call paths and constraints 7 Method method = klass.getmethod(decrypt( wzjg )); 8 method.invoke(receiver, args); } Target (Reflection) oncreate() Method::invoke()!!! 17

18 Target Instrument Run Observe Target Instrument oncreate() { Instrument obfuscation location Report dynamic values and code 7 Method method = klass.getmethod(decrypt( wzjg )); 8 method.invoke(receiver, args); } Target (Reflection) oncreate() Method::invoke() Instrument log(, method.getname())!!! 18

19 Target Instrument Run Observe Target Instrument Run oncreate() { Generate inputs from targeting Inject inputs to run obfuscation locations 7 Method method = klass.getmethod(decrypt( wzjg )); 8 method.invoke(receiver, args); } Target (Reflection) Run oncreate() Log: refl,oncreate,8, foo Method::invoke() Instrument log(, method.getname())!!! 19

20 Target Instrument Run Observe Target Instrument Run Observe oncreate() { Monitor deobfuscation log Extract dynamic values and code 7 Method method = klass.getmethod(decrypt( wzjg )); 8 method.invoke(receiver, args); Run Observe } Log: refl,oncreate,8, foo oncreate() foo()!!! 20

21 Handling runtime-based obfuscation hidden <java> <native> <java> modifies runtime state Record original ART state Check ART state!!! 21

22 TRuntime-based deobfuscation Example: Instruction hooking oncreate() { 7 nativefoo(); 8 bar(); }!!! 22

23 TRuntime-based deobfuscation Example: Instruction hooking oncreate() { Instrument (ART runtime) Target art:: bar() <native code> ArtMethod abc 7 nativefoo(); 8 bar(); code_item_offset_ entry_point_ xyz Run Log: oncreate,7,bar[code_item],xyz } Extracted DEX: <xyz> Observe oncreate() method_xyz()!!! 23

24 Iterative deobfuscation Target Instrument Example: 2 nd iteration oncreate() { method_xyz() { Observe Run 11 Method method = 7 nativefoo(); klass.getmethod(decode( vbs )); 8 bar(); 12 method.invoke(receiver, args); Target (Reflection) } }!!! 24

25 Implementation Static: Soot framework 2 for analysis and instrumentation Dynamic: Modified AOSP with instrumented ART runtime Android 4.4, 5.0, 6.0 Monitoring process to parse deobfuscation log and extract bytecode 2 Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L., Lam, P., and Sundaresan, V. Soot - a Java bytecode optimization framework. In Proceedings of the 1999 conference of the Centre for Advanced Studies on Collaborative research (1999), CASCON 99, IBM Press, p. 13.!!! 25

26 Evaluation Ability to detect and deobfuscate techniques in modern Android malware Investigate use of language-based and runtime-based obfuscation in malware Deobfuscation performance (in paper)!!! 26

27 : Detection and deobfuscation Labeled obfuscated samples, categorized by obfuscator/packer Reflection Language-based Runtime-based Sensitive APIs Dynamic loading Native methods DEX file hooking Class data overwriting ArtMethod hooking Instruction hooking Instruction overwriting aliprotect baiduprotect dexprotector ijiamipacker naga_pha qihoopacker secshell Iterations Before 100% 53% After!!! 27

28 Obfuscation usage in malware Obfuscated malware samples from VirusTotal Language-based Runtime-based Reflection 58.5% DEX file hooking 64.0% Dynamic loading 79.9% Class data overwriting 0.7% Direct invocation 52.2% ArtMethod hooking 0.5% Reflected invocation 0.1% Method entry-point hooking 0.3% 80% Native invocation 49.2% Instruction hooking 33.7% Native methods 96.8% Instruction overwriting 0.1%!!! 28

29 Conclusion New category of obfuscation techniques in Android: runtime-based obfuscation : A hybrid iterative deobfuscation framework Handles both language-based and runtime-based techniques Deobfuscates modern malware and uncovers sensitive behaviors 80% of samples from VirusTotal dataset use runtime-based obfuscation 29

Tackling runtime-based obfuscation in Android with TIRO

Tackling runtime-based obfuscation in Android with TIRO Michelle Y. Wong and David Lie University of Toronto Abstract Obfuscation is used in malware to hide malicious activity from manual or automatic