10th IEEE International Conference on Software Testing, Verification and Validation
ADRENALIN-RV: Android Runtime Verification using Load-time Weaving
Haiyang Sun, Andrea Rosà, Omar Javed, and Walter Binder
Faculty of Informatics, Università della Svizzera italiana (USI), Lugano, Switzerland
Email: first.last@usi.ch
Abstract—Android has become one of the most popular operating systems for mobile devices. As the number of applications for the Android ecosystem grows, so does their complexity, increasing the need for runtime verification on the Android platform. Unfortunately, despite the presence of several runtime verification frameworks for Java bytecode, DEX bytecode used in Android does not benefit from such a wide support. While a few runtime verification tools support applications developed for Android, such tools offer only limited bytecode coverage and may not be able to detect property violations in certain classes. In this paper, we show that ADRENALIN-RV, our new runtime verification tool for Android, overcomes this limitation. In contrast to other frameworks, ADRENALIN-RV weaves monitoring code at load time and is able to instrument all loaded classes. In addition to the default classes inside the application package (APK), ADRENALIN-RV covers both the Android class library and libraries dynamically loaded from the storage, network, or generated dynamically, which related tools cannot verify. Evaluation results demonstrate the increased code coverage of ADRENALIN-RV with respect to other runtime validation tools for Android. Thanks to ADRENALIN-RV, we were able to detect violations that cannot be detected by other tools.
I. INTRODUCTION
Android has become the dominant operating system for mobile devices. The increase in popularity has led to a rapid growth of the number of applications for Android, as well as their complexity. As applications become more complex, advanced testing techniques and runtime verification are fundamental to mitigate buggy and malicious applications. While testing is used during development, runtime verification is typically used to monitor a program after deployment, making them complementary.
Our work focuses on runtime verification on the Android platform. While there is a large body of runtime verification frameworks suitable for Java bytecode [1]–[4], such tools cannot be readily applied to DEX bytecode used by Android applications, as the Java and DEX bytecode formats are different. As a result, there are few runtime verification tools for Android. Moreover, the bytecode coverage of existing tools is rather limited. For example, RV-Droid [5] and RV-Android [6] can be used to monitor several properties of Android applications, but are not able to instrument classes of the core Android library. In addition, they rely on static weaving, which prevents the instrumentation of classes loaded dynamically, including third-party libraries downloaded from a remote server or classes generated dynamically. Violations of properties in such classes will remain undetected.
978-1-5090-6031-3/17 $31.00 © 2017 IEEE. DOI 10.1109/ICST.2017.61
In this paper we tackle the limited code coverage of existing tools by introducing ADRENALIN-RV (AnDRoid-ENabled Aspect-oriented Load-time INstrumentation for Runtime Verification), our new runtime verification tool for the Android platform. Differently from related tools based on static weaving, ADRENALIN-RV is based on load-time weaving and is able to instrument every class loaded by the runtime environment. In addition to the default classes inside the application package, ADRENALIN-RV covers both classes of the Android library and dynamically loaded classes, including libraries downloaded from the network and dynamically generated. Our evaluation results show that ADRENALIN-RV offers a considerably increased code coverage with respect to related tools, and that it is able to detect violations that cannot be detected with static weaving.
This work makes the following contributions. We present ADRENALIN-RV, our new runtime verification tool for the Android platform. We show that ADRENALIN-RV achieves more code coverage than RV-Droid and RV-Android on selected Android applications. Moreover, we show that ADRENALIN-RV can find violations that cannot be found by related tools.
This paper is organized as follows. Section II provides an overview of the Android platform. Section III describes ADRENALIN-RV and details its architecture. Section IV outlines the main challenges in developing ADRENALIN-RV. In Section V we present our evaluation results. Section VI summarizes lessons learned in implementing and evaluating ADRENALIN-RV. Finally, we present related work in Section VII and give our concluding remarks in Section VIII.
II. BACKGROUND: THE ANDROID PLATFORM
Android is a Linux-based operating system. Applications running on Android execute in a dedicated sandbox: each application executes in a separate process and has access to only its own files. Android applications are written in Java and are built from interconnected components. Each component has a different role and can serve as an entry point for the application.
While written in Java, Android applications do not execute on the Java Virtual Machine (JVM). Depending on the version of Android, they execute either on the Android Runtime (ART, since Android 5), or on the Dalvik Virtual Machine (DVM, before Android 5).¹ Due to the limited resources on mobile devices, Android uses DEX bytecode instead of Java bytecode. Application classes must be converted from Java bytecode to DEX bytecode before deployment.

Components of the same application execute in a single VM instance by default. However, any component can be configured to execute in a separate process, and thus in a separate VM. Creating a new VM instance involves considerable overhead due to VM bootstrap and initialization of the core libraries. As process start and termination occur frequently, the overhead of VM initialization would cause a serious performance degradation. To mitigate such issues, Android starts a special process called Zygote early during system boot, which only bootstraps the VM and initializes the core classes. Hence, Zygote becomes a live snapshot of a newly initialized VM. That snapshot can be efficiently duplicated when needed thanks to the copy-on-write implementation of the fork() system call: when a new VM instance is needed, Zygote is simply forked, yielding a child VM which can readily execute application code.

For the purpose of this paper, application classes can be classified into three groups, according to when they are loaded in the VM during application execution. The first group is composed of classes contained in Android Application Package (APK) files. Each application is shipped in an APK file, a compressed package containing the main classes of the application (in DEX format) and other resources. Classes in the package are loaded when the application is launched. The second group consists of library classes. Such classes are loaded by Zygote during bootstrap and are shared among all application processes. The third group is composed of classes loaded dynamically by applications through the DexClassLoader API.² This API is frequently used to load classes not included in the APK file of the application, such as third-party libraries stored in the file system or on a remote server. It is also used by some malicious applications to hide their behavior [7].

¹ For the purpose of the paper, the specific runtime environment used by Android does not matter. We use the term VM to refer to either ART or DVM indiscriminately.
² https://developer.android.com/reference/dalvik/system/DexClassLoader.html

Fig. 1. ADRENALIN-RV architecture. The figure shows only one of the monitored applications on the Android platform. Other running applications are omitted for clarity.
III. ADRENALIN-RV
In this section we describe the architecture of ADRENALIN-RV. First, we detail the process of instrumenting Android classes with monitoring code. Then, we describe how our tool can intercept and weave all classes loaded on Android. Figure 1 depicts the high-level architecture of ADRENALIN-RV.

A. Instrumentation
ADRENALIN-RV relies on DiSL [8], a dynamic program analysis framework based on Java bytecode instrumentation. DiSL instruments classes on a separate server, here called instrumentation server, according to specified runtime-verification specifications (henceforth called RV specs). ADRENALIN-RV has several built-in RV specs that can be readily verified on Android applications—Section V showcases some of them.
The instrumentation server runs outside the Android platform. The classes to be instrumented are sent to the instrumentation server over the network or via a USB cable, and instrumented classes are sent back over the same medium. USB support is necessary to instrument classes when the network is not available on the device (e.g., during the boot phase before the network module has been loaded). In this way, ADRENALIN-RV can instrument the system class libraries since the beginning of the boot phase.
Often, users wish to monitor different sets of properties for different applications. To ease the process of setting the properties of interest for a given application, the user can map properties to applications in the RV specs. In particular, users can define properties of interest for a given bytecode file. RV specs will be processed by a custom component of the instrumentation server, the specs processor, before starting the instrumentation process. The processor ensures that only the monitoring code corresponding to the desired properties for a class is woven.
Another frequent need when monitoring applications is to repeat the analysis multiple times, without changing the specifications. In this scenario, the instrumented bytecode does not change between different runs. To avoid unnecessary instrumentation, we introduce an instrumentation cache in the server, which stores the last version of the instrumented bytecode and validates whether the instrumentation for a given bytecode remains the same. In this case, the instrumentation process is avoided, and the bytecode stored in the cache will be used at runtime.

B. Load-Time Weaving
To guarantee full bytecode coverage on the Android platform, it is fundamental to intercept and instrument every class loaded by an application. This implies that all three groups of application classes (see Section II) must be intercepted at load-time and instrumented with monitoring code. In contrast to related tools relying on static weaving, ADRENALIN-RV enables load-time weaving for Android. This makes it possible to instrument any class loaded by the VM, in contrast to static weaving which enables one to instrument only classes in the application APK file.
To enable load-time instrumentation, we modify the VM to hook class loading. This allows ADRENALIN-RV to monitor all classes, including shared libraries loaded by Zygote and any dynamically loaded class, such as classes downloaded from a remote server, loaded from a third-party library on the file system, or dynamically generated by the application. In addition, we add an internal API to Android for sending and receiving classes to/from the instrumentation server. To communicate with the outside server, we add a proxy service in Android, listening to all observed VM instances.
In principle, each class loaded by the VM can be passed to the instrumentation server. However, users may be interested in verifying properties of interest only in selected classes. Users can specify classes of interest through specifications (scope specs). These specs will be parsed by a bytecode service, a custom component implemented in C++ which uses Binder—the inter-process-call library in Android—to communicate with the bytecode loading processes. The bytecode service ensures that only classes of interest are sent to the instrumentation server. The addition of this component avoids unnecessary slow-downs which can degrade the performance of the platform.
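
One way to realize the instrumentation cache of Section III-A together with the scope check described above, as an added Java example (not ADRENALIN-RV code): a class is sent for weaving only if it matches the scope specs, and a cached result is reused only while a digest over the class bytes and the RV specs is unchanged. The prefix-based scope format, the digest-based validation and all names are assumptions; in the tool the scope check runs on the device and the cache on the server, which this single class merges.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.function.UnaryOperator;

// Added illustration, not ADRENALIN-RV code. Scope check first, then a cache entry
// that is valid only while both the class bytes and the RV specs are unchanged.
public class WeavingPipeline {
    private final List<String> scope;            // assumed scope-spec form: class-name prefixes
    private final byte[] rvSpecs;                // RV specs in force, treated as opaque bytes
    private final UnaryOperator<byte[]> weaver;  // stand-in for the instrumentation server
    private final Map<String, String> keys = new HashMap<>();   // class name -> digest of last input
    private final Map<String, byte[]> woven = new HashMap<>();  // class name -> last woven bytes
    int weaverCalls = 0;

    WeavingPipeline(List<String> scope, String rvSpecs, UnaryOperator<byte[]> weaver) {
        this.scope = scope;
        this.rvSpecs = rvSpecs.getBytes(StandardCharsets.UTF_8);
        this.weaver = weaver;
    }

    byte[] onClassLoad(String name, byte[] bytecode) throws Exception {
        if (scope.stream().noneMatch(name::startsWith)) return bytecode;  // not of interest
        String key = digest(bytecode, rvSpecs);
        if (key.equals(keys.get(name))) return woven.get(name);           // cache still valid
        weaverCalls++;
        byte[] out = weaver.apply(bytecode);
        keys.put(name, key);
        woven.put(name, out);
        return out;
    }

    // SHA-256 over length-prefixed parts, so the bytecode/specs boundary is unambiguous.
    static String digest(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) {
            md.update(ByteBuffer.allocate(4).putInt(p.length).array());
            md.update(p);
        }
        return Base64.getEncoder().encodeToString(md.digest());
    }

    public static void main(String[] args) throws Exception {
        UnaryOperator<byte[]> mark = b -> Arrays.copyOf(b, b.length + 1);  // "weaving" appends a byte
        WeavingPipeline p = new WeavingPipeline(Arrays.asList("com.example.", "payload."), "HasNext", mark);
        byte[] v1 = {1, 2, 3}, v2 = {1, 2, 4};   // constructed stand-ins for class bytes
        p.onClassLoad("payload.Loader", v1);     // in scope, first sight: woven
        p.onClassLoad("payload.Loader", v1);     // same bytes and specs: served from cache
        p.onClassLoad("payload.Loader", v2);     // same name, new bytes: woven again
        p.onClassLoad("android.util.Log", v1);   // out of scope: returned unmodified
        System.out.println("weaver calls: " + p.weaverCalls);
    }
}
```

Validating by content rather than by class name matters for dynamically loaded code, where the same class name can arrive with different bytes between runs.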
IV. TECHNICAL CHALLENGES
Increasing the bytecode coverage for Android applications requires a great design effort in solving limitations of the underlying platform, which does not allow one to readily instrument all loaded classes. Here, we outline the main challenges in instrumenting classes on Android, and present how we solve those issues in ADRENALIN-RV.
Fig. 2. Bytecode conversion for instrumenting application classes.
A. Intercepting Class Loading
The difficulties of instrumenting Android classes upon loading stem from the lack of interfaces allowing external tools to be notified about specific events. For example, class loading can easily be intercepted on the JVM thanks to the JVM Tool Interface (JVMTI), which is integrated in the JVM and allows an external agent to replace a class with the instrumented version before the class is loaded and linked. Unfortunately, the Android VM does not offer interfaces akin to the JVMTI. As a result, it is not possible to instrument classes upon their loading without modifying the VM.
To enable full bytecode coverage in ADRENALIN-RV, we modify the VM class-loading process to instrument classes before they are mapped to memory. Before loading a DEX file into memory, the modified VM sends the file through a proxy to the instrumentation server, which instruments the encoded class and sends back another DEX file which is then loaded into memory. This ensures that both application classes and the associated libraries are instrumented.

B. Core Libraries
When the Android system starts, Zygote loads and initializes the core classes. As subsequent VM instances are obtained by forking Zygote, they all share the code of the core libraries. If the user is interested in monitoring core classes in one application, such classes will be instrumented, resulting in a single instrumented version of the core libraries shared among all applications, including those not being targeted by the user. It is technically impossible to instrument only the core libraries for the applications that are being monitored.
To ensure that code in the core libraries is monitored only when used by the target application, the instrumentation used by ADRENALIN-RV relies on a bypass functionality [9]. The instrumentation is only enabled in the monitored application and bypassed with minimum overhead in other applications.

C. Bytecode Conversion
Android classes need to be translated from Java bytecode to DEX bytecode for execution. Manipulating DEX bytecode is an added burden on developing runtime verification tools without any technical merit, as DEX bytecode has been developed primarily to avoid licensing issues and is officially produced only by conversion from Java bytecode. Given the extensive support of frameworks for manipulating Java bytecode, there is little interest in manipulating DEX bytecode directly.
ADRENALIN-RV uses existing bytecode conversion tools to translate between the two representations as necessary, and relies on DiSL to instrument Java bytecode. In particular, ADRENALIN-RV extracts the classes to be instrumented from the corresponding DEX file, and uses dex2jar³ to convert them from DEX bytecode to Java bytecode. Then, our tool passes the converted Java bytecode to the instrumentation server, which weaves monitoring code into the converted class. ADRENALIN-RV converts the instrumented Java bytecode back to DEX bytecode through dx.⁴ Finally, the tool re-packages the class into a DEX file, which is sent back to the Android platform. The bytecode conversion process is shown in Figure 2.
V. EVALUATION
In this section we evaluate the increased bytecode coverage of ADRENALIN-RV for two use cases. We start by comparing the bytecode coverage of ADRENALIN-RV with related tools on Android applications. Then, we show how ADRENALIN-RV can detect property violations that related tools cannot detect, thanks to load-time weaving. In detailing our evaluation results, we also show the properties that ADRENALIN-RV can monitor, and how the user can write new monitoring code in ADRENALIN-RV.⁵

A. Code Coverage
ADRENALIN-RV relies on load-time weaving to insert monitoring code in Android applications, differently from related tools. For example, RV-Droid and RV-Android both use static weaving. Here, we show that load-time weaving yields a significantly extended bytecode coverage wrt. static weaving. As a result, ADRENALIN-RV can monitor more code than RV-Droid and RV-Android.
We conduct our evaluation on two Android applications of different nature. The first application is Google Mobile Services (GMS)⁶, which includes several services from Google as well as popular APIs. The second application is a malware⁷ which uses dynamically loaded code to obfuscate its behavior. To compare ADRENALIN-RV with RV-Droid and RV-Android, we evaluate a set of properties that can be monitored by all three tools. In particular, we choose multiple well-known JavaMOP properties shown in Table I. For each property, we collect the number of join point⁸ shadows, i.e., locations in the source code that at run-time produce a join point, and the number of join point executions. Finally, we differentiate the result according to the class categorization introduced in Section II, i.e., in 1) APK classes, 2) shared libraries, and 3) dynamically loaded classes. While static weaving can only instrument APK classes, load-time weaving can instrument all loaded classes. As a result, RV-Droid and RV-Android can intercept join points in the first group, whereas ADRENALIN-RV can intercept join points in all groups.

TABLE I
JAVAMOP PROPERTIES EVALUATED.
Property: Description
HasNext: Program should always call hasNext() before next() on an iterator.
SafeEnum: Collection (with an associated enumeration) should not be modified while the enumeration is in use.
SafeSyncMap: Synchronized collection should always be accessed by a synchronized iterator, and the iterator should always be accessed in a synchronized manner.
UnsafeIterator: When the iterator associated with a collection is accessed, the collection should not be updated.
UnsafeMapIterator: Like UnsafeIterator, with differences related to the creation of iterators.

³ https://github.com/pxb1988/dex2jar
⁴ dx is one of the tools contained in the Android Software Development Kit (SDK).
⁵ All evaluation results presented in this section have been obtained on Android 4.4 r1 running on a Nexus 5 with 2 GB RAM. We use DiSL 2.0. The instrumentation server is deployed on quad core Intel Core i7 (2.5 GHz, 16 GB RAM) and runs under Java 8.
⁶ https://www.android.com/gms/
⁷ https://github.com/ashishb/android-malware/tree/master/Android.Malware.atplapk.a
Figure 3 depicts our results for GMS. For all JavaMOP properties considered, several join point shadows refer to shared libraries or dynamically loaded classes, as shown by Figure 3(a). On average, ~7% of join point shadows are contained in shared libraries, while ~13% of them are located in dynamically loaded code. SafeEnum follows a different behavior, with ~50% of join point shadows that can be detected only by load-time weaving. However, the total number of join point shadows for this property is quite limited (only 121 in GMS), whereas the mean number of join point shadows for other properties is around 30000. On average, ~22% of join point shadows cannot be detected with static weaving.
Figure 3(b) shows the number of join point executions in GMS. Here, results vary considerably among different properties. While in SafeEnum and SafeSyncMap a high percentage of join point executions occurs in APK classes, this holds for only 52% of the join point executions in UnsafeIter, and ~40% of join point executions in HasNext and UnsafeMap. In these properties static weaving can cover less than half of the join point executions. Therefore, employing load-time weaving is fundamental to guarantee a full bytecode coverage in such properties.
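
The coverage argument above, as an added Java example that is not code from ADRENALIN-RV, JavaMOP or the paper: the HasNext property of Table I is checked as a per-iterator state machine over a constructed trace of join point executions, once with only APK classes instrumented (static weaving) and once with all three class groups instrumented (load-time weaving). The event model, class names and call sites are assumptions made for illustration.

```java
import java.util.*;

// Added illustration, not ADRENALIN-RV or JavaMOP code: the HasNext property of Table I
// checked over a constructed trace, under static versus load-time weaving coverage.
public class HasNextCoverage {
    enum Group { APK, SHARED_LIBRARY, DYNAMIC }   // class groups of Section II
    enum Call { HAS_NEXT, NEXT }

    // One join point execution: the iterator involved, the call made, and the
    // group and location of the calling class (all values below are constructed).
    static final class Event {
        final int iterator; final Call call; final Group origin; final String site;
        Event(int iterator, Call call, Group origin, String site) {
            this.iterator = iterator; this.call = call; this.origin = origin; this.site = site;
        }
    }

    // Returns the sites where next() ran without a preceding hasNext() on the same
    // iterator. Events from groups that carry no monitoring code are invisible.
    static List<String> violations(List<Event> trace, Set<Group> instrumented) {
        Set<Integer> safe = new HashSet<>();   // iterators whose last observed call was hasNext()
        List<String> found = new ArrayList<>();
        for (Event e : trace) {
            if (!instrumented.contains(e.origin)) continue;
            if (e.call == Call.HAS_NEXT) {
                safe.add(e.iterator);
            } else if (!safe.remove(e.iterator)) {   // next() consumes the earlier check
                found.add(e.site);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        List<Event> trace = Arrays.asList(
            new Event(1, Call.HAS_NEXT, Group.APK, "com.example.app.Main:12"),
            new Event(1, Call.NEXT, Group.APK, "com.example.app.Main:13"),
            new Event(1, Call.NEXT, Group.APK, "com.example.app.Main:14"),             // violation
            new Event(2, Call.NEXT, Group.SHARED_LIBRARY, "corelib.example.Helper:88"), // violation
            new Event(3, Call.HAS_NEXT, Group.DYNAMIC, "payload.Loader:5"),
            new Event(3, Call.NEXT, Group.DYNAMIC, "payload.Loader:6"),
            new Event(4, Call.NEXT, Group.DYNAMIC, "payload.Loader:9"));               // violation
        System.out.println("static weaving (APK only): "
            + violations(trace, EnumSet.of(Group.APK)));
        System.out.println("load-time weaving (all groups): "
            + violations(trace, EnumSet.allOf(Group.class)));
    }
}
```

On this constructed trace the APK-only run reports one site and the all-groups run reports three; the two it adds lie in the shared-library and dynamically loaded classes.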
The importance of using load-time weaving is even more remarked by Figure 4, which shows our results on the malware. For this application, static weaving can cover only a single

⁸ In Aspect-Oriented Programming (AOP), the term join point refers to any identifiable execution point in a system. As all three tools rely on AOP, we use this terminology in the paper.