[Figure: bar charts (a) Join point shadows and (b) Join point executions; x-axis: Property (HasNext, SafeEnum, SafeSyncMap, UnsafeIterator, UnsafeMapIterator); y-axis: %; legend: APK, Shared, Dynamic.]
Fig. 3. Percentage of join points for GMS, broken down by bytecode group, for the five considered properties of JavaMOP. In the legend, APK, Shared and Dynamic refer to join points in APK classes, system libraries and dynamically loaded classes, respectively.

[Figure: bar charts (a) Join point shadows and (b) Join point executions; x-axis: Property (HasNext, SafeEnum, SafeSyncMap, UnsafeIterator, UnsafeMapIterator); y-axis: %; legend: APK, Shared, Dynamic.]
Fig. 4. Percentage of join points for the malware, broken down by bytecode group, for the five considered properties of JavaMOP.
TABLE II
JOIN POINT SHADOWS AND EXECUTIONS.
[Table: rows are the properties HasNext, SafeEnum, SafeSyncMap, UnsafeIterator and UnsafeMapIterator, for GMS and for the malware; columns are Join Point Shadows (APK, Shared, Dynamic) and Join Point Executions (APK, Shared, Dynamic).]

join point shadow of the SafeSyncMap property, which is not executed at runtime.

As shown by Figures 4(a) and 4(b), ~90% of join points are contained and executed in shared libraries, while the remainder refers to dynamically loaded code. In this kind of application, static weaving is not able to cover any code, being unable to identify any property violation. Detailed numerical results on join point shadows and executions can be found in Table II.

Overall, our results show that employing static weaving (as done in RV-Droid and RV-Android) results in limited coverage of the monitoring code, while load-time weaving—a core part of ADRENALIN-RV—guarantees that all executed bytecode is monitored. The extended bytecode coverage enables ADRENALIN-RV to identify property violations that cannot be detected by RV-Droid and RV-Android, as shown in the next section.

B. Violation Detection

In this section, we show how ADRENALIN-RV can unveil a property violation that cannot be detected by related tools. We take the Android malware introduced above as monitored application. As for the violation, we focus on information leaks, i.e., unauthorized transmissions of private data (such as device ID, contacts, messages, etc.) to an untrusted party. Information leaks represent one of the major security concerns of Android applications.

We define the Information Leak property as follows: no private data from a pre-defined set of Android APIs must be sent to a third party. To monitor violations of such property, we define two events of interest: DataSource (i.e., information about private data is obtained) and DataSink (i.e., data is sent over a transmission channel). For this use case, we focus in particular on the transmission of the device ID over the network.

Figure 5 shows snippets of DiSL code⁹ defining the two events, which can be added as RV specs in ADRENALIN-RV.

⁹ Intuitively, DiSL uses an AOP notation to express instrumentation code. A description of the DiSL language is not in the scope of this paper. We refer the reader to [8] for related information.
The first snippet (lines 2–7) detects all calls to TelephonyManager.getDeviceId() (which allows retrieving the ID of an Android device) inside application code by instrumenting all invocations with such method as parameter.¹⁰ Hence, this snippet makes it possible to monitor the event DataSource referring to the device ID. When such an event is triggered, the instrumentation code stores the device ID to check at a later time whether such information is sent over the network.¹¹ Thanks to load-time weaving, ADRENALIN-RV can detect the event in any class, including dynamically loaded classes. This is particularly important for this target application, as it generates many libraries at runtime, loading classes from such libraries dynamically. In the presence of such a behavior, tools relying on static weaving are likely to detect no violations, as they cannot monitor most of the classes loaded by the application.

The second code snippet (lines 10–15) refers to instrumentation code for the event DataSink. In particular, ADRENALIN-RV instruments the method sendTo of class libcore.io.IoBridge (used for writing data over files), and checks whether 1) data is sent over a socket, and 2) the information sent is the device ID stored by the first code snippet.¹² As the name suggests, libcore.io.IoBridge is a library class, shared by all Android applications. As such, it cannot be instrumented by related tools. Without the possibility to instrument shared libraries, the instrumentation would have to detect all call sites of libcore.io.IoBridge and verify whether the communication occurs through sockets. Still, such call sites may be included in dynamically generated classes, requiring load-time weaving to be detected.

Intuitively, violations of the Information Leak property occur if a DataSink is observed after a DataSource. By monitoring the malware with ADRENALIN-RV, we were able to find a violation of the property. Figure 6 shows a portion of the method call trace related to the events DataSink and DataSource.¹³ The figure shows that the device ID is retrieved in com.jfdlplapk.by.b() (event DataSource detected), and is sent over a socket in com.jfdlplapk.au.a() (event DataSink detected). The property violation occurs in dynamically generated (and loaded) classes. As a result, related tools such as RV-Droid and RV-Android are not able to detect such a violation.
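
The paper represents its instrumentation code with a class Monitor whose details it omits. The following is an added example, not the authors' code, of how such a monitor could check the Information Leak property (a DataSink carrying a value stored at an earlier DataSource). The method signatures, the isSocket flag and the sample device ID are assumptions; the two method names in main are taken from the call trace of Fig. 6.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical monitor for the Information Leak property (added example). */
public final class Monitor {
    // Private values seen at DataSource events, mapped to the method that read them.
    private static final Map<String, String> sources = new LinkedHashMap<>();
    private static final List<String> violations = new ArrayList<>();

    /** DataSource event: remember the private value and where it was obtained. */
    public static synchronized void newDataSource(String value, String method) {
        if (value != null && !value.isEmpty()) sources.putIfAbsent(value, method);
    }

    /** DataSink event: a violation is a socket write that carries a stored value. */
    public static synchronized void newDataSink(byte[] data, boolean isSocket, String method) {
        if (!isSocket || data == null) return;  // writes to files are not reported
        // Plain substring match: an encoded or encrypted copy of the value is missed.
        String text = new String(data, StandardCharsets.ISO_8859_1);
        for (Map.Entry<String, String> src : sources.entrySet()) {
            if (text.contains(src.getKey())) {
                violations.add("InformationLeak: value read in " + src.getValue()
                        + " sent over a socket in " + method);
            }
        }
    }

    public static synchronized List<String> violations() {
        return new ArrayList<>(violations);
    }

    public static void main(String[] args) {
        String deviceId = "000000000000000";  // constructed sample device ID
        byte[] msg = ("id=" + deviceId).getBytes(StandardCharsets.ISO_8859_1);
        newDataSink(msg, true, "com/jfdlplapk/au.a");   // sink before source: nothing stored yet
        newDataSource(deviceId, "com/jfdlplapk/by.b");  // DataSource event
        newDataSink(msg, false, "com/jfdlplapk/au.a");  // file write: ignored
        newDataSink(msg, true, "com/jfdlplapk/au.a");   // DataSink after DataSource
        violations().forEach(System.out::println);
    }
}
```

Only the last call in main satisfies both conditions from the text (data sent over a socket, and the payload contains the stored device ID), so it is the only one recorded as a violation.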
VI. LESSONS LEARNED

While developing and evaluating ADRENALIN-RV, we learned several lessons. We summarize them in the following text.
¹⁰ DeviceIdGuard, here not shown, specifies that only calls to TelephonyManager.getDeviceId() must be detected.
¹¹ Details of the instrumentation code are not of interest in this paper. We represent instrumentation code with the class Monitor and its methods, and omit further details for clarity.
¹² Note that ADRENALIN-RV can also instrument invocations to libcore.io.IoBridge done via reflection.
¹³ The call trace has been generated by ADRENALIN-RV by inserting monitoring code at every method enter and exit to identify methods in which DataSink and DataSource occur.

 1  // DataSource event
 2  @Before(marker = BytecodeMarker.class,
 3          guard = DeviceIdGuard.class,
 4          args = ...)
 5  public static void getDeviceId() {
 6      Monitor.newDataSource(...);
 7  }
 8
 9  // DataSink event
10  @AfterReturning(marker = BodyMarker.class,
11          scope = ...)
12  public static void sendto(...) {
13      // Some implementation details omitted
14      Monitor.newDataSink(..., paraInfo);
15  }
Fig. 5. DiSL code snippets for the DataSource and DataSink properties.

com/jfdlplapk/g.run
com/jfdlplapk/f.b
com/jfdlplapk/by.e
com/jfdlplapk/by.b  *DataSource*  <-----
com/jfdlplapk/by.c
com/jfdlplapk/bn.c
com/jfdlplapk/by.b
com/jfdlplapk/by.a
com/jfdlplapk/by.a
com/jfdlplapk/by.a
com/jfdlplapk/bo.b
com/jfdlplapk/bo.a
com/jfdlplapk/bn.b
com/jfdlplapk/by.b
com/jfdlplapk/by.a
com/jfdlplapk/au.a
com/jfdlplapk/au.a  *DataSink*  <-----
Fig. 6. Portion of the method call trace related to events DataSource and DataSink.

A. Static weaving is limited

Our evaluation results show that static weaving can cover only a limited set of join points for several evaluated properties. Therefore, tools relying on static weaving are not able to fully monitor an Android application. This limitation is removed with load-time weaving, which is able to monitor system libraries¹⁴ and dynamically loaded classes, in addition to standard APK classes. While it is easier to use static weaving, runtime verification tools for Android should rely on load-time weaving to increase their code coverage.

¹⁴ While shared libraries could in principle be instrumented with static weaving, this would be inconvenient, as it would require to rebuild the system at each instrumentation.

B. Load-time weaving is challenging

While offering an extended code coverage wrt. static weaving, it is not straightforward to develop tools based on load-time weaving. We encountered several challenges in implementing load-time weaving on the Android platform, which required modifications to the Android runtimes to hook class loading. Moreover, obtaining full coverage in Android necessarily requires the ability to instrument system libraries that are shared among all applications. Still, the analysis needs a way to exclude code of shared libraries executed by applications not being monitored, such as the bypassing mechanism used by ADRENALIN-RV. In general, enabling load-time weaving on Android requires careful design decisions.

C. Monitoring dynamically loaded classes is important

When evaluating ADRENALIN-RV, we encountered several applications that load bytecode dynamically for different needs. In some applications, the bytecode needed for execution is very large, and exceeds the maximum allowed bytecodes in a single method of a DEX class (64K bytecodes). One solution to this problem is to store extra bytecodes in the installation package and load them at runtime. Some applications rely on third-party libraries that download bytecodes from a remote server. For example, the AdMob¹⁵ advertisement library from Google follows this behavior, and is often used by Android applications. Another case when classes are dynamically loaded consists in application updates, which require the application to load the new bytecode dynamically. In addition, some malicious applications may load classes dynamically to avoid being detected by anti-virus tools using static checking. Overall, runtime verification tools should not overlook dynamically loaded classes, as they are frequently present in several Android applications and can contain violations that would remain undetected otherwise.

VII. RELATED WORK

In the mobile-phone market, a dominant share is composed of Android applications. This fact has stimulated the development of malicious applications, particularly targeting device integrity and user privacy. To combat this threat, researchers have developed tools aimed at identifying malicious software on the Android platform using runtime verification [10], [11]. Such tools rely on the AspectJ instrumentation framework [12] to weave monitoring code in application classes. However, it has been shown that AspectJ offers only limited bytecode coverage [13], particularly being unable to instrument the core class library. In contrast, ADRENALIN-RV does not present this limitation, as it relies on DiSL for instrumentation and on a custom modification of the Android VMs for intercepting class loading.

The aspect bench compiler (abc) [14] is an extensible AspectJ compiler that makes it possible to add new features. It uses the Polyglot [15] framework as its front-end and the Soot framework [16] as its back-end for improving code generation. It can be applied on Android applications to detect security and privacy violations [11]. However, like AspectJ, abc also suffers from the limitations outlined above.

RV-Droid [5] is a runtime verification tool for Android built upon an in-house version of AspectJ suited for Android instrumentation. The tool is based on JavaMOP [17]—a runtime verification tool for the JVM—to produce monitoring libraries. Apart from security properties, it enables one to monitor a general set of properties suited for correct implementation, debugging, statistics, etc. RV-Android [6] is another tool targeting safety properties in Android applications. Similarly to RV-Droid, it uses AspectJ for instrumentation. Both tools are based on static weaving, restricted to classes contained in application APK files. In contrast, ADRENALIN-RV employs load-time weaving, extending the coverage to core libraries and to dynamically loaded code.

¹⁵ AdMob is a Google mobile advertising platform specifically designed for mobile apps. More details can be found at https://www.google.com/admob/.

Monitor-Me [18] identifies software threats through a first-order logic abstraction of malware behavior. It uses an Android interception tool to capture any system-level event triggered by an application. For intercepting the system calls, Monitor-Me uses a custom kernel module to probe the calls. In contrast, our approach is based on bytecode instrumentation and does not require any modification to the Android kernel (only the VM needs to be modified).

Raindroid [19] uses a combination of static analysis and runtime verification to identify communication patterns susceptible to malicious attacks. StaDynA [20] complements static and dynamic analysis techniques by computing inter-procedural call graphs that can be used by external tools to monitor malware. While StaDynA focuses on building method call graphs, ADRENALIN-RV weaves monitor at runtime to verify safety properties.

In prior work, we presented a bytecode instrumentation framework for Android [9]. The framework provides a high-level programming model and abstractions for developing dynamic program analyses for the Android platform. ADRENALIN-RV focuses on runtime verification, providing a set of properties that can be readily verified on Android applications. While the framework analyzes the application on an external machine, ADRENALIN-RV monitors the application inside the target VM, resulting in a lower overhead than our previous framework, at the cost of a higher memory footprint. We also developed a compiler that translates runtime-verification aspects written in AspectJ to DiSL [13]. The compiler makes it possible to use existing, unmodified runtime verification tools on top of the DiSL framework to bypass the limitations of AspectJ. Unfortunately, the support offered by the compiler is limited to a subset of AspectJ constructs (e.g., around advice and inter-type declarations are not supported). Hence, existing AspectJ-based tools cannot be fully adapted for the Android platform. ADRENALIN-RV is not based on our previous compiler; it implements monitoring code in DiSL.

VIII. CONCLUDING REMARKS

In this paper, we have presented ADRENALIN-RV, a new runtime verification tool for Android. In contrast to related tools, ADRENALIN-RV is based on load-time weaving, which makes it possible to instrument all loaded classes, including classes in the core library, dynamically generated classes, and classes downloaded from remote servers. Evaluation results show that ADRENALIN-RV offers an increased code coverage with respect to other runtime validation tools for Android. ADRENALIN-RV is currently in a research prototype state. As part of our future work, we plan to gradually expand ADRENALIN-RV by adding more properties. The tool and more information can be found at our website.¹⁶

The current version of ADRENALIN-RV presents some limitations, which we discuss in the following text. When monitoring some applications, the bytecode retargeting tools used by ADRENALIN-RV (i.e., dex2jar and dx) can fail during the bytecode transformation. Due to this error, it is not possible to fully monitor some applications. We note that this issue does not arise from bugs in ADRENALIN-RV, but from third-party software. Our tool requires modification to the Android runtimes to intercept class loading. While this modification enables load-time weaving on Android, it requires the possibility to apply a patch and recompile the operating system, which might not be possible for some users. Finally, while the support for the DVM is solid, the support for the ART is currently experimental. We plan to make our project open source and improve support for ART in the near future.

ACKNOWLEDGMENT
The work presented in this paper was supported by Oracle (ERO project 1332), by the Swiss National Science Foundation (project 200021141002), by the European Commission (contract ACP2-GA-2013-605442), and by the Federal Commission for Scholarships for Foreign Students (Swiss Government Excellence Scholarship, ESKAS No. 2015.0989).

¹⁶ http://haiyang-sun.github.io/tool/intro.html

REFERENCES
[1] C. Colombo, G. J. Pace, and G. Schneider, “LARVA—safer monitoring of real-time Java programs (tool paper),” in SEFM, 2009, pp. 33–37.
[2] G. Reger, H. C. Cruz, and D. Rydeheard, “MARQ: monitoring at runtime with QEA,” in TACAS, pp. 596–610.
[3] C. Xiang, Z. Qi, and W. Binder, “Flexible and extensible runtime verification for java (extended version),” International Journal of Software Engineering and Knowledge Engineering, vol. 25, no. 09n10, pp. 1595–1609, 2015.
[4] M. Kim, S. Kannan, I. Lee, O. Sokolsky, and M. Viswanathan, “Java-mac,” Electronic Notes in Theoretical Computer Science, pp. 218–235, 2001.
[5] Y. Falcone, S. Currea, and M. Jaber, “Runtime verification and enforcement for Android applications with RV-Droid,” in RV, 2013, pp. 88–95.
[6] P. Daian, Y. Falcone, P. Meredith, T. F. Şerbănuţă, S. Shiriashi, A. Iwai, and G. Rosu, “Rv-android: efficient parametric android runtime verification, a brief tutorial,” in RV, 2015, pp. 342–357.
[7] F. Di Cerbo, A. Girardello, F. Michahelles, and S. Voronkova, “Detection of malicious applications on Android OS,” in IWCF, 2010, pp. 138–149.
[8] L. Marek, A. Villazón, Y. Zheng, D. Ansaloni, W. Binder, and Z. Qi, “DiSL: A Domain-specific Language for Bytecode Instrumentation,” in AOSD, 2012, pp. 239–250.
[9] H. Sun, Y. Zheng, L. Bulej, A. Villazón, Z. Qi, P. Tůma, and W. Binder, “A programming model and framework for comprehensive dynamic analysis on Android,” in MODULARITY, 2015, pp. 133–145.
[10] Y. Falcone and S. Currea, “WeaveDroid: Aspect-oriented programming on android devices: fully embedded or in the cloud,” in ASE, 2012, pp. 350–353.
[11] S. Arzt, S. Rasthofer, and E. Bodden, “Instrumenting Android and Java applications as easy as abc,” in RV, 2013, pp. 364–381.
[12] G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm, and W. G. Griswold, “An overview of AspectJ,” in ECOOP, 2001, pp. 327–353.
[13] O. Javed, Y. Zheng, A. Rosà, H. Sun, and W. Binder, “Extended code coverage for AspectJ-based runtime verification tools,” in RV, 2016, pp. 219–234.
[14] P. Avgustinov, A. S. Christensen, L. Hendren, S. Kuzins, J. Lhoták, O. Lhoták, O. de Moor, D. Sereni, G. Sittampalam, and J. Tibble, “abc: An extensible AspectJ compiler,” in AOSD, 2005, pp. 87–98.
[15] N. Nystrom, M. R. Clarkson, and A. C. Myers, “Polyglot: An extensible compiler framework for Java,” in CC, 2003, pp. 138–152.
[16] R. Vallée-Rai, E. Gagnon, L. Hendren, P. Lam, P. Pominville, and V. Sundaresan, “Optimizing Java bytecode using the soot framework: is it feasible?” in CC, 2000, pp. 18–34.
[17] D. Jin, P. O. N. Meredith, C. Lee, and G. Roşu, “JavaMOP: Efficient parametric runtime monitoring framework,” in ICSE, 2012, pp. 1427–1430.
[18] J.-C. Küster and A. Bauer, “Monitoring real Android malware,” in RV, 2015, pp. 136–152.
[19] B. Schmerl, J. Gennari, J. Cámara, and D. Garlan, “Raindroid: A system for run-time mitigation of Android intent vulnerabilities [poster],” in HotSos, 2016, pp. 115–117.
[20] Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, B. Crispo, and F. Massacci, “StaDynA: Addressing the problem of dynamic code updates in the security analysis of Android applications,” in CODASPY, 2015, pp. 37–48.