Timeliner“TippedOffbyYourMemoryAllocator”:

Device-WideUserActivitySequencingfromAndroidMemoryImages

RohitBhatia,BrendanSaltaformaggio,SeungJeiYang,AishaAli-Gombe,XiangyuZhang,DongyanXu,

GoldenG.RichardIII

ImportanceofaTimeline

CrimeSceneReconstruction

"involvesevaluatingthecontextofasceneandthephysicalevidencefoundthereinanefforttoidentifywhatoccurredandinwhatorderitoccurred.“

Call/Messagedatabase,Webbrowsing,Chatlogs

ImportanceofaTimeline

AppSpecificLogs

CoarseGrainedActions

NotaDevice-WideTimeline

Call/Messagedatabase,Webbrowsing,Chatlogs

Isthisacrime?NOWhatifappisterminated?Isthisacrime?POSSIBLY–DistractedDriving

ImportanceofaDevice-WideTimeline

Cybercrimestypicallyinvolveavarietyofmobileapps,withcomplexsequencingofuser-actions

NeedaDevice-Widesolutiontorecoverpastuser-actionsthatisnotinfluenceablebythedevice-owner

Netflix

Maps

Persistentstorageisnotenoughtore-sequenceadevice-widetimeline

MemoryForensics

Timelinercomplementsexistingmemoryforensictechniques

GUITAR[CCS2015]BestPaper

VCR[CCS2015] RETROSCOPE[UsenixSec.2016]

DSCRETE[UsenixSec.2014]BestStudentPaper

ActivitiesAsUser-Actions

ActivitiesareAndroidabstractionsfora“single,focusedthingausercando”

WhatsApp VoipActivity RecordAudio CameraActivity

Signal ConversationList Conversation ShareActivity

Dialer InCallActivity CallLogActivity CallDetailActivity

Chase AccountsActivity TransferActivity QuickDepositStart

Netflix HomeActivity SearchActivity MovieDetails

SomeApplicationsandaFewExampleActivities

Android

Apps

ActivitiesAsUser-Actions

ActivitiesareAndroidabstractionsfora“single,focusedthingausercando”

ActivityLifecyclehandledbyActivityManagerServicewhichprovidesdevice-widesupervision

ActivityManagerService

ActivityStackAsASolution?

NoorderingavailablebetweendifferentActivityStacks

ActivityStackscontainthecurrentstate,andnotthepaststate–whichiswhatwewant

DialContactsActivity HomeActivity

SearchActivity

MovieDetailsActivity

Dialer Netflix(Current)

Android

Apps

Timeliner

TimelinerrecoversActivitiesusingkeyself-identifyingdatastructures

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

Timeliner

TimelinerrecoversActivitiesusingkeyself-identifyingdatastructures

Inferorderingbasedonallocatedlocationsinmemory

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

Launcher

Timeliner

Android

Apps

ResidualDataStructures

ActivityManagerService

MovieDetailsActivity

Android

Apps

ResidualDataStructures

ActivityManagerService

MovieDetailsActivity

Android

Apps

ResidualDataStructures

ActivityManagerService

MovieDetailsActivity

Android

Apps

ResidualDataStructures

ActivityManagerService

Roots

Field/ValueMatches

MovieDetailsActivity

Android

Apps

ResidualDataStructures

ActivityManagerService

MovieDetailsActivitynetflix.ui.MovieDetailsActivity

“First-Available”Allocation

InCallActivity

DialContactsActivity

Launcher

SizeA SizeB SizeC

MemoryAllocator

TemporalOrderingFromSpatialOrdering

{ (r1,a1),(r2,a2),(r3,a3)}

{ (r1,b1),(r2,b2),(r3,b3)}

{ (r1,c1),(r2,c2),(r3,c3)}

InCallActivity

DialContactsActivity

Launcher

SizeA SizeB SizeC

MemoryAllocator

TemporalOrderingFromSpatialOrdering

TransitionGraph

allPrecede(e,f)=|{r|(r,m)∈e∧(r,n)∈f∧max(m)<min(n)}|anySucceed(e,f)=|{r|(r,m)∈e∧(r,n)∈f∧max(m)>min(n)}|

2

3

3

InCallActivity

DialContactsActivity

Launcher

SizeA SizeB SizeC

MemoryAllocator

PruningErroneousEdges

TransitionGraph

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

4

2

3

3

Launcher

1

ErroneousEdge

PruningErroneousEdges

Launcher

PlayerActivity

MovieDetailsActivity

TransitionGraph

4

SizeA SizeB SizeC

ExistingAllocation

Launcher

PruningErroneousEdges

Launcher

DialContactsActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

4

31

SizeA SizeB SizeC

ExistingAllocation

Launcher

ErroneousEdge

PruningErroneousEdges

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

4

2

3

3

1

SizeA SizeB SizeC

ExistingAllocation

Launcher

ErroneousEdge

PruningErroneousEdges

Min-Cut

PlayerActivity

UndirectedTransitionGraph

4

2

3

3

Launcher

1

ErroneousEdge

Launcher

SizeA SizeB SizeC

ExistingAllocation

DialContactsActivity

InCallActivity

MovieDetailsActivity

PruningErroneousEdges

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

4

2

3

3

Launcher

GlobalOrdering

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

LocalOrderings

GlobalOrdering

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

TopologicalSortLauncher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

LocalOrderings

GlobalOrdering

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

TransitionGraph

TopologicalSortLauncher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

Launcher

OtherAllocations

GlobalOrdering

GlobalOrdering

TransitionGraph

TopologicalSortLauncher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

Launcher

DialContactsActivity

InCallActivity

PlayerActivity

MovieDetailsActivity

GarbageCollection SizeA SizeB SizeC

GarbageCollectedActivity

PlayerActivity

ConversationList

Conversation

GarbageCollectionfreesuppriorruns,potentiallycausingaspatialdisordering

GarbageCollection SizeA SizeB SizeC

PlayerActivity

OtherAllocations

Launcher

DialContactsActivity

InCallActivity

MovieDetailsActivity

GarbageCollection

PlayerActivity

Launcher

DialContactsActivity

InCallActivity

MovieDetailsActivity

Launcher

JoinableLocalOrderingsdonotendinGarbageCollectedActivities

PeriodofGarbageCollectionActiveUsage:41-50minutesIdle:98-112minutes

TestSequence

#ofActivityOrdered

#OfPaths

GroundTruthDistance

A 16 1 0

B 14 1 0

G 15 1 0

H 16 1 0

I 14 1 0

J 16 1 0

TestSequence

#ofActivityOrdered

#OfPaths

GroundTruthDistance

A 15 1 0

C 15 1 0

D 12 1 0

G 14 1 0

H 14 1 0

I 14 1 0

Micro-BenchmarksTestSequence

#ofActivityOrdered

#OfPaths

GroundTruthDistance

A 16 1 0

B 14 1 0

C 16 1 0

D 12 1 0

E 14 1 0

F 15 1 0

SamsungS4(Android5.0) LGG3(Android5.1) MotoG3(Android6.0)

AccurateResults

RecoveredActivityLaunchedBeforeTestSequence

10TestSequences

A-J

DesignGenerality:SpywareAttackInvestigation

BroadcastY

ActivityA

BroadcastX

ActivityB

TransitionGraph

DesignGenerality:SpywareAttackInvestigation

VideoTimeReceiver

FrontCameraActivity

StopRecordingReceiver

GmailComposeActivity

TransitionGraph

CommunicationReceiver

ConversationActivity

CallRecorderReceiver

InCallActivity

SMSSpyingService CallSpyingService

CameraPictureSpyingService

MicrophoneAudioSpyingService

CameraVideoSpyingService

DesignGenerality:Extensiontojemalloc

SizeA SizeB SizeC

Slot

Android mozjemalloc

Region

Run Run

BinBucket

“First-Available”“First-Available”

CaseStudy

Conclusion

Timelinerre-sequencesanAndroiduser’spastactions,evenforterminatedapplications

TimelinerinferstemporalorderingofActivitiesfrommemorylayoutofkeyself-identifyingdatastructures

AccuratereconstructionofvariousapplicablecrimescenariosandextensionbeyonduseractionsandAndroid

ThankYou!

Questions?RohitBhatia

bhatia13@purdue.edu