ANDROID SANDBOX
Presented by ANUSHA TUKE
Contents
Introduction
Android
Sandbox
Static software analysis vs. sandboxing
Android application sandbox
System call diagrams
Static & dynamic analysis of AASandbox
Experiments
Conclusion
References
Introduction
• Emerging trend: smartphones
- growing computational power, sensors & communication capabilities
• Threat: malware attacks
• Anti-virus: blocks viruses, worms & Trojan horses.
• Behavioural detection: signatures.
• Generating signatures: analysis of significant & meaningful patterns.
• Sandbox: execution of suspicious binaries in an isolated environment, e.g.
CWSandbox.
ANDROID
An operating system for mobile devices
Based on the Linux kernel
Developed by Google and later the Open Handset Alliance (OHA)
Allows writing managed code in the Java language
What is a Sandbox?
A sandbox is a "sealed" container which allows untrusted programs to be
executed within it without affecting the surrounding system.
Static Software Analysis vs. Sandboxing
Static analysis:
- Forensic techniques: decompilation, decryption, pattern matching.
- Filtering binaries by malicious patterns, called signatures.
- Fast & relatively simple.
- Code pattern has to be known in advance.
Sandboxing:
- Applications are run in an isolated environment (sandbox).
- Policy to stop the system in order to prevent potential damage.
- Monitoring & recording system.
- User space sandbox.
- Kernel space sandbox.
Android Application Sandbox for suspicious software detection
Located in kernel space, since access to the critical parts of the OS is
realized there.
System call hijacking: monitor system & library calls.
Android uses a modified Linux basis to host a Java-based middleware running
the user applications.
Calls are monitored on the lowest level possible.
read() system call from user space (diagram).
Hijacked read() system call (diagram).
Features
A loadable kernel module (LKM) is placed in the Android emulator environment.
The LKM is intended to hijack all available system calls.
Two-step analysis of Android applications: a fast static pre-check, then the
kernel space sandbox.
AASandbox takes an Android application archive, packaged as a *.apk file, as
input.
Java virtual machine: Dalvik.
Static analysis of AASandbox
The APK is scanned for special patterns, e.g. Runtime.exec().
Decompression: the APK is a zip file containing
- AndroidManifest.xml: descriptions, security permissions.
- classes.dex: the complete bytecode.
- res/: layout, language etc.
Decompilation: the classes.dex bytecode is converted with Baksmali into a
human-readable, easily parsable pseudocode format.
Pattern search: Java Native Interface, System.getRuntime().exec(..),
services & IPC provision, Android permissions.
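As an added example (not part of the original deck and not AASandbox's own code), the static pre-check described above as a small Python scanner: it runs the slide's pattern list (Runtime.exec(), JNI, services & IPC) over a constructed baksmali-style disassembly of a fork-bomb style activity and pulls the declared permissions from a constructed AndroidManifest.xml fragment. The class names, paths and the suspicion rule are assumptions.

```python
import re
from collections import Counter
# Constructed baksmali-style disassembly of a fork-bomb style activity (assumption:
# not real AASandbox output; class names and paths are made up for the example).
SMALI = """\
.class public Lcom/example/forkbomb/MainActivity;
.method public native spawn()V
.end method
.method public onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "/data/data/com.example.forkbomb/bomb"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-virtual {p0, v2}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
    return-void
.end method
"""
# Constructed AndroidManifest.xml fragment (assumption).
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.forkbomb">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""
# Pattern classes from the slide: Runtime.exec(), JNI, services & IPC provision.
PATTERNS = {
    "runtime_exec": re.compile(r"Ljava/lang/Runtime;->exec\("),
    "jni_native_method": re.compile(r"^\s*\.method\b.*\bnative\b"),
    "jni_load_library": re.compile(r"Ljava/lang/System;->load(Library)?\("),
    "service_ipc": re.compile(r"Landroid/content/Context;->(start|bind)Service\("),
}
PERMISSION = re.compile(r'<uses-permission\s+android:name="([^"]+)"')

def scan_smali(text):
    """Count how many disassembly lines hit each pattern class."""
    hits = Counter()
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits[name] += 1
    return dict(hits)

def scan_manifest(text):
    """Return the permissions the manifest declares, in document order."""
    return PERMISSION.findall(text)
def precheck(smali, manifest):
    """Pre-check report; flag exec() or native code (flag rule is an assumption)."""
    patterns = scan_smali(smali)
    flagged = bool({"runtime_exec", "jni_native_method", "jni_load_library"} & set(patterns))
    return {"patterns": patterns, "permissions": scan_manifest(manifest), "suspicious": flagged}
```

A hit only marks the APK for the slower dynamic step; the pre-check cannot tell a legitimate exec() of a bundled tool from the fork bomb's use of it.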
Dynamic analysis of Android applications
Prepare & start emulator
• Mobile device emulator
• AVD (Android Virtual Device) configuration
Install AASandbox
• LKM (policy)
• Inserted via ADB (Android Debug Bridge)
Install APK & start monkey
• ADB
• 500 generated events
The app is installed in the Android emulator. User inputs: the "Android Monkey"
tool generates pseudo-random streams of user events.
Experiments as examples
Example application: a self-written fork bomb; it uses Runtime.exec() to start
an external binary program.
The app is started & the analysis is done.
Static analysis: REPORTS/ForkBomb.apk/ with subdirectories like unzipped/ &
disasm/.
The log file output after static analysis.
Dynamic analysis of code
The Android emulator is started and the app is installed via
adb install ForkBomb.apk.
Android monkey is started via
adb shell monkey -p $ACTIVITY -vv --throttle 1000 500.
The output of the emulator is logged into LOGS/ForkBomb.apk-s2.log in the
format shown.
Experimental analysis
Up to 150 applications.
With this information it is now possible to create a system call histogram,
as shown.
The analysis is done on the top 150 most popular applications from the
official Android Market.
Current status: malware characteristics & behaviour known from other
platforms, e.g. Symbian OS, are analysed in the sandbox.
Conclusion
The Android emulator can be used to run Android applications in an isolated
environment.
The pre-check functionality analyses and indicates the usage of malicious
patterns in the source code.
In dynamic analysis, system calls are traced & the corresponding reports are
logged.
THANK YOU