Evading Android Emulator

Similar documents
Virtualization. Types of Interfaces

Full and Para Virtualization

Cloud Computing #6 - Virtualization

Virtualization. Jukka K. Nurminen

COS 318: Operating Systems. Virtual Machine Monitors

White Paper on NETWORK VIRTUALIZATION

Introduction to Virtual Machines

Full System Emulation:

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Virtualization. Dr. Yingwu Zhu

Is Virtualization Killing SSI Research?

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

The Art of Virtualization with Free Software

Virtualization. Pradipta De

Virtualization. Introduction to Virtualization Virtual Appliances Benefits to Virtualization Example Virtualization Products

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

Chapter 14 Virtual Machines

Basics of Virtualisation

Data Centers and Cloud Computing

COM 444 Cloud Computing

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

Introduction to Virtualization & KVM

Virtual Machines. Virtual Machines

Virtualization Technology

Virtual Hosting & Virtual Machines

Intro to Virtualization

12. Introduction to Virtual Machines

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Dynamic Load Balancing of Virtual Machines using QEMU-KVM

PERFORMANCE ANALYSIS OF KERNEL-BASED VIRTUAL MACHINE

CS 695 Topics in Virtualization and Cloud Computing. Introduction

Is Virtualization Killing SSI Research?

Compromise-as-a-Service

An Introduction to Android

Cloud Computing. Up until now

Development of Type-2 Hypervisor for MIPS64 Based Systems

Distributed and Cloud Computing

The Xen of Virtualization

Cloud Computing CS

Enabling Technologies for Distributed Computing

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

How To Understand The Power Of A Virtual Machine Monitor (Vm) In A Linux Computer System (Or A Virtualized Computer)

ANDROID OPERATING SYSTEM

IOS110. Virtualization 5/27/2014 1

M.Sc. IT Semester III VIRTUALIZATION QUESTION BANK Unit 1 1. What is virtualization? Explain the five stage virtualization process. 2.

Virtual Machines.

Cloud Computing. Chapter 8 Virtualization

Hypervisors and Virtual Machines

CS 695 Topics in Virtualization and Cloud Computing and Storage Systems. Introduction

Virtual Machines. Virtualization

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

McAfee Product Entitlement Definitions

Operating System Organization. Purpose of an OS

Distributed Systems. Virtualization. Paul Krzyzanowski

A cure for Virtual Insanity: A vendor-neutral introduction to virtualization without the hype

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

CS312 Solutions #6. March 13, 2015

Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC

Towards Trustworthy Architectures for Secure Cloud Servers and End-User Devices

Virtualization in Linux

Enabling Technologies for Distributed and Cloud Computing

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Virtualization Technologies. Embrace the new world of healthcare

Chapter 3 Operating-System Structures

This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

Microkernels, virtualization, exokernels. Tutorial 1 CSC469

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

Scaling in a Hypervisor Environment

Efficient Load Balancing using VM Migration by QEMU-KVM

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

Virtualization for Future Internet

IMCM: A Flexible Fine-Grained Adaptive Framework for Parallel Mobile Hybrid Cloud Applications

Networking for Caribbean Development

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

A hypervisor approach with real-time support to the MIPS M5150 processor

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Hypervisor-Based, Hardware-Assisted System Monitoring

Enterprise-Class Virtualization with Open Source Technologies

Virtualizing a Virtual Machine

Software Licensing in Virtual Environments. Managing the Terms of Software Use in Virtualized Systems

Virtualization Technologies (ENCS 691K Chapter 3)

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Embedded Virtualization & Cyber Security for Industrial Automation HyperSecured PC-based Control and Operation

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Data Centers and Cloud Computing. Data Centers. MGHPCC Data Center. Inside a Data Center

Virtualization. Michael Tsai 2015/06/08

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Virtualization Technology. Zhiming Shen

Hey, We Catch You: Dynamic Analysis of Android Applications. Wenjun Hu(MindMac) PacSec, Tokyo

COS 318: Operating Systems. Virtual Machine Monitors

Chapter 5 Cloud Resource Virtualization

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Virtualization for Hard Real-Time Applications Partition where you can Virtualize where you have to

ISERink Overview. Version 1.1. February 1, 2015

The MIPS architecture and virtualization

VtRES Towards Hardware Embedded Virtualization Technology: Architectural Enhancements to an ARM SoC. ESRG Embedded Systems Research Group

Transcription:

Evading Android Emulator Thanasis Petsas petsas@ics.forth.gr petsas@ics.forth.gr - www.syssec-project.eu 1

What is a Virtual Machine? A software based computer that functions like a physical machine A VM typically has two components Host OS: The host server that provides computing resources Guest OS: a separate and independent instance of an OS Hypervisor: a layer between host and guest Isolates each guest OS from another petsas@ics.forth.gr - www.syssec-project.eu 2

Traditional vs. Virtual Architecture Traditional Architecture ( Quote from VMware ) petsas@ics.forth.gr - www.syssec-project.eu 3

Traditional vs. Virtual Architecture Traditional Architecture Virtual Architecture ( Quote from VMware ) petsas@ics.forth.gr - www.syssec-project.eu 3

Why to Use a Virtual Machine? Application isolation Consolidation Better use of the Hardware Reduced energy consumption Portability Quick image cloning, running a new instance Manageability Better Software development and testing petsas@ics.forth.gr - www.syssec-project.eu 4

Android Emulator Can run virtual mobile devices on a computer mimics all of the hardware and software features of a typical mobile device petsas@ics.forth.gr - www.syssec-project.eu 5

Why to Use an Android Emulator Develop Android apps without using a device Test apps across multiple Android versions fast Automation Perform dynamic analysis of suspicious apps Isolation controlled environment Fast reversion of the environment to a clean state A lot of such tools online petsas@ics.forth.gr - www.syssec-project.eu 6

Can a Program Evade Dynamic Analysis? Evasive malware Can understand if it is running on a VM or a physical system Hides its malicious behavior when running on a VM Pieces of code used to evade dynamic analysis Red Pill able to detect a VM by detecting the hypervisor Blue Pill can shift an OS from the physical computer to a virtualized state under its control petsas@ics.forth.gr - www.syssec-project.eu 7

Evading Dynamic Analysis in Android Category Type Examples Static Pre-installed static information IMEI has a fixed value Dynamic Dynamic information does not change Sensors produce always the same value Hypervisor VM instruction emulation Native code runs differently petsas@ics.forth.gr - www.syssec-project.eu 8

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 IMEI 123456789012347 null petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 IMEI 123456789012347 null petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE IMEI 123456789012347 null DEVICE Nexus generic Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE IMEI 123456789012347 null DEVICE Nexus generic Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 petsas@ics.forth.gr - www.syssec-project.eu 9

Static Heuristics Device ID (IdH) IMEI, IMSI Current build (buildh) Fields: PRODUCT, MODEL, DEVICE Routing table (neth) virtual router address space: 10.0.2/24 Emulated network IP address: 10.0.2.15 IMEI 123456789012347 null DEVICE Nexus generic /proc/ net/tcp Ordinary network Emulated network petsas@ics.forth.gr - www.syssec-project.eu 9

Dynamic Heuristics (1/2) GPS Accelerometer Gyroscope Gravity Sensor Proximity Sensor Sensors: Rotation Vector A key difference between mobile & conventional systems new opportunities for mobile devices identification Can emulators realistically simulate device sensors? o Magnetic Field Partially: same value, equal time intervals petsas@ics.forth.gr - www.syssec-project.eu 10

Dynamic Heuristics (2/2) Sensor-based heuristics Android Activity that monitors sensors output values We implemented this algorithm for a variety of sensors Accelerometer (accelh) magnetic field (magnfh) rotation vector (rotvech), proximity (proximh) gyroscope (gyrosh) petsas@ics.forth.gr - www.syssec-project.eu 11

Hypervisor Heuristics Try to identify the virtual machine monitor Android Emulator is based on QEMU Heuristics Based on QEMU s incomplete emulation of the actual hardware Identify QEMU scheduling Identify QEMU caching behavior petsas@ics.forth.gr - www.syssec-project.eu 12

Identify QEMU Scheduling (1/2) Virtual PC in QEMU is updated only after the execution of a basic block (branch) OS scheduling does not occur during a basic block QEMU Binary Translation (BT) Detection Monitor scheduling addresses of a thread o Real Device: Various scheduling points o Emulator: A unique scheduling point BTdetectH petsas@ics.forth.gr - www.syssec-project.eu 13

Identify QEMU Scheduling (2/2) petsas@ics.forth.gr - www.syssec-project.eu 14

Identify QEMU Scheduling (2/2) Emulator: A specific scheduling point petsas@ics.forth.gr - www.syssec-project.eu 14

Identify QEMU Caching Behavior (1/2) Memory Memory I-Cache D-Cache Cache ARM x86 Device Emulator (QEMU) petsas@ics.forth.gr - www.syssec-project.eu 15

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache 2 Write new instruction at address A petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache 2 Write new instruction at address A Instr. is written to D-Cache Instr. is written to Cache petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache 2 Write new instruction at address A Instr. is written to D-Cache Instr. is written to Cache 3 Execute new instruction at address A petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache 2 Write new instruction at address A Instr. is written to D-Cache Instr. is written to Cache 3 Execute new instruction at address A Instr. is read from I-Cache Old instr.! Instr. is read from I-Cache New instr.! petsas@ics.forth.gr - www.syssec-project.eu 16

Identify QEMU Caching Behavior (2/2) 1 Execute instruction at address A Instr. is written to I-Cache Instr. is written to Cache 2 Write new instruction at address A Instr. is written to D-Cache Instr. is written to Cache 3 Execute new instruction at address A Instr. is read from I-Cache Old instr.! Device Instr. is read from I-Cache New instr.! Emulator petsas@ics.forth.gr - www.syssec-project.eu 16

Resilience of dynamic analysis tools petsas@ics.forth.gr - www.syssec-project.eu 17

Countermeasures Static heuristics Emulator modifications Dynamic heuristics Realistic sensor event simulation Hypervisor heuristics Accurate binary translation Hardware-assisted virtualization Hybrid application execution petsas@ics.forth.gr - www.syssec-project.eu 18

More about Emulation Evasion Check the papers Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware (Eurosec 2014) Evading Android Runtime Analysis via Sandbox Detection (ASIACCS 2014) petsas@ics.forth.gr - www.syssec-project.eu 19

Next How can we enhance an Android malware with Emulation Evasion capabilities without haven t access to the source code? petsas@ics.forth.gr - www.syssec-project.eu 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information