Presentation is loading. Please wait.

Presentation is loading. Please wait.

BareDroid Presenter: Callan Christophersen. What is BareDroid BareDroid is a system to analyse Android apps on real devices with no emulation. It uses.

Published byMartha Preston Modified over 8 years ago

Similar presentations

Presentation on theme: "BareDroid Presenter: Callan Christophersen. What is BareDroid BareDroid is a system to analyse Android apps on real devices with no emulation. It uses."— Presentation transcript:

1 BareDroid Presenter: Callan Christophersen

2 What is BareDroid BareDroid is a system to analyse Android apps on real devices with no emulation. It uses dynamic analysis techniques.

3 Purpose of BareDroid 1.Provide a feasible solution to smart malware that can detect emulators. 2.Provide the same functionality and scale for a similar price as emulators.

4 The Problem – Emulator Detection 1.Static artefacts. (e.g. flags) 2.Dynamic artefacts. (e.g. sensor input) 3.Hypervisor artefacts. (e.g. caching policies)

5 Problem 1 - Static artefacts An emulator can be discovered by: – Checking the number of cores. Most emulators only report one. – Checking the build model: build.MODEL =="google_sdk” (google bouncer). – Checking the sim IMSI or IMEI for GSM devices. – Checking if the device supports USB OTG. No emulator supports this. – Checking the network hardware configuration. Solution: Build more complete emulators or simply use real devices to test with.

6 Problem 2 - Dynamic artefacts Emulators can be detected by checking: – Can the device receive SMS. – Does the GPS fix ever change. Does the number of satellites change. – Do the WiFi/Bluetooth/RFC connections ever change. – Does the device move. Accelerometer, tested by making device vibrate – Does putting load on the CPU cause a change in the internal voltage. – Does the battery experience drain… and so on… Solution: It is very very hard to emulate all these thing to the point where if your emulator does not perfectly resemble a real device, it can be fingerprinted and evaded. So either build the perfect emulator or test on real devices.

7 Problem 3 - Hypervisor artefacts Fingerprinting the hypervisor: – Behavioural fingerprints: CPU has a known bug which is not emulated Model-Specific Registers. E.g. if the emulator allows you to use a register that the real CPU would not. – Timing attacks: Relative performance differences between hypervisors and real devices can be detected and this ratio can be used to identified the hypervisor. E.g. Qemu. – Hardware Specific Values: Peripherals such as IDE/SCSI devices must be emulated to be used. These devices are usually emulated in a characteristic way which means that these characteristics can be used to identify a specific hypervisor. Solution: it is not clear that these issues can ever be overcome by better engineering of hypervisors. We can however test apps with real devices.

8 So why do we use emulators? Speed. Emulators can be reset to a known safe state very fast. Scalability. Emulators can be copied to scale horizontally cheaply. To compete BareDroid would need to be able to reset real devices fast. To be feasible BareDroid would need to scale for a similar price point. – BareDroid does scale for less than twice the price of emulators.

9 How BareDroid works The data that needs to be restored can be seen as a set of partitions. BareDroid relies on a kernel-level mechanism to lock a partition (mark it read only). BareDroid treats the system partitions differently from the user partitions. – System partitions use a chain of trust. (modified infrequently) – User partitions use a swap system. (modified frequently)

10 System Partitions Rarely modified. Since they contain: – Bootloader, Recovery, kernel etc. An initial partition is restored to a safe state and it is then used to check a subsequent partition. This process iterates over all system partitions. The checks are simply a verification that the data of the partition has been signed with one of the keys in the embedded keystore such as the OEM key. If a check fails then that partition is restored. S1S2S3Sn Checks Checks… …

11 DM-Verity Dm-verity is a kernel mechanism which verifies each block of the system partition against a hash tree. Where the root hash has been verified by the previous partition. The system partition is checked in this way because of its size. Performing this kind of check allows this partition to be checked as it is being accessed.

12 User Partitions U 1, U 2, U 3, U 4, U 5, U 6, …, U n U’ 1, U’ 2, U’ 3, U’ 4, U’ 5, U’ 6, …, U’ n Û 1, Û 2, Û 3, Û 4, Û 5, Û 6, …, Û n App tested here Background thread restores U i ’ from Û i Dirty copy Clean copy Background thread restores U i from Û i Modified often since they contain all the user data like the apps. To allow for fast(er) restore times 3 copies of each partition are used: 1.A permanent clean copy, Û. Kernel lock is needed here. 2.A testing copy, U. 3.A copy to be restored, U’.

13 Restoring a partition When one of the checks fails the partition that the check refers to must be re-flashed. In the case of user partitions this happens automatically for each new analysis. In the case of the system partitions, these must be re-flashed between analyses. – This performance hit is not very great since the system partitions are typically quite small.

14 Mass analysis BareDroid operates in a phone cloud where management software starts the BareDroid process on each device and loads the apps to be tested. The management software interacts with the devices over ADB.

15 Evaluation – Analysis Technique BareDroid’s analysis is based on a modification to the SELinux policy for keeping records of system calls. From the results BareDroid can use this to determine if an app has done something malicious.

16 Evaluation – Effectiveness Table of known emulator sensitive malware file actions and their detections. *App crashed upon start, possibly due to emulator checks.

17 What if SELinux breaks? Then the Kernel lock on Û will no longer work. – A fix for this is to periodically check the hash of Û. An attacker could target the aboot partition and others trying to avoid BareDroid’s partition checks. – This would most likely be discovered since it would cause an irregular boot. In addition to this it is unlikely that an attacker would use a Linux kernel zero-day just to target BareDroid when they would most likely be caught. – BareDroid could recover by simply hard rebooting.

18 Evaluation - Speed According to Dr Robert Sheehan at UOA: “a response time of 0.2 seconds is noticeable, more than 5 seconds is unacceptable.” Well… Checking and restoring step: – With no errors: 31.762 Seconds – If dm-verity detects errors: 94.922 Seconds Full device restore: 141.268 Seconds Emulator restore: ~1 Second

19 Evaluation - Cost BareDroid cost per device: US $349 Emulator-based system cost per CPU: US $300

20 Improvements BareDroid could be stored and run from network shared drives in servers. This would considerably speed up the restore process. It would also remove the need for on device code for restores making previously discussed attacks impossible. Disadvantages: – Increased cost. The hardware required isn’t cheap. – Because of the commonality of the hardware involved the fingerprintability of BareDroid would be increased.

21 References Android source site: https://source.android.com/security/ https://source.android.com/security/ Detecting System Emulators by Thomas Raffetseder, Christopher Kruegel, and Engin Kirda: http://192.35.222.224/newweb/~chris/research/ doc/isc07_detection.pdf http://192.35.222.224/newweb/~chris/research/ doc/isc07_detection.pdf BareDroid paper available on course webpage: https://www.cs.ucsb.edu/~vigna/publications/20 15_ACSAC_Baredroid.pdf https://www.cs.ucsb.edu/~vigna/publications/20 15_ACSAC_Baredroid.pdf

22 Thanks Questions?

Download ppt "BareDroid Presenter: Callan Christophersen. What is BareDroid BareDroid is a system to analyse Android apps on real devices with no emulation. It uses."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Lectures on File Management

Lectures on File Management
Computer System Organization Computer-system operation – One or more CPUs, device controllers connect through common bus providing access to shared memory.

Computer System Organization Computer-system operation – One or more CPUs, device controllers connect through common bus providing access to shared memory.
 RAID stands for Redundant Array of Independent Disks  A system of arranging multiple disks for redundancy (or performance)  Term first coined in 1987.

 RAID stands for Redundant Array of Independent Disks  A system of arranging multiple disks for redundancy (or performance)  Term first coined in 1987.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Soft. Eng. II, Spr. 2002Dr Driss Kettani, from I. Sommerville1 CSC-3325: Chapter 9 Title : Reliability Reading: I. Sommerville, Chap. 16, 17 and 18.

Soft. Eng. II, Spr. 2002Dr Driss Kettani, from I. Sommerville1 CSC-3325: Chapter 9 Title : Reliability Reading: I. Sommerville, Chap. 16, 17 and 18.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Instructions Slides 3,4,5 are general questions that you should be able to answer. Use slides 6-27 to answer the questions. Write your answers in a separate.

Instructions Slides 3,4,5 are general questions that you should be able to answer. Use slides 6-27 to answer the questions. Write your answers in a separate.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
Presentation By Deepak Katta

Presentation By Deepak Katta
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot

Similar presentations

Ads by Google