small footprint inspection techniques for android
play

Small footprint inspection techniques for Android Damien Cauquil, - PowerPoint PPT Presentation

Nov 17, 2022 •886 likes •1.23k views

Reverse engineering and side effects Reverse engineering on Android Minimal footprint techniques Fino approach and implementation Demo Small footprint inspection techniques for Android Damien Cauquil, Pierre Jaury 29C3 December 29, 2012

  1. Reverse engineering and side effects Reverse engineering on Android Minimal footprint techniques Fino approach and implementation Demo Small footprint inspection techniques for Android Damien Cauquil, Pierre Jaury 29C3 December 29, 2012 Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 1 / 33

  2. Reverse engineering and side effects Reverse engineering on Android Minimal footprint techniques Fino approach and implementation Demo Introduction Damien Cauquil Company Sysdream (head of research) Twitter @virtualabs Blog http://virtualabs.fr Pierre Jaury Company Sysdream Twitter @kaiyou Blog http://kaiyou.org Sysdream, IT security services Location Paris, France Website http://sysdream.com Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 2 / 33

  3. Table Of Contents 1 Reverse engineering and side effects 2 Reverse engineering on Android 3 Minimal footprint techniques 4 Fino approach and implementation 5 Demo

  4. Reverse engineering and side effects 1 Reverse engineering and side effects Why reverse engineering? Static or dynamic analysis? It is all a matter of physics Side effects amplification 2 Reverse engineering on Android 3 Minimal footprint techniques 4 Fino approach and implementation 5 Demo

  5. Reverse engineering and side effects Why reverse engineering? Reverse engineering on Android Static or dynamic analysis? Minimal footprint techniques It is all a matter of physics Fino approach and implementation Side effects amplification Demo Why reverse engineering? Curiosity Security assessment Cracking Interoperability . . . → Exploring the internals → Understanding the program Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 5 / 33

  6. Reverse engineering and side effects Why reverse engineering? Reverse engineering on Android Static or dynamic analysis? Minimal footprint techniques It is all a matter of physics Fino approach and implementation Side effects amplification Demo Static or dynamic analysis? Static analysis Dynamic analysis Look at the program Monitor what is available Explore the binary Run the program Use disassembly tools Run the program, again Read some low-level . . . (much like fuzzing) bytecode Make some other Make plenty of assumptions assumptions Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 6 / 33

  7. Reverse engineering and side effects Why reverse engineering? Reverse engineering on Android Static or dynamic analysis? Minimal footprint techniques It is all a matter of physics Fino approach and implementation Side effects amplification Demo It is all a matter of physics And those very annoying side effects Generalizing about the internals given observations Dynamic reverse engineering Physics Consider a program Consider a system Monitor the program Monitor the system Apply various actions Apply various actions Generalize about the Generalize a law program Measure uncertainty Side effects Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 7 / 33

  8. Reverse engineering and side effects Why reverse engineering? Reverse engineering on Android Static or dynamic analysis? Minimal footprint techniques It is all a matter of physics Fino approach and implementation Side effects amplification Demo Side effects amplification Anti-debugging and other very nice techniques Side effects are bad, yet one might enjoy. . . amplifying them on purpose making them terrible in non-native environments creating new sources of side effects targetting tricky sources of side effects putting analysts in terribly hairy situations → anti-debugging Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 8 / 33

  9. Reverse engineering on Android 1 Reverse engineering and side effects 2 Reverse engineering on Android State of the art Android reverse cookbook Why so unsatisfied? 3 Minimal footprint techniques 4 Fino approach and implementation 5 Demo

  10. Reverse engineering and side effects Reverse engineering on Android State of the art Minimal footprint techniques Android reverse cookbook Fino approach and implementation Why so unsatisfied? Demo State of the art (awe)?Some tools Static analysis Dynamic analysis Smali/Baksmali Android virtual machine APK-tool ARM emulators dex2jar DDMS jd-gui APKill . . . . . . Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 10 / 33

  11. Reverse engineering and side effects Reverse engineering on Android State of the art Minimal footprint techniques Android reverse cookbook Fino approach and implementation Why so unsatisfied? Demo Android reverse cookbook The daily life of a reverse analyst Wake up Run the application on a standard device Run the application inside an emulator Inspect the memory Inspect network traffic Fetch and disassemble the package Read the dalvik dex bytecode and match it to behaviors Inject some home-cooked hooks with Smali . . . Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 11 / 33

  12. Reverse engineering and side effects Reverse engineering on Android State of the art Minimal footprint techniques Android reverse cookbook Fino approach and implementation Why so unsatisfied? Demo Why so unsatisfied? We remain bulls in china shops No proper anti-anti-debugging tools → Spend hours patching Smali code to bypass protections Heavy debugging tools that are easily detected Many unexpected side effects due to virtulization More side effects due to execution path/memory inspection Patches adding even more side effects → Biased reports Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 12 / 33

  13. Minimal footprint techniques 1 Reverse engineering and side effects 2 Reverse engineering on Android 3 Minimal footprint techniques Why go minimal? Measuring the footprint Minimizing the footprint 4 Fino approach and implementation 5 Demo

  14. Reverse engineering and side effects Reverse engineering on Android Why go minimal? Minimal footprint techniques Measuring the footprint Fino approach and implementation Minimizing the footprint Demo Why go minimal? Side effects are bad Be faster (less overhead) Be stealthier Go further Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 14 / 33

  15. Reverse engineering and side effects Reverse engineering on Android Why go minimal? Minimal footprint techniques Measuring the footprint Fino approach and implementation Minimizing the footprint Demo Measuring the footprint How much do these side effects really annoy you? Side effects are bad. How bad? Worst case scenario Most of the time State inconsistencies, Time overhead (slow down deadlocks the program) Access conflicts Space overhead (use more memory) Application crashing Concurrency constraints Device freezing Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 15 / 33

  16. Reverse engineering and side effects Reverse engineering on Android Why go minimal? Minimal footprint techniques Measuring the footprint Fino approach and implementation Minimizing the footprint Demo Minimizing the footprint (((Anti-) { 2 } )+)debugging techniques, and more Many technical responses: minimizing the space footprint → go modular! minimizing the time overhead → live aside, do not hook! avoiding state inconsistencies → always prefer pure functions! avoiding concurrency conflicts → always check the current thread! Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 16 / 33

  17. Reverse engineering and side effects Reverse engineering on Android Why go minimal? Minimal footprint techniques Measuring the footprint Fino approach and implementation Minimizing the footprint Demo Minimizing the footprint (((Anti-) { 2 } )+)debugging techniques, and more A general approach: no patch of existing bytecode simple and modular payload no interaction with unknown threads as little memory interaction as possible stick with pure functions and read access as far as possible communication only through covert channels no unintended user interaction (no graphical popup, . . . ) → remain as silent as possible Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 17 / 33

  18. Fino approach and implementation 1 Reverse engineering and side effects 2 Reverse engineering on Android 3 Minimal footprint techniques 4 Fino approach and implementation Minimal from scratch Dead code injection Covert communication Entry point discovery Fino 5 Demo

  19. Reverse engineering and side effects Minimal from scratch Reverse engineering on Android Dead code injection Minimal footprint techniques Covert communication Fino approach and implementation Entry point discovery Demo Fino Minimal from scratch Because patching is great, but. . . Usual solution for debuggers: 1 write some sketchy debugging code 2 add plenty of modules for execution and memory inspection 3 note the many side effects and anti-debugging snippets 4 patch the debugger, then go to 2 A somehow different approach: 1 put avoiding side effects as a core design choice 2 write a modular debugging framework 3 add less modules because of the design constraints Damien Cauquil, Pierre Jaury Small footprint inspection techniques for Android 19 / 33

Recommend

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich Olga Gadyatskaya RAID 2016 Sensitive Resource Protection in Android Android is the most popular mobile OS: - ~ 2 billion of third-party apps

523 views • 24 slides
Mul$media Techniques in Android Some of the informa$on in

Mul$media Techniques in Android Some of the informa$on in

Mul$media Techniques in Android Some of the informa$on in this sec$on is adapted from WiseAndroid.com Mul$media Support Android provides comprehensive

361 views • 17 slides
Android UI Development: Tips, Tricks, and Techniques Romain Guy Chet Haase Android UI Toolkit

Android UI Development: Tips, Tricks, and Techniques Romain Guy Chet Haase Android UI Toolkit

Android UI Development: Tips, Tricks, and Techniques Romain Guy Chet Haase Android UI Toolkit Team Google Android UI Development: c i f i r r Tips, Tricks, and Techniques e T y l l a t o T Romain Guy Chet Haase Android UI

498 views • 38 slides
To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights(

To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights(

ACM#Asia#Conf.#on#Comp.#and#Comm.#Security#( AsiaCCS ),#Auckland,#Jul#2019# To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights( Daoyuan'Wu 1 ,#Debin Gao 1 ,#Eric#K.#T.#Cheng 2 ,# Yichen Cao 3

332 views • 21 slides
Te Testing and Inspection Te Techniques fo for Transportation and Offshore an and Mar arin

Te Testing and Inspection Te Techniques fo for Transportation and Offshore an and Mar arin

Te Testing and Inspection Te Techniques fo for Transportation and Offshore an and Mar arin ine Structures Mo Mohammad S. Khan, Ph.D., P.E. Ex Exec ecut utive e Vice e Pres esiden dent High Hi h Per erforma manc nce e Tec

981 views • 71 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques

Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques

Large XML on Small Devices: Large XML on Small Devices: Techniques Developed Techniques Developed in the Fuego Core Project in the Fuego Core Project Helsinki-Rutgers Ph.D. Workshop 2007 Tancred Lindholm, Jaakko Kangasharju

280 views • 27 slides
Big Data, Little Cluster: Using a Small Footprint of GPU Servers to Interactively Query and

Big Data, Little Cluster: Using a Small Footprint of GPU Servers to Interactively Query and

Big Data, Little Cluster: Using a Small Footprint of GPU Servers to Interactively Query and Visualize Massive Datasets May 9, 2017 Todd Mostak | Co-founder + CEO, MapD @toddmostak | @mapd The data explosion is just beginning Exabytes 40k

593 views • 31 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden SECURE SOFTWARE ENGINEERING GROUP 2 This we would still hope for @Override

589 views • 20 slides
Xen on ARM Stefano Stabellini What is Xen? a type-1 hypervisor small footprint (less

Xen on ARM Stefano Stabellini What is Xen? a type-1 hypervisor small footprint (less

Xen on ARM Stefano Stabellini What is Xen? a type-1 hypervisor small footprint (less than 90K LOC) Xen: Open Source GPLv2 with DCO (like Linux) Diverse contributor community Xen: Open Source source: Mike Day

523 views • 27 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
RVI DACON INSPECTION TECHNOLOGIES INSPECTION Who we are Conventional and Oil and Gas,

RVI DACON INSPECTION TECHNOLOGIES INSPECTION Who we are Conventional and Oil and Gas,

RVI DACON INSPECTION TECHNOLOGIES INSPECTION Who we are Conventional and Oil and Gas, Refinery, Over 400 personnel Thailand headquarters Advanced NDT and Petrochemical, Heavy including more than with International Inspection Services

427 views • 11 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
HMIP Inspection Derbys Experience AYM 3.4.19. HMIP Inspection New HMIP inspection cycle

HMIP Inspection Derbys Experience AYM 3.4.19. HMIP Inspection New HMIP inspection cycle

HMIP Inspection Derbys Experience AYM 3.4.19. HMIP Inspection New HMIP inspection cycle implemented from June 2018. Derby YOS first YJ partnership to be inspected in England and Wales. Fieldwork commenced 18.6.18. 2 weeks of

276 views • 6 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
Slide Mounting Techniques for very small to microscopic animals In order to mount most animals on

Slide Mounting Techniques for very small to microscopic animals In order to mount most animals on

Slide Mounting Techniques for very small to microscopic animals In order to mount most animals on slides they must be cleared, dehydrated, embedded in a hardening resin and covered with a cover slip. As usual there are many techniques, some more

266 views • 3 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
Page Replacement Mechanism for Small Foot-Print Database in Android Devices Pratik Patodi M.

Page Replacement Mechanism for Small Foot-Print Database in Android Devices Pratik Patodi M.

Outline Introduction SQLite Internals Our Approach Experiments and Results Adaptive Logging Object Oriented Database Conclusion Page Replacement Mechanism for Small Foot-Print Database in Android Devices Pratik Patodi M. Tech Project

1.08k views • 86 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android UI Design Example GeoQuiz App Reference: Android Nerd Ranch, pgs 1 32 App presents questions to test users knowledge

1k views • 96 slides

More recommend