DexLego: Reassembleable Bytecode Extraction for Aiding Static Analysis

The number of Android applications on the market is growing rapidly. To detect malicious behavior in these applications efficiently, an array of static analysis tools has been proposed. However, static analysis tools are defeated by code hiding techniques such as packing, dynamic loading, self-modifying code, and reflection, which keep the real bytecode, or its control flow, out of reach of any analysis that never runs the application. In this paper, we thus present DexLego, a novel system that performs reassembleable bytecode extraction to aid static analysis tools in revealing the malicious behavior of Android applications. DexLego leverages just-in-time collection to extract data and bytecode from an application at runtime, and reassembles them offline into a new Dalvik Executable (DEX) file. Experiments on DroidBench and real-world applications show that DexLego precisely reconstructs the behavior of an application in the reassembled DEX file and significantly improves the analysis results of existing static analysis systems.
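One check a practitioner wants when reassembling bytecode into a new DEX file offline, whatever extraction technique produced it, is that the header is consistent with the rewritten body: the DEX format stores the file size, a SHA-1 signature over everything after the signature field, and an Adler-32 checksum over everything after the checksum field, and a DEX whose header was left stale after splicing in extracted code is rejected before any tool (or the runtime) parses it. The following is an added example written for this page, not DexLego's code; it parses the fixed 0x70-byte header, detects a stale header, and reseals it. The `build_empty_dex` fixture is constructed here purely to exercise the header logic and contains no classes.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"          # "dex\n" + 3-digit version + NUL
HEADER_SIZE = 0x70                  # fixed header length in every DEX version
ENDIAN_CONSTANT = 0x12345678        # value of endian_tag in a little-endian DEX

# uint32 fields that follow the 8-byte magic, 4-byte checksum and 20-byte
# signature, in the order given by the DEX format specification.
_TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_header(dex: bytes) -> dict:
    """Decode the 0x70-byte DEX header into a dict (no validation here)."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    hdr = {"magic": dex[:8],
           "checksum": struct.unpack_from("<I", dex, 8)[0],
           "signature": dex[12:32]}
    hdr.update(zip(_TAIL_FIELDS, struct.unpack_from("<20I", dex, 32)))
    return hdr


def compute_signature(dex: bytes) -> bytes:
    """SHA-1 over everything after the signature field (offset 32 to EOF)."""
    return hashlib.sha1(dex[32:]).digest()


def compute_checksum(dex: bytes) -> int:
    """Adler-32 over everything after the checksum field (offset 12 to EOF)."""
    return zlib.adler32(dex[12:]) & 0xFFFFFFFF


def seal_dex(dex: bytes) -> bytes:
    """Rewrite file_size, signature and checksum so the image is self-consistent.

    Order matters: file_size is covered by the signature, and the signature
    is covered by the checksum, so they must be fixed in that order.
    """
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 32, len(buf))                      # file_size
    buf[12:32] = compute_signature(bytes(buf))                      # signature
    struct.pack_into("<I", buf, 8, compute_checksum(bytes(buf)))    # checksum
    return bytes(buf)


def verify_dex(dex: bytes) -> list:
    """Return a list of header problems; an empty list means the header is consistent."""
    problems = []
    hdr = parse_header(dex)
    if hdr["magic"][:4] != b"dex\n" or hdr["magic"][7:8] != b"\0":
        problems.append("bad magic")
    if hdr["header_size"] != HEADER_SIZE:
        problems.append("header_size != 0x70")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag not 0x12345678")
    if hdr["file_size"] != len(dex):
        problems.append("file_size mismatch")
    if hdr["signature"] != compute_signature(dex):
        problems.append("signature mismatch")
    if hdr["checksum"] != compute_checksum(dex):
        problems.append("checksum mismatch")
    return problems


def build_empty_dex() -> bytes:
    """Constructed fixture: a header plus an empty map_list, no classes at all.

    It only exercises the header logic above; it is not loadable code.
    """
    idx = {name: i for i, name in enumerate(_TAIL_FIELDS)}
    tail = [0] * len(_TAIL_FIELDS)
    tail[idx["header_size"]] = HEADER_SIZE
    tail[idx["endian_tag"]] = ENDIAN_CONSTANT
    tail[idx["map_off"]] = HEADER_SIZE       # map_list starts right after the header
    tail[idx["data_off"]] = HEADER_SIZE
    tail[idx["data_size"]] = 4
    body = DEX_MAGIC + b"\0" * 4 + b"\0" * 20 + struct.pack("<20I", *tail)
    body += struct.pack("<I", 0)             # map_list with zero entries
    return seal_dex(body)


if __name__ == "__main__":
    good = build_empty_dex()
    print("fresh fixture:", verify_dex(good) or "ok")
    stale = good + b"\0" * 8                 # simulate splicing in extracted bytes
    print("after splice:", verify_dex(stale))
    print("after reseal:", verify_dex(seal_dex(stale)) or "ok")
```

`verify_dex` deliberately reports every mismatch rather than stopping at the first, because after appending extracted code all three of `file_size`, signature and checksum go stale together, and seeing which ones did tells you whether a tool resealed the file partially.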
