Last update: 2017-08-01

My project for GSoC 2017 is Android Sandbox Detection and Countermeasure. This post records my progress during the GSoC 2017 period. Related repositories include:

  • DroidBot: A lightweight test input generator for Android
  • anti-emulator: Detecting an emulated Android environment
  • DenDroid: An Android Trojan equipped with anti-sandbox techniques
  • ReDroid: Trace comparing and control flow fixing

Community Bonding Period

  1. Modify AOSP (branch android_6.0.1-r77) to expand trace buffer to 64MB. [DONE]
  2. Port strazzere’s anti-emulator app to Android Marshmallow. [DONE]
  3. Get DenDroid, a real-world malware with anti-sandbox behavior ready for testing. [DONE]
  4. Modify DroidBot to support re-producible event sequences for trace comparing. PR [DONE]
  5. Have a look into Mining Sandbox and FuzzDroid papers. [DONE]

Phase 1

Phase 1 mainly contains testing anti-sandbox samples and comparing their traces.

  • May 30th - Jun. 5th
    1. Write a testing script for automatically collect running traces on both real devices and emulators. [DONE]
    2. Test anti-emulator and DenDroid samples with the testing script. [DONE]
    3. Design the trace comparing algorithm and implement the first version of it [DONE].
    4. Run the trace comparing algorithm on the traces collected on the samples [DONE].
  • Jun. 6th - Jun. 12th
    1. Improve the anti-emulator sample with timing attacks and some other techniques. [DONE]
      • Using OpenGL ES 2.0 API for graphic performance timing attack. Emulators usually have larger gap between lowest and highest FPS.
    2. Test the two sample apps on DroidBox, TaintDroid and VirusTotal and see if they can detect the frameworks. [PENDING]
    3. Improve the trace comparing algorithm according to the test results. [DONE]
      • Using bipartite matching and for thread mapping.
      • Using thread name and traces’ max common prefix length for similarity between threads.
  • Jun. 12th - Jun. 18th
    1. Write a testing report for the two samples. [PENDING]
    2. Scale the testing app samples to a more expanded data set. [DONE]
    3. Improve the trace comparing algorithm according to the expanded test results. [DONE]
      • Using android.jar rt.jar and some other runtime framework jars for common package name filtering.
      • Using LibRadar for 3rd party library package name filtering.
  • Jun. 18th - Jun. 24th
    1. Evaluate the scaled testing results. [DONE]
    2. Summarize the testing reports for scaled data set as a report for phase 1 evaluation. [PENDING]
    3. Investigate techniques for repairing the control flow of Android apps. [DONE]
  • Jun. 25th - Jun. 27th
    1. Flexible time.

Phase 2

Phase 2 mainly contains implementing anti-sandbox detector and control flow fixer.

  • Jun. 28th - Jul. 9th
    1. Fix issues of anti-sandbox detector found in previous evaluation. [DONE]
    2. Add finder for the collection of possible APIs leading to control flow divergence. [DONE]
    3. Investigate JDWP protocol for control flow correction. [DONE]
    4. Investigate the possibility for recording return values in ART runtime (aosp/art/runtime/) [DONE]
  • Jul. 10th - Jul. 16th
    1. Design & implement a prototype of control flow correction tool [DONE]
      • Manually written rules
      • Based on JDWP protocol
      • (MAYBE) Cancel ANR timeout in android source
    2. Evaluate the control flow correction prototype on Anti-emulator sample [DONE]
  • Jul. 17th - Jul. 23rd
    1. Implement return value collector prototype (for Boolean return valued methods) [DONE]
    2. Make the control flow correction tool rule being generated automatically [REPLANNED TO PHASE 3]
    3. Evaluate the new automatic tool on Anti-emulator example [DONE]
    4. Redesign the control flow correction tool to make it implemented by Xposed for the following reasons [DONE]:
      • The JDWP implemented by Android runtime support neither forceEarlyReturn feature nor runtime stack modification
      • Xposed is feasible to modify the return values of all methods easily
  • Jul. 24th
    1. Flexible time.

Phase 3

Phase 3 mainly contains implementing control flow fixer and DSM generator, applying various improvements, working on documents and shifting final products.

  • Jun. 25th - Jun. 30th
    1. Modify AOSP to make android.os.Debug.isDebuggerConnected undetectable [DONE]
    2. Implement the prototype of Xposed-based control flow correction tool [DONE]
    3. Publish the prebuilt images [DONE]
  • Jun. 31st - Aug. 6th
    1. Design and implement the dynamic loading module for DSM patch rules
    2. Implement the automatic DSM generator using JDWP-based tracing results
  • Aug. 7th - Aug. 13th
    1. Pick up some app examples, evaluate the DSM tool on them and generate a report
    2. Pick up an open-source licence for the project
    3. Refine documents and coding style
  • Aug. 14th - Aug. 20th
    1. Refine documents and coding style
    2. Generate / Refine some critical documents, including
      • User manual
      • Implementation Overview
      • Future work
      • App analysis report
  • Aug. 21th - Aug. 29th
    1. Final evaluation work