An Android Application Sandbox System for Suspicious Software Detection



Introduction

Anti-virus research is an ongoing process of identifying and analysing new and unknown malware in order to extract detection schemes that can be used within anti-virus software. A virus scanner [33] can block viruses, worms, and Trojan horses from infecting the system, which is often monitored in real time. Although behavioural detection is mostly included in anti-virus software, most malware is detected by scanning for and finding certain patterns, also called signatures.


Smartphone Security

In developed countries, mobile phones often outnumber potential subscribers. For example, in Germany over 80 million handsets are spread over a total of approximately 82 million residents [27]. According to [11], the figures in other countries are similar, and the share of smartphones is increasing. While many phones are primarily used for making calls and sending text messages, browsing the internet and using third-party applications have gained a significant share of mobile device usage. This trend clearly requires a deeper look at the security aspects of mobile platforms, especially those which allow internet usage along with installing third-party applications. These are commonly referred to as smartphones.


Static Software Analysis vs. Sandboxing Techniques

For malware detection, detailed knowledge of an application's characteristics is essential; it may be obtained by various means. According to [2], two common practices exist: static and dynamic analysis of software. Both have advantages and disadvantages [17], and numerous approaches to both paradigms exist. Static analysis involves various binary forensic techniques, including decompilation, decryption, pattern matching [33] and static system call analysis [30]. All of these techniques have in common that the (potentially malicious) software is not executed.


Android Application Sandbox

Sandboxes are often located within kernel space, since from there access to critical parts of the OS can be gained. The kernel is an essential part of a system because it acts as a bridge between hardware and software.

One approach of sandbox systems is to monitor system and library calls including their arguments. This is often done through system call redirecting, also known as system call hijacking [35]. System calls, or syscalls for short, are function invocations made from user space into the kernel in order to request services or resources from the operating system [16]. To understand how system calls can be hijacked, we will first explain how they are invoked in general. Figure 2 shows an example for the read() system call on a Linux based system. In turn, Figure 1 shows the same example as Figure 2, but here the system call is finally redirected.


Experiments

To prove that the whole system works correctly, we will now describe an example run of the AASandbox. The example application we are using here is a self-written fork bomb which uses Runtime.exec() to start an external binary program. The application creates subprocesses of itself in an infinite loop. The intended behaviour is that the operating system stops responding after a while. This kind of attack is typically known as Denial of Service (DoS) and is a typical example of an attack.
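The system call traces that the dynamic analysis logs are what an analyst would look at to recognise a run like the one above. The following is an added example, not code from the paper or the AASandbox project: it parses a constructed strace-style trace (the log format, path, syscall names and the window/threshold values are assumptions), produces the per-syscall summary a sandbox report would contain, and flags the burst of process-spawning calls that a fork bomb leaves behind.

```python
import re
from collections import Counter

# Constructed strace-style lines, modelled on what a syscall tracer attached
# to the emulator might record for a process that keeps spawning copies of
# itself via Runtime.exec(). Not real AASandbox output; paths are invented.
SAMPLE_TRACE = """\
1275.001 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1241
1275.002 execve("/data/data/com.example.fb/bin/fb", ["fb"], [/* 9 vars */]) = 0
1275.003 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1242
1275.004 execve("/data/data/com.example.fb/bin/fb", ["fb"], [/* 9 vars */]) = 0
1275.005 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1243
1275.006 execve("/data/data/com.example.fb/bin/fb", ["fb"], [/* 9 vars */]) = 0
1275.007 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1244
1275.008 execve("/data/data/com.example.fb/bin/fb", ["fb"], [/* 9 vars */]) = 0
1275.009 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1245
1275.010 execve("/data/data/com.example.fb/bin/fb", ["fb"], [/* 9 vars */]) = 0
1276.500 write(1, "hello\\n", 6) = 6
"""

# <timestamp> <syscall>(<args>) = <return value>
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')

def parse_trace(text):
    """Return a list of (timestamp, syscall, args, ret) for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m['ts']), m['name'], m['args'], m['ret']))
    return events

def syscall_report(events):
    """Per-syscall call counts: the summary a sandbox report would log for review."""
    return dict(Counter(name for _, name, _, _ in events))

def detect_spawn_storm(events, window=1.0, threshold=5):
    """Flag a burst of process creation: at least `threshold` clone/fork/vfork/execve
    calls within `window` seconds. Both tuning values are assumptions, not from the paper."""
    spawn = [ts for ts, name, _, _ in events if name in {"clone", "fork", "vfork", "execve"}]
    for i in range(len(spawn)):
        j = i
        while j < len(spawn) and spawn[j] - spawn[i] <= window:  # events inside the window
            j += 1
        if j - i >= threshold:
            return {"start": spawn[i], "count": j - i}
    return None

if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print(syscall_report(ev))
    print(detect_spawn_storm(ev))
```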



Conclusion

In this work we presented a sandbox for analysing Android applications that can be deployed as a cloud service. To this end, we showed how the Android emulator can be used to run Android applications in an isolated environment. Unlike other sandboxes, we added a pre-check functionality that can analyse Android executables in a static manner. This can indicate the usage of malicious patterns within the source code. In the dynamic analysis, system calls can be traced and corresponding reports are logged. These can be used for further investigations, performed either manually or automatically.