Tracking Information-flow of Storage Access on Android for Analysis (原題: 分析Android儲存裝置存取之資料流動追蹤技術)

Advisor: 謝續平

Abstract

Research on Android malware analysis covers the tracking of memory, storage-device and network-usage behaviour. To date, however, the scope of analysis techniques on Android has been confined to memory; the storage devices, such as the internal NAND flash and the external SD card, are not tracked completely. This thesis proposes a finer-grained, byte-level technique for tracking files on Android storage devices. In addition, we implement a YAFFS2 file system parser that associates on-disk offsets with file objects, which lets us track files at the lowest layer. Our system also tracks the packets received by a specific program and, whenever a file is written or a packet is sent, identifies the source of the data. In the experiments, the system achieved an initial, successful dynamic tracking of data flows between memory and storage and between memory and the network, providing a complete record of program behaviour for analysis.

Abstract (English)

Recent research on Android malware analysis introduced information flow tracking to profile memory, storage, and network behaviors. However, state-of-the-art information flow tracking techniques on Android confine their scope to memory, lacking byte-granularity support for storage such as the SD card or NAND flash. In this thesis, byte-level information flow tracking on Android storage is proposed. In addition, a YAFFS2 file system parser is implemented to map a given offset on the disk back to the abstract object, namely the owner file, for semantics reconstruction. Our system precisely tracks only those incoming packets sent to the subject program, and it also identifies the source of the data written into files or sent to the network. The evaluation shows that our prototype successfully tracks information flows between storage and memory and between memory and the network, providing a more complete behavior profile for malware analysis.
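The two pieces the abstract describes, a YAFFS2-style parser that maps a flash offset back to its owner file and a byte-granularity taint shadow over storage, as an added toy model in Python (not code from the thesis; the chunk size, the subset of spare-area tags, file names and taint labels are all constructed for illustration):

```python
CHUNK_SIZE = 16  # constructed toy value; real NAND chunks are 2 KiB or larger

def chunk(obj_id, chunk_id, seq, data=b"", name=None):
    """One flash chunk with the YAFFS2 spare-area tags this model uses.
    chunk_id 0 is an object header (carries the name); chunk_id n > 0 holds
    file bytes [(n-1)*CHUNK_SIZE, n*CHUNK_SIZE). A higher seq supersedes."""
    return {"obj_id": obj_id, "chunk_id": chunk_id, "seq": seq, "name": name,
            "data": data, "byte_count": len(data)}

def parse_image(chunks):
    """Map each live data byte: {flash_offset: (file_name, file_offset)}."""
    names, live = {}, {}
    for idx, c in enumerate(chunks):
        if c["chunk_id"] == 0:
            names[c["obj_id"]] = c["name"]
            continue
        key = (c["obj_id"], c["chunk_id"])
        if key not in live or c["seq"] > chunks[live[key]]["seq"]:
            live[key] = idx  # log-structured flash: the newest copy wins
    offset_map = {}
    for (obj_id, chunk_id), idx in live.items():
        for i in range(chunks[idx]["byte_count"]):
            offset_map[idx * CHUNK_SIZE + i] = (
                names[obj_id], (chunk_id - 1) * CHUNK_SIZE + i)
    return offset_map

class StorageTaint:
    """Illustrative byte-granularity taint shadow keyed by flash offset
    (an added toy model, not the thesis implementation)."""
    def __init__(self):
        self.chunks, self.shadow = [], {}

    def create(self, obj_id, name):
        self.chunks.append(chunk(obj_id, 0, len(self.chunks) + 1, name=name))

    def write(self, obj_id, chunk_id, data, labels):
        """App writes data to a file; labels[i] is the taint source of byte
        i (e.g. which received packet it came from) or None if clean."""
        self.chunks.append(chunk(obj_id, chunk_id, len(self.chunks) + 1, data))
        base = (len(self.chunks) - 1) * CHUNK_SIZE
        for i, label in enumerate(labels):
            if label is not None:
                self.shadow[base + i] = label

    def explain_send(self, flash_offsets):
        """For bytes read back from flash and sent out, return
        (owner file, file offset, taint source) for each tainted live byte."""
        offset_map = parse_image(self.chunks)
        return [(*offset_map[o], self.shadow[o]) for o in flash_offsets
                if o in self.shadow and o in offset_map]
```

Rewriting a chunk appends a fresh copy with a higher sequence number, so stale copies drop out of the offset map and their shadow entries no longer count, which is the case a log-structured file system forces a storage taint tracker to handle.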
