Andorid - Monitor - framwork

10th IEEE International Conference on Software Testing, Verification and Validation

ADRENALIN-RV:AndroidRuntimeVeri?cation

usingLoad-timeWeaving

HaiyangSun,AndreaRos`a,OmarJaved,andWalterBinder

FacultyofInformatics,Universit`adellaSvizzeraitaliana(USI),Lugano,Switzerland

Email:?rst.last@usi.ch

Abstract—Androidhasbecomeoneofthemostpopularoperat-ingsystemsformobiledevices.AsthenumberofapplicationsfortheAndroidecosystemgrows,soistheircomplexity,increasingtheneedforruntimeveri?cationontheAndroidplatform.Unfortunately,despitethepresenceofseveralruntimeveri?cationframeworksforJavabytecode,DEXbytecodeusedinAndroiddoesnotbene?tfromsuchawidesupport.Whileafewruntimeveri?cationtoolssupportapplicationsdevelopedforAndroid,suchtoolsofferonlylimitedbytecodecoverageandmaynotbeabletodetectpropertyviolationsincertainclasses.Inthispaper,weshowthatADRENALIN-RV,ournewruntimeveri?cationtoolforAndroid,overcomesthislimitation.Incontrasttootherframeworks,ADRENALIN-RVweavesmonitoringcodeatloadtimeandisabletoinstrumentallloadedclasses.Inadditiontothedefaultclassesinsidetheapplicationpackage(APK),ADRENALIN-RVcoversboththeAndroidclasslibraryandlibrariesdynamicallyloadedfromthestorage,network,orgenerateddynamically,whichrelatedtoolscannotverify.EvaluationresultsdemonstratetheincreasedcodecoverageofADRENALIN-RVwithrespecttootherruntimevalidationtoolsforAndroid.ThankstoADRENALIN-RV,wewereabletodetectviolationsthatcannotbedetectedbyothertools.

I.INTRODUCTION

Androidhasbecomethedominantoperatingsystemformobiledevices.TheincreaseinpopularityhasledtoarapidgrowthofthenumberofapplicationsforAndroid,aswellastheircomplexity.Asapplicationsbecomemorecomplex,advancedtestingtechniquesandruntimeveri?cationarefun-damentaltomitigatebuggyandmaliciousapplications.Whiletestingisusedduringdevelopment,runtimeveri?cationistypicallyusedtomonitoraprogramafterdeployment,makingthemcomplementary.

Ourworkfocusesonruntimeveri?cationontheAndroidplatform.Whilethereisalargebodyofruntimeveri?cationframeworkssuitableforJavabytecode[1]–[4],suchtoolscannotbereadilyappliedtoDEXbytecodeusedbyAndroidapplications,astheJavaandDEXbytecodeformatsaredifferent.Asaresult,therearefewruntimeveri?cationtoolsforAndroid.Moreover,thebytecodecoverageofexistingtoolsisratherlimited.Forexample,RV-Droid[5]andRV-Android[6]canbeusedtomonitorseveralpropertiesofAndroidapplications,butarenotabletoinstrumentclassesofthecoreAndroidlibrary.Inaddition,theyrelyonstaticweaving,whichpreventstheinstrumentationofclassesloadeddynamically,includingthird-partylibrariesdownloadedfromaremoteserverorclassesgenerateddynamically.Violationsofpropertiesinsuchclasseswillremainundetected.

978-1-5090-6031-3/17 $31.00 ? 2017 IEEEDOI 10.1109/ICST.2017.61

532

InthispaperwetacklethelimitedcodecoverageofexistingtoolsbyintroducingADRENALIN-RV(AnDRoid-ENabledAspect-orientedLoad-timeINstrumnetationforRuntimeVer-i?cation),ournewruntimeveri?cationtoolfortheAndroidplatform.Differentlyfromrelatedtoolsbasedonstaticweav-ing,ADRENALIN-RVisbasedonload-timeweavingandisabletoinstrumenteveryclassloadedbytheruntimeenviron-ment.Inadditiontothedefaultclassesinsidetheapplicationpackage,ADRENALIN-RVcoversbothclassesoftheAndroidlibraryanddynamicallyloadedclasses,includinglibrariesdownloadedfromthenetworkanddynamicallygenerated.OurevaluationresultsshowthatADRENALIN-RVoffersaconsiderablyincreasedcodecoveragewithrespecttorelatedtools,andthatitisabletodetectviolationsthatcannotbedetectedwithstaticweaving.

Thisworkmakesthefollowingcontributions.WepresentADRENALIN-RV,ournewruntimeveri?cationtoolfortheAndroidplatform.WeshowthatADRENALIN-RVachievesmorecodecoveragethanRV-DroidandRD-AndroidonselectedAndroidapplications.Moreover,weshowthatADRENALIN-RVcan?ndviolationsthatcannotbefoundbyrelatedtools.

Thispaperisorganizedasfollows.SectionIIprovidesanoverviewoftheAndroidplatform.SectionIIIdescribesADRENALIN-RVanddetailsitsarchitecture.SectionIVoutlinesthemainchallengesindevelopingADRENALIN-RV.InSectionVwepresentourevaluationresults.SectionVIsummarizeslessonslearnedinimplementingandevaluatingADRENALIN-RV.Finally,wepresentrelatedworkinSec-tionVIIandgiveourconcludingremarksinSectionVIII.

II.BACKGROUND:THEANDROIDPLATFORM

AndroidisaLinux-basedoperatingsystem.ApplicationsrunningonAndroidexecuteinadedicatedsandbox:eachapplicationexecutesinaseparateprocessandhasaccesstoonlyitsown?les.AndroidapplicationsarewritteninJavaandarebuiltfrominterconnectedcomponents.Eachcomponenthasadifferentroleandcanserveasanentrypointfortheapplication.

WhilewritteninJava,AndroidapplicationsdonotexecuteontheJavaVirtualMachine(JVM).DependingontheversionofAndroid,theyexecuteeitherontheAndroidRuntime(ART,sinceAndroid5),orontheDalvikVirtualMachine(DVM,

AndroidFile SystemDynamicallyGeneratedScopeSpecsRVsSpecsDynamic Class LoadingUSB Cable Instr. ServerBytecode proxyServiceNetwork Target Appfork.apkInstr. CacheSpecs Processor ZygoteLibrariesWeaverFig.1.ADRENALIN-RVarchitecture.The?gureshowsonlyoneofthemonitoredapplicationsontheAndroidplatform.Otherrunningapplicationsareomittedforclarity.

beforeAndroid5).1Duetothelimitedresourcesonmobiledevices,AndroidusesDEXbytecodeinsteadofJavabytecode.ApplicationclassesmustbeconvertedfromJavabytecodetoDEXbytecodebeforedeployment.

ComponentsofthesameapplicationexecuteinasingleVMinstancebydefault.However,anycomponentcanbecon?guredtoexecuteinaseparateprocess,andthusinasep-arateVM.CreatinganewVMinstanceinvolvesconsiderableoverheadduetoVMbootstrapandinitializationofthecorelibraries.Asprocessstartandterminationoccurfrequently,theoverheadofVMinitializationwouldcauseaseriousperformancedegradation.Tomitigatesuchissues,AndroidstartsaspecialprocesscalledZygoteearlyduringsystemboot,whichonlybootstrapstheVMandinitializesthecoreclasses.Hence,ZygotebecomesalivesnapshotofanewlyinitializedVM.Thatsnapshotcanbeef?cientlyduplicatedwhenneededthankstothecopy-on-writeimplementationofthefork()systemcall:whenanewVMinstanceisneeded,Zygoteissimplyforked,yieldingachildVMwhichcanreadilyexecuteapplicationcode.

Forthepurposeofthispaper,applicationclassescanbeclassi?edintothreegroups,accordingtowhentheyareloadedintheVMduringapplicationexecution.The?rstgroupiscomposedofclassescontainedinAndroidApplicationPackage(APK)?les.EachapplicationisshippedinanAPK?le,acompressedpackagecontainingthemainclassesoftheapplication(inDEXformat)andotherresources.Classesinthepackageareloadedwhentheapplicationislaunched.Thesecondgroupconsistsoflibraryclasses.SuchclassesareloadedbyZygoteduringbootstrapandaresharedamongallapplicationprocesses.ThethirdgroupiscomposedofclassesloadeddynamicallybyapplicationsthroughtheDexClass-LoaderAPI.2ThisAPIisfrequentlyusedtoloadclassesnot

thepurposeofthepaper,thespeci?cruntimeenvironmentusedby

Androiddoesnotmatter.WeusethetermVMtorefertoeitherARTorDVMindiscriminately.

2https://developer.android.com/reference/dalvik/system/DexClassLoader.html

1For

includedintheAPK?leoftheapplication,suchasthird-partylibrariesstoredinthe?lesystemoronaremoteserver.Itisalsousedbysomemaliciousapplicationstohidetheirbehavior[7].

III.ADRENALIN-RV

InthissectionwedescribethearchitectureofADRENALIN-RV.First,wedetailtheprocessofinstrumentingAndroidclasseswithmonitoringcode.Then,wedescribehowourtoolcaninterceptandweaveallclassesloadedonAndroid.Figure1depictsthehigh-levelarchitectureofADRENALIN-RV.A.Instrumentation

ADRENALIN-RVreliesonDiSL[8],adynamicpro-gramanalysisframeworkbasedonJavabytecodeinstru-mentation.DiSLinstrumentsclassesonaseparateserver,herecalledinstrumentationserver,accordingtospeci-?edruntime-veri?cationspeci?cations(henceforthcalledRVspecs).ADRENALIN-RVhasseveralbuilt-inRVspecsthatcanbereadilyveri?edonAndroidapplications—SectionVshowcasessomeofthem.

TheinstrumentationserverrunsoutsidetheAndroidplat-form.Theclassestobeinstrumentedaresenttotheinstru-mentationserveroverthenetworkorviaaUSBcable,andinstrumentedclassesaresentbackoverthesamemedium.USBsupportisnecessarytoinstrumentclasseswhenthenet-workisnotavailableonthedevice(e.g.,duringthebootphasebeforethenetworkmodulehasbeenloaded).Inthisway,ADRENALIN-RVcaninstrumentthesystemclasslibrariessincethebeginningofthebootphase.

Often,userswishtomonitordifferentsetsofpropertiesfordifferentapplications.Toeasetheprocessofsettingthepropertiesofinterestforagivenapplication,theusercanmappropertiestoapplicationsintheRVspecs.Inparticular,userscande?nepropertiesofinterestforagivenbytecode?le.RVspecswillbeprocessedbyacustomcomponentoftheinstrumentationserver,thespecsprocessor,beforestarting

533

theinstrumentationprocess.Theprocessorensuresthatonlythemonitoringcodecorrespondingtothedesiredpropertiesforaclassiswoven.

Anotherfrequentneedwhenmonitoringapplicationsistorepeattheanalysismultipletimes,withoutchangingthespeci?cations.Inthisscenario,theinstrumentedbytecodedoesnotchangebetweendifferentruns.Toavoidunnecessaryinstrumentation,weintroduceaninstrumentationcacheintheserver,whichstoresthelastversionoftheinstrumentedbytecodeandvalidateswhethertheinstrumentationforagivenbytecoderemainsthesame.Inthiscase,theinstrumentationprocessisavoided,andthebytecodestoredinthecachewillbeusedatruntime.B.Load-TimeWeaving

ToguaranteefullbytecodecoverageontheAndroidplat-form,itisfundamentaltointerceptandinstrumenteveryclassloadedbyanapplication.Thisimpliesthatallthreegroupsofapplicationclasses(seeSectionII)mustbeinterceptedatload-timeandinstrumentedwithmonitoringcode.Incontrasttorelatedtoolsrelyingonstaticweaving,ADRENALIN-RVenablesload-timeweavingforAndroid.ThismakesitpossibletoinstrumentanyclassloadedbytheVM,incontrasttostaticweavingwhichenablesonetoinstrumentonlyclassesintheapplicationAPK?le.

Toenableload-timeinstrumentation,wemodifytheVMtohookclassloading.ThisallowsADRENALIN-RVtomonitorallclasses,includingsharedlibrariesloadedbyZygoteandanydynamicallyloadedclass,suchasclassesdownloadedfromaremoteserver,loadedfromathird-partylibraryonthe?lesystem,ordynamicallygeneratedbytheapplication.Inaddition,weaddaninternalAPItoAndroidforsendingandreceivingclassesto/fromtheinstrumentationserver.Tocommunicatewiththeoutsideserver,weaddproxyserviceinAndroid,listeningtoallobservedVMinstances.

Inprinciple,eachclassloadedbytheVMcanbepassedtotheinstrumentationserver.However,usersmaybeinterestedinverifyingpropertiesofinterestonlyinselectedclasses.Userscanspecifyclassesofinterestthroughspeci?cations(scopespecs).Thesespecswillbeparsedbyabytecodeservice,acustomcomponentimplementedinC++whichusesBinder—theinter-process-calllibraryinAndroid—tocom-municatewiththebytecodeloadingprocesses.Thebytecodeserviceensuresthatonlyclassesofinterestaresenttotheinstrumentationserver.Theadditionofthiscomponentavoidsunnecessaryslow-downswhichcandegradetheperformanceoftheplatform.

IV.TECHNICALCHALLENGES

IncreasingthebytecodecoverageforAndroidapplicationsrequiresagreatdesigneffortinsolvinglimitationsoftheun-derlyingplatform,whichdoesnotallowtoreadilyinstrumentallloadedclasses.Here,weoutlinethemainchallengesininstrumentingclassesonAndroid,andpresenthowwesolvethoseissuesinADRENALIN-RV.

dex2jarDEX bytecodeJava bytecodeInstr. ServerdxDEX bytecodeJava bytecodeFig.2.Bytecodeconversionforinstrumentingapplicationclasses.

A.InterceptingClassLoading

Thedif?cultiesofinstrumentingAndroidclassesuponload-ingstemfromthelackofinterfacesallowingexternaltoolstobenoti?edaboutspeci?cevents.Forexample,classloadingcaneasilybeinterceptedontheJVMthankstotheJVMToolInterface(JVMTI),whichisintegratedintheJVMandallowsanexternalagenttoreplaceaclasswiththeinstrumentedversionbeforetheclassisloadedandlinked.Unfortunately,theAndroidVMdoesnotofferinterfacesakintotheJVMTI.Asaresult,itisnotpossibletoinstrumentclassesupontheirloadingwithoutmodifyingtheVM.

ToenablefullbytecodecoverageinADRENALIN-RV,wemodifytheVMclass-loadingprocesstoinstrumentclassesbeforetheyaremappedtomemory.BeforeloadingaDEX?leintomemory,themodi?edVMsendsthe?lethroughaproxytotheinstrumentationserver,whichinstrumentstheencodedclassandsendsbackanotherDEX?lewhichisthenloadedintomemory.Thisensuresthatbothapplicationclassesandtheassociatedlibrariesareinstrumented.B.CoreLibraries

WhentheAndroidsystemstarts,Zygoteloadsandinitial-izesthecoreclasses.AssubsequentVMinstancesareobtainedbyforkingZygote,theyallsharethecodeofthecorelibraries.Iftheuserisinterestedinmonitoringcoreclassesinoneapplication,suchclasseswillbeinstrumented,resultinginasingleinstrumentedversionofthecorelibrariessharedamongallapplications,includingthosenotbeingtargetedbytheuser.Itistechnicallyimpossibletoinstrumentonlythecorelibrariesfortheapplicationsthatarebeingmonitored.

Toensurethatcodeinthecodelibrariesismonitoredonlywhenusedbythetargetapplication,theinstrumentationusedbyADRENALIN-RVreliesonabypassfunctionality[9].Theinstrumentationisonlyenabledinthemonitoredapplicationandbypassedwithminimumoverheadinotherapplications.C.BytecodeConversion

AndroidclassesneedtobetranslatedfromJavabytecodetoDEXbytecodeforexecution.ManipulatingDEXbytecodeis

534

anaddedburdenondevelopingruntimeveri?cationtoolswith-outanytechnicalmerit,asDEXbytecodehasbeendevelopedprimarilytoavoidlicensingissuesandisof?ciallyproducedonlybyconversionfromJavabytecode.GiventheextensivesupportofframeworksformanipulatingJavabytecode,thereislittleinterestinmanipulatingDEXbytecodedirectly.

ADRENALIN-RVusesexistingbytecodeconversiontoolstotranslatebetweenthetworepresentationsasnecessary,andreliesonDiSLtoinstrumentJavabytecode.Inparticular,ADRENALIN-RVextractstheclassestobeinstrumentedfromthecorrespondingDEX?le,andusesdex2jar3toconvertthemfromDEXbytecodetoJavabytecode.Then,ourtoolpassestheconvertedJavabytecodetotheinstrumentationserver,whichweavesmonitoringcodeintotheconvertedclass.ADRENALIN-RVconvertstheinstrumentedJavabytecodebacktoDEXbytecodethroughdx.4Finally,thetoolre-packagestheclassintoaDEX?le,whichissentbacktotheAndroidplatform.ThebytecodeconversionprocessisshowninFigure2.

V.EVALUATION

InthissectionweevaluatetheincreasedbytecodecoverageofADRENALIN-RVfortwousecases.WestartbycomparingthebytecodecoverageofADRENALIN-RVwithrelatedtoolsonAndroidapplications.Then,weshowhowADRENALIN-RVcandetectpropertyviolationsthatrelatedtoolscannotdetect,thankstoload-timeweaving.Indetailingourevaluationresults,wealsoshowthepropertiesthatADRENALIN-RVcanmonitor,andhowtheusercanwritenewmonitoringcodeinADRENALIN-RV.5A.CodeCoverage

ADRENALIN-RVreliesonload-timeweavingtoinsertmonitoringcodeinAndroidapplications,differentlyfromrelatedtools.Forexample,RV-DroidandRV-Androidbothusestaticweaving.Here,weshowthatload-timeweavingyieldsasigni?cantlyextendedbytecodecoveragewrt.staticweaving.Asaresult,ADRENALIN-RVcanmonitormorecodethanRV-DroidandRV-Android.

WeconductourevaluationontwoAndroidapplicationsofdifferentnature.The?rstapplicationisGoogleMobileServices(GMS)6,whichincludesseveralservicesfromGoogleaswellaspopularAPIs.Thesecondapplicationisamalware7whichusesdynamicallyloadedcodetoobfuscateitsbehavior.TocompareADRENALIN-RVwithRV-DroidandRV-Android,weevaluateasetofpropertiesthatcanbemonitoredbyallthreetools.Inparticular,wechoosemultiplewell-known

3https://github.com/pxb1988/dex2jar

TABLEI

JAVAMOPPROPERTIESEVALUATED.

PropertyHasNextSafeEnum

DescriptionProgramshouldalwayscallhasNext()beforenext()onaniterator.

Collection(withanassociatedenumeration)shouldnotbemodi?edwhiletheenumerationisinuse.

Synchronizedcollectionshouldalwaysbeaccessedbyasynchronizediterator,andtheiteratorshouldalwaysbeaccessedinasynchronizedmanner.Whentheiteratorassociatedwithacollectionisaccessed,thecollectionshouldnotbeupdated.

SafeSyncMap

UnsafeIterator

UnsafeMapIteratorLikeUnsafeIterator,withdifferencesrelatedtothe

creationofiterators.

isoneofthetoolcontainedintheAndroidSoftwareDevelopmentKit(SDK).

5AllevaluationresultspresentedinthissectionhavebeenobtainedonAndroid4.4r1runningonaNexus5with2GBRAM.WeuseDiSL2.0.TheinstrumentationserverisdeployedonquadcoreIntelCorei7(2.5GHz,16GBRAM)andrunsunderJava8.6https://www.android.com/gms/

7https://github.com/ashishb/android-malware/tree/master/Android.Malware.atplapk.a4dx

JavaMOPpropertiesshowninTableI.Foreachproperty,wecollectthenumberofjoinpoint8shadows,i.e.,locationsinthesourcecodethatatrun-timeproduceajoinpoint,andthenumberofjoinpointexecutions.Finally,wedifferentiatetheresultaccordingtotheclasscategorizationintroducedinSectionII,i.e.,in1)APKclasses,2)sharedlibraries,and3)dynamicallyloadedclasses.WhilestaticweavingcanonlyinstrumentAPKclasses,load-timeweavingcaninstrumentallloadedclasses.Asaresult,RV-DroidandRV-Androidcaninterceptjoinpointsinthe?rstgroup,whereasADRENALIN-RVcaninterceptjoinpointsinallgroups.

Figure3depictsourresultsforGMS.ForallJavaMOPpropertiesconsidered,severaljoinpointshadowsrefertosharedlibrariesordynamicallyloadedclasses,asshownbyFigure3(a).Onaverage,～7%ofjoinpointshadowsarecontainedinsharedlibraries,while～13%ofthemarelocatedindynamicallyloadedcode.SafeEnumfollowsadifferentbe-havior,with～50%ofjoinpointshadowsthancanbedetectedonlybyload-timeweaving.However,thetotalnumberofjoinpointshadowsforthispropertyisquitelimited(only121inGMS),whereasthemeannumberofjoinpointshadowsforotherpropertiesisaround30000.Onaverage,～22%ofjoinpointshadowscannotbedetectedwithstaticweaving.

Figure3(b)showthenumberofjointpointexecutionsinGMS.Here,resultsvaryconsiderablyamongdifferentproper-ties.WhileinSafeEnumandSafeSyncMapahighpercentageofjoinpointexecutionsoccursinAPKclasses,thisholdsforonly52%ofthejoinpointexecutionsinUnsafeIter,and～40%ofjoinpointexecutionsinHasNextandUnsafeMap.Inthesepropertiesstaticweavingcancoverlessthanhalfofthejoinpointexecutions.Therefore,employingload-timeweavingisfundamentaltoguaranteeafullbytecodecoverageinsuchproperties.

Theimportanceofusingload-timeweavingisevenmoreremarkedbyFigure4,whichshowsourresultsonthemalware.Forthisapplication,staticweavingcancoveronlyasingle

Aspect-OrientedProgramming(AOP),thetermjoinpointreferstoanyidenti?ableexecutionpointinasystem.AsallthreetoolsrelyonAOP,weusethisterminologyinthepaper.

8In

535