Monday, 24 February 2020

Exploiting Binary-level Code Virtualization to Protect Android Applications Against App Repackaging


Application repackaging is a severe problem for Android systems. Many Android malware programs pass the mobile platform's fundamental security barriers by repackaging other legitimate apps. Most of the existing anti-repackaging schemes only work at the Android DEX bytecode level, but not for the shared object files consisting of native ARM-based machine instructions. Lacking protection at the native machine code level opens a door for attackers to launch repackaging attacks on the shared libraries that are commonly used in Android apps. This paper presents CodeCloak, a novel anti-repackaging system to protect Android apps at the native code level. CodeCloak employs binary-level code virtualization techniques to protect the target application. At the native machine code level, it uses a newly designed stack-based virtualization structure to obfuscate and protect critical algorithm implementations that have been compiled into native instructions. It leverages multiple dynamic code protection schemes to increase the diversity of the program behavior at runtime, aiming to increase the difficulty of code reverse engineering. We evaluate CodeCloak under typical app repackaging scenarios. Experimental results show that CodeCloak can effectively protect apps against repackaging attacks at the cost of minimal overhead.

I. INTRODUCTION

Application repackaging is a prevalent and severe threat to the Android ecosystem. With the help of dynamic profiling and reverse engineering tools, an attacker can unpack an app and replace or insert code to, e.g., remove advertisements, steal private information, or make purchases without the user's authorization [1]. A prior study shows that over 80% of the malware samples were implemented by repackaging legitimate apps [2]. Therefore, there is a critical need to protect Android apps from repackaging attacks.

Code obfuscation is a viable means to protect applications against reverse engineering and repackaging [3]. By creating code that preserves the intention and semantics of the original code but is challenging to understand, code obfuscation increases the time and effort required for code reverse engineering. There is considerable work in applying code obfuscation to protect Android applications against repackaging. In Figure 1, we summarize some of the most relevant work. Many of the previous approaches target the Android DEX bytecode level. ProGuard [4] and DexGuard [5] are two representative works, which, however, cannot effectively protect the obfuscated code if the entry point (such as the memcpy method) is found using tools like DexExtractor [6].

In addition to DEX files, many Android apps are built upon shared libraries which were first written in high-level languages like C and C++ and then compiled into native machine instructions. These shared libraries often implement the frequently used core algorithms. Therefore, there is a need to protect shared object (SO) files against code reverse engineering and app repackaging. However, existing SO protection schemes often adopt a simple but less effective code obfuscation or encryption strategy. They do not provide sufficient protection against sophisticated code reverse engineering attacks. For example, UPX packing ("shelling") [11] is one such protection method, but an attacker can use the UPX Shell tools [12] to undo it and launch the attack shown in Figure 1. OLLVM obfuscation [13] is compiler-based code obfuscation performed at the source code level, but it has proven to be vulnerable to new deobfuscation methods [14], [15].

This paper aims to propose a better code obfuscation approach for SO files. Our work targets applications compiled for the ARM instruction set, the de facto Android hardware architecture. As a departure from prior work, our code obfuscation scheme, namely CodeCloak, works at the binary level. It employs a stack-based virtualization scheme to protect the logic of algorithms and protocols implemented in SO files. At the native machine code level, it uses a novel stack-based virtualization structure to protect native ARM instructions. To enhance the security strength, we adopt multiple virtual protection schemes, where a scheme is dynamically chosen at runtime. Furthermore, our implementation is fully compatible with existing protection schemes for DEX. As a result, CodeCloak closes the gap between DEX and SO file protection.

We evaluate CodeCloak under typical app repackaging settings. Our evaluation results show that CodeCloak can effectively protect apps from repackaging attacks, and it achieves this at the cost of minimal overhead. One of the key contributions of this paper is a novel approach for protecting native shared object files against app repackaging on Android systems. The other contribution is the first approach to binary-level code virtualization for ARM instructions, which can be applied to many embedded systems that are powered by ARM processor architectures.

II. BACKGROUND

A. VM-BASED ANDROID APP PROTECTION SCHEME

The VM protection process consists of the following steps. We first decompile the binary SO file and extract the key ARM instructions according to the pre-set tags. Then, the extracted ARM instructions are mapped to virtual instructions which remain semantically equivalent to the originals. Next, the virtual instructions are encoded into the SO file in binary form using custom encoding rules, and the original instructions are replaced by a call into the interpreter that decodes and executes them at runtime.
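The steps just described, as an added illustration that is not CodeCloak's code: a toy stack-based VM in which one native routine (standing in for an ARM ADD/MUL/SUB sequence) is lifted to virtual instructions, the opcode bytes that encode those instructions depend on a key chosen at run time, and the interpreter rebuilds its decode table from that key. The virtual instruction set, the rotate-and-XOR encoding rule, the four-register model and the time-based key selection are all hypothetical; the page does not give CodeCloak's actual encoding rules.

```c
/* Toy stack-based code virtualization (added example, not CodeCloak's code).
 * The virtual ISA, the encoding rule and the key selection are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Semantic virtual opcodes; the byte that encodes each one is key-dependent. */
enum vop { V_PUSH_REG = 0, V_ADD, V_SUB, V_MUL, V_POP_REG, V_RET, V_COUNT };

/* The routine to protect: r0 = (r1 + r2) * r3 - r1, standing in for the
 * ARM sequence ADD r0,r1,r2 / MUL r0,r0,r3 / SUB r0,r0,r1. */
uint32_t native_fn(uint32_t r1, uint32_t r2, uint32_t r3) {
    return (r1 + r2) * r3 - r1;
}

/* The same computation lifted to the stack VM (semantic form, which a real
 * protector would produce offline). Register operands follow their opcode. */
static const uint8_t program[] = {
    V_PUSH_REG, 1, V_PUSH_REG, 2, V_ADD,   /* r1 + r2        */
    V_PUSH_REG, 3, V_MUL,                  /* (...) * r3     */
    V_PUSH_REG, 1, V_SUB,                  /* (...) - r1     */
    V_POP_REG, 0, V_RET                    /* r0 = result    */
};
#define PROGRAM_LEN (sizeof program)

/* Hypothetical encoding rule: rotate the opcode numbering by the key and XOR
 * with a key-derived mask. Injective for any key, so the decoder can invert
 * it, and two keys yield different bytes for identical semantics. */
static uint8_t enc_op(uint8_t op, uint8_t key) {
    return (uint8_t)(((op + key) % V_COUNT) ^ (uint8_t)(key * 0x9E));
}

/* Emit the encoded bytecode for `key` into `out`; returns its length, 0 on error. */
size_t encode_program(uint8_t key, uint8_t *out, size_t cap) {
    if (cap < PROGRAM_LEN) return 0;
    size_t i = 0;
    while (i < PROGRAM_LEN) {
        uint8_t op = program[i];
        out[i++] = enc_op(op, key);
        if (op == V_PUSH_REG || op == V_POP_REG) {   /* one register operand */
            if (i >= PROGRAM_LEN) return 0;
            out[i] = (uint8_t)(program[i] ^ key);    /* operands are masked too */
            i++;
        }
    }
    return i;
}

/* Interpreter: rebuild the decode table from the key, then execute.
 * Returns 0 on RET, -1 on an unknown byte, bad register or stack misuse. */
int vm_run(const uint8_t *code, size_t len, uint8_t key, uint32_t regs[4]) {
    uint8_t dec[256];
    for (int b = 0; b < 256; b++) dec[b] = 0xFF;              /* 0xFF = invalid */
    for (uint8_t op = 0; op < V_COUNT; op++) dec[enc_op(op, key)] = op;
    uint32_t stack[16];
    int sp = 0;
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = dec[code[pc++]];
        switch (op) {
        case V_PUSH_REG: {
            if (pc >= len || sp >= 16) return -1;
            uint8_t r = (uint8_t)(code[pc++] ^ key);
            if (r > 3) return -1;
            stack[sp++] = regs[r];
            break;
        }
        case V_ADD: case V_SUB: case V_MUL: {
            if (sp < 2) return -1;
            uint32_t b = stack[--sp], a = stack[--sp];
            stack[sp++] = op == V_ADD ? a + b : op == V_SUB ? a - b : a * b;
            break;
        }
        case V_POP_REG: {
            if (pc >= len || sp < 1) return -1;
            uint8_t r = (uint8_t)(code[pc++] ^ key);
            if (r > 3) return -1;
            regs[r] = stack[--sp];
            break;
        }
        case V_RET:
            return 0;
        default:
            return -1;                                        /* not in this scheme */
        }
    }
    return -1;                                                /* ran off the end */
}

/* Protected entry point: encode under `key` and run. A shipped protector
 * would embed the encoded bytes and only ship the interpreter; encoding here
 * keeps the example self-contained. Returns UINT32_MAX on a VM fault. */
uint32_t virtualized_fn(uint8_t key, uint32_t r1, uint32_t r2, uint32_t r3) {
    uint8_t code[PROGRAM_LEN];
    size_t n = encode_program(key, code, sizeof code);
    uint32_t regs[4] = {0, r1, r2, r3};
    if (n == 0 || vm_run(code, n, key, regs) != 0) return UINT32_MAX;
    return regs[0];
}

/* 1 if two keys produce different byte streams for the same program. */
int encodings_differ(uint8_t k1, uint8_t k2) {
    uint8_t a[PROGRAM_LEN], b[PROGRAM_LEN];
    size_t na = encode_program(k1, a, sizeof a), nb = encode_program(k2, b, sizeof b);
    if (na != nb) return 1;
    for (size_t i = 0; i < na; i++) if (a[i] != b[i]) return 1;
    return 0;
}

/* 1 if bytecode encoded under enc_key is rejected by a decoder using run_key. */
int wrong_key_rejected(uint8_t enc_key, uint8_t run_key) {
    uint8_t code[PROGRAM_LEN];
    size_t n = encode_program(enc_key, code, sizeof code);
    uint32_t regs[4] = {0, 5, 7, 3};
    return n != 0 && vm_run(code, n, run_key, regs) != 0;
}

int main(void) {
    uint8_t key = (uint8_t)time(NULL);   /* scheme chosen at run time (hypothetical) */
    printf("native      : %u\n", native_fn(5, 7, 3));
    printf("virtualized : %u (key %u)\n", virtualized_fn(key, 5, 7, 3), key);
    return 0;
}
```

Build with `cc -std=c99 -Wall toy_vm.c`; both lines print the same value because the stack program is semantically equivalent to the native routine under every key. The point of the key-dependent table is the one the paper makes about runtime diversity: a disassembler that has recovered the opcode assignment for one scheme learns nothing about the bytes emitted under another, and feeding those bytes to the wrong decoder faults rather than yielding the original logic.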

In this paper, we introduce CodeCloak, a new method of native ARM instruction virtualization protection based on time diversity. It can effectively resist the threat of deep repackaging attacks. As far as we know, CodeCloak is the first system to take advantage of virtualization technology to protect native SO files.
