TY - GEN
T1 - NCScope
T2 - 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022
AU - Zhou, Hao
AU - Wu, Shuohan
AU - Luo, Xiapu
AU - Wang, Ting
AU - Zhou, Yajin
AU - Zhang, Chao
AU - Cai, Haipeng
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/7/18
Y1 - 2022/7/18
N2 - More and more Android apps implement their functionalities in native code, and so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of the ARM platform, and eBPF, a kernel component of the Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.
AB - More and more Android apps implement their functionalities in native code, and so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of the ARM platform, and eBPF, a kernel component of the Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.
UR - http://www.scopus.com/inward/record.url?scp=85136808099&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85136808099&partnerID=8YFLogxK
U2 - 10.1145/3533767.3534410
DO - 10.1145/3533767.3534410
M3 - Conference contribution
AN - SCOPUS:85136808099
T3 - ISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
SP - 629
EP - 641
BT - ISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
A2 - Ryu, Sukyoung
A2 - Smaragdakis, Yannis
PB - Association for Computing Machinery, Inc
Y2 - 18 July 2022 through 22 July 2022
ER -