- Goa 2021
- Speakers
- SungHyoun Song
SungHyoun Song
Talk Title:
Deep dive into ART(Android Runtime) for dynamic binary analysis
Abstract:
Google has changed Android runtime drastically each time a new version of Android is released to optimize the performance, storage usage, and system updates of apps. The profiling data has started to be generated in the recent version of Android 10, based on the user's behavior in ART (Android Runtime). Based on the profiling data, the byte code is optimized (Profile-Guided optimization and Cloud Profile optimization) by the compiler (AOT/JIT). ART also interprets and executes different types of code (byte code, oat code and jit code) generated by the compiler. Such complexity in the structure and the operation method makes ART difficult to understand correctly. However, since all the code of the app is interpreted and executed through ART, if the attacker understands how ART works, it is possible to steal all the information necessary to analyze the app. Therefore, in this paper, we analyze the flow and structure of how the app code is interpreted and executed by objects existing in Android 10 ART. Then, by modifying the ART based on the analysis results, we develop a framework that can steal the information in real time, such as smali code, interface, parameters, return value, fields and stack trace of a method that is executed dynamically. In addition, we present an easy technique to effectively analyze the app without accessing the execution code by using tools such as decompiler or disassembler.
Bio:
SungHyoun Song is a security researcher at FSI(Financial Security Institute), in charge of Mobile Security for Financial Industry in Korea. He has experienced mobile security, reverse engineering, penetration test and authentication mechanism for ten Years. Currently focusing on Linux kernel exploitation and Android runtime. Also he has participated in several international security conferences such as ITU-T, SEC-T, PacSec, HITCON, BlackAlps, beVX.
2012~2013) He was co-editor and speaker of ITU-T X.1156 in Swiss
- (subject) "Non-repudiation framework based on a one time password"
- (info) http://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=9416
2017) He was speaker of HITCON in Taiwan
- (subject) "A hidden agent of fingerprint authentication in Android"
- (info) https://hitcon.org/2017/CMT/agenda
2018) He was speaker of SEC-T in Sweden
- (subject) "Bypass Android Security Mechanisms using Custom Kernel"
- (info) https://www.sec-t.org/archive/2018_events/talks/
2018) He was speaker of PacSec in Japan
- (subject) "Bypass Android Security Mechanisms using Custom Kernel"
- (info) https://pacsec.jp/pastevents.html
2018) He was speaker of BlackAlps in Swiss
- (subject) "Bypass Android Security Mechanisms using Custom Kernel"
- (info) https://www.blackalps.ch/ba-18/talks.php
2018) He was speaker of beVXCon in HongKong
- (subject) "Bypass Android Security Mechanisms using Custom Kernel"
- (info) https://www.beyondsecurity.com/bevxcon/speakers.html