Improve Dynamic Sandbox on the Cloud with Non-QEMU Based OS Through Hooks and Mocks Techniques
2016; Springer Science+Business Media; Language: English
10.1007/978-981-10-0557-2_52
ISSN 1876-1119
Authors: Ngoc-Tu Chau, Long Nguyen-Vu, Souhwan Jung
Topic(s): Digital and Cyber Forensics
Abstract: In malware analysis, analysis emulators are either QEMU-based or non-QEMU based. QEMU-based emulators, for example the Android Virtual Device (AVD), are developed to provide a test environment for Android developers. They can provide fully emulated mobile device features by using QEMU, a service that can emulate other environments. Non-QEMU based emulators, for example Android-x86, are faster than QEMU-based emulators, since their purpose is to deploy the Android operating system directly on real hardware. However, non-QEMU based emulators work best only on real hardware and cannot provide fully emulated services, because they lack the QEMU service. In order to properly apply QEMU-based and non-QEMU based emulators as malware analysis environments in the cloud, either the performance of the QEMU-based emulator must be improved or Android-x86 must support emulated services. Deploying a QEMU-based emulator in the cloud is costly, and applying existing solutions for performance improvement is complicated. Furthermore, applications can use JNI methods to check for the presence of QEMU and thereby identify an emulator environment. On the other hand, a non-QEMU based sandbox cannot fully emulate mobile device features, since it lacks the QEMU service. Compared with the QEMU-based emulator, the problems of the non-QEMU based one can be solved through software, which reduces deployment cost in the cloud. This paper proposes a combination of Hook and Mock techniques as a work-around for the non-QEMU based sandbox. The Hooking technique can mangle the results of API calls, and the Mock technique can build an emulated mobile network environment around the non-QEMU sandbox to execute mobile-specific actions, such as unsolicited RIL requests that simulate an incoming call or an incoming SMS.