Hiding Behind Android Runtime (ART)

[Youtube Data] Public Data - [ART]

2022 NHN Cloud free training schedule: https://doc.skill.or.kr/2022-NHN-Cloud-Education

Title: Hiding Behind Android Runtime (ART)

Notice: users of the program are responsible for any problems that arise from using it for purposes other than testing.

Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.

Contents:

We start with a discussion of Android rootkit research and how these techniques are becoming increasingly difficult to use on modern Android systems.

We then go inside ART and discuss the file formats and mechanisms relevant to rootkit creation. Once we understand the mechanisms involved, we will discuss how to craft the rootkit, i.e. what to change, where to find it, how to change it, and how to gain persistence on the system.

Description:

The introduction of the new Android Runtime (ART) brings several improvements in Android. But, as with any new technology, it also brings new ways to conduct or enhance malicious activities. In this presentation, we will detail one of those ways.

Once an attacker or malware has gained access to the Android device, the next step is to find ways to hide itself and gain persistence, and this is usually achieved by installing a rootkit. The majority of these rootkits are kernel mode rootkits and the common way of achieving persistence is by modifying files in the system partition. However, recent advancements in Android security, such as verified boot, have made this increasingly difficult. This presentation will demonstrate how to go around this difficulty by taking the game out of kernel mode and out of the system partition. We will show you how to take advantage of the mechanisms of ART to create a user mode rootkit.

We will start with a discussion of past Android rootkit research and how these techniques have become increasingly difficult to use in modern Android systems. Then we will go deep into ART internals, where we will discuss the file formats and mechanisms relevant to rootkit creation. After we have understood the mechanisms involved, we will discuss methods of crafting the rootkit, i.e. what to change, where to find it, and how to change it, as well as techniques for gaining persistence on the system. We will also examine the limitations of this approach and possible future work in this area.

The talk will conclude with a live demonstration of an ART rootkit.

