Abstract:
The proposed thesis explores monitoring system calls in Android environments to detect the presence of debuggers, identify anomalies that can be indicators of security issues, and observe how user-sensitive data is handled. System calls are fundamental for every application since they are the mandatory gateway to request an action from the operating system; therefore, accessing any resource implies performing one.
To achieve these goals, a system call capturing and analysis tool named Ptracer has been developed. It places itself between an application and the kernel to intercept every interaction between them and, for each observed system call, gathers information such as the stack backtrace and the parameters used.
Moreover, the captured information can be represented in a model based on a nondeterministic finite-state automaton (NFA) and refined over multiple learning iterations, effectively linking all the observed kernel interactions by a causal relationship. Such a model describes what is considered “normal” application behaviour and will be used to detect anomalies by enforcing it during future application executions.
The collected information will be extremely useful in detecting whether an external actor is trying to debug, tamper with, or breach the application, since such attempts would alter its normal behaviour, execution speed, or pace. The final results will show how system call interception is a rich source of information that can be used to protect the application from various attacks. Furthermore, by analyzing which actions are requested from the kernel, it is possible to determine what sensitive data the application requests and how often, with the goal of identifying privacy issues.
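To make the learning and enforcement idea of the two paragraphs above concrete, here is an added illustration that is not part of the thesis and not Ptracer's own code. It assumes a simplified model in which each automaton state is a (system call, call-site tag) pair, where the call-site tag stands in for the stack backtrace Ptracer collects. Learning iterations add observed transitions and the longest observed time gap between consecutive calls; enforcement then reports transitions never seen in training (an unexpected code path) and transitions that are far slower than anything observed (the altered execution pace mentioned above). All trace data and tag names are constructed samples.

```python
from collections import defaultdict

# Constructed sample observations: each event is (syscall, call-site tag, timestamp in ms).
# The "csN" tags are made-up stand-ins for a hashed backtrace; nothing here is real app data.
START = ("<start>", "-")
END = ("<end>", "-")


class SyscallAutomaton:
    """Automaton over (syscall, call-site) states learned from system call traces."""

    def __init__(self, slowdown_factor=3.0, min_gap_ms=5.0):
        self.next_states = defaultdict(set)    # state -> set of allowed successor states
        self.max_gap_ms = defaultdict(float)   # (state, successor) -> longest gap seen in training
        self.slowdown_factor = slowdown_factor  # tolerated multiple of the longest observed gap
        self.min_gap_ms = min_gap_ms            # floor so that tiny training gaps are not over-fitted
        self.iterations = 0

    def learn(self, trace):
        """One learning iteration: record every transition and its timing gap."""
        prev, prev_t = START, (trace[0][2] if trace else 0.0)
        for name, site, t in trace:
            cur = (name, site)
            self.next_states[prev].add(cur)
            key = (prev, cur)
            self.max_gap_ms[key] = max(self.max_gap_ms[key], t - prev_t)
            prev, prev_t = cur, t
        self.next_states[prev].add(END)
        self.iterations += 1

    def check(self, trace):
        """Enforce the model on a new trace; return a list of (index, kind, state, next_state)."""
        findings = []
        prev, prev_t = START, (trace[0][2] if trace else 0.0)
        for i, (name, site, t) in enumerate(trace):
            cur = (name, site)
            if cur not in self.next_states.get(prev, ()):
                # Transition never observed during learning: unexpected code path or injected call.
                findings.append((i, "unknown_transition", prev, cur))
            else:
                allowed = max(self.max_gap_ms[(prev, cur)], self.min_gap_ms) * self.slowdown_factor
                if t - prev_t > allowed:
                    # Known transition but far slower than anything seen: pace anomaly.
                    findings.append((i, "slow_transition", prev, cur))
            prev, prev_t = cur, t
        if END not in self.next_states.get(prev, ()):
            findings.append((len(trace), "unexpected_end", prev, END))
        return findings

    def size(self):
        """Number of distinct transitions in the model."""
        return sum(len(s) for s in self.next_states.values())


# Constructed training runs of a hypothetical "open, read, close, write" routine.
TRAINING_TRACES = [
    [("openat", "cs1", 0.0), ("read", "cs2", 1.0), ("close", "cs3", 2.0), ("write", "cs4", 3.0)],
    [("openat", "cs1", 0.0), ("read", "cs2", 1.5), ("read", "cs2", 2.5),
     ("close", "cs3", 3.0), ("write", "cs4", 4.0)],
    [("openat", "cs1", 0.0), ("close", "cs3", 1.0), ("write", "cs4", 2.0)],
]


def build_model(traces=TRAINING_TRACES):
    """Run one learning iteration per trace and return the refined automaton."""
    model = SyscallAutomaton()
    for trace in traces:
        model.learn(trace)
    return model


if __name__ == "__main__":
    model = build_model()
    print("transitions learned:", model.size(), "after", model.iterations, "iterations")
    # A run with an extra call at an unseen call site in the middle of the routine.
    injected = [("openat", "cs1", 0.0), ("read", "cs2", 1.0), ("ptrace", "cs9", 2.0),
                ("close", "cs3", 3.0), ("write", "cs4", 4.0)]
    # A run with the expected calls but a 79 ms stall between read and close.
    stalled = [("openat", "cs1", 0.0), ("read", "cs2", 1.0), ("close", "cs3", 80.0), ("write", "cs4", 81.0)]
    for label, trace in (("injected", injected), ("stalled", stalled)):
        for idx, kind, state, nxt in model.check(trace):
            print(f"{label}: event {idx}: {kind} {state} -> {nxt}")
```

The call-site tag in each state is what makes the model sensitive to an attacker reaching a legitimate system call from an unexpected place; without it, a model keyed only on system call names would accept any `read` after any `openat`. The timing check is deliberately coarse (a constant multiple of the longest training gap with a floor) because scheduling noise on a real device would otherwise produce false positives.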
The proposed future developments aim to reduce Ptracer’s analysis overhead, actively protect user privacy, and provide new and more sophisticated techniques for detecting MATE (man-at-the-end) attacks and anomalies. These future goals will be achieved by improving the analysis quality to reach a deeper insight into the application and by expanding the behavioural model to include different data types, so as to counter a wider variety of attacks (e.g., DoS attacks). Moreover, new interception technologies such as eBPF will be considered and discussed.