Screen After Previous Screens: Spatial-Temporal Recreation .

Screen After Previous Screens:Spatial-Temporal Recreation of AndroidApp Displays from Memory ImagesBrendan Saltaformaggio, Rohit Bhatia,Xiangyu Zhang, Dongyan Xu, Golden G. Richard III*Purdue University*University of New Orleans

A Crime To Investigate Without access to the suspect’spassword or breaking Telegram’sfully encrypted storage!

Memory Forensics or Mission Impossible?GUI TreeTime:

State of the Art: GUITAR - GUI Tree ARchaeology[CCS ’15, Best Paper]Drawing-Content-BasedBipartite Graph MatchingRemaining GUIData Structures112323AliceGUI Tree

The “Screen 0” Limitation of GUITARScreen -5In MemoryGUI Data:Time:Screen -4Screen -3Screen -2Screen -1Screen 0

Are The Old Screens Really Gone?Screen -5Screen -4Screen -3Screen -2Screen -1App screen changes are highly dynamicHow can every screen be fully rebuilt so fast?Some data must remain to bring the screens backScreen 0

Are The Old Screens Really Gone? Yes and NoScreen -5Screen -4Screen -3Screen -2Screen 0App Internal DataGUI Screen DataNot for GUI drawing:Raw Chat Strings,Account Balance, GUITAR’s Target:GUI Tree,Draw Ops, Data Structure Count(Thousands)Screen -1100806040200Time (Relative to Screen Changes)Internal DataScreen -5Screen -4Screen -3Screen -2Screen -1Screen 0

Android Asks The App To Draw A ScreenAndroid sends a Redraw Command1) A Canvas is sent for the app to fillCanvas- Apps register draw routines with Android2) The app builds GUI structures which“package” the internal data- Destroying the previous screen!Canvas3) The filled canvas is rendered on thedevice’s screen

Idea: Ask The Memory Image To Draw A ScreenChallenges:1) How to injectthe RedrawCommand?- Screen-specificdraw routines3) Memory Static Data- Execution context is goneCanvas?Redraw Command2) Need to understandthe app internal data?Previous Approaches:- Data structuresignature scanning- App-specific reverseengineeringOur Goal: “Plug And Play”App-Agnostic Recovery

RetroScope: Spatial-Temporal Display RecreationInterleavedRe-ExecutionEnginePerforms app-agnosticscreen reconstructionfrom an app’s internaldata within a memoryimageScreen -3Redraw CommandCanvasScreen -2Screen -1Screen 0

Symbiont App: Two Apps In OneState MergerStep 1) Start theSymbiont App to hostthe memory imageStep 2) Move thememory image state intothe Symbiont App- Map memory segments- Merge Java runtimes- Register draw functions

Interleaved Re-Execution Engineobj.* Passobj'.* Passobj'.func( )αδobj.fldobj'.fld Passobj.func PassCode Context Barrierβobj.fldobj'.fldobj'.fldobj.func( )γStep 3) Initialize theInterleaved Re-ExecutionEngine (IRE)Formally modeled theinterleaving of states as afinite automataobj.fld Passobj'.func PassThe Overly Simple Explanation:Live Code outputs to Live Environment &Old Code reads from Old EnvironmentTransition rules guided byexecuting instructionsemantics

Interleaved Re-Execution EngineStep 3) Initialize theInterleaved Re-ExecutionEngine (IRE)obj.* Passobj'.* Passobj'.func( )αδobj'.fld Passobj.func PassCode Context Barrierβobj.fldobj'.fldobj'.fldobj.func( )obj.fldInterleavedRe-ExecutionEngineγobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineStep 4) Redirect a redrawcommand to the TargetAppobj.* Passobj'.* Passobj'.func( )δobj.fldCanvasβobj'.fld Passobj.func Passobj.fldobj'.fldobj.func( )Code Context BarrierRedraw Commandαobj'.fldThe IRE monitors thestate transitions andcorrects the executionγobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineMemory image app’s drawroutines naturally accessesits internal dataobj.* Passobj'.* Passobj'.func( )αδobj.fldβobj'.fld Passobj.func PassCode Context BarrierCanvasobj.fldobj'.fldRedraw Commandobj'.fldobj.func( )γobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineMemory image app’s drawroutines naturally accessesits internal dataobj.* Passobj'.* Passobj'.func( )αδobj.fldβobj'.fld Passobj.func PassCode Context BarrierCanvasobj.fldobj'.fldRedraw Commandobj'.fldobj.func( )γobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineIRE ensures that functioncalls to the new canvas aredirected to the live GUIsystemobj.* Passobj'.* Passobj'.func( )αδobj.fldβobj'.fld Passobj.func PassCode Context BarrierCanvasobj.fldobj'.fldobj'.fldobj.func( )γobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineThe newly filled Canvas isrendered by the live GUIsystem and savedobj.* Passobj'.* Passobj'.func( )αδobj.fldβobj'.fld Passobj.func PassCode Context BarrierCanvasobj.fldobj'.fldobj'.fldobj.func( )γobj.fld Passobj'.func Pass

Selective ReanimationInterleavedRe-ExecutionEngineThis process repeats foreach registered drawroutineobj.* Passobj'.* Passobj'.func( )αδobj.fldβobj'.fld Passobj.func PassCode Context BarrierCanvasobj.fldobj'.fldobj'.fldobj.func( )γobj.fld Passobj'.func Pass

Breaking The Case Wide Open!

Evaluation15 Apps on 3 “Suspect” Devices: HTC One, LG G3, Samsung Galaxy S4AppScreensRecoveredGround Truth(lower bound)Calendar6611 of:11AverageContacts3341,078 Byte-CodeInstructions,Facebook158 New Java6 Objects, and5StructuresGmail 13,535 New C/C 66Per ScreenHTC One(More In Paper)Chase BankingByte Code Inst.Re-ExecutedNew JavaObjectsNew C/C 192498571WhatsApp663212291571104216

Case 1: WeChat (And Others) Deleted MessagesScreen -4Screen -3Screen -2From LG G3 DeviceScreen -1Screen 0

Case 2: WhatsApp Background UpdateScreen -5Screen -4Screen -3Screen -2Screen -1From Samsung Galaxy S4 DeviceScreen 0Screen 1

Related WorksB. Saltaformaggio, Z. Gu, X. Zhang, and D. Xu. DSCRETE: Automatic Rendering ofForensic Information from Memory Images via Application Logic Reuse. In Proc. USENIXSecurity, 2014. Best Student Paper.M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. Mapping kernel objects toenable systematic integrity checking. In Proc. CCS, 2009.B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. Robust signatures for kernel datastructures. In Proc. CCS, 2009.J. Lee, T. Avgerinos, and D. Brumley. TIE: Principled reverse engineering of types in binaryprograms. In Proc. NDSS, 2011.A. Slowinska, T. Stancescu, and H. Bos. Howard: A dynamic excavator for reverseengineering data structures. In Proc. NDSS, 2011.R. Walls, B. N. Levine, and E. G. Learned-Miller. Forensic triage for mobile phones withDEC0DE. In Proc. USENIX Security, 2011.

ConclusionRetroScope represents a new paradigm of spatial-temporal memoryforensics for app GUI screensRetroScope’s novel IRE selectively reanimates an app’s screenredrawing functionality without any app-specific knowledgeRecovers visually accurate, temporally ordered screens (ranging from3 to 11 screens) for a wide variety of privacy-sensitive apps

Thank you!Questions?Brendan Saltaformaggiobsaltafo@cs.purdue.edu

Privacy Implications of RetroScope?The privacy-sensitive apps are not broken, per se- Unlike disk or network, memory is assumed private- Little incentive to “protect” memory- E.g., Malware in your app’s memory all bets are offRetroScope is just emulating the standard behavior of Android- To disrupt RetroScope would also hinder an app’s ability to draw screens- Encrypting memory doesn’t work because RetroScope would reanimate the decryption logic- Privacy vs. Usability-E.g., Zeroing data would require getting it back in order to redraw (slowing down the UI)Citizens’ privacy is protected by strict legal protocols and regulations (see [9,21])- Search warrants & strict chain of custody documentation prior to performing “invasive” forensics

Screen -5 Screen -4 Screen -3 Screen -2 Screen -1 Screen 0 0 20 40 60 80 t s) 100 . Samsung Galaxy S4 e re aper) App Screens Recovered GroundTruth (lower bound) Byte Code Inst. Re-Executed New Java Objects . The privacy-sensitive apps are not broken, per se-Unlike disk or network, memory is assumed private