Traditional anti,virus works by detecting sequences of bytes. Many evasion techniques manipulate data and code in very minor ways that, while not affecting the functionality of the program, change the sequences of bytes within it. An alternative approach is to identify programs based on their control flow graphs (CFGs). Using the Baksmali tool as a base, I’ve added code to parse the CFG for each method, read in a signature file, and run different comparison algorithms to effectively make a CFG based virus scanner. An algorithm for node,by,node matching has been designed and implemented specifically for this project. The algorithms, efficacy, and implementation of this tool will be discussed.Some technical background will be helpful. However, in addition to the control flow graph isomorphism algorithm, this talk will attempt to cover the necessary background knowledge including traditional anti,virus methods, Android APK structure and code, disassembly, basic blocks, and control flow graphs.

Back to Derbycon 2014 video list