In October, Corellium presented an interactive workshop at the Arm DevSummit called “App Unknown: An Introduction to Rapid Security Analysis on Arm.”
In October, Corellium presented an interactive workshop at the Arm DevSummit called “App Unknown: An Introduction to Rapid Security Analysis on Arm.” Spots for the workshop filled up in a matter of hours, so we wanted to share some highlights and resources here for those who weren’t able to attend!
The workshop was designed to introduce the audience to essential tools and methods for quickly assessing an unknown application for potential security threats. Someone sends you an app you don’t recognize — how can you get an idea if it’s doing something bad?
Virtual devices like Corellium’s offer an ideal place to test unknown apps. You don’t have to worry about contaminating a physical test device with malware, and you can simply delete the virtual device when you’re done testing. Our devices also offer unique built-in tools that give you greater control over the device environment and a ready-made setup for rapid analysis. Plus, Corellium’s devices run on Arm, giving you a realistic platform for testing without the hassle of recompiling.
One of the first things you might want to inspect in an unknown app is network traffic. This can give you an idea if the app is sending traffic to a nefarious source. There are a number of ways you might approach this:
Corellium’s built-in Network Monitor tool makes it easy to inspect HTTP and HTTPS network traffic on your virtual device. Network Monitor leverages sslsplit to capture and present HTTP and HTTPS network traffic, transparently defeating certificate pinning. For any captured packet, you can drill in to view more information, the request, and the response.
Another key approach to assessing an unknown app is system call tracing, or intercepting and recording the system calls that are called and received by a process. This approach enables you to drill down into precisely what an application is doing and how it’s interacting with the surrounding system. It’s an invaluable dynamic analysis technique when source is not readily available.
Traditionally, to perform this type of tracing, you would use strace, a Linux diagnostic utility that can be used to monitor interactions between processes and the Linux kernel. The strace utility relies on a kernel feature known as ptrace. This makes it susceptible to anti-ptrace techniques.
Corellium’s CoreTrace tool provides even more sophisticated tracing. EL2 patches the kernel system call entry to trap into the hypervisor, so it can record the system call and its arguments. Because it’s implemented at the hypervisor level, it avoids anti-ptrace techniques and cannot be easily detected by applications. CoreTrace can also trace the entire system at once — it isn’t limited to a single process.
If you happen to be up against a kernel vulnerability, one powerful tool at your disposal is to run the app with KASAN, Kernel Address Sanitizer. KASAN is a dynamic memory error detector designed to find out-of-bound and use-after-free bugs, and it works by checking whether all memory accesses are valid with compiler instrumentation.
KASAN is appropriate to use in virtual environments like Corellium or QEMU. It can also be used on commercial products with unlocked bootloaders, or by SOC or OEM vendors. To try this in a Corellium virtual environment, upload a custom kernel to a Corellium device and check for KASAN output in the Corellium console.
The final method we reviewed in our workshop for assessing an unknown app is kernel debugging. Kernel debugging provides unparalleled introspection, but it can be difficult to set up, and it requires an understanding of Linux or XNU kernel internals. Often, it’s easier to reach for SystemTap first.
Corellium devices make kernel debugging much more convenient by injecting a gdb stub into the device kernel’s memory. If you’re interested in exploring kernel debugging with a virtual Corellium device, check out our resources on kernel debugging or building custom kernels.
Thoughts, stories and ideas from the Corellium team.
Thoughts, stories and ideas from the Corellium team.
Where does Mobile App Security Testing fit into the latest NIST SSDF and CISA Zero Trust publications?
It’s hard to find useful, well contributed to information on mobile security testing and best practices. Recent cybersecurity publications from U.S. gov agencies often confuse the search. Here’s one interpretation of how they’re interrelated.
Armv9 and Corellium: Why we chose Arm vs X86
Last week, Arm gave us a glimpse into the future by unveiling the next-generation of Arm processors: the Armv9 architecture. This is a huge deal for the future of mobile devices, and there are two groups of features in Armv9 that we’re particularly excited about.
A statement from Amanda Gorton, CEO of Corellium, regarding Apple lawsuit
In an effort, we believe, to stifle innovation and the freedom of mobile developers, Apple has filed a complaint against Corellium, claiming our company infringed on its copyrighted works.
$25M to Accelerate Arm Testing, Research, and Development
We've raised a Series A round with our friends at Paladin and Cisco Investments.
A statement from Amanda Gorton, CEO of Corellium, regarding Apple DMCA filing
Apple’s latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned.
Corellium Open Security Initiative
In honor of Corellium’s fourth birthday, we’re announcing the Corellium Open Security Initiative to support independent public research into the security and privacy of mobile applications and devices.
How We Ported Linux to the M1
A brief overview of our approach to porting Linux to the Apple Mac Mini M1 and a tutorial for installing our Ubuntu POC
Announcing Support for iOS on Individual Cloud Accounts
We’re very excited to announce that virtual iOS-based devices are now available for individual accounts on our groundbreaking security research platform.
Announcing the 2021 COSI Award Winner
Today, we're very excited to announce that the winner of the 2021 COSI Award is James Sebree, a Principal Research Engineer at Tenable.