December 18, 2020

Corellium Workshop at Arm DevSummit 2020


Arm dev summit, October 6-8, 2020 Virtual Conference
In October, Corellium presented an interactive workshop at the Arm DevSummit called “App Unknown: An Introduction to Rapid Security Analysis on Arm.” Spots for the workshop filled up in a matter of hours, so we wanted to share some highlights and resources here for those who weren’t able to attend!

Click here to download the workshop slides.

The workshop was designed to introduce the audience to essential tools and methods for quickly assessing an unknown application for potential security threats. Someone sends you an app you don’t recognize — how can you get an idea if it’s doing something bad?

Virtual devices like Corellium’s offer an ideal place to test unknown apps. You don’t have to worry about contaminating a physical test device with malware, and you can simply delete the virtual device when you’re done testing. Our devices also offer unique built-in tools that give you greater control over the device environment and a ready-made setup for rapid analysis. Plus, Corellium’s devices run on Arm, giving you a realistic platform for testing without the hassle of recompiling.

Network Capture 

One of the first things you might want to inspect in an unknown app is network traffic. This can give you an idea of whether the app is sending traffic to a suspicious destination. There are a number of ways you might approach this:

  1. tcpdump
  2. mitmproxy
  3. Certificate Pinning
  4. Frida

Corellium’s built-in Network Monitor tool makes it easy to inspect HTTP and HTTPS network traffic on your virtual device. Network Monitor leverages sslsplit to capture and present HTTP and HTTPS network traffic, transparently defeating certificate pinning. For any captured packet, you can drill in to view more information, the request, and the response.

System Call Tracing

Another key approach to assessing an unknown app is system call tracing: intercepting and recording the system calls a process makes. This approach enables you to drill down into precisely what an application is doing and how it's interacting with the surrounding system. It's an invaluable dynamic analysis technique when source code is not readily available.

Traditionally, to perform this type of tracing, you would use strace, a Linux diagnostic utility that can be used to monitor interactions between processes and the Linux kernel. The strace utility relies on a kernel feature known as ptrace. This makes it susceptible to anti-ptrace techniques. 
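A first-pass triage of strace output, as an added example that is not part of the workshop material: it pulls out network destinations, executed binaries, file opens outside the app's own data directory, and `PTRACE_TRACEME` calls, which are an anti-ptrace indicator. The trace lines, package name, paths and the `triage` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `strace -f` output for a hypothetical app; not workshop data.
SAMPLE_TRACE = """\
[pid  4211] openat(AT_FDCWD, "/data/data/com.example.unknown/files/cfg.bin", O_RDONLY) = 7
[pid  4211] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
[pid  4213] connect(9, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4213] openat(AT_FDCWD, "/sdcard/DCIM/IMG_0001.jpg", O_RDONLY) = 10
[pid  4213] openat(AT_FDCWD, "/system/xbin/su", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4214] execve("/system/bin/sh", ["sh", "-c", "id"], 0x7fd3a1c0 /* 14 vars */) = 0
[pid  4214] connect(3, {sa_family=AF_UNIX, sun_path="/dev/socket/logdw"}, 110) = 0
[pid  4214] +++ exited with 0 +++
"""

CALL = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
INET = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
QUOTED = re.compile(r'"([^"]*)"')

def triage(trace, app_dir):
    """Return {category: [(pid, detail), ...]} for calls worth a closer look."""
    found = defaultdict(list)
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue  # signal, exit, or unfinished/resumed lines
        pid, name, args, ret = m.groups()
        path = QUOTED.search(args)
        if name == "connect" and (dst := INET.search(args)):
            found["network"].append((pid, f"{dst.group(2)}:{dst.group(1)}"))
        elif name == "execve" and ret == "0" and path:
            found["exec"].append((pid, path.group(1)))
        elif name == "ptrace" and args.startswith("PTRACE_TRACEME"):
            # The app asked to be traced itself; with strace already attached
            # the call fails, so the app can tell it is being traced.
            found["anti_ptrace"].append((pid, f"PTRACE_TRACEME = {ret}"))
        elif name in ("open", "openat") and path:
            if not path.group(1).startswith(app_dir):
                status = "ok" if int(ret) >= 0 else "failed"
                found["outside_app_dir"].append((pid, f"{path.group(1)} ({status})"))
    return dict(found)

if __name__ == "__main__":
    report = triage(SAMPLE_TRACE, "/data/data/com.example.unknown/")
    for kind, events in report.items():
        for pid, detail in events:
            print(f"{kind:16} pid={pid} {detail}")
```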

Corellium’s CoreTrace tool provides even more sophisticated tracing. The hypervisor, running at EL2, patches the kernel's system call entry so that it traps into the hypervisor, which can then record the system call and its arguments. Because it’s implemented at the hypervisor level, it avoids anti-ptrace techniques and cannot be easily detected by applications. CoreTrace can also trace the entire system at once, rather than being limited to a single process.

KASAN

If you happen to be up against a kernel vulnerability, one powerful tool at your disposal is to run the app with KASAN, the Kernel Address Sanitizer. KASAN is a dynamic memory error detector designed to find out-of-bounds and use-after-free bugs. It works by using compiler instrumentation to check whether every memory access is valid.

KASAN is appropriate to use in virtual environments like Corellium or QEMU. It can also be used on commercial products with unlocked bootloaders, or by SoC or OEM vendors. To try this in a Corellium virtual environment, upload a custom kernel to a Corellium device and check for KASAN output in the Corellium console.
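One way to check a saved console log for KASAN output, as an added example that is not Corellium's code: it extracts the bug class, faulting function, and access details from each report header so they can be matched to the app's process. The console excerpt, `demo_drv` names and task name are constructed, and the helper `kasan_reports` is hypothetical; the two header lines follow the layout the kernel uses for KASAN reports.

```python
import re

# Constructed console excerpt in the kernel's KASAN report layout.
SAMPLE_CONSOLE = """\
[   41.102331] binder: 4211:4230 transaction completed
[   41.377820] ==================================================================
[   41.377901] BUG: KASAN: use-after-free in demo_ioctl+0x1a4/0x2c0 [demo_drv]
[   41.377950] Read of size 8 at addr ffff0000c8a41c10 by task example_app/4211
[   41.378012] CPU: 2 PID: 4211 Comm: example_app Tainted: G B
[   43.905117] ==================================================================
[   43.905160] BUG: KASAN: slab-out-of-bounds in demo_write+0x88/0x120 [demo_drv]
[   43.905199] Write of size 1 at addr ffff0000c9f3307b by task example_app/4211
"""

STAMP = re.compile(r'^\[\s*\d+\.\d+\]\s?')  # printk timestamp prefix
HEAD = re.compile(
    r'^BUG: KASAN: (.+?) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?')
ACCESS = re.compile(
    r'^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$')

def kasan_reports(console, pid=None):
    """Parse KASAN report headers; optionally keep only those hit by `pid`."""
    reports, current = [], None
    for raw in console.splitlines():
        line = STAMP.sub("", raw).rstrip()
        if (h := HEAD.match(line)):
            current = {"bug": h.group(1), "function": h.group(2),
                       "module": h.group(3)}
            reports.append(current)
        elif current is not None and (a := ACCESS.match(line)):
            # The access line directly follows the BUG line in a report.
            current.update(access=a.group(1).lower(), size=int(a.group(2)),
                           addr=int(a.group(3), 16), task=a.group(4),
                           pid=int(a.group(5)))
            current = None
    # Reports without a parsed access line have no pid and drop out here
    # when a pid filter is given.
    return [r for r in reports if pid is None or r.get("pid") == pid]

if __name__ == "__main__":
    for r in kasan_reports(SAMPLE_CONSOLE, pid=4211):
        print(f'{r["bug"]}: {r["access"]} of {r["size"]} bytes '
              f'in {r["function"]} [{r["module"]}] by {r["task"]}')
```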

Kernel Debugging

The final method we reviewed in our workshop for assessing an unknown app is kernel debugging. Kernel debugging provides unparalleled introspection, but it can be difficult to set up, and it requires an understanding of Linux or XNU kernel internals. Often, it’s easier to reach for SystemTap first. 

Corellium devices make kernel debugging much more convenient by injecting a gdb stub into the device kernel’s memory. If you’re interested in exploring kernel debugging with a virtual Corellium device, check out our resources on kernel debugging or building custom kernels.

 

