Corellium Workshop at Arm DevSummit 2020
December 18, 2020

In October, Corellium presented an interactive workshop at the Arm DevSummit called “App Unknown: An Introduction to Rapid Security Analysis on Arm.” Spots for the workshop filled up in a matter of hours, so we wanted to share some highlights and resources here for those who weren’t able to attend!

The workshop was designed to introduce the audience to essential tools and methods for quickly assessing an unknown application for potential security threats. Someone sends you an app you don’t recognize — how can you get an idea if it’s doing something bad?

Virtual devices like Corellium’s offer an ideal place to test unknown apps. You don’t have to worry about contaminating a physical test device with malware, and you can simply delete the virtual device when you’re done testing. Our devices also offer unique built-in tools that give you greater control over the device environment and a ready-made setup for rapid analysis. Plus, Corellium’s devices run on Arm, giving you a realistic platform for testing without the hassle of recompiling.

Network Capture

One of the first things you might want to inspect in an unknown app is its network traffic. This can show whether the app is sending data to a suspicious destination. There are a number of ways you might approach this:

  • tcpdump
  • mitmproxy
  • Certificate Pinning
  • Frida

Corellium’s built-in Network Monitor tool makes it easy to inspect HTTP and HTTPS network traffic on your virtual device. Network Monitor leverages sslsplit to capture and present HTTP and HTTPS network traffic, transparently defeating certificate pinning. For any captured packet, you can drill in to view more information, the request, and the response.

System Call Tracing

Another key approach to assessing an unknown app is system call tracing: intercepting and recording the system calls a process makes and the results it receives from the kernel. This lets you drill down into precisely what an application is doing and how it interacts with the surrounding system. It is an invaluable dynamic analysis technique when source code is not readily available.

Traditionally, to perform this type of tracing, you would use strace, a Linux diagnostic utility for monitoring the interactions between processes and the Linux kernel. strace relies on the kernel's ptrace facility, which leaves it susceptible to anti-ptrace techniques: a process that notices it is being traced can alter its behaviour.

Corellium's CoreTrace tool provides more sophisticated tracing. Running at EL2, the hypervisor exception level on Arm, it patches the kernel's system call entry so that each call traps into the hypervisor, which records the system call and its arguments. Because it is implemented at the hypervisor level rather than with ptrace, it sidesteps anti-ptrace techniques and cannot be easily detected by applications. CoreTrace can also trace the entire system at once; it is not limited to a single process.

KASAN

If you happen to be up against a kernel vulnerability, one powerful tool at your disposal is to run the app with KASAN, the Kernel Address Sanitizer. KASAN is a dynamic memory error detector designed to find out-of-bounds and use-after-free bugs in kernel code; it works by using compiler instrumentation to check that every memory access is valid.

KASAN is appropriate for virtual environments like Corellium or QEMU. It can also be used on commercial products with unlocked bootloaders, or by SoC or OEM vendors. To try it in a Corellium virtual environment, upload a custom kernel with KASAN enabled to a Corellium device and check for KASAN reports in the Corellium console.
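As an added illustration (not code from the workshop, the Linux kernel or Corellium), the following toy models KASAN's shadow-memory scheme in user space: a bump allocator that surrounds each object with poisoned redzones, poisoning on free, and a check function standing in for the compiler-inserted instrumentation, so that the off-by-one and use-after-free cases described above are flagged. The granule size, poison values and the `toy_*` and `kasan_demo` names are this example's own simplifications.

```c
/* Toy model of KASAN's shadow memory, added here as an illustration (not kernel or
 * Corellium code): one shadow byte covers each 8-byte granule; 0 = fully addressable,
 * 1..7 = only the first k bytes valid, negative = poisoned (redzone or freed).
 * check_access() stands in for the check the compiler inserts at every access. */
#include <stddef.h>
#define HEAP_SIZE 256
#define GRANULE 8
#define REDZONE 16            /* poisoned gap placed after each object */
#define POISON_REDZONE (-1)   /* out-of-bounds: access hit a redzone */
#define POISON_FREED   (-2)   /* use-after-free: object was released */
static unsigned char heap[HEAP_SIZE]; static signed char shadow[HEAP_SIZE / GRANULE];
static size_t brk_off;        /* bump allocator standing in for the slab */

static void poison(size_t off, size_t len, signed char v) {
    for (size_t i = off / GRANULE; i < (off + len) / GRANULE; i++) shadow[i] = v;
}

/* Unpoison n bytes, encode a partial last granule, poison a trailing redzone. */
static void *toy_alloc(size_t n) {
    size_t rounded = (n + GRANULE - 1) / GRANULE * GRANULE, off = brk_off;
    if (off + rounded + REDZONE > HEAP_SIZE) return NULL;
    poison(off, rounded, 0);
    if (n % GRANULE) shadow[(off + rounded) / GRANULE - 1] = (signed char)(n % GRANULE);
    poison(off + rounded, REDZONE, POISON_REDZONE);
    brk_off += rounded + REDZONE;
    return heap + off;
}

/* Freeing poisons the whole object so later touches report as use-after-free. */
static void toy_free(void *p, size_t n) {
    poison((unsigned char *)p - heap, (n + GRANULE - 1) / GRANULE * GRANULE, POISON_FREED);
}

/* Returns 0 for a valid 1-byte access at p, otherwise the poison class. */
static int check_access(const void *p) {
    size_t off = (const unsigned char *)p - heap;
    if (off >= HEAP_SIZE) return POISON_REDZONE;          /* wild pointer */
    signed char s = shadow[off / GRANULE];
    if (s > 0) return (off % GRANULE) < (size_t)s ? 0 : POISON_REDZONE;
    return s;                                             /* 0 or poison */
}

/* Exercise a valid access, an off-by-one read and a use-after-free. */
int kasan_demo(int *oob, int *uaf) {
    char *buf = toy_alloc(13);
    int ok = check_access(buf + 12);   /* last valid byte: 0 */
    *oob = check_access(buf + 13);     /* one past the end: -1 */
    toy_free(buf, 13);
    *uaf = check_access(buf);          /* freed memory: -2 */
    return ok;
}
```

Real KASAN performs the same shadow lookup on every instrumented kernel load and store and prints a report with the bug class, the offending address and a stack trace, which is what to look for in the console output.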

Kernel Debugging

The final method we reviewed in our workshop for assessing an unknown app is kernel debugging. Kernel debugging provides unparalleled introspection, but it can be difficult to set up, and it requires an understanding of Linux or XNU kernel internals. Often, it’s easier to reach for SystemTap first.

Corellium devices make kernel debugging much more convenient by injecting a gdb stub into the device kernel’s memory. If you’re interested in exploring kernel debugging with a virtual Corellium device, check out our resources on kernel debugging or building custom kernels.
