AndroBlare

AndroBlare is a port of KBlare to the Android platform. It contains a version of KBlare that has been adapted and extended to take into account an Android-specific feature: the Binder. At the kernel level, future work may also focus on extending KBlare to take ashmem into account, which it does not yet do.

At userspace level, we slightly modified the Dalvik virtual machine to make Blare aware of the execution of non-native applications. Blare knows that a process is going to execute a program when it calls the execve syscall. However, for Android applications written in Java, the processes in which the applications run do not execute them as native binaries (i.e. with the execve syscall). Instead, they read and interpret the Dalvik bytecode of the application. There is therefore no specific call to execve, and Blare is not aware of the execution of Android applications written in Java. To make Blare aware of their execution, we introduce a communication mechanism between instances of the Dalvik virtual machine and Blare in the kernel. We use this channel to notify Blare that an Android application is going to be executed.
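
The blind spot and the notification fix described above can be seen in a small model. This is an added example, not AndroBlare or KBlare code: the event names, pids, paths and the vm_notify message are hypothetical, and the check on who may send a notification is an assumption of the model.

```python
# Toy model of the blind spot described above; not AndroBlare code.
# Event names, pids and paths are constructed for illustration.
VM = "/system/bin/app_process"          # binary hosting the Dalvik VM
APK = "/data/app/com.example.app.apk"   # constructed application path

def attribute(events, honor_vm_notify):
    """Return {pid: program the monitor believes the process is executing}."""
    running = {}
    for kind, pid, arg in events:
        if kind == "fork":               # arg = child pid; child inherits identity
            running[arg] = running.get(pid)
        elif kind == "execve":           # native execution, visible to the kernel
            running[pid] = arg
        elif kind == "read":             # loading bytecode looks like a plain file read
            continue
        elif kind == "vm_notify" and honor_vm_notify:
            # Hypothetical VM-to-monitor message. Accepting it only from a
            # process known to run the VM is this model's own check.
            if running.get(pid) == VM:
                running[pid] = arg
    return running

# Constructed event trace
EVENTS = [
    ("execve", 10, VM),                  # VM host process starts
    ("fork", 10, 12),                    # process for the Java application
    ("read", 12, APK),                   # bytecode is read, never execve'd
    ("vm_notify", 12, APK),              # VM announces the application
    ("fork", 1, 20),
    ("execve", 20, "/system/bin/ls"),    # native program, for comparison
    ("vm_notify", 20, APK),              # not a VM process: ignored
]

if __name__ == "__main__":
    for honor in (False, True):
        label = "with notification" if honor else "execve only"
        print(label, attribute(EVENTS, honor))
```

With execve as the only signal, pid 12 stays attributed to the VM binary; with the notification honored, it is attributed to the application, while the native process is tracked the same way in both runs.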