State of the ART: Exploring the New Android KitKat Runtime presented at HackInTheBox 2014

by Paul Vincent Sabanal

Summary: Android KitKat introduced a new experimental runtime virtual machine called ART, which features ahead-of-time compilation of Dalvik bytecode into native code and promises much faster execution of Android applications. While ART is still experimental as of Android 4.4.2, it is poised to eventually replace Dalvik and, as such, deserves a closer look from curious security researchers.

This talk will start with a discussion of the inner workings of ART. Among the topics to be discussed are the details of the transformation process of a DEX file into an OAT file, the structure of the OAT file format, and other mechanisms such as memory management and garbage collection. New technology means more code and a wider attack surface. After discussing ART's internals, we will focus on the additional attack surfaces this new runtime brings. This talk will discuss how this new runtime impacts how we approach Android security research moving forward, from both the offensive and defensive points of view. Examples will be given of how attackers, such as malware authors, and defenders, such as malware analysts, can both use features introduced in ART to improve their respective methodologies.