
Reborn Quark-Engine with Rizin – Sheng-Fone Lu (PyCon Taiwan 2021)

Description

Day 1, 14:05-14:35

Abstract

In this talk, we will share the complete process of how Quark-Engine replaced its core library to enhance resilience and performance. We will also share the situations we came across and our strategies for continuing to grow in the open-source community. Quark-Engine is a well-known open-source Android malware analysis engine written in Python. Many of its essential features are based on Androguard, an open-source Python package for analyzing Android files. However, Androguard is no longer maintained by its author. To ensure the health of Quark-Engine, we decided to replace Androguard with Rizin, one of the most popular open-source reverse engineering frameworks. There were many challenges behind this work, and we will share how we overcame each of them.

Description

Introduction of Quark-Engine

In this talk, we will briefly introduce Quark-Engine, covering the key features of Quark, the design of its scoring system, and how Quark is used. We will also take an Android malware sample to show how Quark can analyze malware in a simple but practical way, and how Quark improves the efficiency of malware analysis.

Why does Quark-Engine need to change the core library?

Androguard is an open-source Python package for analyzing Android files. With the help of Androguard, Quark was able to implement its essential features. However, the project is no longer maintained, which puts the health of Quark-Engine at risk. Therefore, we decided to replace Androguard with Rizin, one of the most popular open-source reverse engineering frameworks, backed by a strong community.

What is Rizin?

Rizin supports executable file formats on most platforms. It can analyze files, (dis)assemble code, and debug, among other capabilities. Rizin also has a robust community supporting the entire project. Furthermore, Rizin offers almost all the features that Androguard has, making it an ideal replacement for Androguard. After the replacement, we found that not only did Quark's health improve, but its performance also improved significantly.

What's the challenge of core library replacement?

The usage of the two libraries differs, so many functions in Quark needed to be redesigned. While replacing the core library, we had to make sure that everything kept running smoothly, which brought us many challenges but also a lot of fun. We will share all these interesting findings in this talk.

The comparison of the two Quark-Engines

Finally, we will compare the differences between Rizin and Androguard. We will dive deep into the details, including performance and accuracy. Then, we will talk about how to evaluate performance with common tools and the strategy we used to optimize the Rizin-based Quark.

Slides not uploaded by the speaker. HackMD: https://hackmd.io/@pycontw/2021/%2F%40pycontw%2FBJMCsZKfF

Speaker: Sheng-Fone Lu

I'm a Taiwanese college student, majoring in Computer Science and Engineering. I am passionate about cyber-security, reverse engineering, and operating systems. I am a freshman in the open-source community and a core member of the Quark-Engine team.
