[Soot-list] Android Framework Methods in Callgraph

Steven Arzt Steven.Arzt at cased.de
Sun Jun 15 13:11:41 EDT 2014


Hi all,

Note that the SPARK callgraph algorithm has an implicit requirement. It
needs constructor call sites for every object. If you have the following
code

A a = getA();
a.foo();

and you do not have an implementation of the getA() factory method (since it
is for instance an Android framework method for which you only have a stub
implementation), there is no constructor call that SPARK could find. Hence,
SPARK has no concrete type information for a and will not produce a call
edge for the "a.foo()" call. While this behavior is correct by construction,
it is not exactly helpful in the Android world.

You could use a full Android implementation instead of the stub JAR file,
but this will cost you many times the memory and computation time that you
have now. For large applications, this requires a big machine and a lot of
patience.

In FlowDroid, we have library summaries for such cases and do not depend on
the call edges in such cases (methodRef.getMethod() is mapped against the
library summaries). This is sufficient for our taint tracker.

Best regards,
  Steven

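Steven's point is that the callee named in the invoke expression survives even when SPARK has no receiver type and therefore emits no edge. The helper below is added here and is not code from the thread, from Soot or from FlowDroid: assuming the call graph has already been built (the cg pack has run, e.g. via PackManager.v().runPacks()), it scans every reachable method body for invoke statements whose method reference matches a full Soot signature such as the ContentResolver.query one quoted below, and records whether SPARK actually produced an edge for that call site. The class name FrameworkCallSites and the Site holder are my own.

```java
import java.util.ArrayList;
import java.util.List;

import soot.MethodOrMethodContext;
import soot.Scene;
import soot.SootMethod;
import soot.SootMethodRef;
import soot.Unit;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.util.queue.QueueReader;

/** Added helper (not Soot's or FlowDroid's): find framework call sites by their declared callee. */
public final class FrameworkCallSites {

    /** One matching invoke statement, plus whether SPARK produced an edge for it. */
    public static final class Site {
        public final SootMethod caller;
        public final Unit stmt;
        public final boolean hasCgEdge;

        Site(SootMethod caller, Unit stmt, boolean hasCgEdge) {
            this.caller = caller; this.stmt = stmt; this.hasCgEdge = hasCgEdge;
        }
    }

    /** targetSignature is a full Soot signature like "<android.content.ContentResolver: ... query(...)>". */
    public static List<Site> find(String targetSignature) {
        CallGraph cg = Scene.v().getCallGraph();          // assumes the cg pack has run
        List<Site> sites = new ArrayList<>();
        QueueReader<MethodOrMethodContext> reachable = Scene.v().getReachableMethods().listener();
        while (reachable.hasNext()) {
            SootMethod m = reachable.next().method();
            if (!m.isConcrete()) continue;                  // stubs/phantoms have no body
            for (Unit u : m.retrieveActiveBody().getUnits()) {
                Stmt s = (Stmt) u;
                if (!s.containsInvokeExpr()) continue;
                // The method ref is the callee named in the bytecode; it exists even when
                // SPARK has no receiver type for the call and therefore produced no edge.
                SootMethodRef ref = s.getInvokeExpr().getMethodRef();
                if (!ref.getSignature().equals(targetSignature)) continue;
                sites.add(new Site(m, u, cg.edgesOutOf(u).hasNext()));
            }
        }
        return sites;
    }
}
```

A Site with hasCgEdge == false is exactly the situation Steven describes; for a taint tracker, the method reference recorded there is what a library summary lookup keys on, independent of the call graph.
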
-----Original Message-----
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA]
On behalf of Dacong Yan
Sent: Saturday, 14 June 2014 08:02
To: Bernd Bergler
Cc: Soot Mailing List
Subject: Re: [Soot-list] Android Framework Methods in Callgraph

Have you tried this "Options.v().setPhaseOption("cg", "all_reachable")"?

On Fri, Jun 13, 2014 at 12:54 PM, Bernd Bergler <bernd.bergler at gmail.com>
wrote:
> Hi!
> I am currently working on the analysis of an Android application with soot.
> After a bit of research and a lot of info from this mailing list 
> everything is working quite nicely.
> I can construct the CallGraph and solve the IFDSReachingDefinitions 
> problem as expected.
>
>
> I am interested in the input of specific Android framework methods (e.g.
> ContentResolver.query()).
> But I am not able to get the Units which contain the actual invoke. It
> works as expected for methods within the app.
> I can't even get edges from or to the desired method from the
> callgraph, but when looking at the jimple file I see as expected the
> invoke of the method which should result in an edge in the callgraph.
>
> $r6 = virtualinvoke $r1.<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)>($r2, null, null, null, null);
>
> It seems like the callgraph contains only app internal calls. Is there
> a setting so I get the full call graph (with all the edges to the
> stubs in the android.jar)?
>
> Any suggestions what could be wrong or how I could get the desired result?
>
> The code which should return the associated units.
>         import java.util.Collection;
>         import java.util.Iterator;
>         import soot.Scene;
>         import soot.SootMethod;
>         import soot.Unit;
>         import soot.jimple.toolkits.callgraph.CallGraph;
>         import soot.jimple.toolkits.callgraph.Edge;
>
>         CallGraph callGraph = Scene.v().getCallGraph();
>         String method = "<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)>";
>         SootMethod smX = Scene.v().getMethod(method);
>         Iterator<Edge> edges = callGraph.edgesInto(smX);
>         while (edges.hasNext()) {
>             // Returns no edge (each iteration must consume an edge, or the loop never terminates)
>             Edge e = edges.next();
>             System.out.println(e.src().getSignature() + " -> " + smX.getName());
>         }
>
>         edges = callGraph.edgesOutOf(smX);
>         while (edges.hasNext()) {
>             // Returns no edge
>             Edge e = edges.next();
>             System.out.println(smX.getName() + " -> " + e.tgt().getSignature());
>         }
>
>         // System.out.println(smX.getActiveBody());
>         // crashes because no body is associated with the framework method
>
>         Collection<Unit> units = icfg.getCallersOf(smX);
>
>         for (Unit unit : units) {
>             // Returns no edge
>             System.out.println(unit.toString());
>         }
>
>
> The code to generate the callgraph:
>
>         Options.v().set_src_prec(Options.src_prec_apk);
>         Options.v().set_process_dir(Collections.singletonList(getApkFile().getAbsolutePath()));
>         Options.v().set_android_jars(platformFolder);
>         Options.v().set_whole_program(true);
>         Options.v().set_allow_phantom_refs(true);
>         Options.v().setPhaseOption("cg.spark", "on");
>         // set_ignore_resolution_errors(true) is the setter; ignore_resolution_errors() only reads the flag
>         Options.v().set_ignore_resolution_errors(true);
>         // the last set_output_format() call wins, so set it once
>         Options.v().set_output_format(Options.output_format_J);
>
>         Scene.v().loadNecessaryClasses();
>
>         SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
>         Options.v().set_main_class(entryPoint.getSignature());
>         Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
>
> I use a self built version of soot and heros.
>
> Bernd
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>



--
Dacong (Tony) Yan
Ph.D. Student
Computer Science and Engineering
The Ohio State University, Columbus
http://www.cse.ohio-state.edu/~yan