[Soot-list] Android Framework Methods in Callgraph

Steven Arzt Steven.Arzt at cased.de
Mon Jun 16 08:01:14 EDT 2014 

I would appreciate it if there were such an option ^^ If there is one, I am not aware of it.

-----Ursprüngliche Nachricht-----
Von: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] Im Auftrag von Marc-André Laverdière-Papineau
Gesendet: Montag, 16. Juni 2014 14:00
An: Steven Arzt; 'Dacong Yan'; 'Bernd Bergler'
Cc: 'Soot Mailing List'
Betreff: Re: [Soot-list] Android Framework Methods in Callgraph

I would have expected a fallback to cha in such a case. Is there an option to turn that on without having cha everywhere?
--
Marc-André Laverdière-Papineau
Doctorant - PhD Candidate
Sent from my Android device with K-9 Mail. Please excuse my brevity.

On June 15, 2014 10:41:41 PM GMT+05:30, Steven Arzt <Steven.Arzt at cased.de> wrote:
>Hi all,
>
>Note that the SPARK callgraph algorithm has an implicit requirement. It 
>needs constructor call sites for every object. If you have the 
>following code
>
>A a = getA();
>a.foo();
>
>and you do not have an implementation of the getA() factory method 
>(since it is for instance an Android framework method for which you 
>only have a stub implementation), there is no constructor call that 
>SPARK could fine.
>Hence,
>SPARK has no concrete type information for a and will not produce a 
>call edge for the "a.foo()" call. While this behavior is correct by 
>construction, it is not exactly helpful in the Android world.
>
>You could use a full Android implementation instead of the stub JAR 
>file, but this will cost you many times the memory and computation time 
>that you have now. For large applications, this requires a big machine 
>and a lot of patience.
>
>In FlowDroid, we have library summaries for such cases and do not 
>depend on the call edges in such cases (methodRef.getMethod() is mapped 
>against the library summaries). This is sufficient for our taint 
>tracker.
>
>Best regards,
>  Steven
>
>-----Ursprüngliche Nachricht-----
>Von: soot-list-bounces at CS.McGill.CA
>[mailto:soot-list-bounces at CS.McGill.CA]
>Im Auftrag von Dacong Yan
>Gesendet: Samstag, 14. Juni 2014 08:02
>An: Bernd Bergler
>Cc: Soot Mailing List
>Betreff: Re: [Soot-list] Android Framework Methods in Callgraph
>
>Have you tried this "Options.v().setPhaseOption("cg", 
>"all_reachable")"?
>
>On Fri, Jun 13, 2014 at 12:54 PM, Bernd Bergler 
><bernd.bergler at gmail.com>
>wrote:
>> Hi!
>> I am currently working on the analysis of an Android application with
>soot.
>> After a bit of research and a lot of info from this mailing list 
>> everything is working quite nicely.
>> I can construct the CallGraph and solve the IFDSReachingDefinitions 
>> problem as expected.
>>
>>
>> I am interested in the input of specific Android framework
>methods(e.g.
>> ContentRecolver.query()).
>> But I am to able to get the Units which contain the actual invoke. I 
>> works as expected for methods within the app.
>> I cant even get edges from or to the desired method from the 
>> callgraph, but when looking at the jimple file I see as expected the 
>> invoke of the method which should result in an edge in the callgraph.
>>
>> $r6 = virtualinvoke $r1.<android.content.ContentResolver:
>> android.database.Cursor
>>
>query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.St
>> ring[],java.lang.String)>($r2,
>> null, null, null, null);
>>
>> It seems like the callgraph contains only app internal calls. Is
>there
>> a setting so i get the full call graph( wich all the edges to the 
>> stubs in the
>> android.jar)
>>
>> Any suggestions what could be wrong or how i could get the desired
>result?
>>
>> The code which should return the associated units.
>>         CallGraph callGraph = Scene.v().getCallGraph();
>>         String method = "<android.content.ContentResolver:
>> android.database.Cursor
>>
>query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.Str
>ing[]
>,java.lang.String)>";
>>         SootMethod smX = Scene.v().getMethod(method);
>>         Iterator<Edge> edges = callGraph.edgesInto(smX);
>>         while (edges.hasNext()) {
>>             //Returns no edge
>>             System.out.println(smX.getName());
>>         }
>>
>>         edges = callGraph.edgesOutOf(smX);
>>         while (edges.hasNext()) {
>>             //Returns no edge
>>             System.out.println(smX.getName());
>>         }
>>
>>
>>       //System.out.println(smX.getActiveBody());
>>       //crashes because not body asscocaited with framework mehtod
>>
>>         Collection<Unit> units = icfg.getCallersOf(smX);
>>
>>         for (Unit unit : units) {
>>             //Returns no edge
>>             System.out.println(unit.toString());
>>         }
>>
>>
>> The code to generate the callgraph:
>>
>>         Options.v().set_src_prec(Options.src_prec_apk);
>>
>>
>Options.v().set_process_dir(Collections.singletonList(getApkFile().getA
>bsolu
>tePath()));
>>         Options.v().set_android_jars(platfromFolder);
>>         Options.v().set_whole_program(true);
>>         Options.v().set_allow_phantom_refs(true);
>>         Options.v().set_output_format(Options.output_format_none);
>>         Options.v().setPhaseOption("cg.spark", "on");
>>         Options.v().ignore_resolution_errors();
>>         Options.v().set_output_format(Options.output_format_J);
>>
>>         Scene.v().loadNecessaryClasses();
>>
>>         SootMethod entryPoint =
>> app.getEntryPointCreator().createDummyMain();
>>         Options.v().set_main_class(entryPoint.getSignature());
>>         
>> Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
>>
>> I use a self built version of soot and heros.
>>
>> Bernd
>>
>> _______________________________________________
>> Soot-list mailing list
>> Soot-list at CS.McGill.CA
>> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>>
>
>
>
>--
>Dacong (Tony) Yan
>Ph.D. Student
>Computer Science and Engineering
>The Ohio State University, Columbus
>http://www.cse.ohio-state.edu/~yan
>_______________________________________________
>Soot-list mailing list
>Soot-list at CS.McGill.CA
>https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>
>_______________________________________________
>Soot-list mailing list
>Soot-list at CS.McGill.CA
>https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

_______________________________________________
Soot-list mailing list
Soot-list at CS.McGill.CA
https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

More information about the Soot-list mailing list