[Soot-list] application Control Flow Graph

Steven Arzt Steven.Arzt at cased.de
Thu Jul 9 10:54:09 EDT 2015


Hi Marjan,

 

This brings us back to the original question: How do you construct this custom entry point at the moment? If you do it properly (for instance using the SetupApplication class in FlowDroid), SPARK will be able to run and you can use the JimpleBasedInterproceduralCFG class to iterate over the units in your program.

 

If something doesn’t work, please provide the actual code you are using and specify what you still need or what doesn’t work. Otherwise it’s hard to tell what the real problem is.

 

Best regards,

  Steven

 

From: Marjan Radi [mailto:marjan.radi at yahoo.com]
Sent: Thursday, July 9, 2015 16:50
To: Steven Arzt; Soot List
Subject: Re: AW: AW: [Soot-list] application Control Flow Graph

 

Dear Steven,

 

After initializing Soot with the customized entry point, I run the SPARK analysis. Does the SPARK analysis use FlowDroid for constructing the dummy main? If so, the blocks of the CFG must have an order.

 

Best Regards,

Marjan

 

 

 

 

On Thursday, July 9, 2015 9:25 AM, Steven Arzt <Steven.Arzt at cased.de> wrote:

 

Hi Marjan,

 

If you do not use FlowDroid to construct the dummy main method at the moment, what do you use for constructing the callgraph? SPARK definitely needs a dummy main method, that’s why I was under the impression that you use FlowDroid to construct it. The only other alternative I can think of is to use CHA (which is horribly imprecise). In the latter case, the JimpleBasedInterproceduralCFG should not order the entry points at all, but keep them as totally separate graphs.

 

Best regards,

  Steven

 

From: Marjan Radi [mailto:marjan.radi at yahoo.com]
Sent: Thursday, July 9, 2015 16:20
To: Steven Arzt; 'Soot List'
Subject: Re: AW: [Soot-list] application Control Flow Graph

 

Dear Steven,

 

Thanks for your reply.

 

Since the application that I want to analyze has AsyncTasks, I have customized the entry points. I did not use FlowDroid. So, I wanted to know, without using FlowDroid, does "JimpleBasedInterproceduralCFG" consider any order between methods to construct the CFG?

 

Marjan,

Best Regards

 

 

On Thursday, July 9, 2015 2:56 AM, Steven Arzt <Steven.Arzt at cased.de> wrote:

 

Hi Marjan,

 

I think we first have to sort out what you actually need. For an Android app, tools like FlowDroid first construct a dummy main method which simulates the Android lifecycle. This method, for instance, first calls onCreate() on an activity and then onResume(), because this is what the Android OS would do if the app was run on an emulator or a real device. Therefore, it’s correct for the analysis to first run through onCreate() and then through onResume().

 

The concept of an “entry point” doesn’t really exist in Android; there is none. Instead, apps are much more tightly coupled with the OS. You might even consider an Android app to be a plugin to the OS. The app derives classes from OS classes and overrides methods which are then called by the OS at runtime. Since most program analysis frameworks, however, depend on an entry point such as the classical main() method, we fake one that emulates this plugin model.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Marjan Radi
Sent: Thursday, July 9, 2015 06:55
To: Steven Arzt; 'Soot List'
Subject: Re: [Soot-list] application Control Flow Graph

 

Dear Steven,

 

Thank you for your reply. I have two questions:

 

1- I have tried to use "JimpleBasedInterproceduralCFG", but it is not clear to me how I can use its methods, how I can use it to construct the application CFG, and how to iterate through this graph. I looked at https://github.com/Sable/soot/tree/develop/src/soot/jimple/toolkits/ide/exampleproblems, but it could not help me. Is there any example that uses this class which I can look at to do my implementation?

 

2- I want to construct the Android applications' CFG and they have multiple entry points. I think "JimpleBasedInterproceduralCFG" combines the blocks of program entry points randomly and it does not consider any specific order for the blocks of different methods in the program entry points. Am I correct? Or is there any way that we can force "JimpleBasedInterproceduralCFG" to consider a specific order on the sequence of its blocks (based on the program entry points)? For example, it first considers the blocks of the onCreate() method, followed by the blocks of the onResume() method (onCreate() and onResume() are both program entry points).

 

Best Regards,

Marjan

 

 

On Wednesday, July 8, 2015 4:10 AM, Steven Arzt <Steven.Arzt at cased.de> wrote:

 

Hi Marjan,

 

There is a class called JimpleBasedInterproceduralCFG that combines the intra-procedural control flow graph with a callgraph. This class is used inside the IFDS implementation to propagate data flow facts through the whole program. You can essentially navigate through the graph using getSuccsOf(). If you arrive at a call site, you can dispatch your analysis into the callees returned by getCalleesOfCallAt().

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Marjan Radi
Sent: Sunday, July 5, 2015 21:31
To: Soot List
Subject: [Soot-list] application Control Flow Graph

 

Hi,

 

I am using Soot for analyzing Android programs. I wanted to identify all the methods which are called between every two program points, and each program point is the beginning of a method of the program. I tried to use intra-procedural data flow analysis, but Soot constructs the control flow graph of each method separately and I cannot construct the whole application control flow graph.

I would appreciate it if you could give me an idea about how I can do this.

 

Best Regards,

Marjan
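
Added example, not part of the original thread and not Soot's or FlowDroid's own code: a worklist walk over JimpleBasedInterproceduralCFG using the getSuccsOf() and getCalleesOfCallAt() navigation described above, collecting every method reached from the Scene's entry points. It assumes Soot has already been initialised in whole-program mode and a call graph has been built (for example by SPARK with a dummy main); the class name IcfgWalk and the helper enqueue are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import soot.Scene;
import soot.SootMethod;
import soot.Unit;
import soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG;

// Hypothetical helper class; not part of Soot or FlowDroid.
public class IcfgWalk {
    // Assumes Soot already ran in whole-program mode and built a call graph.
    // Returns every method whose body is reached, in first-visit order.
    public static Set<SootMethod> reachableMethods() {
        JimpleBasedInterproceduralCFG icfg = new JimpleBasedInterproceduralCFG();
        Set<SootMethod> methods = new LinkedHashSet<>();
        Set<Unit> seen = new HashSet<>();
        Deque<Unit> worklist = new ArrayDeque<>();
        for (SootMethod entry : Scene.v().getEntryPoints()) {
            enqueue(icfg, entry, seen, worklist);
        }
        while (!worklist.isEmpty()) {
            Unit u = worklist.pop();
            methods.add(icfg.getMethodOf(u));
            if (icfg.isCallStmt(u)) {
                // Call site: descend into each callee the call graph resolves.
                for (SootMethod callee : icfg.getCalleesOfCallAt(u)) {
                    enqueue(icfg, callee, seen, worklist);
                }
            }
            // Continue inside the current method.
            for (Unit succ : icfg.getSuccsOf(u)) {
                if (seen.add(succ)) { worklist.push(succ); }
            }
        }
        return methods;
    }

    // Pushes the first statement(s) of m; methods without a body are skipped.
    private static void enqueue(JimpleBasedInterproceduralCFG icfg, SootMethod m,
            Set<Unit> seen, Deque<Unit> worklist) {
        if (!m.hasActiveBody()) { return; }
        for (Unit start : icfg.getStartPointsOf(m)) {
            if (seen.add(start)) { worklist.push(start); }
        }
    }
}
```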

 

 

 
