Development tips
Scene
- application classes (to be analyzed)
- the main class (entry point)
- points-to info
- call-graphs
Unit
A Unit is a statement
- Get values used in it: getUseBoxes
- Get valued defined in it: getDefBoxes
- Get units jumping to it: getBoxesPointingToThis
- Get units it is jumping to: getUnitBoxes
Boxes is a reference:
- UnitBoxes: code, branching
- ValueBoxes
IRs
Four IR are parallel, having different characteristics:
- Baf: bytecode similar
- Jimple: 3-address, semi-like Java, applicable to most analysis
- Shimple: SSA form, simplifies analysis
- Grimp: more human-readable than Jimple
Inter-procedural analysis
Need -w flag for whole-program analysis.
Phases/Packs
cgphasewjpp(Pre-processing pack)wjtp(whole jimple transformation pack)wjapwjop
- List help for a pack:
java soot.Main -ph PACK
Other flags/configurations/args
-include-allAll classes referred to by any argument classes will be treated as application classes.-f Jto produce a Jimple file
Choose data-flow framework
- Backwards or forwards flow analysis?
- Branching or not?
- May or must analysis?
- Soot data-flow framework is designed to handle any form of cfg implementing the interface soot.toolkits.graph.DirectedGraph
- Soot provides four implementations of flow sets:
ArraySparseSet,ArrayPackedSet,ToppedSetandDataFlowSet. We will describe only the first three.ArraySparseSetis an unbounded flow set. The set is represented as an array of referencesArrayPackedSetis a bounded flow set. Requires that the programmer provides a FlowUniverse objectToppedSetwraps another flow set (bounded or not) adding information regarding whether it is the top set (⊤) of the lattice.
Control flow graph
Types:
BriefUnitGraphis very simple in the sense that it doesn’t have edges representing control flow due to exceptions being thrown.ExceptionalUnitGraphincludes edges from throw clauses to their handler (catch block, referred to in Soot as Trap), that is if the trap is local to the method body.TrapUnitGraphlikeExceptionalUnitGraph, takes into account exceptions that might be thrown.
Points-to & Call-graph Anlaysis
- Types: SPARK, Paddle, VTA, CHA
- It seems like VTA has more information than SPARK, but some of them might be wrong
CHA: Class Hierarchy Analysis - it assumes that all reference variables can point to any object of the correct type
- The call graph has methods to query for the edges coming into a method, edges coming out of method and edges coming from a particular statement
(
edgesInto(method),edgesOutOf(method)andedgesOutOf(statement), respectively - IR for Abstracting CFG: https://github.com/domainexpert/sootexamples/tree/master/intermediate_representation/src/dk/brics/soot/intermediate
- Implement the analysis interface: https://github.com/Sable/soot/wiki/Implementing-an-intra-procedural-data-flow-analysis-in-Soot#3-implementing-the-analysis-interface
Examples and tutorials
- Soot option manager
- droidsafe-src/SootUtils.java at master · MIT-PAC/droidsafe-src
- Implementing an intra procedural data flow analysis in Soot · Sable/soot Wiki
- java - Is it Possible to Use the Soot Analyses Without Calling soot.Main.main(...)? - Stack Overflow
- LNCS 8174 - Instrumenting Android and Java Applications as Easy as abc - RV2013-AndroidTutorial.pdf
How to create dummyMain (by reusing code from FlowDroid)
parseAppResources(apkPath);
entryPointCreator = createEntryPointCreator(null);
SootMethod dummyMainMethod = entryPointCreator.createDummyMain();
// Zhen: looks like for every intent receiver, a null intent is passed in
Scene.v().setEntryPoints(Collections.singletonList(dummyMainMethod));
if (!dummyMainMethod.getDeclaringClass().isInScene())
Scene.v().addClass(dummyMainMethod.getDeclaringClass());
// addClass() declares the given class as a library class. We need to
// fix this.
dummyMainMethod.getDeclaringClass().setApplicationClass();
Options
Ref: https://www.sable.mcgill.ca/soot/tutorial/usage/
How to speed things up:
-no-bodies-for-excluded-x pkg, -exclude pkg