Development tips
Scene (Scene.v(), the whole-program container) holds:
- application classes (the ones to be analyzed)
- the main class (entry point)
- points-to info
- call graphs
Unit
A Unit is a statement (in Jimple, a Stmt):
- Get values used in it: getUseBoxes
- Get values defined in it: getDefBoxes
- Get units jumping to it: getBoxesPointingToThis
- Get units it jumps to: getUnitBoxes
A Box is a reference (a mutable pointer) to a Value or a Unit:
- UnitBoxes: point to code, i.e. branch targets
- ValueBoxes: point to values (operands, definitions)
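An added example (not from these notes or from Soot's own sources) that uses all four accessors: a BodyTransformer hooked into the jtp pack walks every body and prints, per unit, the values it defines and uses, how many branch targets it holds, and whether other units jump to it. The phase name jtp.unitboxes and the command-line arguments are assumptions.

```java
import java.util.List;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.PackManager;
import soot.Transform;
import soot.Unit;
import soot.UnitBox;
import soot.ValueBox;
import soot.jimple.Stmt;

/** Walks each method body and reports the boxes attached to every unit. */
public class UnitBoxWalker extends BodyTransformer {

    @Override
    protected void internalTransform(Body body, String phaseName, Map<String, String> options) {
        System.out.println("== " + body.getMethod().getSignature());
        for (Unit u : body.getUnits()) {
            Stmt s = (Stmt) u;
            // ValueBoxes for values written here (e.g. the left side of an assignment)
            List<ValueBox> defs = s.getDefBoxes();
            // ValueBoxes for values read here (operands, receiver, call arguments)
            List<ValueBox> uses = s.getUseBoxes();
            // UnitBoxes held by THIS unit: its branch targets (goto/if/switch)
            List<UnitBox> targets = s.getUnitBoxes();
            // UnitBoxes held by OTHER units that point at this one: it is a jump target
            List<UnitBox> incoming = s.getBoxesPointingToThis();

            StringBuilder sb = new StringBuilder("  ").append(s);
            if (!defs.isEmpty()) sb.append("  defs=").append(values(defs));
            if (!uses.isEmpty()) sb.append("  uses=").append(values(uses));
            if (!targets.isEmpty()) sb.append("  branches-to=").append(targets.size());
            if (!incoming.isEmpty()) sb.append("  jump-target(from ").append(incoming.size()).append(")");
            // getMethodRef() avoids resolving the callee, so phantom methods do not break the walk
            if (s.containsInvokeExpr()) sb.append("  calls=").append(s.getInvokeExpr().getMethodRef().getSignature());
            System.out.println(sb);
        }
    }

    private static String values(List<ValueBox> boxes) {
        StringBuilder sb = new StringBuilder("[");
        for (ValueBox vb : boxes) {
            if (sb.length() > 1) sb.append(", ");
            sb.append(vb.getValue()); // the Value the box currently points to
        }
        return sb.append("]").toString();
    }

    public static void main(String[] args) {
        // Register under a phase name of our choosing (assumed) in the Jimple transformation pack.
        PackManager.v().getPack("jtp").add(new Transform("jtp.unitboxes", new UnitBoxWalker()));
        // Remaining arguments go to Soot as if typed on the command line, e.g.
        //   -pp -process-dir target/classes -f J
        soot.Main.main(args);
    }
}
```

The same walk over a Grimp or Shimple body works unchanged, since Unit, UnitBox and ValueBox are IR-independent interfaces.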
IRs
The four IRs sit in parallel, each with different characteristics:
- Baf: stack-based, close to bytecode
- Jimple: 3-address code, Java-like; suitable for most analyses
- Shimple: Jimple in SSA form, which simplifies many analyses
- Grimp: aggregated Jimple (nested expressions), more human-readable than Jimple
Inter-procedural analysis
Needs the -w flag for whole-program analysis.
Phases/Packs (whole-program packs, enabled by -w, in execution order)
- wjpp: whole-jimple pre-processing pack
- cg: call-graph phase (builds the Scene's call graph and points-to info)
- wjtp: whole-jimple transformation pack
- wjop: whole-jimple optimization pack
- wjap: whole-jimple annotation pack
- List help for a pack or phase:
java soot.Main -ph PACK
Other flags/configurations/args
- -include-all: all classes referred to by any argument class are treated as application classes
- -f J: produce Jimple output files
Choose data-flow framework
- Backwards or forwards flow analysis?
- Branching or not?
- May or must analysis?
- The Soot data-flow framework works on any form of CFG implementing the interface soot.toolkits.graph.DirectedGraph
- Soot provides four implementations of flow sets: ArraySparseSet, ArrayPackedSet, ToppedSet and DataFlowSet. Only the first three are described here:
  ArraySparseSet is an unbounded flow set, represented as an array of references.
  ArrayPackedSet is a bounded flow set (a bit vector); the programmer must supply a FlowUniverse object enumerating every possible element.
  ToppedSet wraps another flow set (bounded or not), adding a flag recording whether it is the top set (⊤) of the lattice.
Control flow graph
Types:
- BriefUnitGraph: the simplest; it has no edges for control flow caused by exceptions being thrown.
- ExceptionalUnitGraph: adds edges from units that may throw to the handler that catches them (the catch block, called a Trap in Soot), provided the trap is local to the method body; which units can throw is decided by a ThrowAnalysis.
- TrapUnitGraph: like ExceptionalUnitGraph it accounts for exceptions, but more crudely: every unit inside a trap's protected range gets an edge to the handler, whether or not it can actually throw.
Points-to & Call-graph Analysis
- Types: SPARK, Paddle, VTA, CHA
- VTA appears to produce more call edges than SPARK, but some of them may be wrong (spurious): VTA is type-based and less precise than SPARK's points-to analysis
- CHA: Class Hierarchy Analysis - assumes that every reference variable can point to any object of a compatible (sub)type
- The call graph can be queried for the edges coming into a method, the edges going out of a method, and the edges going out of a particular statement: edgesInto(method), edgesOutOf(method) and edgesOutOf(statement), respectively
- IR for abstracting the CFG: https://github.com/domainexpert/sootexamples/tree/master/intermediate_representation/src/dk/brics/soot/intermediate
- Implement the analysis interface: https://github.com/Sable/soot/wiki/Implementing-an-intra-procedural-data-flow-analysis-in-Soot#3-implementing-the-analysis-interface
Examples and tutorials
- Soot option manager
- droidsafe-src/SootUtils.java at master · MIT-PAC/droidsafe-src
- Implementing an intra procedural data flow analysis in Soot · Sable/soot Wiki
- java - Is it Possible to Use the Soot Analyses Without Calling soot.Main.main(...)? - Stack Overflow
- LNCS 8174 - Instrumenting Android and Java Applications as Easy as abc - RV2013-AndroidTutorial.pdf
How to create dummyMain (by reusing code from FlowDroid)
parseAppResources(apkPath);
entryPointCreator = createEntryPointCreator(null);
SootMethod dummyMainMethod = entryPointCreator.createDummyMain();
// Zhen: looks like for every intent receiver, a null intent is passed in
Scene.v().setEntryPoints(Collections.singletonList(dummyMainMethod));
if (!dummyMainMethod.getDeclaringClass().isInScene())
    Scene.v().addClass(dummyMainMethod.getDeclaringClass());
// addClass() declares the given class as a library class. We need to
// fix this.
dummyMainMethod.getDeclaringClass().setApplicationClass();
Options
Ref: https://www.sable.mcgill.ca/soot/tutorial/usage/
How to speed things up:
- -no-bodies-for-excluded: do not load method bodies for excluded classes
- -x pkg / -exclude pkg: treat classes under pkg as excluded (library) classes that are not analyzed
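An added example (not from these notes, Soot or FlowDroid) that ties together the whole-program setup (-w, the packs, -include-all, -f J), the call-graph queries edgesInto/edgesOutOf, and the speed-up options above, driven from Java instead of soot.Main.main. The class directory, main class, excluded package, sink signature and phase name wjtp.cgquery are assumptions.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;

import soot.G;
import soot.PackManager;
import soot.Scene;
import soot.SceneTransformer;
import soot.SootMethod;
import soot.Transform;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;
import soot.options.Options;

/**
 * Equivalent to: java soot.Main -w -pp -process-dir DIR -include-all
 *   -no-bodies-for-excluded -x com.example.generated. -p cg.spark on -f J
 */
public class CallGraphQuery {

    public static void main(String[] args) {
        String classDir = args.length > 0 ? args[0] : "target/classes";    // assumed layout
        String mainClass = args.length > 1 ? args[1] : "com.example.Main"; // assumed name

        G.reset();                                   // fresh singleton state (Scene, Options, packs)
        Options o = Options.v();
        o.set_whole_program(true);                   // -w : enables wjpp/cg/wjtp/wjop/wjap
        o.set_prepend_classpath(true);               // -pp: JDK classes in front of soot-class-path
        o.set_process_dir(Collections.singletonList(classDir));
        o.set_include_all(true);                     // -include-all
        o.set_no_bodies_for_excluded(true);          // -no-bodies-for-excluded
        o.set_exclude(Collections.singletonList("com.example.generated.")); // -x (assumed package)
        o.set_allow_phantom_refs(true);              // tolerate classes missing from the classpath
        o.set_output_format(Options.output_format_jimple); // -f J
        o.setPhaseOption("cg.spark", "on");          // -p cg.spark on: SPARK points-to + call graph

        // Our query runs in wjtp, i.e. after the cg phase has filled Scene.v().getCallGraph().
        PackManager.v().getPack("wjtp").add(new Transform("wjtp.cgquery", new SceneTransformer() {
            @Override
            protected void internalTransform(String phaseName, Map<String, String> options) {
                report(Scene.v().getCallGraph());
            }
        }));

        Scene.v().loadNecessaryClasses();
        // Entry point: the real main; an Android APK would use FlowDroid's dummyMain here instead.
        SootMethod entry = Scene.v().getSootClass(mainClass).getMethodByName("main");
        Scene.v().setEntryPoints(Collections.singletonList(entry));

        PackManager.v().runPacks();    // wjpp, cg, then wjtp (our transform), wjop, wjap
        PackManager.v().writeOutput(); // sootOutput/*.jimple because of -f J
    }

    static void report(CallGraph cg) {
        // Assumed sink: any reachable call to Runtime.exec(String)
        String sink = "<java.lang.Runtime: java.lang.Process exec(java.lang.String)>";
        if (!Scene.v().containsMethod(sink)) {
            System.out.println("sink never referenced, nothing to report");
            return;
        }
        SootMethod sinkMethod = Scene.v().getMethod(sink);
        // edgesInto(method): every caller of the sink, with the calling statement and edge kind
        for (Iterator<Edge> it = cg.edgesInto(sinkMethod); it.hasNext(); ) {
            Edge e = it.next();
            System.out.println(e.src().getSignature() + " calls sink at " + e.srcUnit() + " [" + e.kind() + "]");
        }
        // edgesOutOf(method): first-level fan-out of each entry point
        for (SootMethod entry : Scene.v().getEntryPoints()) {
            for (Iterator<Edge> it = cg.edgesOutOf(entry); it.hasNext(); ) {
                System.out.println(entry.getSignature() + " -> " + it.next().tgt().getSignature());
            }
        }
        System.out.println("total call-graph edges: " + cg.size());
    }
}
```

Swapping "cg.spark" for "cg.cha" (with SPARK off) rebuilds the graph with Class Hierarchy Analysis; comparing cg.size() between the two runs shows how many edges the points-to information prunes.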