Flowdroid

  • What is neighbor/predecessor for Abstraction:
    • The concept is as follows. If a variable “a” becomes tainted at a statement “a = b + c”, the predecessor is the taint on “b” or “c” that existed before the statement and that led to “a” being tainted. If both “b” and “c” were tainted before, one of them becomes the predecessor, and the taint on “a” gets a neighbor whose predecessor is the other one: a neighbor is a second abstraction for the same taint fact (same access path, same statement) with a different derivation. Essentially, neighbors capture non-unique predecessor relationships, which is why path reconstruction has to branch into neighbors as well as follow the predecessor chain.
  • FlowDroid splits SetupApplication into overridable steps such as parseAppResources and createEntryPoint, so a client can replace resource parsing or entry-point creation without copying the whole driver
  • Setup IntelliJ IDEA
    • Import as Maven project
    • Run configuration — select the right MainClass
  • soot-infoflow-android
    • SetupApplication: the analyzer state
    • runInfoflow: start the data flow analysis, returns InfoflowResults
      • Object states:
        • collectedSources
        • collectedSinks
        • infoflow: IInPlaceInfoflow (nested interface of SetupApplication)
      • Start a new Soot instance
      • Basic app parsing
      • For every entry-point (component), run the DFA
        • processEntryPoint
          • createInfoflow
          • runAnalysis
            • DummyMainMethod
            • Register memory watcher
            • Initialize the abstraction configuration
            • Build the call graph
            • Initialize the source sink manager
            • Perform constant propagation and remove dead code
            • Deal with reflective calls
            • Start taint analysis
            • Build bi-directional ICFG
            • Iterate on sources, for each source
              • Initialize memory manager
              • Initialize the alias analysis
              • Initialize aliasing infra
              • Create forward DFA solver
              • Look for sources and take them as seeds
              • forwardSolver.solve()
              • Compute results (computeTaintPaths)
      • Write the results to disk:
        • InfoflowResults: ResultSinkInfo -> ResultSourceInfo (each sink maps to the sources that reach it, with the reconstructed path if path reconstruction is enabled)
        • InfoflowResultsSerializer
      • Return the aggregated results
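The predecessor/neighbor relationship from the first note, as an added toy model. This is not FlowDroid's own Abstraction class (whose fields, constructors and access-path handling are different); it only models the one idea that a taint fact keeps a single predecessor and stores alternative derivations as neighbors, and then shows why path reconstruction has to branch at neighbors. The class and method names (Taint, assignBinop, allPaths) are my own.

```java
import java.util.ArrayList;
import java.util.List;

public class NeighborDemo {

    /** One taint fact: "variable var is tainted at statement stmt". */
    static final class Taint {
        final String var;
        final String stmt;
        final Taint predecessor;                         // taint this one was derived from; null for a source
        final List<Taint> neighbors = new ArrayList<>(); // other derivations of the same fact

        Taint(String var, String stmt, Taint predecessor) {
            this.var = var;
            this.stmt = stmt;
            this.predecessor = predecessor;
        }

        /** Merge a second derivation of the same fact instead of keeping two taints on var. */
        void addNeighbor(Taint other) {
            if (!other.var.equals(var) || !other.stmt.equals(stmt))
                throw new IllegalArgumentException("a neighbor must describe the same taint fact");
            neighbors.add(other);
        }
    }

    /**
     * Propagate the incoming taints through "lhs = op1 + op2".
     * The first tainted operand becomes the predecessor of the new taint on lhs;
     * any further tainted operand is recorded as a neighbor with its own predecessor.
     */
    static Taint assignBinop(String lhs, String op1, String op2, List<Taint> incoming) {
        String stmt = lhs + " = " + op1 + " + " + op2;
        Taint result = null;
        for (Taint in : incoming) {
            if (!in.var.equals(op1) && !in.var.equals(op2))
                continue;                                // operand not tainted, nothing flows
            Taint derived = new Taint(lhs, stmt, in);
            if (result == null)
                result = derived;                        // first derivation: the predecessor chain
            else
                result.addNeighbor(derived);             // later derivations: neighbors
        }
        return result;
    }

    /** Walk every predecessor chain, branching into neighbors, and list all source-to-sink paths. */
    static List<List<String>> allPaths(Taint t) {
        List<List<String>> out = new ArrayList<>();
        collect(t, new ArrayList<>(), out);
        return out;
    }

    private static void collect(Taint t, List<String> suffix, List<List<String>> out) {
        List<String> path = new ArrayList<>();
        path.add(t.stmt);
        path.addAll(suffix);
        // this derivation's own chain ...
        if (t.predecessor == null) out.add(path); else collect(t.predecessor, path, out);
        // ... plus one chain per alternative derivation of the same fact
        for (Taint n : t.neighbors) {
            if (n.predecessor == null) out.add(path); else collect(n.predecessor, path, out);
        }
    }

    public static void main(String[] args) {
        // Constructed input: two independently tainted operands flowing into one statement
        Taint b = new Taint("b", "b = source1()", null);
        Taint c = new Taint("c", "c = source2()", null);
        Taint a = assignBinop("a", "b", "c", List.of(b, c)); // predecessor b, one neighbor with predecessor c
        Taint atSink = new Taint("a", "sink(a)", a);

        for (List<String> p : allPaths(atSink))
            System.out.println(String.join(" -> ", p));
    }
}
```

Running it prints one line per reconstructed path, one through source1 and one through source2. Dropping the neighbor loop in collect would silently lose the second path, which is the bug the neighbor concept exists to avoid: a single-predecessor chain can only explain one of the two flows that reach the sink.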
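A minimal driver for the runInfoflow sequence in the notes above, added here as an example rather than taken from the FlowDroid sources. It assumes the public API names as I remember them from soot-infoflow-android (SetupApplication, InfoflowAndroidConfiguration, InfoflowResults, ResultSinkInfo/ResultSourceInfo, InfoflowResultsSerializer) and takes all paths from the command line; check the names against the FlowDroid version on the classpath before relying on it.

```java
import java.io.IOException;
import java.util.Set;
import javax.xml.stream.XMLStreamException;

import soot.jimple.Stmt;
import soot.jimple.infoflow.InfoflowConfiguration.PathReconstructionMode;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.results.ResultSinkInfo;
import soot.jimple.infoflow.results.ResultSourceInfo;
import soot.jimple.infoflow.results.xml.InfoflowResultsSerializer;

public class RunFlowDroid {

    public static void main(String[] args) throws IOException, XMLStreamException {
        if (args.length != 4) {
            System.err.println("usage: RunFlowDroid <android-platforms-dir> <app.apk> <SourcesAndSinks.txt> <out.xml>");
            System.exit(2);
        }
        String platformsDir = args[0], apk = args[1], sourcesSinks = args[2], outXml = args[3];

        // SetupApplication holds the analyzer state: config, collected sources/sinks, infoflow instance
        SetupApplication app = new SetupApplication(platformsDir, apk);

        InfoflowAndroidConfiguration cfg = app.getConfig();
        // Without path reconstruction, computeTaintPaths only reports source and sink, not the statements between
        cfg.getPathConfiguration().setPathReconstructionMode(PathReconstructionMode.Fast);
        // The "deal with reflective calls" step only resolves reflection when this is on (assumed setter name)
        cfg.setEnableReflection(true);

        // runInfoflow: start Soot, parse the app, build the dummy main per component,
        // build call graph and ICFG, then run the forward solver from every source
        InfoflowResults results = app.runInfoflow(sourcesSinks);

        System.out.println("sources matched: " + app.getCollectedSources().size()
                + ", sinks matched: " + app.getCollectedSinks().size());

        if (results == null || results.getResults() == null || results.getResults().isEmpty()) {
            System.out.println("no source-to-sink flows found");
            return;
        }

        // InfoflowResults maps each sink to the sources that reach it
        for (ResultSinkInfo sink : results.getResults().keySet()) {
            System.out.println("SINK   " + sink.getStmt());
            Set<ResultSourceInfo> sources = results.getResults().get(sink);
            for (ResultSourceInfo src : sources) {
                System.out.println("  SOURCE " + src.getStmt());
                Stmt[] path = src.getPath();             // null unless path reconstruction is enabled
                if (path != null)
                    for (Stmt s : path) System.out.println("    via  " + s);
            }
        }

        // Same XML format the FlowDroid command line writes with -o
        new InfoflowResultsSerializer().serialize(results, outXml);
    }
}
```

Two practical checks: if "sources matched" is 0 the SourcesAndSinks file does not match the APK's API level or the signatures are wrong, and no amount of solver tuning will help; and an empty result set with a large memory footprint usually means the call graph, not the taint analysis, is the step to look at (the memory watcher registered in runAnalysis aborts before that point if the heap is exhausted).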