FoelliX / CoDiDroid

Cooperative and Distributed Android App Analysis
https://FoelliX.github.io/CoDiDroid
GNU General Public License v3.0

Questions running DroidSafe in CoDiDroid #3

Closed zjbthomas closed 3 years ago

zjbthomas commented 3 years ago

Hi @FoelliX , I want to run DroidSafe in CoDiDroid and I noticed that CoDiDroid relies on DroidSafe's .json file to parse the results. However, DroidSafe takes a very long time to build these report files even for small DroidBench apps, so I am wondering if there is a faster way for CoDiDroid to run with DroidSafe?

I believe I configured CoDiDroid correctly (adapted from config_linux.xml in your artifact), as DroidSafe finished its analysis. The query I used is Flows IN App('FlowSensitivity1.apk') USES 'DroidSafe' ?.

When I run DroidSafe alone, I usually use DSARGS ?= -noreports in its Makefile.common. It becomes faster, but no JSON file is generated, so it is not suitable for CoDiDroid. Running DroidSafe alone without -noreports results in the same quite long running time as within CoDiDroid.

Thank you in advance!

FoelliX commented 3 years ago

Hi @zjbthomas,

CoDiDroid internally uses the AQL-System, which implements a converter for DroidSafe (https://github.com/FoelliX/AQL-System/blob/master/src/de/foellix/aql/converter/droidsafe/ConverterDroidSafe.java). This converter indeed relies on the JSON files.

I have never used DroidSafe with -noreports. How do you access its result then? Command-line output? In this case you could forward the output to an arbitrary result file and use this in your configuration for DroidSafe's <result>.
However, this would also require a custom converter that translates the output into an AQL-Answer (see https://github.com/FoelliX/AQL-System/wiki/Configuration#converters for more information about custom converters). To build a converter and to construct AQL-Answers I suggest using the AQL-System: https://mvnrepository.com/artifact/de.foellix/AQL-System/1.2.0 - see https://github.com/FoelliX/AQL-System/blob/master/src/de/foellix/aql/datastructure/Answer.java and helper functions such as createStatement in https://github.com/FoelliX/AQL-System/blob/master/src/de/foellix/aql/helper/Helper.java.

Cheers, FoelliX

zjbthomas commented 3 years ago

Hi @FoelliX, thanks for providing details on how to generate a new converter. I will try later, but I want to make sure I ran the tool correctly, as I checked your "Do Android Taint Analysis Tools Keep Their Promises?" paper and it seems like DroidSafe on average only needs 200 seconds for each DroidBench app and times out in rare cases. For me, though, even one DroidBench app needs more than 2 hours (even when I ran it alone (not through the AQL-System) and tested on different machines).

I am wondering if there are any configurations on the AQL-System or DroidSafe that I need to set? I copied the DroidSafe folder under /tools/ from your artifact, but I am not sure if you used this one to run DroidBench.

I also attached my settings for the AQL-System and DroidSafe. The Makefile.common should be the same as the one in your artifact.

setup_for_ds.zip

Thank you again for your reply!

FoelliX commented 3 years ago

Hi @zjbthomas,

I am wondering if there are any configurations on the AQL-System or DroidSafe that I need to set?

No

I copied the DroidSafe folder under /tools/ from your artifact, but I am not sure if you used this one to run DroidBench.

From the CoDiDroid artifact, I guess? DroidSafe was not used along with CoDiDroid; however, since it uses the AQL-System, it should work. Your configuration seems fine apart from one line:
<run>/path/to/tools/DroidSafe/aqlRun.sh %APP_APK% %APP_APK_FILENAME%</run>
should most likely be:
<run>/path/to/tools/DroidSafe/aqlRun.sh %APP_APK% %APP_APK_FILENAME% %MEMORY%</run>
(with %MEMORY%)

The Makefile.common is the one delivered with DroidSafe - not touched.

Just tested the following:

fpauck@vm-fpauck:~/tools/DroidSafe/runs$ time /home/fpauck/tools/DroidSafe/aqlRun.sh /home/fpauck/tools/DroidSafe/DirectLeak1.apk DirectLeak1 32
find: ‘src’: No such file or directory
find: ‘res’: No such file or directory
I: Using Apktool 2.0.0-RC2 on DirectLeak1.apk
I: Loading resource table...
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/fpauck/tools/DroidSafe/droidsafe-src/bin/apktool-framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
Setting memory size to 32GB
Starting DroidSafe Run
Warning: android.renderscript.ProgramFragment is a phantom class!
Warning: libcore.icu.NativeIDN is a phantom class!
Warning: java.nio.charset.CharsetEncoderICU is a phantom class!
Warning: java.nio.charset.CharsetDecoderICU is a phantom class!
Create tags for the overriden system methods in user code.
Removing identity overrides.
Converting java.lang.reflect.Array.newInstance()...
Calling scalar optimizations.
Implementing native methods.
Resolving resources and Manifest.
Creating Harness.
Setting Harness Main as entry point.
Running PTA...
No context: 444
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1515
Total reachable method x contexts: 1291
Finished PTA: 0:00:14.548
Incorporating XML layout information
Resolving String Constants
Running PTA...
No context: 444
Api Call Depth: -1
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1719
Total reachable method x contexts: 9536
Finished PTA: 0:00:13.188
Adding Missing Modeling...
Starting String Analysis...
Warning: java.lang.ref.Finalizer is a phantom class!
JSA Hotspots: 6
Finished String Analysis: 0:00:00.389
Running PTA...
No context: 444
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1549
Total reachable method x contexts: 1386
Finished PTA: 0:00:10.653
Cloning static methods to introduce call site context...
Cloned static methods added: 123
Running Value Analysis
Running PTA...
No context: 444
Api Call Depth: -1
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1792
Total reachable method x contexts: 14078
Finished PTA: 0:00:10.525
Injecting String Analysis Results.
Converting Object.getClass calls to class constant.
Converting Class.getName calls to class name strings.
Running PTA...
No context: 444
Api Call Depth: -1
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1796
Total reachable method x contexts: 14154
Finished PTA: 0:00:11.346
Starting Value Analysis
Finished Value Analysis: 0:00:00.383
Running Value Analysis Tranform Suite...
Finished Value Analysis Transforms Suite: 0:00:00.127
Undoing String Analysis Result Injection.
Inserting Unmodeled Objects...
Running PTA...
No context: 444
Api Call Depth: -1
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1796
Total reachable method x contexts: 9984
Finished PTA: 0:00:10.949
Running PTA...
No context: 444
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1626
Total reachable method x contexts: 1508
Finished PTA: 0:00:10.484
Converting AbstractStringBuilder.toString()
Running PTA...
No context: 444
Api Call Depth: -1
Info: Not accounting for newInstance(String) calls.
Alloc node size (insensitive objects): 1858
Total reachable method x contexts: 14312
Finished PTA: 0:00:10.549
Starting Generate RCFG...
Finished Generating RCFG: 0:00:00.015
Building indicator reports
Indicator reports complete
Searching for catch blocks (precise)
Finished Catch Block Analysis: 0:00:00.007
Starting Information Flow Analysis...
locals.size() = 0
instances.size() = 1
arrays.size() = 0
statics.size() = 0
locals.size() = 1
instances.size() = 2
arrays.size() = 0
statics.size() = 0
locals.size() = 5
instances.size() = 3
arrays.size() = 0
statics.size() = 0
locals.size() = 5
instances.size() = 3
arrays.size() = 0
statics.size() = 0
:Total Info Sets:2
:Total Sets Size:2
Finished Information Flow Analysis: 0:00:00.734
Finding method calls on all important alloc nodes...
Finished finding method calls on alloc nodes.
Converting RCFG to SSL and dumping...
High Level Flows: 1
Num output events: 2
Finished converting RCFG to SSL and dumping: 0:00:00.075
Creating Eclipse Plugin Serialized Specification...
Finished Eclipse Plugin Serialized Specification: 0:00:00.118
Finished!

real    4m54.834s
user    6m55.620s
sys     0m7.988s

The last lines show the time required for this example case.

Cheers, FoelliX
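As an added example (not part of this thread and not code from CoDiDroid, the AQL-System or DroidSafe), the script below totals the per-phase timings DroidSafe prints and compares them with the `time` wall-clock figure, which makes visible how much of a run is spent outside the logged analysis phases. The log excerpt is a constructed subset of the console output quoted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DroidSafe console output from the thread:
# only the lines that carry a duration, plus the `time` summary.
SAMPLE_LOG = """\
Setting memory size to 32GB
Starting DroidSafe Run
Finished PTA: 0:00:14.548
Finished PTA: 0:00:13.188
Finished String Analysis: 0:00:00.389
Finished PTA: 0:00:10.653
Finished PTA: 0:00:10.525
Finished PTA: 0:00:11.346
Finished Value Analysis: 0:00:00.383
Finished Value Analysis Transforms Suite: 0:00:00.127
Finished PTA: 0:00:10.949
Finished PTA: 0:00:10.484
Finished PTA: 0:00:10.549
Finished Generating RCFG: 0:00:00.015
Finished Catch Block Analysis: 0:00:00.007
Finished Information Flow Analysis: 0:00:00.734
Finished converting RCFG to SSL and dumping: 0:00:00.075
Finished Eclipse Plugin Serialized Specification: 0:00:00.118
Finished!

real    4m54.834s
user    6m55.620s
sys     0m7.988s
"""

# "Finished <phase>: h:mm:ss.fff" as printed by DroidSafe; lines such as
# "Finished!" carry no duration and are skipped.
PHASE_RE = re.compile(r"^Finished (?P<phase>.+?): (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}\.\d+)$")
# "real    4m54.834s" as printed by the shell's `time` builtin.
REAL_RE = re.compile(r"^real\s+(?:(?P<m>\d+)m)?(?P<s>\d+(?:\.\d+)?)s$")


def phase_seconds(log: str) -> dict:
    """Sum each phase's durations; repeated phases (the PTA runs) accumulate."""
    totals = defaultdict(float)
    for line in log.splitlines():
        m = PHASE_RE.match(line.strip())
        if m:
            totals[m["phase"]] += int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return dict(totals)


def wall_seconds(log: str) -> float:
    """Wall-clock seconds from the `real` line of the `time` summary."""
    for line in log.splitlines():
        m = REAL_RE.match(line.strip())
        if m:
            return int(m["m"] or 0) * 60 + float(m["s"])
    raise ValueError("no `real` line in log")


def unaccounted_seconds(log: str) -> float:
    """Wall-clock time not covered by any logged phase (apktool, class loading, ...)."""
    return wall_seconds(log) - sum(phase_seconds(log).values())


if __name__ == "__main__":
    for phase, secs in sorted(phase_seconds(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{secs:8.3f}s  {phase}")
    print(f"{wall_seconds(SAMPLE_LOG):8.3f}s  wall clock (real)")
    print(f"{unaccounted_seconds(SAMPLE_LOG):8.3f}s  outside logged phases")
```

For the quoted run the eight PTA passes sum to about 92 s, yet the whole run took nearly 295 s, so roughly two thirds of the time is spent before and between the phases DroidSafe reports on.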