A dynamic information flow tracing system for Android

NDroid

NDroid is a dynamic taint analysis system for Android that focuses on tracing information flow through JNI with low performance overhead. More details about NDroid can be found in our published paper here.

#### NDroid uses the following open source projects:

#### Please note that:

  • The old NDroid prototype's code is kind of messy and not extensible. Therefore, I am rebuilding NDroid with goals: making it faster, more effective and extensible.
  • Currently, this version is still under development, so it cannot be used to analyze apps. Once the core functions are completed, I will create a patch.
  • The TaintDroid source code I use is 4.1.1_r6.

#### How to build?

  • Build TaintDroid 4.1.1_r6 following the instructions here.
  • Clone the NDroid source code: `cd TaintDroid/external/ && git clone https://github.com/0-14N/NDroid.git ndroid`
  • Set up the build environment: `cd TaintDroid/ && . build/envsetup.sh && lunch full-eng`
  • Build NDroid: `cd TaintDroid/external/ndroid && ./android-configure.sh && make`
  • Run NDroid: `cd objs && ./emulator -sysdir TaintDroid/out/target/product/generic/ -kernel TaintDroid/prebuilt/android-arm/kernel/kernel-qemu-armv7 -qemu -monitor stdio`
  • Try the "ps", "pt" and "pm pid" commands provided by DroidScope and make sure they all work.
  • Start tracing a process with the command "nd_trace_pid pid" or "nd_trace_uid uid"; stop tracing by typing "nd_stop_trace_pid pid" or "nd_stop_trace_uid uid".
  • The NDroid log, "NDroid.log", is under the "objs" directory.

#### Issues:

  • If the commands provided by DroidScope ("ps", "pt") output nothing, try modifying the files "objs/kernelinfo.conf" and "ndroid/DECAF_shared/DroidScope/DS_Common.h" so that the offsets are correct.
  • As reported by my friends, there are bugs for decoding Thumb-2 instructions and handling taint propagations of certain ARM instructions. (Not fixed yet.)

#### Others:

  • There is little possibility that I will continue working on NDroid, for the following reasons:
    1. Android Lollipop totally abandoned DVM! (So do I ... )
    2. I have to admit that the performance overhead produced by NDroid makes it impractical for analyzing real apps with large amounts of native code.
    3. I don't have enough time since I am working on new research projects.