Any configuration example for FlowDroid taint analysis on latest version (2.5) ? #6

Closed
louison opened this issue Feb 7, 2018 · 13 comments
Labels
question Further information is requested

Comments

@louison
Contributor

louison commented Feb 7, 2018

Hi there,

I'm currently trying to use the latest version of FlowDroid, which looks very handy and more modular.
However, I'm a bit stuck with the new way of setting up a taint analysis programmatically with sources and sinks.
I think one way to do it is to start with an InfoflowAndroidConfiguration instance, but I'm not sure about all the options…

Do you have a working example somewhere that I could use as a starting point?
I would like to use it as a library because I'm already using Soot in my program to instrument some methods from APKs.

Thank you in advance :)

@StevenArzt
Member

You can use the command line client implementation as an example of how the FlowDroid API works. The class "MainClass" in "soot-infoflow-cmd" implements a small tool that runs a data flow analysis and prints out the results.

In general, you need the following things to run a data flow analysis:

  • Your target APK file
  • The path to your Android platforms ("platforms" directory in the Android SDK)
  • A definition for sources and sinks

These are the options you always need to configure. They are all located in the "AnalysisFileConfiguration" class which is part of "InfoflowAndroidConfiguration". All the other options are additional features or tweaks that you can configure if you want, but for which you can also use the defaults. Once your files are configured (see list above), you can instantiate the "SetupApplication" class with your configuration object and call runInfoflow().

@StevenArzt StevenArzt added the question Further information is requested label Feb 7, 2018
@louison
Contributor Author

louison commented Feb 7, 2018

Ok great! Thanks for that!
In the source code, I also saw a class CategorizedAndroidSourceSinkParser. Is that a way to determine which category a source is from? I would like to use it with the complete SuSi SourcesAndSinks.txt file, which already has sorted sources and sinks. Is that possible?

@StevenArzt
Member

Yes, that is possible. You can use the method getCategory() in the class SourceSinkDefinition. When you look at the results of the data flow analysis, there is a method getDefinition() in SinkInfo and SourceInfo that will give you such a definition, which in turn contains the respective category.

@louison
Contributor Author

louison commented Feb 7, 2018

I have another question.
As I said before, I'm currently instrumenting methods with Jimple in Soot. So I already have a Soot configuration, which looks like this:

		try {
			app.setCallbackFile(analyzerDirectory + "AndroidCallbacks.txt");
			app.calculateSourcesSinksEntrypoints(analyzerDirectory + "SourcesAndSinks.txt");
			EasyTaintWrapper easyTaintWrapper = new EasyTaintWrapper(analyzerDirectory + "EasyTaintWrapperSource.txt");
			app.setTaintWrapper(easyTaintWrapper);
		} catch (IOException | XmlPullParserException e) {
			e.printStackTrace();
		}

		soot.G.reset();

		soot.options.Options.v().set_allow_phantom_refs(true); // allow phantom classes
//		soot.options.Options.v().set_validate(true); // validate internal bodies
		soot.options.Options.v().set_src_prec(soot.options.Options.src_prec_apk); // only apk are accepted for soot analysis
		soot.options.Options.v().set_android_jars(androidJars); // Load android platforms
		soot.options.Options.v().set_process_dir(Collections.singletonList(pathToApk)); // loading apk to soot
//		soot.options.Options.v().set_soot_classpath(androidJars);
		soot.options.Options.v().set_process_multiple_dex(true);
		soot.options.Options.v().set_whole_program(true);
		soot.options.Options.v().set_keep_line_number(true);
		soot.options.Options.v().set_output_format(soot.options.Options.output_format_jimple);
		soot.options.Options.v().setPhaseOption("cg.spark", "on");

		Scene.v().loadNecessaryClasses();

		SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
		soot.options.Options.v().set_main_class(entryPoint.getSignature());
		Scene.v().setEntryPoints(Collections.singletonList(entryPoint));

Do you have a best practice for using Soot first to instrument my APK code and then running infoflow?
In other words, how should I configure the whole process to have a consistent Soot environment throughout the program (like having all my classes in the Scene, …)?

Thank you !

@StevenArzt
Member

There are two approaches you can use:

  1. Stick to your old Soot configuration and run FlowDroid in-place. FlowDroid can be configured to use an existing Soot instance. In that case, you simply call runInfoflow() after initializing Soot on your own. Make sure to set the "Soot Integration Mode" to "UseExistingInstance" in your configuration.

  2. Only run FlowDroid, but specify additional Soot options (such as the output format dex) using the IInfoflowConfig interface. In that case, FlowDroid will be responsible for initializing Soot. After FlowDroid has completed the data flow analysis, you can still use Soot as usual. Make sure to call PackManager.v().writeOutput() to write out your modified classes.

@louison
Contributor Author

louison commented Feb 7, 2018

Thank you for your help, Steven!
So I tried to use the first solution you gave me (UseExistingInstance) like this:

soot.options.Options.v().set_allow_phantom_refs(true); // allow phantom classes
soot.options.Options.v().set_validate(true); // validate internal bodies
soot.options.Options.v().set_src_prec(soot.options.Options.src_prec_apk); // only apk are accepted for soot analysis
soot.options.Options.v().set_android_jars(androidJars); // Load android platforms
soot.options.Options.v().set_process_dir(Collections.singletonList(pathToApk)); // loading apk t
soot.options.Options.v().set_process_multiple_dex(true);
soot.options.Options.v().set_output_format(soot.options.Options.output_format_jimple);

Scene.v().loadNecessaryClasses();
InfoflowAndroidConfiguration configuration = new InfoflowAndroidConfiguration();
configuration.setSootIntegrationMode(InfoflowAndroidConfiguration.SootIntegrationMode.UseExistingInstance);

app = new SetupApplication(configuration);

But it doesn't work: SetupApplication doesn't recognize the AndroidJar path and throws:

throw new RuntimeException("Android platform directory not specified");

When looking at the SetupApplication.java source code, it looks like there is no reference to SootIntegrationMode.UseExistingInstance. I can only see mentions of SootIntegrationMode.UseExistingCallgraph.

Am I missing something in my config, or am I on the wrong branch?

Thanks

@louison
Contributor Author

louison commented Feb 7, 2018

Ok, I assume that FlowDroid will only use the current instance of Soot for loaded classes and the callgraph, but not for options like the Android platform path or APK path.

@StevenArzt
Member

If FlowDroid is configured to use an existing Soot instance, it will not initialize Soot on its own. That means that neither the APK nor the platforms directory is taken from the FlowDroid settings. FlowDroid simply assumes that there is a running Soot instance that it can just use. Therefore, it doesn't matter what you set in the FlowDroid options if you take an existing Soot instance.

Can you try the "develop" branch? At least there, I see a reference to the Soot integration mode in the method SootIntegrationMode.needsToBuildCallgraph(). If I recall correctly, we also use FlowDroid in that configuration in one of our research projects and I haven't heard any complaints from these colleagues. If nothing helps, can you post the stack trace of the exception and all other output that you get to the log (FlowDroid uses log4j)?

@louison
Contributor Author

louison commented Feb 8, 2018

Hi Steven,
I see SootIntegrationMode.needsToBuildCallgraph() in the master branch too.
Given this configuration:

125 soot.options.Options.v().set_allow_phantom_refs(true); // allow phantom classes
126 soot.options.Options.v().set_validate(true); // validate internal bodies
127 soot.options.Options.v().set_src_prec(soot.options.Options.src_prec_apk); // only apk are accepted for soot analysis
128 soot.options.Options.v().set_android_jars(androidJars); // Load android platforms
129 soot.options.Options.v().set_process_dir(Collections.singletonList(pathToApk)); // loading apk t
130 soot.options.Options.v().set_process_multiple_dex(true);
131 soot.options.Options.v().set_whole_program(true);
132 soot.options.Options.v().set_output_format(soot.options.Options.output_format_jimple);
133 soot.options.Options.v().set_output_format(soot.options.Options.output_format_dex);
134 Scene.v().loadNecessaryClasses();
135 InfoflowAndroidConfiguration configuration = new InfoflowAndroidConfiguration();
136 configuration.setSootIntegrationMode(SootIntegrationMode.UseExistingInstance);
137 Config.app = new SetupApplication(configuration);

I get the following stack trace:

Using '/Users/lgitzing/Development/android-platforms/android-25/android.jar' as android.jar
Found dex file 'classes.dex' with 1728 classes in '/Users/lgitzing/Development/flow_droid_tests/apks/instance.apk'
Exception in thread "main" java.lang.RuntimeException: Android platform directory not specified
	at soot.jimple.infoflow.android.SetupApplication.<init>(SetupApplication.java:280)
	at soot.jimple.infoflow.android.SetupApplication.<init>(SetupApplication.java:211)
	at app.Config.initialiseSoot(Config.java:137)
	at app.Driver.init(Driver.java:40)
	at app.Driver.main(Driver.java:89)

I don't understand why FlowDroid doesn't take the AndroidJars I gave to the Soot configuration at line 128…

@StevenArzt
Member

@AmrAshraf Please do not ask new questions in existing threads, but open a new thread instead. This discussion here is about something else.

@LouisonGitzinger In your code, you specify the output format twice. That's not the problem here, but it doesn't look intended either.

The exception you get is a bug. That check shouldn't be performed if you use an existing Soot instance. I will commit a fix later on, together with the rest I am currently working on. In the meantime, you can just set some Android platform directory. It will be ignored, because no new Soot instance is created. However, the superfluous check should then pass.
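
The configuration discussed in this thread, put together as an added example (not code from the FlowDroid project or from any participant): Soot is initialised by the caller, FlowDroid reuses it through UseExistingInstance, and an Android platform directory is set only to get past the check described above. The class name and argument order are hypothetical; String-typed file setters and the need to still hand FlowDroid the APK path are assumptions about the API of that release.

```java
import java.util.Collections;
import soot.Scene;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.results.ResultSinkInfo;
import soot.jimple.infoflow.results.ResultSourceInfo;
import soot.options.Options;

public class ExistingSootTaintRun { // hypothetical class name
    public static void main(String[] args) throws Exception {
        String apk = args[0];          // target APK file
        String platforms = args[1];    // "platforms" directory of the Android SDK
        String sourcesSinks = args[2]; // source/sink definition, e.g. SourcesAndSinks.txt

        // 1. Initialise Soot ourselves, with the options used in the thread.
        soot.G.reset();
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_android_jars(platforms);
        Options.v().set_process_dir(Collections.singletonList(apk));
        Options.v().set_process_multiple_dex(true);
        Options.v().set_whole_program(true);
        Options.v().set_output_format(Options.output_format_dex); // set once only
        Scene.v().loadNecessaryClasses();
        // ... instrument method bodies here before the analysis runs ...

        // 2. Tell FlowDroid to reuse the running Soot instance.
        InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.setSootIntegrationMode(
                InfoflowAndroidConfiguration.SootIntegrationMode.UseExistingInstance);
        // Assumption: FlowDroid still needs the APK path for its own parsing.
        config.getAnalysisFileConfig().setTargetAPKFile(apk);
        config.getAnalysisFileConfig().setSourceSinkFile(sourcesSinks);
        // Workaround from the thread: ignored in this mode, but the constructor
        // check for "Android platform directory not specified" then passes.
        config.getAnalysisFileConfig().setAndroidPlatformDir(platforms);

        // 3. Run the data flow analysis and list each sink with its sources.
        SetupApplication app = new SetupApplication(config);
        InfoflowResults results = app.runInfoflow();
        if (results == null || results.getResults() == null) {
            System.out.println("No flows found");
            return;
        }
        for (ResultSinkInfo sink : results.getResults().keySet()) {
            Object category = sink.getDefinition() == null
                    ? null : sink.getDefinition().getCategory();
            for (ResultSourceInfo source : results.getResults().get(sink))
                System.out.println(source + " -> " + sink + " [sink category: " + category + "]");
        }
    }
}
```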

@RishMeh19

Sir, I am getting the following error after executing the command:
java -jar soot-infoflow-cmd-jar-with-dependencies.jar -a com.nice.candy.wallpaper.hd.wallpapers.apk -p /home/rishabh/Documents/Flowdroid/platforms -s SourcesAndSinks

Error:
[main] INFO soot.jimple.infoflow.taintWrappers.EasyTaintWrapper - Loaded wrapper entries for 90 classes and 12 exclusions.
The data flow analysis has failed. Error message: String index out of range: -1
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1927)
at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1289)
at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:237)
at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:196)

Is there any error in the main file?

@JeffreyFairbanks

Is there any fix to what was stated above? I also have that problem.

@StevenArzt
Member

Which version of FlowDroid do you use? The line 1289 isn't plausible for the current development branch.

In general, if you encounter a problem, please open a new issue unless your problem is definitely related to the current issue. It becomes very confusing if multiple different problems are cluttered in the same issue.
