wip intro
All checks were successful
/ test_checkout (push) Successful in 1m8s

Jean-Marie 'Histausse' Mineau 2025-07-31 00:14:42 +02:00
parent 89c7f6ef08
commit 826c428114
Signed by: histausse
GPG key ID: B66AEEDA9B645AD2
6 changed files with 81 additions and 6 deletions

View file

@ -26,8 +26,11 @@ jobs:
- run: |
cd "${GITHUB_WORKSPACE}"
/bin/typst compile --input commit=$(git rev-parse --short HEAD) --font-path /usr/share/fonts/ main.typ
/bin/typst compile --input draft=false --input abstract-only=true main.typ abstract.pdf
- run: |
curl -s --show-headers --user "histausse:${{secrets.TOKEN_HISTAUSSE_PACKAGE}}" -X DELETE "${GITHUB_SERVER_URL}/api/packages/these-ammii/generic/thesis/latest/draft.pdf"
curl -s --show-headers --user "histausse:${{secrets.TOKEN_HISTAUSSE_PACKAGE}}" --upload-file "${GITHUB_WORKSPACE}/main.pdf" "${GITHUB_SERVER_URL}/api/packages/these-ammii/generic/thesis/latest/draft.pdf"
curl -s --show-headers --user "histausse:${{secrets.TOKEN_HISTAUSSE_PACKAGE}}" -X DELETE "${GITHUB_SERVER_URL}/api/packages/these-ammii/generic/thesis/latest/abstract.pdf"
curl -s --show-headers --user "histausse:${{secrets.TOKEN_HISTAUSSE_PACKAGE}}" --upload-file "${GITHUB_WORKSPACE}/main.pdf" "${GITHUB_SERVER_URL}/api/packages/these-ammii/generic/thesis/latest/abstract.pdf"
# curl -s --show-headers --user "histausse:${{secrets.TOKEN_HISTAUSSE_PACKAGE}}" --upload-file "${GITHUB_WORKSPACE}/main.pdf" "${GITHUB_SERVER_URL}/api/packages/these-ammii/generic/thesis/${GITHUB_SHA}/draft.pdf"
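Review bot: the last live curl in this hunk uploads the wrong file: it pushes `${GITHUB_WORKSPACE}/main.pdf` to the `abstract.pdf` package path, while the second compile step writes the abstract to `abstract.pdf`. Change its `--upload-file` argument to `"${GITHUB_WORKSPACE}/abstract.pdf"`, otherwise the published abstract is a copy of the full draft. Two smaller points: none of the curl calls use `--fail`, so with `-s` a rejected DELETE or upload (expired token, wrong path) exits 0 and the job stays green while the published files silently go stale; and passing the package token through `--user` puts it on the command line, where it is visible in the runner's process list for the duration of the call, so consider `--netrc-file` or `-K`/`--config` with a file written from the secret instead. The commented-out per-commit upload line is dead code and can be dropped.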

View file

@ -1,4 +1,4 @@
#import "../lib.typ": todo, epigraph, eg
#import "../lib.typ": todo, epigraph, eg, APK, jm-note
= Introduction <sec:intro>
@ -17,11 +17,10 @@ This threat model goes as far as to consider that an adversarie can have physica
On the device, this security model imply the sandboxing of each applications, with a system of permissions to allow the applications to perform potentially unwanted actions.
For example, an applications cannot access the contact list without requesting the permission to the user first.
Android keep improving its security version from version, be it by improving the sandboxing (#eg starting with Android 10, application can no longer access the clipboard if they are not focused) or safer default (#eg since Android 9, by default, all network connection must use TLS).
// Android Bouncer, ca marche pas tres bien quand même ect ect (stralker ware?)
/*
* A mettre qqp:
* - "Evaluating the Reusability of Android Static Analysis Tools" https://dx.doi.org/10.1007/978-3-031-66459-5_10 10.1007/978-3-031-66459-5_10 21st International Conference on Software and Systems Reuse, ICSR 2024 https://hal.science/hal-04557993v1
* - "Class Loaders in the Middle: Confusing Android Static Analyzers" in Digital Threats: Research and Practice http://dx.doi.org/10.1145/3754457
*
*
*
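Review bot: the changed prose lines carry typos that will reach the rendered draft: 'adversarie' (adversary) in the hunk context, 'this security model imply the sandboxing of each applications' should read 'implies the sandboxing of each application', 'an applications cannot access' should be 'an application cannot access', 'Android keep improving its security version from version' should be 'keeps improving its security from version to version', and 'safer default' should be plural to parallel 'improving the sandboxing'. The comment block that follows (`// Android Bouncer ...` and the `/* A mettre qqp: ...` list) is a French note-to-self in the source; since `--input draft=false` builds the clean version, either turn it into a `#todo[...]` so it stays visible in drafts or move it out of the chapter before submission.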
@ -46,4 +45,37 @@ Android keep improving its security version from version, be it by improving the
#todo[3) savent pas gerer le chargement dyn et reflection]
#[
#set heading(numbering: none, outlined: false, bookmarked: false)
== Contributions
The contributions of this thesis are the following:
+ We evaluate the reusability of Android static analysis tools published by the community:
We rebuild the tools in their original environment as container images.
With those containers, those tools are now readilly available capable of running either Docker of Singularity.
We also tested those tools on a dataset of real-life applications balanced in order to have a significant number of applications with different caracteristics to assess which caracteristic impact the success of a tools.
This work was presented at the ICSR 2024 conference~@rasta.
+ We model the default class loading behavior of Android.
Based on this model, we defined a class of obfuscation technique that we called _shadow attacks_ where an class definition in an #APK shadows the actual class definition.
We show that common state of the arts tools like Jadx or Flowdroid do not implement this model correctly and thus can fall for those shadow attacks.
We surveilled a large number of rescent Android applications and found that applications with classes shadowing the actual definition do exists, those are the result of quirks in the #APK compilation process and not deliberate obfuscation attempts.
This work was publish in the Digital Threats journal~@classloaderinthemiddle. #todo[update ref when not 'just published' anymore]
+ We propose an approach to allow static analysis tools to analyse application that perform dynamic code loading:
We collect at runtime the bytecode dynamically loaded and the reflection calls informations, an patch the #APK file to perform those operation statically.
Finally, we evaluate the impact this transformation has on the #jm-note[resiliance][wrong word?] of the tools we containerized previously.
== Outline
This dissertation is composed of 6 chapters.
This introduction is the first chapter.
It is followed by @sec:bg that gives background information about Android and the different analysis techniques targetting Android applications.
The next 3 chapters are dedicated to the contributions of this thesis.
First @sec:rasta studdies the reusability of static analysis tools.
Next in @sec:cl, we model the default class loading algorithm used by Android and the show the consequences for reverse engineering tools that implement a wrong model.
Then @sec:th presents an approach that allows for static analysis tools to analyse applications that load bytecode at runtime.
Finally, @sec:conclusion summarizes the contributions of this thesis and opens perspectives for futur work.
]
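Review bot: the first contribution item has a broken sentence at 'those tools are now readilly available capable of running either Docker of Singularity'; suggested: 'those tools are now readily available to anyone able to run either Docker or Singularity'. Further typos in the same hunk: 'caracteristics' / 'which caracteristic impact the success of a tools' (characteristics; 'which characteristic impacts the success of a tool'), 'an class definition', 'state of the arts tools', 'surveilled a large number of rescent Android applications' (surveyed ... recent), 'do exists', 'was publish', 'an patch', 'reflection calls informations', 'resiliance' (resilience, or 'robustness' if that is the meaning the jm-note questions), 'targetting', 'studdies', 'and the show the consequences', 'futur'. Tool names should use their usual spelling (FlowDroid, Jadx). The outline lists six chapters and matches 'composed of 6 chapters', but this commit only adds the `<sec:rasta>` and `<sec:cl>` labels, so `@sec:bg`, `@sec:th` and `@sec:conclusion` need matching labels elsewhere or the build will fail.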

View file

@ -1,6 +1,6 @@
#import "../lib.typ": todo
= RASTA
= RASTA <sec:rasta>
#todo[Bring back element from previous version of rasta]

View file

@ -1,6 +1,6 @@
#import "../lib.typ": todo, epigraph
= Class Loaders in the Middle: Confusing Android Static Analyzers
= Class Loaders in the Middle: Confusing Android Static Analyzers <sec:cl>
#epigraph("Esmerelda Weatherwax, Wyrd Sisters, Terry Pratchett")[Things that try to look like things often do look more like things than things.]

View file

@ -29,5 +29,11 @@ typst compile main.typ
Additionally, the argument `--input commit=$(git rev-parse --short HEAD)` will add the current commit at the beginning of the draft, and `--input draft=false` will build the clean version, without TODOs or line numbers.
The abstract can be compile separately:
```
typst compile --input draft=false --input abstract-only=true main.typ abstract.pdf
```
The CI should build the latest draft at <https://git.mineau.eu/api/packages/these-ammii/generic/thesis/latest/draft.pdf>
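Review bot: 'The abstract can be compile separately' should read 'compiled'. Since the workflow in this commit also publishes the abstract to the same package, document its URL next to the draft one (`.../api/packages/these-ammii/generic/thesis/latest/abstract.pdf`) so the README matches what the CI actually produces.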

View file

@ -1,3 +1,37 @@
@InProceedings{rasta,
author="Mineau, Jean-Marie
and Lalande, Jean-Francois",
editor="Achilleos, Achilleas
and Fuentes, Lidia
and Papadopoulos, George Angelos",
title="Evaluating the Reusability of Android Static Analysis Tools",
booktitle="Reuse and Software Quality",
year="2024",
publisher="Springer Nature Switzerland",
address="Cham",
pages="153--170",
abstract="Reproducibility and reusability in computer science experiments become a requirement for research works. Reproducibility ensures that results can be confirmed by using the same dataset and software of previous papers. Reusability helps other researchers to build new approaches with distributed software artifacts. For researchers in the field of security of mobile platforms, ensuring reproducibility and reusability is difficult to implement. In particular for reusability, datasets of Android applications may contain recent applications that past analysis software cannot process. As a consequence, past software produced by researchers may be difficult to reuse, which endangers the reproducibility of research. This paper intends to explore the reusability of past software dedicated to static analysis of Android applications. We pursue the community effort that identified publications between 2011 and 2017 that perform static analysis of mobile applications and we propose a method for evaluating the reusability of the associated tools. We extensively evaluate the success or failure of these tools on a dataset containing Android applications that can have up to six years of distance from the original publication. We also measure the influence of some important characteristics of the application such as being a goodware or a malware or the application size. Our results show that 54.5{\%} of the evaluated tools are no longer usable and that the size of the bytecode and the min SDK version have the greatest influence on the reusability of tested tools.",
isbn="978-3-031-66459-5"
}
@article{classloaderinthemiddle,
author = {Mineau, Jean-Marie and Lalande, Jean-Fran\c{c}ois},
title = {Class loaders in the middle: confusing Android static analyzers},
year = {2025},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3754457},
doi = {10.1145/3754457},
abstract = {When executing a mobile application, Android executes either the classes provided by the developer or the ones provided by the operating system. The dynamic linking and loading of the different classes is a complex task that may be exploited by an attacker. In particular, if the developer adds a class whose name collides with another class of Android, they may confuse a reverse engineer. In this paper, we explore the possible collisions that can occur between classes defined multiple times at different locations, i.e., multiple times in the APK file or, at the same time, in the APK and the operating system. We highlight three attacks that we call shadow attacks. In particular, we show that static analysis tools used by a reverse engineer choose the shadow implementation for most of the evaluated tools, and output a wrong result. In particular, the flow analysis of Androguard or Flowdroid can be fooled by an attacker. In a dataset of 49 975 applications, we also explored if shadow attacks are used in the wild and found that most of the time, there is no malicious behavior behind them. The main results are that 23.52 \% of applications shadow a class of the SDK and 3.11 \% a hidden class of the system.},
note = {Just Accepted},
journal = {Digital Threats},
month = jul,
keywords = {Android, static analysis, class loading, code obfuscation}
}
@inproceedings{weiAmandroidPreciseGeneral2014,
title = {Amandroid: {{A Precise}} and {{General Inter-component Data Flow Analysis Framework}} for {{Security Vetting}} of {{Android Apps}}},
shorttitle = {Amandroid},
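Review bot: the two new entries spell the second author differently, `Lalande, Jean-Francois` in `rasta` and `Lalande, Jean-Fran\c{c}ois` in `classloaderinthemiddle`, which renders two distinct names in the bibliography and can break author-based sorting or deduplication; use the cedilla form in both. The `@article` title is lowercase apart from 'Android', so a style that changes title case will alter it; protect the proper noun with braces (`{Android}`) as the Amandroid entry does with `{{A Precise}}`. `note = {Just Accepted}` tracks the `#todo[update ref ...]` left in the introduction; clear both together once volume, issue and pages are known.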