develop rasta methodology section
All checks were successful
/ test_checkout (push) Successful in 1m16s

This commit is contained in:
Jean-Marie Mineau 2025-08-13 17:52:52 +02:00
parent 01ce20ffda
commit af1187f041
Signed by: histausse
GPG key ID: B66AEEDA9B645AD2
4 changed files with 82 additions and 9 deletions


@ -1,6 +1,6 @@
#import "../lib.typ": APK, etal, ART, SDK, DEX, eg,
#import "../lib.typ": todo, jm-note, jfl-note
#import "@preview/diagraph:0.3.3": raw-render
#import "@preview/diagraph:0.3.5": raw-render
//== Android Reverse Engineering Techniques <sec:bg-techniques>
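Review bot: the diagraph bump from 0.3.3 to 0.3.5 is not mentioned in the commit message ("develop rasta methodology section"), so the history will not say why it was needed; if the `alt:` argument added to the figure calls later in this file depends on the newer version, say so in the message, and confirm that every other `raw-render` call site in the document still compiles against 0.3.5.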
@ -29,6 +29,8 @@ A more advance control-flow analysis consist in building the control-flow graph.
This time, instead of methods, the nodes represent instructions, and the edges indicate which instruction can follow which instruction.
@fig:bg-fizzbuzz-cg-cfg c) represents the control-flow graph of @fig:bg-fizzbuzz-cg-cfg a), with code statement instead of bytecode instructions.
#todo[Add alt text for @fig:bg-fizzbuzz-cg and @fig:bg-fizzbuzz-cfg]
#figure({
set align(center)
stack(dir: ttb,[
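Review bot: the `#todo[...]` body references `@fig:bg-fizzbuzz-cg` and `@fig:bg-fizzbuzz-cfg`, but the only label visible in this diff is `<fig:bg-fizzbuzz-cg-cfg>` (the two subfigures are of kind "bg-fizzbuzz-cg-cfg subfig" and carry no label here); if those two labels do not exist elsewhere and the todo body is rendered, Typst will report an unresolved reference, so either point the todo at the existing label or give the subfigures the labels the todo names.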
@ -63,7 +65,8 @@ This time, instead of methods, the nodes represent instructions, and the edges i
"fizzBuzz(int)" -> "Log.e(String, String)"
}
```,
width: 40%
width: 40%,
alt: "",
),
supplement: none,
kind: "bg-fizzbuzz-cg-cfg subfig",
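Review bot: `alt: ""` leaves the call-graph subfigure with an empty description, which gives assistive technology nothing to read, and the `width: 40%,` line changes only to gain a trailing comma; since the graph's content is already spelled out in the DOT source above (methods as nodes, with an edge such as `"fizzBuzz(int)" -> "Log.e(String, String)"`), a one-sentence alt text could be written now instead of being deferred to the `#todo`.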
@ -104,7 +107,8 @@ This time, instead of methods, the nodes represent instructions, and the edges i
"l7": `Buzzer.buzz();`,
"l9": `Log.e("fizzbuzz", String.valueOf(i));`,
),
width: 50%
width: 50%,
alt: "",
),
supplement: none,
kind: "bg-fizzbuzz-cg-cfg subfig",
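Review bot: same empty `alt: ""` on the control-flow-graph subfigure; the statement map passed just above (`"l7": `Buzzer.buzz();``, `"l9": `Log.e("fizzbuzz", String.valueOf(i));``, and so on) already names the nodes, so an alt text summarising "control-flow graph of fizzBuzz with one node per statement" can be derived from it and will not drift from the figure when the map changes.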
@ -114,7 +118,6 @@ This time, instead of methods, the nodes represent instructions, and the edges i
supplement: [Figure],
caption: [Source code for a simple Java method and its Call and Control Flow Graphs],
)<fig:bg-fizzbuzz-cg-cfg>
Once the control-flow graph is computed, it can be used to compute data-flows.
Data-flow analysis, also called taint-tracking, allows to follow the flow of information in the application.
Be defining a list of methods and fields that can generate critical information (taint sources) and a list of methods that can consume information (taint sink), taint-tracking allows to detect potential data leaks (if a data flow link a taint source and a taint sink).
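Review bot: the data-flow paragraph in the context lines carries typos worth fixing while this region is being touched: "Be defining a list of methods" should read "By defining a list of methods", "if a data flow link a taint source and a taint sink" should read "links", and "allows to follow the flow" / "allows to detect" read better as "makes it possible to follow the flow" / "makes it possible to detect"; the hunk header's context line also has "A more advance control-flow analysis consist in", which should be "A more advanced control-flow analysis consists in".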