From dd86422fd3a26af28d9b004373d832d5412b4722 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Tue, 24 Jun 2025 20:34:34 +0200 Subject: [PATCH] add classloader paper --- 4_class_loader/0_intro.typ | 3 - 4_class_loader/4_in_the_wild.typ | 323 +++++ 4_class_loader/5_ttv.typ | 13 + 4_class_loader/6_conclusion.typ | 16 + 4_class_loader/X_var.typ | 25 + 4_class_loader/data/redef_sdk_16.csv | 11 + 4_class_loader/data/redef_sdk_7minus.csv | 11 + 4_class_loader/data/redef_sdk_8.csv | 11 + 4_class_loader/data/results_50k.csv | 5 + 4_class_loader/data/results_only.csv | 5 + .../figs/redef_sdk_relative_min_sdk.svg | 1281 +++++++++++++++++ 4_class_loader/main.typ | 3 + 12 files changed, 1704 insertions(+), 3 deletions(-) create mode 100644 4_class_loader/4_in_the_wild.typ create mode 100644 4_class_loader/5_ttv.typ create mode 100644 4_class_loader/6_conclusion.typ create mode 100644 4_class_loader/data/redef_sdk_16.csv create mode 100644 4_class_loader/data/redef_sdk_7minus.csv create mode 100644 4_class_loader/data/redef_sdk_8.csv create mode 100644 4_class_loader/data/results_50k.csv create mode 100644 4_class_loader/data/results_only.csv create mode 100644 4_class_loader/figs/redef_sdk_relative_min_sdk.svg diff --git a/4_class_loader/0_intro.typ b/4_class_loader/0_intro.typ index 74490df..e807463 100644 --- a/4_class_loader/0_intro.typ +++ b/4_class_loader/0_intro.typ @@ -62,6 +62,3 @@ Finally, @sec:cl-wild evaluates if these obfuscation techniques are used in the // In reality their use is tolerated and many applications use them to access some of Android features. // This tolerance is one of the key point that lead to confusion attacks that we describe later in the paper. -== TODO -== TODO -== TODO diff --git a/4_class_loader/4_in_the_wild.typ b/4_class_loader/4_in_the_wild.typ new file mode 100644 index 0000000..be5ad45 --- /dev/null +++ b/4_class_loader/4_in_the_wild.typ @@ -0,0 +1,323 @@ +#import "../lib.typ": num, todo +#import "X_var.typ": * + +== Shadow attacks in the wild + +In this section, we evaluate in the wild if applications that can be found in the Play store or other markets use one of the shadow techniques. +Our goal is to explore the usage of shadow techniques in real applications. +Because we want to include malicious applications (in case such techniques would be used to hide malicious code), we selected #num(50000) applications randomly from AndroZoo@allixAndroZooCollectingMillions2016 that appeared in 2023. +Malicious applications are spot in our dataset by using a threshold of 3 over the number of antivirus reporting an application as a malware. +Some few applications over the total cannot be retrieved or parsed leading to a final dataset of #nbapk applications. +We automatically disassembled the applications to obtain the list of included classes. +Then, we check if any shadow attack occurs in the APK itself or with #platc of SDK 34. + +=== Results + +/* +id code +on prend les classes des platform classes et +comparé à SDK 32 33 34: si la shadow class match, alors match +*/ + + +#todo[cl-shadow] +#figure({ + show table: set text(size: 0.80em) + table( + columns: 9, + stroke: none, + align: center+horizon, + inset: (x: 0% + 5pt, y: 0% + 2pt), + table.hline(), + table.header( + table.cell(colspan: 9, inset: 3pt)[], + [], + table.vline(end: 3), + table.vline(start: 4), + table.cell(colspan: 3)[*Number of apps*], + table.vline(end: 3), + table.vline(start: 4), + table.cell(colspan: 4)[*Average*], + table.vline(end: 3), + table.vline(start: 4), + table.cell(rowspan: 2)[*Identical Code*], + + [], + [], [*%*], [*% malware*], + [*Shadow classes*], [*Median*], [*Target SDK*], [*Min SDK*], + + ), + table.cell(colspan: 9, inset: 3pt)[], + table.hline(), + table.cell(colspan: 9)[For all applications of the dataset], + table.hline(), + table.cell(colspan: 9, inset: 3pt)[], + + ..scan_50k.map(e => ( + [*#e.method*], + num(e.nbapp), [#e.ratioapp%], [#e.ratiomal%], + num(e.avgshadow), num(e.median), num(e.avgtargetsdk), num(e.avgminsdk), + [#e.id%] + )).flatten(), + + table.cell(colspan: 9, inset: 3pt)[], + table.hline(), + table.cell(colspan: 9)[For applications with at least 1 shadow case], + table.hline(), + table.cell(colspan: 9, inset: 3pt)[], + + ..scan_only_shadow.map(e => ( + [*#e.method*], + num(e.nbapp), [#e.ratioapp%], [#e.ratiomal%], + num(e.avgshadow), num(e.median), num(e.avgtargetsdk), num(e.avgminsdk), + [#e.id%] + )).flatten(), + + table.cell(colspan: 9, inset: 3pt)[], + table.hline(), + )}, + caption: [Shadow classes compared to SDK 34 for a dataset of #nbapk applications] +) + +//The metadata provided by AndroZoo helps to have the flags reported by antiviruses used by VirusTotal#footnote[https://www.virustotal.com]. + + +We report in the upper part of @tab:cl-shadow the statistics about the whole dataset and the three shadow attacks: "self" when a class shadows another one in the APK, "SDK" when a class of the SDK shadows one of the APK, and "Hidden" when a hidden class of Android shadows one of the APK. +We observe that, on average, a few classes are shadowed by another class. +Note that the median value is 0 meaning that few apps shadow a lot of classes, but the majority of apps do not shadow anything. +The number of applications shadowing a hidden API is low, which is an expected result as these classes should not be known by the developer. +We observe a consequent number of applications, 23.52%, of applications that perform SDK shadowing. +It can be explained by the fact that some classes that newly appear are embedded in the APK for end users that have old versions of Android: it is suggested by the average value of Min SDK which is 21.7 for the whole dataset: on average, an application can be run inside a smartphone with API 21, which would require to embed all new classes from 22 to 34. +This hypothesis about missing classes is further investigated later in this section. + +In the bottom part of @tab:cl-shadow, we give the same statistics but we excluded applications that do not perform any shadowing. +For those pairs of shadow classes, we disassembled them using Apktool to perform a comparison using instructions represented in the Smali language. +For self-shadow, we compare the pair. +For the shadowing of the SDK or Hidden class, we compare the code found in the APK with implementations found in the emulator and `android.jar` of SDK 32, 33, and 34. + +_Self-shadowing_ +We observe a low number of applications doing self-shadow attacks. +For each class that is shadowed, we compared its bytecode with the shadowed one. +We observe that 74.8% are identical which suggests that the compilation process embeds the same class multiple times but makes variations in headers or metadata values. +We investigate later in @sec:cl-malware the case of malicious applications. + +#figure( + image( + "figs/redef_sdk_relative_min_sdk.svg", + width: 100%, + alt: "" + ), + caption: [Redefined SDK classes, sorted by the first SDK they appeared in.] +) + +_SDK shadowing_ +For the shadowing of SDK classes, we observe a low ratio of identical classes. +This result could lead to the wrong conclusion that developers embed malicious versions of the SDK classes, but our manual investigation shows that the difference is slight and probably due to compiler optimization. +To go further in the investigation, in @fig:cl-classes_by_first_sdk we represent these redefined classes with the following rules: + +- The class is classified on the X abscissa in the figure according to the SDK it first appeared in. +- The class is counted as "green" (solid) if it first appeared in the SDK *after* the APK min SDK (retro compatibility purpose). +- The class is counted as "red" (hatched) if it first appeared in the SDK *before* the APK min SDK (which is useless for the application as the SDK version is always available). + +We observe that the majority of classes are legitimate retro-compatibility additions of classes, especially after SDK 21 (which is the average min SDK, cf. @tab:cl-shadow). +Abnormal cases are observed for classes that appeared in API versions 7 and before, 8, and 16. +@tab:cl-topsdk reports the top ten classes that shadow the SDK for the three mentioned versions. +For SDK before 7, it mainly concerns HTTP classes: for example, the class `HttpParams` is an interface, containing limited bytecode that mostly matches the class already present on the emulator (98.03% of shadowed classes are identical). +`HttpConnectionParams` on the other hand differs from the platform class and we observe only 4.99% of identical classes. +Manual inspection of some applications revealed that the two main reasons are: + + +- instead of checking if the methods attributes are null inline like Android does, applications use the method `org.apache.http.util.Args.notNull()`. According to comments in the source code of Android#footnote[https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/core/java/org/apache/http/params/HttpConnectionParams.java;drc=3bdd327f8532a79b83f575cc62e8eb09a1f93f3d?], the class was forked in 2007 from Apache 'httpcomponents' project. Looking at the history of the project, the use of `Args.notNull()` was introduced in 2012#footnote[https://github.com/apache/httpcomponents-core/commit/9104a92ea79e338d876b1b60f5cd2b243ba7069f?]. This shows that applications are embedding code from more recent version of this library without realizing their version will not be the used one. +- very small changes that we found can be attributed to the compilation process (e.g. swapping registers: `v0` is used instead of `v1` and `v1` instead of `v0`), but even if we consider them different, they are very similar. + +The remaining 4.99% of classes that are identical to the Android version are classes where the body of the methods is replaced by stubs that throw `RuntimeException("Stub!")`. +This code corresponds to what we found in android.jar but not the code we found in the emulator, which is surprising. +Nevertheless, we decided to count them as identical, because `android.jar` is the official jar file for developer, and stubs are replaced in the emulator: it is intended by Google developers. + +Other results of @tab:cl-topsdk can be similarly discussed: either they are identical with a high ratio, or they are different because of small variations. +When substantial differences appear it is mainly because different versions of the same library have been used or an SDK class is embedded for retro-compatibility. + +#todo[cl-topsdk] +#figure({ + show table: set text(size: 0.80em) + table( + columns: 3, + stroke: none, + align: (left, right, right), + inset: (x: 0% + 5pt, y: 0% + 2pt), + table.hline(), + table.header( + table.cell(colspan: 3, inset: 2pt)[], + [*Class*], [*Occurrences*], [*Identical ratio*], + ), + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + [redefined for SDK $<=$ 7], [], [], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + ..redef_sdk_7minus.map(e => ( + raw(e.class), num(e.occ), [#e.idper%], + )).flatten(), + + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + [redefined for SDK $=$ 8], [], [], + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + ..redef_sdk_8.map(e => ( + raw(e.class), num(e.occ), [#e.idper%], + )).flatten(), + + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + [redefined for SDK $=$ 16], [], [], + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + table.cell(colspan: 3, inset: 2pt)[], + ..redef_sdk_16.map(e => ( + raw(e.class), num(e.occ), [#e.idper%], + )).flatten(), + + + table.cell(colspan: 3, inset: 2pt)[], + table.hline(), + )}, + caption: [Shadow classes compared to SDK 34 for a dataset of #nbapk applications] +) +/* +\catcode`\$=12% deactivate $ sign // WORKAROUND +\begin{table}[tb] + \caption{Top 10 of shadow classes of the SDK} + \label{tab:topsdk} + \footnotesize +\begin{tabular}{lrr} + \toprule +\bf Class & \bf occurrences & \bf Identical ratio \\ +\midrule +\footnotesize redefined for SDK <= 7 & & \\ + \midrule + \csvreader[ + late after line = \\, + %separator=semicolon, + head to column names, + ]{redef_sdk_7minus.csv}{}{% + \class & \mynums{\occ} & \idper \% + }% +\midrule +\footnotesize redefined for SDK = 8 & & \\ +\midrule + \csvreader[ +late after line = \\, +%separator=semicolon, +head to column names, +]{redef_sdk_8.csv}{}{% + \class & \mynums{\occ} & \idper \% +}% +\midrule +\footnotesize redefined for SDK = 16 & & \\ +\midrule + \csvreader[ +late after line = \\, +%separator=semicolon, +head to column names, +respect dollar = false, % NOT WORKING :-(((((((((( https://tex.stackexchange.com/questions/486250/csvsimple-respect-dollar-not-working +]{redef_sdk_16.csv}{}{% + \class & \mynums{\occ} & \idper \% +}% +\bottomrule +\end{tabular} +\end{table} +\catcode`\$=3% reactivate $ sign // WORKAROUND +*/ + +_Hidden shadowing_ +For applications redefining hidden classes, on average, 16.1 classes are redefined (cf bottom part of @tab:cl-shadow). +The top 3 packages whose code actually differs from the ones found in Android are `java.util.stream`, `org.ccil.cowan.tagsoup` and `org.json`: + +- stream: when looking in more detail, we found that `java.util.stream` was only redefined by 6 applications, but the large number of classes redefined artificially puts the package at the top of the list. // It is explained by the fact that developers have included this library containing a lot of classes colliding with Android. +- tagsoup: `TagSoup` is a library for parsing HTML. // Developers do not know that it is part of Android as hidden classes. +- json: there is only one hidden class in `org.json`, redefined by #num(821) applications: `JSONObject$1`. + `org.json` is a package in Android SDK, not a hidden one. + However, `JSONObject$1` is an anonymous class not provided by `android.jar` because its class `JSONObject` is an empty stub, and thus, does not use `JSONObject$1`. + Thus, this class falls in the category of hidden #platc. + +All these hidden shadow classes are libraries included by the developers who probably did not know that they were already embedded in Android. + +=== Shadowing in malware applications + +#figure( + ```java + public class Reflection { + private static final int ERROR_SET_APPLICATION_FAILED = -20; + private static final String TAG = "Reflection"; + // ... + + static { + try { + Method declaredMethod = Class.class.getDeclaredMethod("forName", String.class); + Method declaredMethod2 = Class.class.getDeclaredMethod("getDeclaredMethod", String.class, Class[].class); + Class cls = (Class) declaredMethod.invoke(null, "dalvik.system.VMRuntime"); + Method method = (Method) declaredMethod2.invoke(cls, "getRuntime", null); + setHiddenApiExemptions = (Method) declaredMethod2.invoke(cls, "setHiddenApiExemptions", new Class[]{String[].class}); + sVmRuntime = method.invoke(null, new Object[0]); + } catch (Throwable th) { Log.e(TAG, "reflect bootstrap failed:", th); } + System.loadLibrary("free-reflection"); + // ... + } + // ... + } + ```, + caption: [Implementation of Reflection found un classes11.dex (shadows @lst:cl-refl1)], +) + +#figure( + ```java + public class Reflection { + private static final String DEX = "ZGV4CjAzNQCl4EprGS2pXI/v3OwlBrlfRnX5rmkKVdN0CwAAcA ... AoAAA=="; + private static final String TAG = "Reflection"; + + private static native int unsealNative(int i); + + public static int unseal(Context context) { + return (Build.VERSION.SDK_INT < 28 || BootstrapClass.exemptAll() || unsealByDexFile(context)) ? 0 : -1; + } + + private static boolean unsealByDexFile(Context context) { + // Decode DEX from base64 and load it as bytecode. + // ... + } + // ... + } + ```, + caption: [Implementation of Reflection executed by ART (shadowed by @lst:cl-refl2], +) + +The last column of @tab:cl-shadow shows the proportion of applications considered as malware because we arbitrarily fixed a threshold of 3 positive detections from VirusTotal reports. +For the whole dataset, we have 0.53% of applications considered as malware. +We can see that an application that uses self-shadowing is 10 times more likely to be a malware, when the proportion of malware among application shadowing #platc is the same as in the rest of the dataset. +Thus, we manually reversed self-shadowing malware, and found that the self-shadowing does not look to be voluntary. +The colliding classes are often the same implementation, occasionally with minor differences, like different versions of a library. +Additionally, we noticed multiple times internal classes from `com.google.android.gms.ads` colliding with each other, but we believe that it is due to bad processing during the compilation of the application. + +// Nom de l'app: ShareCRM, mais ca a l'air d'exister sur le store donc on va eviter un process et pas la nommer +// https://play.google.com/store/apps/details?id=com.facishare.fsplay&hl=en + +The most notable case we found was an application that still exists on the Google Play Store with the same package name#footnote[SHA256: `C46A65EA1A797119CCC03C579B61C94FE8161308A3B6A8F55718D6ADAD112546`]. This application contains a self-shadow class `me.weishu.reflection.Reflection` that can be found in github, in the repository `tiann/FreeReflection`#footnote[https://github.com/tiann/FreeReflection]. This class is used to disable Android restrictions on hidden API. +At first glance, we believed the shadowing to be done voluntarily for obfuscation purposes. + The shadow class that would be seen by a reverser is given in @lst:cl-refl2: it contains some Java bytecode performing reflection and loading a native library named "free-reflection" (the associated `.so` is missing). + The shadowed class that is really executed is summarized in @lst:cl-refl1. + It contains a more obfuscated code: a `DEX` field storing base64 encoded DEX bytecode that is later used to load some new code. + When looking at this new code stored in the field, we found that it does almost the same thing as the code in the shadow class. + Thus, we believe that the developer has upgraded their obfuscation techniques, replacing a native library by inline base64 encoded bytecode. + The shadow attack could be unintentional, but it strengthens the masking of the new implementation. + + +As a conclusion, we observed that: +- SDK shadowing is performed by #shadowsdk of applications but are unintentional: these classes are embedded for retro-compatibility purpose or because the developer added a library already present in Android; +- Hidden shadowing rarely occurs and is mainly due to the usage of libraries that Android already contains; +- Malware perform more self-shadowing than goodware applications, and we found a sample where self-shadowing would clearly mislead the reverser. + diff --git a/4_class_loader/5_ttv.typ b/4_class_loader/5_ttv.typ new file mode 100644 index 0000000..eb4c6fe --- /dev/null +++ b/4_class_loader/5_ttv.typ @@ -0,0 +1,13 @@ +== Threat to validity + +During the analysis of the ART internals, we made the hypothesis that its different operating modes are equivalent: we analyzed the loading process for classes stored as non-optimized `.dex` format, and not for the pre-compiled `.oat`. +It is a reasonable hypothesis to suppose that the two implementations have been produced from the same algorithm using two compilation workflows. +Similarly, we assumed that the platform classes stored in `boot.art` are the same as the ones in `BOOTCLASSPATH`. +We confirm empirically our hypothesis on an Android Emulator, but we may have missed some edge cases. + +The comparison of Smali code can lead to underestimated values, for example, if the compilation process performs minor modifications such as instruction reordering. +The ratios reported in this study for the comparison of code are thus a lower bound and would be higher with a more precise comparison. +In addition, platform classes are stored differently in older versions of Android and could not be easily retrieved. +For this reason, we did not compared the classes found in applications to their versions older than SDK 32 to avoid producing unreliable statistics for those versions. + + diff --git a/4_class_loader/6_conclusion.typ b/4_class_loader/6_conclusion.typ new file mode 100644 index 0000000..363eb87 --- /dev/null +++ b/4_class_loader/6_conclusion.typ @@ -0,0 +1,16 @@ +#import "X_var.typ": * + +== Conclusion + +This paper has presented three shadow attacks that allow malware developers to fool static analysis tools when reversing an Android application. +By including multiple classes with the same name or by using the same name as a class of the #Asdk, the developer can mislead a reverser or impact the result of a flow analysis, such as the ones of Androguard or Flowdroid. + +We explored if such shadow attacks are present in as dataset of #nbapk applications . +We found that on average, #shadowsdk of applications are shadowing the SDK, mainly for retro-compatibility purposes and library embedding. +More suspiciously, #shadowhidden of applications are shadowing a hidden class, which could lead to unexpected execution as these classes can appear/disappear with the evolution of Android internals. +Investigations for applications that defined classes multiple times suggest that the compilation process or the inclusion of different versions of the same library is the main explanation. +Finally, when investigating malware samples, we found a specific sample containing a shadow attack that would hide a part of the critical code from a reverser studying the application. + +Future work concerns the correctness of bytecode analysis. +For now, we rely on the Smali representation of the bytecode but the compilation process makes this comparison difficult. +We intend to better parse the bytecode to summarize it and be able to have a more reliable comparison method. diff --git a/4_class_loader/X_var.typ b/4_class_loader/X_var.typ index 66d7f33..b825056 100644 --- a/4_class_loader/X_var.typ +++ b/4_class_loader/X_var.typ @@ -15,4 +15,29 @@ #let ok = sym.circle.filled #let warn = sym.circle.stroked.small +#let scan_50k = csv( + "data/results_50k.csv", + delimiter: ",", + row-type: dictionary, +) +#let scan_only_shadow = csv( + "data/results_only.csv", + delimiter: ",", + row-type: dictionary, +) +#let redef_sdk_7minus = csv( + "data/redef_sdk_7minus.csv", + delimiter: ",", + row-type: dictionary, +) +#let redef_sdk_8 = csv( + "data/redef_sdk_8.csv", + delimiter: ",", + row-type: dictionary, +) +#let redef_sdk_16 = csv( + "data/redef_sdk_16.csv", + delimiter: ",", + row-type: dictionary, +) diff --git a/4_class_loader/data/redef_sdk_16.csv b/4_class_loader/data/redef_sdk_16.csv new file mode 100644 index 0000000..470d177 --- /dev/null +++ b/4_class_loader/data/redef_sdk_16.csv @@ -0,0 +1,11 @@ +class,occ,id,idper +Landroid/annotation/SuppressLint;,2634,2594,98.48 +Landroid/annotation/TargetApi;,2634,2594,98.48 +Landroid/media/MediaCodec$CryptoException;,11,2,18.18 +Landroid/media/MediaCryptoException;,10,2,20.0 +Landroid/view/accessibility/AccessibilityNodeProvider;,9,0,0.0 +Landroid/view/ActionProvider$VisibilityListener;,8,1,12.5 +Landroid/app/Notification$BigTextStyle;,7,0,0.0 +Landroid/app/Notification$Style;,7,0,0.0 +Landroid/util/LongSparseArray;,7,0,0.0 +Landroid/media/MediaPlayer$TrackInfo;,7,0,0.0 diff --git a/4_class_loader/data/redef_sdk_7minus.csv b/4_class_loader/data/redef_sdk_7minus.csv new file mode 100644 index 0000000..cd8e28c --- /dev/null +++ b/4_class_loader/data/redef_sdk_7minus.csv @@ -0,0 +1,11 @@ +class,occ,id,idper +Lorg/apache/http/params/HttpParams;,1318,1292,98.03 +Lorg/apache/http/params/HttpConnectionParams;,1202,60,4.99 +Lorg/apache/http/conn/ConnectTimeoutException;,1200,420,35.0 +Lorg/apache/http/params/CoreConnectionPNames;,1190,1189,99.92 +Lorg/xmlpull/v1/XmlPullParser;,1111,584,52.57 +Lorg/apache/http/conn/scheme/SocketFactory;,1074,940,87.52 +Lorg/apache/http/conn/scheme/HostNameResolver;,1072,939,87.59 +Lorg/apache/http/conn/scheme/LayeredSocketFactory;,963,861,89.41 +Lorg/json/JSONException;,945,0,0.0 +Lorg/apache/http/conn/ssl/X509HostnameVerifier;,886,7,0.79 diff --git a/4_class_loader/data/redef_sdk_8.csv b/4_class_loader/data/redef_sdk_8.csv new file mode 100644 index 0000000..a4e1f3d --- /dev/null +++ b/4_class_loader/data/redef_sdk_8.csv @@ -0,0 +1,11 @@ +class,occ,id,idper +Ljavax/xml/namespace/QName;,297,0,0.0 +Ljavax/xml/namespace/NamespaceContext;,226,222,98.23 +Landroid/net/http/SslError;,221,70,31.67 +Lorg/w3c/dom/UserDataHandler;,82,76,92.68 +Ljavax/xml/transform/TransformerConfigurationException;,73,51,69.86 +Ljavax/xml/transform/TransformerException;,73,0,0.0 +Lorg/w3c/dom/ls/LSException;,61,39,63.93 +Lorg/w3c/dom/TypeInfo;,54,48,88.89 +Lorg/w3c/dom/DOMConfiguration;,54,25,46.3 +Ljavax/xml/transform/TransformerFactoryConfigurationError;,52,0,0.0 diff --git a/4_class_loader/data/results_50k.csv b/4_class_loader/data/results_50k.csv new file mode 100644 index 0000000..8aa2949 --- /dev/null +++ b/4_class_loader/data/results_50k.csv @@ -0,0 +1,5 @@ +method,nbapp,avgshadow,median,id,avgtargetsdk,avgminsdk,ratioapp,ratiomal +Self,49975,2.1,0,74.8,32.1,21.7,100.0,0.53 +Sdk,49975,6.5,0,8.04,32.1,21.7,100.0,0.53 +Hidden,49975,0.5,0,17.42,32.1,21.7,100.0,0.53 +Total,49975,9.0,0,23.76,32.1,21.7,100.0,0.53 diff --git a/4_class_loader/data/results_only.csv b/4_class_loader/data/results_only.csv new file mode 100644 index 0000000..e675a69 --- /dev/null +++ b/4_class_loader/data/results_only.csv @@ -0,0 +1,5 @@ +method,nbapp,avgshadow,median,id,avgtargetsdk,avgminsdk,ratioapp,ratiomal +Self,234,438.1,18,74.8,31.4,22.4,0.47,5.98 +Sdk,11755,27.6,5,8.04,32.4,22.0,23.52,0.38 +Hidden,1556,16.1,1,17.42,32.1,22.2,3.11,0.71 +Total,12301,36.7,6,23.76,32.4,22.0,24.61,0.42 diff --git a/4_class_loader/figs/redef_sdk_relative_min_sdk.svg b/4_class_loader/figs/redef_sdk_relative_min_sdk.svg new file mode 100644 index 0000000..f3d32dd --- /dev/null +++ b/4_class_loader/figs/redef_sdk_relative_min_sdk.svg @@ -0,0 +1,1281 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/4_class_loader/main.typ b/4_class_loader/main.typ index 34c522d..fc656d5 100644 --- a/4_class_loader/main.typ +++ b/4_class_loader/main.typ @@ -6,3 +6,6 @@ #include("1_related_work.typ") #include("2_classloading.typ") #include("3_obfuscation.typ") +#include("4_in_the_wild.typ") +#include("5_ttv.typ") +#include("6_conclusion.typ")