these-android-re/rasta
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
rasta/README.md
Jean-Marie Mineau cd1e91bb99
first commit
2023-11-16 14:30:24 +01:00

243 lines
8.6 KiB
Markdown
Raw Blame History

# RASTA
Reproducibility of the Rasta experiment.
## Data
Some data are needed to reproduce the experiment (at the very least, the androzoo indexes we used to sample our dataset). Those data are too heavy to be stored in a git, so they need to be download from zenodo to the root of this repository:
```
curl https://zenodo.org/records/10137905/files/rasta_data_v1.0.tgz?download=1 | tar -xz
```
## Dependencies
To run the Rasta experiment, some tools are required:
- Docker (e.g. version 24.0.6),
- Singularity (e.g version 3.11.1)
- a modern version of Python (e.g. Python 3.10 or 3.11).
- gzip
- sqlite3
One way to install those tools is to use Nixpkgs (`nix-shell -p docker singularity python310 python310Packages.numpy python310Packages.matplotlib sqlite3`), another way is to follow the instructions of the different tools (<https://docs.sylabs.io/guides/3.11/user-guide/>, <https://docs.docker.com/>).
They are also some python dependencies that need to be installed in a virtual env:
```
python3 -m venv venv
source venv/bin/activate
pip install rasta_data_manipulation/
pip install -r rasta_exp/requirements.txt
```
From now end, all commands are run from inside the venv.
## Dataset
The datasets we used (Drebin and Rasta, split in 10 balanced sets) are in `data/dataset`.
To reproduce the generation of the dataset, `latest.csv.gz` and `year_and_sdk.csv.gz` are required: `rasta-gen-dataset data/androzoo/latest.csv.gz data/androzoo/year_and_sdk.csv.gz -o data/dataset` (this will no generate the drebin dataset)
## Container Images
The containers are stored in `data/imgs`. They can be regenerated with
```
cd rasta_exp
./build_docker_images.sh ../data/imgs
cd ..
```
(The container images will be released with the final release)
The container and binary of Perfchecker is not provided as this tool is only available on demand.
## Experiment
The results of the experiment are stored in `data/results/archives/`. They can be extracted with:
```
mkdir -p data/results/reports/rasta
mkdir -p data/results/reports/drebin
for archive in $(ls data/results/archives/status_set*.tgz); do tar -xzf ${archive} --directory data/results/reports/rasta; done
tar -xzf data/results/archives/status_drebin.tgz --directory data/results/reports/drebin
```
They can also be regenerated by running the experiment.
To run the experiment local, first you must set the `settings.ini` file in `rasta_exp`. Replacing it by this is enough (don't forget to replace `<KEY>` by your AndroZoo key):
```
[AndroZoo]
apikey = <KEY>
base_url = https://androzoo.uni.lu
```
Then, you can run the experiment with:
```
./rasta_exp/run_exp_local.sh ./data/imgs ./data/dataset/drebin ./data/results/reports/drebin/status_drebin
for i in {0..9}; do
./rasta_exp/run_exp_local.sh ./data/imgs "./data/dataset/set${i}" "./data/results/reports/rasta/status_set${i}"
done;
```
(This takes a lot of times)
## Database
The reports are parsed into databases to help analyzing them. The database can be extracted from their dumps or generated from the reports and dataset.
To extract the dumps:
```
zcat data/results/drebin.sql.gz | sqlite3 data/results/drebin.db
zcat data/results/rasta.sql.gz | sqlite3 data/results/rasta.db
```
To generate the databases:
```
./rasta_data_manipulation/make_db.sh ./data
```
Generating the database require an androzoo API key and a lot of times because we download the apks to get there total dex size (the value indicated in latest.csv only take into account the size of `classes.dex` and not the sum of the size of all dex file when they are more than one).
## Database Usage
Most of the results used in the paper can be extracted with:
```
./rasta_data_manipulation/extract_result.sh ./data
```
They are 4 tables in the database, `apk`, `tool`, `exec` and `error`.
### Apk table
The data related to the apks of the dataset are in the `apk` table.
The entry of the `apk` table have the columns:
- `sha256`: The hash of the apk
- `first_seen_year`: The first year the apk has been seen
- `apk_size`: The total size of the apk
- `vt_detection`: The number of detections by Virus Total
- `min_sdk`: The min SDK indicated by the apk
- `max_sdk`: The max SDK indicated by the apk
- `target_sdk`: The target SDK indicated by the apk
- `apk_size_decile`: The decile of size apk the apk belong to
- `dex_date`: The date indicated in the dex file
- `pkg_name`: The name of the apk
- `vt_scan_date`: The year when the apk was provided to Virus Total
- `dex_size`: The total size of the dex files
- `added`: The year the apk was added to AndrooZoo
- `markets`: Where the apk was collected
- `dex_size_decile`: The decile of dex size the apk belong to
- `dex_size_decile_by_year`: The decile of dex size for the first_seen_year of the apk
### Tool table
The data related to the tools used by the experiment are in the `tool` table.
Its columns are:
- `tool_name`: The name of the tool
- `use_python`: If the tool uses python
- `use_java`: If the tool uses java
- `use_scala`: If the tool uses scala
- `use_ocaml`: If the tool uses ocaml
- `use_ruby`: If the tool uses ruby
- `use_prolog`: If the tool uses prolog
- `use_soot`: If the tool uses soot
- `use_androguard`: If the tool uses androguard
- `use_apktool`: If the tool uses apktool
### Exec table
The data related to the execution of an analysis are in the `exec` table.
- `sha256`: The hash of the tested apk
- `tool_name`: The name of the tested tool
- `tool_status`: The status of the analysis: FAILED, FINISHED, TIMEOUT, OTHER
- `time`: The duration of the analysis
- `exit_status`: The exit status code return by the execution
- `timeout`: If the execution timedout
- `max_rss_mem`: The memory used by the analysis
They are other values collected by `time` during the analysis:
- `avg_rss_mem`
- `page_size`
- `kernel_cpu_time`
- `user_cpu_time`
- `nb_major_page_fault`
- `nb_minor_page_fault`
- `nb_fs_input`
- `nb_fs_output`
- `nb_socket_msg_received`
- `nb_socket_msg_sent`
- `nb_signal_delivered`
### Error table
The error collected during the analysis are stored in the `error` table.
All columns are not used, depending on the `error_type`.
- `tool_name`: The name of the tool that raised the error
- `sha256`: The hash of the apk analyzed when the error was raised
- `error_type`: The type of error (Log4j, Java, Python, Xsb, Ocaml, Log4jSimpleMsg, Ruby)
- `error`: The name of the error
- `msg`: The message of the error
- `cause`: Rough estimation of the cause of the error
- `first_line`: The line number of the first line of the error in the log
- `last_line`: The line number of the last line of the error in the log
- `logfile_name`: The file in which the error was collected (usually stdout and stderr)
- `file`: The file of the ruby script that raised the error
- `line`: The line number of the instruction that raised the error
- `function`: The function that raised the error
- `level`: The level of the log (eg FATAL, CRITICAL)
- `origin`: The origin of the error (java class referred by log4j)
- `raised_info`: 'Raised at' information (for Ocaml errors)
- `called_info`: 'Called from' information (for Ocaml errors)
### Usage
The data can be explored using SQL queries. `tool_name` and `sha256` are the usual foreign keys used for joins.
#### Exemple:
This SQL query gives the average time taken by an analysis made by tool using soot, associated with the average size of bytecode of the applications analysed, grouped by deciles of this size on the whole dataset:
```
$ sqlite3 data/results/rasta.db
sqlite> SELECT AVG(dex_size), AVG(time)
FROM exec
INNER JOIN apk ON exec.sha256=apk.sha256
INNER JOIN tool ON exec.tool_name=exec.tool_name
WHERE tool.use_soot = TRUE AND exec.tool_status = 'FAILED'
GROUP BY dex_size_decile
ORDER BY AVG(dex_size);
```
## Reusing a Specific Tool
The containers are not on docker hub yet, so they need to be built using `build_docker_images.sh`. The images are named `rasta-<tool-name>`, and the environment variables associated are in `rasta_exp/envs/<tool-name>_docker.env`.
To enter a container, run:
```
docker run --rm --env-file=rasta_exp/envs/mallodroid_docker.env -v /tmp/mnt:/mnt -it rasta-mallodroid bash
```
Here, `/tmp/mnt` is mounted to `/mnt` in the container. Put the `apk` to analyze in it.
To run the analysis, run `/run.sh <apk>` where `<apk>` is the name of the apk in `/mnt`, without the `/mnt` prefix. The artifact of the analysis are stored in `/mnt`, including the `stdout`, `stderr` and result of the `time` command.
```
root@e3c39c14e382:/# ls /mnt
E29CCE76464767F97DAE039DBA0A0AAE798DF1763AD02C6B4A45DE81762C23DA.apk
root@e3c39c14e382:/# /run.sh E29CCE76464767F97DAE039DBA0A0AAE798DF1763AD02C6B4A45DE81762C23DA.apk
root@e3c39c14e382:/# ls /mnt/
E29CCE76464767F97DAE039DBA0A0AAE798DF1763AD02C6B4A45DE81762C23DA.apk report stderr stdout
```
Reference in a new issue View git blame Copy permalink