diff --git a/5_theseus/4_results.typ b/5_theseus/4_results.typ index 4286bb3..62ce5e2 100644 --- a/5_theseus/4_results.typ +++ b/5_theseus/4_results.typ @@ -141,17 +141,21 @@ We run the tools on the #APK before and after patching, and compared the finishi let nb_col = 3 table( columns: (2fr, 2fr, 1fr), + align: center+horizon, + stroke: none, table.header( //[SHA 256], [Original CG edges], [New CG edges], [Edges added], [Reflection edges added], [SHA 256], [CG Edges added], [Reflection edges added], ), + table.hline(), ..compared_callgraph.map( //(e) => ([#lower(e.sha256).slice(0, 10)...], num(e.edges_before), num(e.edges_after), num(e.added), num(e.added_ref_only)) (e) => ([#lower(e.sha256).slice(0, 10)...], [#num(e.added) #h(.5em) #text(fill: luma(75))[(#num(e.edges_after) - #num(e.edges_before))]], num(e.added_ref_only)) ).flatten(), - [#lower("5D2CD1D10ABE9B1E8D93C4C339A6B4E3D75895DE1FC49E248248B5F0B05EF1CE").slice(0, 10)...], table.cell(colspan: nb_col - 1)[Instrumentation Crached] + [#lower("5D2CD1D10ABE9B1E8D93C4C339A6B4E3D75895DE1FC49E248248B5F0B05EF1CE").slice(0, 10)...], table.cell(colspan: nb_col - 1)[_Instrumentation Crached_], + table.hline(), )}, - caption: [] + caption: [Edges added to the call graphes computed by Androguard by instrumenting the applications] ) === Example diff --git a/5_theseus/figs/patched_main_main.dot b/5_theseus/figs/patched_main_main.dot index a4bef73..3fd96ea 100644 --- a/5_theseus/figs/patched_main_main.dot +++ b/5_theseus/figs/patched_main_main.dot @@ -10,7 +10,6 @@ strict digraph "" { # entrypoint=False, # external=True, # methodname=""]; - #"MainActivity->()V" -> "Activity->()V"; #"MainActivity->onCreate(Bundle)V" [accessflags=protected, # classname="MainActivity", # descriptor="(Bundle)V", 
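Review bot: Two spelling errors on the new side of the `4_results.typ` hunk will show up in the rendered table: `call graphes` in the caption should be `call graphs`, and `_Instrumentation Crached_` should be `_Instrumentation Crashed_`. The crash row also hard-codes one SHA-256 after the `compared_callgraph.map(...)` rows, so it goes stale if the dataset changes; consider carrying a failure flag in `compared_callgraph` and rendering that row from the data. The table shows only `.slice(0, 10)` of each hash, so unless the full SHA-256 values are listed elsewhere in the document, a reader cannot look up or re-verify the samples from this table alone. The enclosing figure starts outside the hunk.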
@@ -23,78 +22,32 @@ strict digraph "" { entrypoint=False, external=False, methodname=main]; - #"MainActivity->onCreate(Bundle)V" -> "Main->main()V"; #"Activity->onCreate(Bundle)V" [classname="Activity", # descriptor="(Bundle)V", # entrypoint=False, # external=True, # methodname=onCreate]; - #"MainActivity->onCreate(Bundle)V" -> "Activity->onCreate(Bundle)V"; #"Main->(Activity)V" [accessflags="public constructor", # classname="Main", # descriptor="(Activity)V", # entrypoint=False, # external=False, # methodname=""]; - #"MainActivity->onCreate(Bundle)V" -> #"Main->(Activity)V"; #"Log->i(String String Throwable)I" [classname="Log", # descriptor="(String String Throwable)I", # entrypoint=False, # external=True, # methodname=i]; - #"MainActivity->onCreate(Bundle)V" -> "Log->i(String String Throwable)I"; - "Main->decrypt(String)String" [accessflags=public, - classname="Main", - descriptor="(String)String", - entrypoint=False, - external=False, - methodname=decrypt]; - "Main->main()V" -> "Main->decrypt(String)String"; - "ClassLoader->loadClass(String)Class" [classname="ClassLoader", - descriptor="(String)Class", - entrypoint=False, - external=True, - methodname=loadClass]; - "Main->main()V" -> "ClassLoader->loadClass(String)Class"; - "Malicious->get_data(String Activity)String" [accessflags="public static", - classname="Malicious", - descriptor="(String Activity)String", - entrypoint=False, - external=False, - methodname=get_data, - style=filled, - fillcolor=salmon]; - "Main->main()V" -> "Malicious->get_data(String Activity)String"; "Method->invoke(Object [Object)Object" [classname="Method", descriptor="(Object [Object)Object", entrypoint=False, external=True, methodname=invoke]; - "Main->main()V" -> "Method->invoke(Object [Object)Object"; - "Malicious->send_data(String Activity)String" [accessflags="public static", - classname="Malicious", - descriptor="(String Activity)String", - entrypoint=False, - external=False, - methodname=send_data, - style=filled, - 
fillcolor=salmon]; - "Main->main()V" -> "Malicious->send_data(String Activity)String"; - "T->check_is_Malicious_get_data(Method)Z" [accessflags="public static final", - classname="T", - descriptor="(Method)Z", - entrypoint=False, - external=False, - methodname=check_is_Malicious_get_data, - style=filled, - fillcolor=lightgrey]; - "Main->main()V" -> "T->check_is_Malicious_get_data(Method)Z"; - "Class->getMethod(String [Class)Method" [classname="Class", - descriptor="(String [Class)Method", + "ClassLoader->loadClass(String)Class" [classname="ClassLoader", + descriptor="(String)Class", entrypoint=False, external=True, - methodname=getMethod]; - "Main->main()V" -> "Class->getMethod(String [Class)Method"; + methodname=loadClass]; "T->check_is_Malicious_send_data(Method)Z" [accessflags="public static final", classname="T", descriptor="(Method)Z", 
@@ -103,56 +56,82 @@ strict digraph "" { methodname=check_is_Malicious_send_data, style=filled, fillcolor=lightgrey]; - "Main->main()V" -> "T->check_is_Malicious_send_data(Method)Z"; + "T->check_is_Malicious_get_data(Method)Z" [accessflags="public static final", + classname="T", + descriptor="(Method)Z", + entrypoint=False, + external=False, + methodname=check_is_Malicious_get_data, + style=filled, + fillcolor=lightgrey]; + "Class->getMethod(String [Class)Method" [classname="Class", + descriptor="(String [Class)Method", + entrypoint=False, + external=True, + methodname=getMethod]; + "Main->decrypt(String)String" [accessflags=public, + classname="Main", + descriptor="(String)String", + entrypoint=False, + external=False, + methodname=decrypt]; + "Malicious->send_data(String Activity)String" [accessflags="public static", + classname="Malicious", + descriptor="(String Activity)String", + entrypoint=False, + external=False, + methodname=send_data, + style=filled, + fillcolor=salmon]; + "Malicious->get_data(String Activity)String" [accessflags="public static", + classname="Malicious", + descriptor="(String Activity)String", + entrypoint=False, + external=False, + methodname=get_data, + style=filled, + fillcolor=salmon]; #"Object->()V" [classname="Object", # descriptor="()V", # entrypoint=False, # external=True, # methodname=""]; - #"Main->(Activity)V" -> "Object->()V"; #"ByteBuffer->wrap([B)ByteBuffer" [classname="ByteBuffer", # descriptor="([B)ByteBuffer", # entrypoint=False, # external=True, # methodname=wrap]; - #"Main->(Activity)V" -> "ByteBuffer->wrap([B)ByteBuffer"; #"Class->getClassLoader()ClassLoader" [classname="Class", # descriptor="()ClassLoader", # entrypoint=False, # external=True, # methodname=getClassLoader]; - #"Main->(Activity)V" -> "Class->getClassLoader()ClassLoader"; #"SecretKeySpec->([B String)V" [classname="SecretKeySpec", # descriptor="([B String)V", # entrypoint=False, # external=True, # methodname=""]; - #"Main->(Activity)V" -> 
"SecretKeySpec->([B String)V"; "Base64->decode(String I)[B" [classname="Base64", descriptor="(String I)[B", entrypoint=False, external=True, methodname=decode]; - #"Main->(Activity)V" -> "Base64->decode(String I)[B"; #"InMemoryDexClassLoader->(ByteBuffer ClassLoader)V" [classname="InMemoryDexClassLoader", # descriptor="(ByteBuffer ClassLoader)V", # entrypoint=False, # external=True, # methodname=""]; - #"Main->(Activity)V" -> "InMemoryDexClassLoader->(ByteBuffer ClassLoader)V"; #"String->getBytes()[B" [classname="String", # descriptor="()[B", # entrypoint=False, # external=True, # methodname=getBytes]; - #"Main->(Activity)V" -> "String->getBytes()[B"; #"Utils->()V" [accessflags="public constructor", # classname="Utils", # descriptor="()V", # entrypoint=False, # external=False, # methodname=""]; - #"Utils->()V" -> "Object->()V"; #"Utils->popup(Activity String String)V" [accessflags="public static", # classname="Utils", # descriptor="(Activity String String)V", 
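Review bot: The node declarations re-added in this hunk rely on fill colour alone to carry meaning, and nothing in the file says what the colours stand for: `fillcolor=salmon` on the two `Malicious->…` nodes and `fillcolor=lightgrey` on the two `T->check_is_Malicious_…` nodes. Presumably salmon marks the methods reached only through reflection and lightgrey marks the check methods added by the instrumentation, but that is inferred from the names. A header comment at the top of the digraph, along the lines of `# salmon: reflectively invoked target methods; lightgrey: helper methods added by the patch` (wording to be confirmed by the author), would let the figure be read without the thesis text.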
@@ -164,38 +143,32 @@ strict digraph "" { # entrypoint=False, # external=True, # methodname=setMessage]; - #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->setMessage(CharSequence)AlertDialog$Builder"; #"AlertDialog$Builder->setTitle(CharSequence)AlertDialog$Builder" [classname="AlertDialog$Builder", # descriptor="(CharSequence)AlertDialog$Builder", # entrypoint=False, # external=True, # methodname=setTitle]; - #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->setTitle(CharSequence)AlertDialog$Builder"; #"AlertDialog$Builder->create()AlertDialog;" [classname="AlertDialog$Builder", # descriptor="()AlertDialog;", # entrypoint=False, # external=True, # methodname=create]; - #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->create()AlertDialog;"; #"AlertDialog$Builder->(Landroid/content/Context;)V" [classname="AlertDialog$Builder", # descriptor="(Landroid/content/Context;)V", # entrypoint=False, # external=True, # methodname=""]; - #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->(Landroid/content/Context;)V"; #"AlertDialog;->show()V" [classname="AlertDialog;", # descriptor="()V", # entrypoint=False, # external=True, # methodname=show]; - #"Utils->popup(Activity String String)V" -> "AlertDialog;->show()V"; "Utils->sink(Activity String)V" [accessflags="public static", classname="Utils", descriptor="(Activity String)V", entrypoint=False, external=False, methodname=sink]; - #"Utils->sink(Activity String)V" -> "Utils->popup(Activity String String)V"; "Utils->source(String)String" [accessflags="public static", classname="Utils", descriptor="(String)String", 
@@ -207,97 +180,135 @@ strict digraph "" { # entrypoint=False, # external=True, # methodname=append]; - #"Utils->source(String)String" -> "StringBuilder->append(String)StringBuilder"; #"StringBuilder->()V" [classname="StringBuilder", # descriptor="()V", # entrypoint=False, # external=True, # methodname=""]; - #"Utils->source(String)String" -> "StringBuilder->()V"; #"StringBuilder->toString()String" [classname="StringBuilder", # descriptor="()String", # entrypoint=False, # external=True, # methodname=toString]; - #"Utils->source(String)String" -> "StringBuilder->toString()String"; - "Main->decrypt(String)String" -> "Base64->decode(String I)[B"; "String->([B)V" [classname="String", descriptor="([B)V", entrypoint=False, external=True, methodname=""]; - "Main->decrypt(String)String" -> "String->([B)V"; "Cipher->doFinal([B)[B" [classname="Cipher", descriptor="([B)[B", entrypoint=False, external=True, methodname=doFinal]; - "Main->decrypt(String)String" -> "Cipher->doFinal([B)[B"; "Cipher->init(I Key)V" [classname="Cipher", descriptor="(I Key)V", entrypoint=False, external=True, methodname=init]; - "Main->decrypt(String)String" -> "Cipher->init(I Key)V"; "Cipher->getInstance(String)Cipher" [classname="Cipher", descriptor="(String)Cipher", entrypoint=False, external=True, methodname=getInstance]; - "Main->decrypt(String)String" -> "Cipher->getInstance(String)Cipher"; #"Main->encrypt(String)String" [accessflags=public, # classname="Main", # descriptor="(String)String", # entrypoint=False, # external=False, # methodname=encrypt]; - #"Main->encrypt(String)String" -> "String->getBytes()[B"; - #"Main->encrypt(String)String" -> "Cipher->doFinal([B)[B"; - #"Main->encrypt(String)String" -> "Cipher->init(I Key)V"; - #"Main->encrypt(String)String" -> "Cipher->getInstance(String)Cipher"; #"Base64->encodeToString([B I)String" [classname="Base64", # descriptor="([B I)String", # entrypoint=False, # external=True, # methodname=encodeToString]; - #"Main->encrypt(String)String" -> 
"Base64->encodeToString([B I)String"; - "Malicious->get_data(String Activity)String" -> "Utils->source(String)String"; - "Malicious->send_data(String Activity)String" -> "Utils->sink(Activity String)V"; #"Class->descriptorString()String" [classname="Class", # descriptor="()String", # entrypoint=False, # external=True, # methodname=descriptorString]; - #"T->check_is_Malicious_get_data(Method)Z" -> "Class->descriptorString()String"; #"Method->getName()String" [classname="Method", # descriptor="()String", # entrypoint=False, # external=True, # methodname=getName]; - #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getName()String"; #"String->equals(Object)Z" [classname="String", # descriptor="(Object)Z", # entrypoint=False, # external=True, # methodname=equals]; - #"T->check_is_Malicious_get_data(Method)Z" -> "String->equals(Object)Z"; #"Method->getDeclaringClass()Class" [classname="Method", # descriptor="()Class", # entrypoint=False, # external=True, # methodname=getDeclaringClass]; - #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getDeclaringClass()Class"; #"Method->getParameterTypes()[Class" [classname="Method", # descriptor="()[Class", # entrypoint=False, # external=True, # methodname=getParameterTypes]; - #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getParameterTypes()[Class"; #"Method->getReturnType()Class" [classname="Method", # descriptor="()Class", # entrypoint=False, # external=True, # methodname=getReturnType]; + #"Malicious->()V" [accessflags="public constructor", + # classname="Malicious", + # descriptor="()V", + # entrypoint=False, + # external=False, + # methodname=""]; + + {rank = same; "Main->main()V"} + {rank = same; "ClassLoader->loadClass(String)Class"; "Class->getMethod(String [Class)Method"; "Method->invoke(Object [Object)Object"; "Malicious->get_data(String Activity)String"} + {rank = same; "Main->decrypt(String)String"; "T->check_is_Malicious_get_data(Method)Z"; "T->check_is_Malicious_send_data(Method)Z"; 
"Utils->source(String)String"; "Utils->sink(Activity String)V"} + + #"MainActivity->()V" -> "Activity->()V"; + #"MainActivity->onCreate(Bundle)V" -> "Main->main()V"; + #"MainActivity->onCreate(Bundle)V" -> "Activity->onCreate(Bundle)V"; + #"MainActivity->onCreate(Bundle)V" -> "Main->(Activity)V"; + #"MainActivity->onCreate(Bundle)V" -> "Log->i(String String Throwable)I"; + "Main->main()V" -> "Main->decrypt(String)String"; + "Main->main()V" -> "ClassLoader->loadClass(String)Class"; + "Main->main()V" -> "Malicious->get_data(String Activity)String"; + "Main->main()V" -> "Method->invoke(Object [Object)Object"; + "Main->main()V" -> "Malicious->send_data(String Activity)String"; + "Main->main()V" -> "T->check_is_Malicious_get_data(Method)Z"; + "Main->main()V" -> "Class->getMethod(String [Class)Method"; + "Main->main()V" -> "T->check_is_Malicious_send_data(Method)Z"; + #"Main->(Activity)V" -> "Object->()V"; + #"Main->(Activity)V" -> "ByteBuffer->wrap([B)ByteBuffer"; + #"Main->(Activity)V" -> "Class->getClassLoader()ClassLoader"; + #"Main->(Activity)V" -> "SecretKeySpec->([B String)V"; + #"Main->(Activity)V" -> "Base64->decode(String I)[B"; + #"Main->(Activity)V" -> "InMemoryDexClassLoader->(ByteBuffer ClassLoader)V"; + #"Main->(Activity)V" -> "String->getBytes()[B"; + #"Utils->()V" -> "Object->()V"; + #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->setMessage(CharSequence)AlertDialog$Builder"; + #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->setTitle(CharSequence)AlertDialog$Builder"; + #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->create()AlertDialog;"; + #"Utils->popup(Activity String String)V" -> "AlertDialog$Builder->(Landroid/content/Context;)V"; + #"Utils->popup(Activity String String)V" -> "AlertDialog;->show()V"; + #"Utils->sink(Activity String)V" -> "Utils->popup(Activity String String)V"; + #"Utils->source(String)String" -> "StringBuilder->append(String)StringBuilder"; + #"Utils->source(String)String" -> 
"StringBuilder->()V"; + #"Utils->source(String)String" -> "StringBuilder->toString()String"; + "Main->decrypt(String)String" -> "Base64->decode(String I)[B"; + "Main->decrypt(String)String" -> "String->([B)V"; + "Main->decrypt(String)String" -> "Cipher->doFinal([B)[B"; + "Main->decrypt(String)String" -> "Cipher->init(I Key)V"; + "Main->decrypt(String)String" -> "Cipher->getInstance(String)Cipher"; + #"Main->encrypt(String)String" -> "String->getBytes()[B"; + #"Main->encrypt(String)String" -> "Cipher->doFinal([B)[B"; + #"Main->encrypt(String)String" -> "Cipher->init(I Key)V"; + #"Main->encrypt(String)String" -> "Cipher->getInstance(String)Cipher"; + #"Main->encrypt(String)String" -> "Base64->encodeToString([B I)String"; + "Malicious->get_data(String Activity)String" -> "Utils->source(String)String"; + "Malicious->send_data(String Activity)String" -> "Utils->sink(Activity String)V"; + #"T->check_is_Malicious_get_data(Method)Z" -> "Class->descriptorString()String"; + #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getName()String"; + #"T->check_is_Malicious_get_data(Method)Z" -> "String->equals(Object)Z"; + #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getDeclaringClass()Class"; + #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getParameterTypes()[Class"; #"T->check_is_Malicious_get_data(Method)Z" -> "Method->getReturnType()Class"; #"T->check_is_Malicious_send_data(Method)Z" -> "Class->descriptorString()String"; #"T->check_is_Malicious_send_data(Method)Z" -> "Method->getName()String"; 
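Review bot: The three `{rank = same; …}` groups added ahead of the edge list are unexplained and uneven. The first holds only `"Main->main()V"`, which constrains nothing, and the second pins `"Malicious->get_data(String Activity)String"` but not its sibling `"Malicious->send_data(String Activity)String"`. If both malicious methods are meant to sit on the same row, add `send_data` to the second group; otherwise a one-line comment above the groups, such as `# layout: reflection API calls and the resolved target on one row`, would record the intent. The commented-out `#` edges are moved along with the live ones, and a short comment saying they are hidden on purpose for the figure would stop a later editor from re-enabling or deleting them by mistake.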
@@ -305,11 +316,5 @@ strict digraph "" { #"T->check_is_Malicious_send_data(Method)Z" -> "Method->getDeclaringClass()Class"; #"T->check_is_Malicious_send_data(Method)Z" -> "Method->getParameterTypes()[Class"; #"T->check_is_Malicious_send_data(Method)Z" -> "Method->getReturnType()Class"; - #"Malicious->()V" [accessflags="public constructor", - # classname="Malicious", - # descriptor="()V", - # entrypoint=False, - # external=False, - # methodname=""]; #"Malicious->()V" -> "Object->()V"; }