https://github.com/dweinstein/pscout
Mirror of PScout (http://pscout.csl.toronto.edu/).
https://github.com/dweinstein/pscout
Last synced: 9 months ago
JSON representation
Mirror of PScout (http://pscout.csl.toronto.edu/).
- Host: GitHub
- URL: https://github.com/dweinstein/pscout
- Owner: dweinstein
- License: other
- Created: 2012-11-05T18:00:41.000Z (over 13 years ago)
- Default Branch: master
- Last Pushed: 2014-08-25T22:07:08.000Z (almost 12 years ago)
- Last Synced: 2025-05-03T14:40:41.440Z (about 1 year ago)
- Language: Perl
- Size: 6.37 MB
- Stars: 23
- Watchers: 4
- Forks: 12
- Open Issues: 2
-
Metadata Files:
- Readme: README
- License: COPYING
Awesome Lists containing this project
README
------------------------------------------------------------
Preparation
------------------------------------------------------------
tar -xvzf PScout.tar.gz in
source bin/setup_env
Install XML::Simple (if not installed already)
sudo perl -MCPAN -e shell
install XML::Simple
PScout directory contents:
/bin - various scripts used in the analysis
/soot - soot analysis programs of java class files
/results
- _allmappings: API calls (both documented and undocumented) to permission mapping
- _publishedapimapping: documented API calls to permission mapping
- _intentpermissions: intents with permission
- _contentproviderpermission: content provider (URI string "content://") with permission
- _contentproviderfieldpermission: content provider (URI field) with permission
------------------------------------------------------------
How to Run PScout:
------------------------------------------------------------
mkdir # create new directory under
cd
../bin/setupanalysis.sh # is the root directory of the Android source code (should be already complied with lunch full-eng)
# performs steps 1-3 described in the following "Detailed Analysis Steps Section"
testsetup # step 4 (a few seconds)
../bin/dumpclass.sh # step 5 (~half a day)
../bin/postprocess_1.sh # steps 6-11 (a few minutes)
../bin/intentpermissioncheck.sh # step 12 (~half a day)
../bin/postprocess_2.sh # step 12-16 (a few minutes)
------------------------------------------------------------
Detailed Analysis Step Descriptions
------------------------------------------------------------
1: Get the relevant class files from the android build root directory
Put all classes in a new directory under
../bin/getclasses.pl
../bin/extractjar.sh
rm -f *.jar
Create a list of class name
../bin/createclasslist.sh under
----------
2: Parse all AndroidManifest.xml files (in ANDROID_DIR) for permission information
Under run the following:
find -name AndroidManifest.xml > manifestlist
/bin/parseandroidmanifest.pl > manifestpermission
grep ^contents:// manifestpermission | grep -v grantUriPermissions | sort -u > contentproviderpermission
sed -i 's/^contents/content/' contentproviderpermission
mv contentproviderpermission
grep ^PROVIDER: manifestpermission | sort -u > providerauth
mv providerauth
grep ^Intent: manifestpermission | sort -u > intentpermission
sed -i 's/^Intent://' intentpermission
mv intentpermission
Note: At this point, unless otherwise specified, all commands in future steps should be executed under
----------
3: Generate list of permissions to be analyzed by PScout
Create list of permissions available to 3rd party applications
../bin/parsepermission.pl /frameworks/base/core/res/AndroidManifest.xml > permissions
Output files:
- permissions
----------
4: Testing setup
runsoot dump.DumpClass com.android.internal.telephony.gsm.GSMPhone under
If you see Exception in thread "main" java.lang.RuntimeException: couldn't find class: com.android.internal.telephony.gsm.GSMPhone$1 (is your soot-class-path set properly?) do the following:
../bin/compileemptyclass.pl com.android.internal.telephony.gsm.GSMPhone\$1
If setting is correct, there should be no errors.
----------
5: SOOT dump class information (this step should take ~day to finish)
../bin/dumpclass.sh
Output files:i
- classhierarchy
- rawcallgraph
- permissionstringusage
- message
- handlemessageswitch
- rpcmethod
- clearrestoreuid
- urifield
Note:
- modify the classlist file to change the list of class files to be processed (useful if computer died(?) in the middle of an analysis)
- the file 'processed' stores the list of classes examined so far
- run 'wc processed' to get an idea on the progress (# of lines = # classes processed)
----------
6: Build basic call graph
../bin/buildcallgraph.pl | sort -u > callgraph
Output files:
- callgraph
----------
7: Create message sending edges
../bin/analyzemessages.pl > sendmessagecallgraphedges
Output files
- sendmessagecallgraphedges
----------
8: AIDL RPC
../bin/createrpcedge.pl > aidlcallgraphedges
../bin/removerpcedge.pl > callgraphnorpc
----------
9: String permission checks
../bin/analyzepermissionusage.pl > pchk
../bin/formatpermissioncheck.pl
Output files:
- stringpermissioncheck
- sendreceivepermissioncheck
----------
10: Uri permission checks
../bin/analyzeurifield.pl > contentprovidercheck
Outputfiles:
- contentprovidercheck
- contentproviderfieldpermission
----------
11: SOOT Intents with "dynamic" send/receive permission
../bin/intentwithpermission.sh
../bin/analyzeintent.pl > intentwithdynamicpermission
cat intentpermission intentwithdynamicpermission > intentpermissions
Outputfiles:
- intentwithdynamicpermission
- intentpermissions
----------
12: SOOT Intent permission check (~day)
../bin/intentpermissioncheck.sh
../bin/analyzeintentcheck.pl > intentpermissioncheck
Outputfiles:
- intentpermissioncheck
----------
13: API mapping
cp /frameworks/base/api/current.xml
Note: when analyzing android 4.0, copy current.txt instead
../bin/broadcaststickycheck.pl > broadcaststickycheck
../bin/apimapping.pl > API
Output files:
- permissionreachedprovider
----------
14: New content permission requirement found from first apimapping.pl pass
../bin/analyzereachedprovider.pl > reachedcontentproviderpermission
../bin/analyzeurifield.pl > contentproviderdynamiccheck
----------
15: Second (final) API mapping
../bin/apimapping.pl > API
grep -e ^Permission -e Callers: -e ^\< API > allmappings
Output files:
- allmappings
- publishedapimapping
----------
16: Generate some basic stats
../bin/generatestats.pl > stats
Output files:
- stats