Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dweinstein/pscout

Mirror of PScout (http://pscout.csl.toronto.edu/).
https://github.com/dweinstein/pscout

Last synced: 6 months ago
JSON representation

Mirror of PScout (http://pscout.csl.toronto.edu/).

Awesome Lists containing this project

README 

        
------------------------------------------------------------

Preparation

------------------------------------------------------------

tar -xvzf PScout.tar.gz in 

source bin/setup_env



Install XML::Simple (if not installed already)

sudo perl -MCPAN -e shell

install XML::Simple



PScout directory contents:

/bin - various scripts used in the analysis

/soot - soot analysis programs of java class files



/results

- _allmappings: API calls (both documented and undocumented) to permission mapping

- _publishedapimapping: documented API calls to permission mapping

- _intentpermissions: intents with permission

- _contentproviderpermission: content provider (URI string "content://") with permission

- _contentproviderfieldpermission: content provider (URI field) with permission



------------------------------------------------------------

How to Run PScout:

------------------------------------------------------------

mkdir 		# create new directory under 

cd 

../bin/setupanalysis.sh 	#  is the root directory of the Android source code (should be already complied with lunch full-eng)

					# performs steps 1-3 described in the following "Detailed Analysis Steps Section"

testsetup				# step 4 (a few seconds)

../bin/dumpclass.sh			# step 5 (~half a day)

../bin/postprocess_1.sh 		# steps 6-11 (a few minutes)

../bin/intentpermissioncheck.sh		# step 12 (~half a day)

../bin/postprocess_2.sh			# step 12-16 (a few minutes)



------------------------------------------------------------

Detailed Analysis Step Descriptions

------------------------------------------------------------

1: Get the relevant class files from the android build  root directory



Put all classes in a new directory  under 

../bin/getclasses.pl 

../bin/extractjar.sh

rm -f *.jar



Create a list of class name

../bin/createclasslist.sh under 



----------

2: Parse all AndroidManifest.xml files (in ANDROID_DIR) for permission information



Under  run the following:

find -name AndroidManifest.xml > manifestlist

/bin/parseandroidmanifest.pl > manifestpermission



grep ^contents:// manifestpermission | grep -v grantUriPermissions | sort -u > contentproviderpermission

sed -i 's/^contents/content/' contentproviderpermission

mv contentproviderpermission 



grep ^PROVIDER: manifestpermission | sort -u > providerauth

mv providerauth 



grep ^Intent: manifestpermission | sort -u > intentpermission

sed -i 's/^Intent://' intentpermission

mv intentpermission 



Note: At this point, unless otherwise specified, all commands in future steps should be executed under 



----------

3: Generate list of permissions to be analyzed by PScout



Create list of permissions available to 3rd party applications

../bin/parsepermission.pl /frameworks/base/core/res/AndroidManifest.xml > permissions



Output files:

- permissions



----------

4: Testing setup



runsoot dump.DumpClass com.android.internal.telephony.gsm.GSMPhone under 



If you see Exception in thread "main" java.lang.RuntimeException: couldn't find class: com.android.internal.telephony.gsm.GSMPhone$1 (is your soot-class-path set properly?) do the following:

../bin/compileemptyclass.pl com.android.internal.telephony.gsm.GSMPhone\$1



If setting is correct, there should be no errors.



----------

5: SOOT dump class information (this step should take ~day to finish)



../bin/dumpclass.sh



Output files:i

- classhierarchy

- rawcallgraph

- permissionstringusage

- message

- handlemessageswitch

- rpcmethod

- clearrestoreuid

- urifield



Note:

- modify the classlist file to change the list of class files to be processed (useful if computer died(?) in the middle of an analysis)

- the file 'processed' stores the list of classes examined so far

- run 'wc processed' to get an idea on the progress (# of lines = # classes processed)



----------

6: Build basic call graph



../bin/buildcallgraph.pl | sort -u > callgraph



Output files:

- callgraph



----------

7: Create message sending edges

../bin/analyzemessages.pl > sendmessagecallgraphedges



Output files

- sendmessagecallgraphedges



----------

8: AIDL RPC

../bin/createrpcedge.pl > aidlcallgraphedges

../bin/removerpcedge.pl > callgraphnorpc



----------

9: String permission checks

../bin/analyzepermissionusage.pl > pchk

../bin/formatpermissioncheck.pl



Output files:

- stringpermissioncheck

- sendreceivepermissioncheck



----------

10: Uri permission checks

../bin/analyzeurifield.pl > contentprovidercheck



Outputfiles:

- contentprovidercheck

- contentproviderfieldpermission



----------

11: SOOT Intents with "dynamic" send/receive permission

../bin/intentwithpermission.sh

../bin/analyzeintent.pl > intentwithdynamicpermission

cat intentpermission intentwithdynamicpermission > intentpermissions



Outputfiles:

- intentwithdynamicpermission

- intentpermissions



----------

12: SOOT Intent permission check (~day)

../bin/intentpermissioncheck.sh

../bin/analyzeintentcheck.pl > intentpermissioncheck



Outputfiles:

- intentpermissioncheck



----------

13: API mapping



cp /frameworks/base/api/current.xml 

Note: when analyzing android 4.0, copy current.txt instead



../bin/broadcaststickycheck.pl > broadcaststickycheck

../bin/apimapping.pl > API



Output files:

- permissionreachedprovider



----------

14: New content permission requirement found from first apimapping.pl pass



../bin/analyzereachedprovider.pl > reachedcontentproviderpermission

../bin/analyzeurifield.pl > contentproviderdynamiccheck



----------

15: Second (final) API mapping



../bin/apimapping.pl > API

grep -e ^Permission -e Callers: -e ^\< API > allmappings



Output files:

- allmappings

- publishedapimapping



----------

16: Generate some basic stats



../bin/generatestats.pl > stats



Output files:

- stats