Amandroid - Argus static analysis framework

Posted by Omni-Space on 2017-07-15
Argus is a static analysis framework designed to help with the security vetting of Android applications. Previously known as Amandroid, its core functionality is to capture the data flow of inter-component communication and represent it with inter-procedural control flow graphs (ICFG) and inter-component data flow graphs (IDFG). Argus builds upon the Jawa language, which serves as an intermediate representation for Java-like bytecode (e.g., Java, Dalvik bytecode). Jawa is a subset of the Pilar language, a highly flexible, annotation-based intermediate representation language. Android is an event- and component-based system: the control flow is driven by events from an application's environment that can trigger various method calls, and a component can send an intent to another component. Android is a very reactive environment, and this framework helps capture its control flow paths.

Argus provides a range of abilities, from parsing Jawa code, loading information from jar and class files and resolving virtual method invocations to creating call graphs, ICFGs, IDFGs, data dependence analysis and taint analysis. Argus is available as a library and as a tool. As a tool it comes as a ".jar" file with a few features such as decompilation of apk files, detection of API misuse and taint analysis of apks. Argus can also be used as a library in Scala and Java projects, which requires loading the jawa-core library, for the API that analyzes the Jawa language, and the amandroid-core library, for the API and tools related to Android decompiling and analysis. It's important to note that Argus/Amandroid does not analyze native code.

Let's take a simple Android application as an example and analyze it with Argus in Scala.

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.widget.TextView;

public class MainActivity extends AppCompatActivity {

  // Concatenates both arguments and shows the result in the activity's TextView.
  public void say(String msg1, String msg2) {
    TextView textView = (TextView) findViewById(R.id.textView);
    textView.setText(msg1 + msg2);
  }

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    String a = "Hello";
    String b = " world!";
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    say(a, b);
  }

}
The first thing to do is to load and decompile the apk file. For that, only a few properties need to be configured in the settings object before calling the loader with the apk's URI:
val apk = yard.loadApk(fileUri, settings)
After that, control flow graphs, ICFGs and IDFGs are easily created by defining entry points and passing the apk. For instance, to get the control flow graph of MainActivity, the class is fetched by name and then the method to be analyzed is picked.
var clazz = apk.getClazz(new JawaType("package.name.MainActivity")).get
var method: JawaMethod = clazz.getDeclaredMethodByName("onCreate").get
var cfg = JawaAlirInfoProvider.getCfg(method)
println(cfg)
This code produces the following output:
L169418 -> L16941c
L16941c -> L169420
L169420 -> L169426
L169426 -> L16942c
L16942c -> L169432
L169432 -> L169438
L169438 -> Exit
Entry -> L169418
The notation used here is that every statement in the framework's intermediate representation is denoted by Ln, n being the number of the statement; the entry and exit nodes are also marked. There are two sets of facts associated with each statement, the entry set and the exit set. If reaching definition analysis is conducted over this control flow graph, it can be concluded where these facts are defined.

The code:
var rda = JawaAlirInfoProvider.getRda(method, cfg)
println(rda)
results in the following output:
L169418=Set((MainActivity_v3,*),(int_v2,?),(String_v0,?),(String_v1,?),(Bundle_v4,*))
L16941c=Set((MainActivity_v3,*),(int_v2,?),(String_v0,L169418),(String_v1,?),(Bundle_v4,*))
L169420=Set((MainActivity_v3,*),(int_v2,?),(String_v0,L169418),(String_v1,L16941c),(Bundle_v4,*))
L169426=Set((MainActivity_v3,*),(int_v2,?),(String_v0,L169418),(String_v1,L16941c),(Bundle_v4,*)) 
L16942c=Set((MainActivity_v3,*),(String_v0,L169418),(int_v2,L169426),(String_v1,L16941c),(Bundle_v4,*)) 
L169432=Set((MainActivity_v3,*),(String_v0,L169418),(int_v2,L169426),(String_v1,L16941c),(Bundle_v4,*))
L169438=Set((MainActivity_v3,*),(String_v0,L169418),(int_v2,L169426),(String_v1,L16941c),(Bundle_v4,*))
Exit=Set((MainActivity_v3,*),(String_v0,L169418),(int_v2,L169426),(String_v1,L16941c),(Bundle_v4,*)) 
Entry=Set((MainActivity_v3,*),(int_v2,?),(String_v0,?),(String_v1,?),(Bundle_v4,*))
For each statement a set of tuples is given; each tuple pairs a fact (a variable) with the statement that defines it. If it cannot be concluded what the fact points to, it is marked with "*", and if it is still undefined, with "?". The first two statements are the definitions of the variables a and b, followed by the super.onCreate(savedInstanceState) call and the load of R.layout.activity_main. After each definition the appropriate variable is pointed to the statement which defines it. If the IDFG is created, it can be seen how the "say" method is called in statement L169432. To do that, all that is needed is to call the appropriate function with the loaded apk and the map of entry points:
val iss = InterproceduralSuperSpark(apk,
            clazz.getDeclaredMethods.map(_.getSignature))
println(iss)
Jumping to node L169432:
Call@(apk-name.apk:onCreate,L169432) -> 
  Entry@Lpackage/name/MainActivity;.say:
 (Ljava/lang/String;Ljava/lang/String;)V
The new entry point is the function say() with two string arguments, which were defined at the start of the onCreate() method, as can be seen by querying the appropriate node in the ICFG.
invNode:Call@(apk-name.apk:onCreate,L169432)
args:List(MainActivity_v3, String_v0, String_v1)
Argus is a useful tool which enables one to build control and data flow graphs so that one can follow how objects and variables change, and most importantly it follows the data across components, which would otherwise be very restrictive. The key idea here is to query the usage of known cryptographic APIs through the graphs to check for misuses, as demonstrated by the authors. Since most of the CryptoLint rules mentioned before rely on checking the properties of arguments, these types of analyses seem appropriate to handle such tasks.
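To make the reaching-definition facts and the argument resolution above concrete, here is an added Python example. It is not Argus code (Argus is a Scala library and is not used here): it runs the same reaching definition analysis over a constructed, hand-written toy IR that mirrors the onCreate() statements printed above, renders the sets in the same (variable, defining statement) notation, resolves the arguments of the say call at L169432 to their definitions, and finally applies one CryptoLint-style argument rule (a transformation string passed to Cipher.getInstance must not select ECB mode) to a second constructed method. The Stmt class, the labels and callee strings of the second method, and all helper names are assumptions of this example, not Argus APIs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed toy IR in the spirit of Jawa: every statement carries the "Ln" label
# Argus prints, may define one variable (optionally from a literal) and may be a call.
@dataclass
class Stmt:
    label: str
    defines: Optional[str] = None   # variable (re)defined by this statement
    const: Optional[str] = None     # literal assigned, when the definition is a constant
    callee: Optional[str] = None    # callee signature, when the statement is a call
    args: List[str] = field(default_factory=list)

# A fact is (variable, label of the definition that reaches here);
# "?" means not yet defined, "*" means defined outside the method (this, parameters).
Fact = Tuple[str, str]

def build_cfg(stmts: List[Stmt]) -> Dict[str, Set[str]]:
    """Straight-line CFG Entry -> s1 -> ... -> sn -> Exit (the sample has no branches)."""
    labels = ["Entry"] + [s.label for s in stmts] + ["Exit"]
    return {a: {b} for a, b in zip(labels, labels[1:])}

def reaching_definitions(stmts, cfg, params) -> Dict[str, Set[Fact]]:
    """Forward may-analysis by worklist iteration. Returns the ENTRY set of every
    node, which is what the Argus output above lists for each statement."""
    by_label = {s.label: s for s in stmts}
    nodes = ["Entry"] + list(by_label) + ["Exit"]
    preds = {n: set() for n in nodes}
    for src, dsts in cfg.items():
        for d in dsts:
            preds[d].add(src)
    variables = {s.defines for s in stmts if s.defines} | set(params)
    initial = {(v, "*" if v in params else "?") for v in variables}
    entry_set = {n: set() for n in nodes}
    exit_set = {n: set() for n in nodes}
    entry_set["Entry"], exit_set["Entry"] = set(initial), set(initial)
    work = nodes[1:]
    while work:
        n = work.pop(0)
        inn = set().union(*(exit_set[p] for p in preds[n]))
        s = by_label.get(n)
        if s is not None and s.defines:
            # kill every older definition of the variable, generate this one
            out = {f for f in inn if f[0] != s.defines} | {(s.defines, n)}
        else:
            out = set(inn)
        if inn != entry_set[n] or out != exit_set[n]:
            entry_set[n], exit_set[n] = inn, out
            work.extend(cfg.get(n, ()))
    return entry_set

def format_facts(entry_set, nodes):
    """Render the sets in the page's Ln=Set((var,def),...) notation."""
    lines = []
    for n in nodes:
        facts = ",".join("(%s,%s)" % f for f in sorted(entry_set[n]))
        lines.append("%s=Set(%s)" % (n, facts))
    return "\n".join(lines)

def resolve_args(stmts, entry_set, label):
    """Map each argument of the call at `label` to the definition label(s) reaching it."""
    by_label = {s.label: s for s in stmts}
    return {a: sorted(d for v, d in entry_set[label] if v == a) for a in by_label[label].args}

def arg_constants(stmts, entry_set, label, index):
    """Literal values that can reach argument `index` of the call at `label`."""
    by_label = {s.label: s for s in stmts}
    arg = by_label[label].args[index]
    return sorted(by_label[d].const for d in resolve_args(stmts, entry_set, label)[arg]
                  if d in by_label and by_label[d].const is not None)

def find_violations(stmts, params, callee, index, bad):
    """Calls to `callee` whose argument `index` may receive a literal for which bad() holds."""
    rd = reaching_definitions(stmts, build_cfg(stmts), params)
    return [(s.label, c) for s in stmts if s.callee == callee
            for c in arg_constants(stmts, rd, s.label, index) if bad(c)]

# Constructed mirror of the onCreate() statements whose output is printed above.
SAY = "Lpackage/name/MainActivity;.say:(Ljava/lang/String;Ljava/lang/String;)V"
ON_CREATE = [
    Stmt("L169418", defines="String_v0", const="Hello"),
    Stmt("L16941c", defines="String_v1", const=" world!"),
    Stmt("L169420", callee="super.onCreate", args=["MainActivity_v3", "Bundle_v4"]),
    Stmt("L169426", defines="int_v2", const="R.layout.activity_main"),
    Stmt("L16942c", callee="setContentView", args=["MainActivity_v3", "int_v2"]),
    Stmt("L169432", callee=SAY, args=["MainActivity_v3", "String_v0", "String_v1"]),
    Stmt("L169438"),  # return-void
]
ON_CREATE_PARAMS = ["MainActivity_v3", "Bundle_v4"]

# Constructed second method: a hard-coded transformation string flows into Cipher.getInstance.
CIPHER_GET_INSTANCE = "Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher;"
ENCRYPT = [
    Stmt("L1", defines="String_v0", const="AES/ECB/PKCS5Padding"),
    Stmt("L2", defines="Cipher_v1", callee=CIPHER_GET_INSTANCE, args=["String_v0"]),
    Stmt("L3"),
]

def no_ecb(transformation: str) -> bool:
    """CryptoLint-style rule: ECB mode must not be selected (True = violation)."""
    return "ECB" in transformation.upper()

if __name__ == "__main__":
    rd = reaching_definitions(ON_CREATE, build_cfg(ON_CREATE), ON_CREATE_PARAMS)
    print(format_facts(rd, [s.label for s in ON_CREATE] + ["Exit", "Entry"]))
    print("args of say at L169432:", resolve_args(ON_CREATE, rd, "L169432"))
    print("ECB misuse:", find_violations(ENCRYPT, [], CIPHER_GET_INSTANCE, 0, no_ecb))
```

The worklist loop is the general algorithm of which the page shows one run: it also converges on CFGs with branches and loops, where a variable may carry several reaching definitions at once, which is why resolve_args returns a list per argument and a rule only passes when every literal that can reach the call satisfies it.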


Source: https://sgros-students.blogspot.com/2017/06/amandroid-argus-static-analysis.html