Mandoline is an accurate, low-overhead dynamic slicer for Android applications.

resess/Mandoline

Mandoline

This repository hosts Mandoline, an accurate, low-overhead dynamic slicer for Android. Mandoline automatically generates a backward dynamic slice from a user selected executed statement and variables used in the statement. Mandoline first creates an Inter-Callback Dependency Graph (ICDG) from an execution trace. The user selects a node in the ICDG and used variables in the node to start slicing from (slicing criterion). Mandoline is the first dynamic slicer for Android apps that accounts for data flows through fields and framework methods.

This repository also hosts the ground truth that Mandoline is evaluated on. The ground truth consists of manually generated slices of 12 applications.

If you use this tool, please cite:

Khaled Ahmed, Mieszko Lis, and Julia Rubin. MANDOLINE: Dynamic Slicing of Android Applications with Trace-Based Alias Analysis. IEEE International Conference on Software Testing, Verification and Validation (ICST), Distinguished Paper Award, 2021

Table of Contents

  1. Pre-requisites
  2. Building The Tool
  3. Using The Tool
    1. Instrumenting
    2. Running apps
    3. Generating ICDG
    4. Slicing

Pre-requisites


Building The Tool

Build and install the dynamic slicing core from the core's repo (https://github.com/resess/DynamicSlicingCore):

cd core/
mvn -Dmaven.test.skip=true clean install
cd -

Build Mandoline from Mandoline's repo:

cd Mandoline/
mvn -Dmaven.test.skip=true clean install
cd -

Using The Tool

Set up the environment.

export ANDROID_JARS=path/to/sdk/platforms

path/to/sdk/platforms: Android SDK platforms path. ex: /Users/khaledea/Library/Android/SDK/platforms

export PATH=$PATH:path/to/sdk/build-tools/

path/to/sdk/build-tools: Android SDK build-tools path. ex: /Users/khaledea/Library/Android/SDK/build-tools/28.0.3/

export PATH=$PATH:path/to/sdk/platform-tools/

path/to/sdk/platform-tools: Android SDK platform-tools path. ex: /Users/khaledea/Library/Android/SDK/platform-tools/

Display the command line options using:

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -h

Instrumenting

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m i -a path/to/apk -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -lc path/to/logger/jar

path/to/apk: path to the apk file to instrument

The instrumentation also generates the jimple code, placed in the output directory under "jimple_code".

path/to/output/directory: path to directory to store instrumentation output

path/to/logger/jar: path to the logger JAR from the dynamic slicing core repository.

Example on the anki app:

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m i -a Dataset/1.anki/1.anki.apk -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir -lc ../DynamicSlicingCore/DynamicSlicingLoggingClasses/DynamicSlicingLogger.jar

Sign the instrumented apk using the sign_apk.py script

python3 scripts/sign_apk.py path/to/instrumented/apk

Example:

python3 scripts/sign_apk.py outDir/1.anki_m.apk

Running apps

Clean up the logcat, remove old installations of the app, and install the instrumented app using the command

python3 scripts/clean_install.py device_id path/to/instrumented/apk 

device_id: Id of Android device to install the app on (obtainable using adb devices)

Example:

python3 scripts/clean_install.py 712KPWQ104XXX outDir/1.anki_m.apk

Play with the app, then extract the trace using the extract_trace.py script

python3 scripts/extract_trace.py device_id trace_file

trace_file: trace file name to save (with path)

python3 scripts/extract_trace.py 712KPWQ104XXX outDir/trace.log

Generating ICDG

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m g -a path/to/apk -t path/to/trace -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt

path/to/apk: path to the original apk (not the instrumented one)

path/to/trace: path to the trace file saved by the extract_trace.py script

path/to/output/directory: same output directory where the instrumentation outputs are placed

The ICDG is placed in outDir with the name path/to/trace_icdg.log

Example on the anki app:

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m g -a Dataset/1.anki/1.anki.apk -t outDir/trace.log -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir/ -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt

Slicing

Select a statement to slice from in the ICDG. The statement numbers are on the left of each line in the ICDG file, before the ", " delimiter.

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m s -a path/to/apk -t path/to/trace -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt -sp statement_number -sv used-variables-to-slice-from

path/to/apk: path to the original apk (not the instrumented one)

path/to/trace: path to the trace file saved by the extract_trace.py script

path/to/output/directory: same output directory where the instrumentation outputs are placed

statement_number: the statement to slice from

used-variables-to-slice-from: list of variables used at the statement specified by -sp. The list is "-" separated. Do not include the "$" in the variable name

The slices are placed as a csv file in the output directory with the name result_s_{date}.csv

Example:

java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m s -a Dataset/1.anki/1.anki.apk -t outDir/trace.log -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir/ -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt -sp 450275 -sv r1-r2

You can also run the script scripts/run_app.sh to run all the steps. Just modify the first few lines: the environment variables, the output directory, the full path to the APK, the APK package name, and the tool mode. Run the script from the project's base directory.
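An added example (not part of the Mandoline repository) of choosing the slicing criterion described above: it reads statement numbers from before the ", " delimiter, formats the variable list for -sv, and builds the slice-mode command as an argument list. The ICDG lines are constructed, the text after the delimiter is an assumed Jimple-like shape, and the function names are hypothetical.

```python
# Constructed ICDG excerpt. Only the "<number>, " prefix is documented in the
# README; the text after the delimiter is assumed, Jimple-like filler.
SAMPLE_ICDG = """\
450270, r0 := @this: com.example.NoteEditor
450273, $r1 = r0.<com.example.NoteEditor: java.lang.String mText>
450275, virtualinvoke r3.<java.io.Writer: void write(java.lang.String)>($r1)
a line without the delimiter
"""

CLASSPATH = "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*"
MAIN_CLASS = "ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer"


def find_statements(icdg_text, needle):
    """Return (statement_number, statement_text) for ICDG lines containing needle."""
    hits = []
    for line in icdg_text.splitlines():
        number, sep, rest = line.partition(", ")
        if sep and number.strip().isdigit() and needle in rest:
            hits.append((int(number), rest))
    return hits


def format_sv(variables):
    """Build the -sv value: names joined by "-", with the "$" removed."""
    names = [v.strip().lstrip("$") for v in variables]
    for name in names:
        # "-" is the list separator, so a name containing it would be ambiguous.
        if not name or "-" in name or " " in name:
            raise ValueError(f"unusable variable name: {name!r}")
    if not names:
        raise ValueError("at least one variable is required")
    return "-".join(names)


def slice_argv(apk, trace, out_dir, android_jars, statement, variables):
    """Slice-mode command as an argument list (no shell quoting involved)."""
    return ["java", "-cp", CLASSPATH, MAIN_CLASS, "-m", "s",
            "-a", apk, "-t", trace, "-p", android_jars,
            "-c", "FlowDroid/soot-infoflow-android/AndroidCallbacks.txt",
            "-o", out_dir,
            "-sd", "FlowDroid/soot-infoflow-summaries/summariesManual",
            "-tw", "FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt",
            "-sp", str(statement), "-sv", format_sv(variables)]


if __name__ == "__main__":
    number, text = find_statements(SAMPLE_ICDG, "write(")[0]
    print(slice_argv("Dataset/1.anki/1.anki.apk", "outDir/trace.log", "outDir/",
                     "path/to/sdk/platforms", number, ["$r1", "r3"]))
```

The returned list can be passed to subprocess.run from the project's base directory, since the classpath and FlowDroid paths are relative.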


Publication

Khaled Ahmed, Mieszko Lis, and Julia Rubin. MANDOLINE: Dynamic Slicing of Android Applications with Trace-Based Alias Analysis. IEEE International Conference on Software Testing, Verification and Validation (ICST), 2021

Contact

If you experience any issues, please submit an issue or contact us at khaledea@ece.ubc.ca