Artifacts of our SecDev 2023 paper "An In-Depth Analysis of Android’s Java Class Library: its Evolution and Security Impact"

software-engineering-and-security/AndroidsJCL-SecDev23

AndroidsJCL-SecDev23

In this repository, we provide the artifacts related to our paper analysing the Java Class Library in Android:

Timothée Riom, Alexandre Bartel. An In-Depth Analysis of Android’s Java Class Library: its Evolution and Security Impact. IEEE Secure Development Conference (SecDev), 2023. [bib] [secdev]

# clone this repository
git clone https://github.com/software-engineering-and-security/AndroidsJCL-SecDev23.git
cd AndroidsJCL-SecDev23
tar xzvf timdb-openjdk_classes_tables.tar.gz

Building the database

MariaDB has been used throughout the process.

The DB can be rebuilt automatically by:

  1. Updating the RQ1-OriginalVersion/toolsDir/db_tools file
  2. Creating the MariaDB user accordingly
  3. Changing into RQ1-OriginalVersion/toolsDir/
  4. Executing build_mariadb_db.sh

RQ1-Origin of Libcore Java classes:

Reproduce Figure 3- Evolution of Java Classes:

cd RQ1-OriginalVersion
bash toolsDir/one_tables_nb_ojclass_figure.sf
cd ..

Reproduce Figure 4- OpenJDK profile of each Android version:

For each version X

cd RQ1-OriginalVersion
bash toolsDir/compare_one_tables_sh_X.sh
cd ..

Reproduce Figure 5- Proximity of Android Java Classes to Original OpenJDK:

cd RQ1-OriginalVersion/ONE_TABLES/PROXIMITY
bash toolsDir/stats.sh

RQ2-Management of OpenJDK CVEs and Potential Over-Exposures:

cd RQ2-OverExposure
bash run_analysis.sh
cd ..

RQ3- Exploit of CVE-2022-21340, both on OpenJDK and Android-13:

A demonstration video is available at ./RQ3-Exploit/cve-2022-21340/tim_android_app/device-2023-05-24-101133.mp4

App available at ./RQ3-Exploit/cve-2022-21340/tim_android_app/CVE20221340

Device fingerprint: google/sdk_gphone_x86_64/emu64xa:13/TE1A.220922.025/9795748:userdebug/dev-keys
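
To check that an emulator matches the device stated above before reproducing RQ3, the fingerprint can be compared field by field with the one the device reports. This is an added example, not part of the repository: the function names `fp_field` and `fp_diff` are hypothetical, and the field layout BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS is assumed to be the standard Android build fingerprint layout.

```shell
#!/bin/sh
# Added example (not from the repository): compare an Android build
# fingerprint with the one stated in this README, field by field.
# Assumed layout: BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS

README_FP='google/sdk_gphone_x86_64/emu64xa:13/TE1A.220922.025/9795748:userdebug/dev-keys'

# fp_field FINGERPRINT NAME: print one named field; fail on malformed input.
fp_field() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        NF != 3 { exit 1 }
        {
            if (split($1, a, "/") != 3) exit 1
            if (split($2, b, "/") != 3) exit 1
            if (split($3, c, "/") != 2) exit 1
            f["brand"] = a[1]; f["product"] = a[2]; f["device"] = a[3]
            f["release"] = b[1]; f["id"] = b[2]; f["incremental"] = b[3]
            f["type"] = c[1]; f["tags"] = c[2]
            for (k in f) if (f[k] == "") exit 1   # reject empty fields
            if (!(want in f)) exit 1              # unknown field name
            print f[want]
        }'
}

# fp_diff FINGERPRINT: list fields that differ from README_FP.
# Returns 0 on a full match, 1 on a mismatch, 2 on a malformed fingerprint.
fp_diff() {
    rc=0
    for k in brand product device release id incremental type tags; do
        want=$(fp_field "$README_FP" "$k") || return 2
        got=$(fp_field "$1" "$k") || return 2
        if [ "$want" != "$got" ]; then
            printf '%s: expected %s, got %s\n' "$k" "$want" "$got"
            rc=1
        fi
    done
    return "$rc"
}

# On a connected device or emulator:
#   fp_diff "$(adb shell getprop ro.build.fingerprint | tr -d '\r')"
# Constructed fingerprint for an offline run (differs in type and tags):
fp_diff 'google/sdk_gphone_x86_64/emu64xa:13/TE1A.220922.025/9795748:user/release-keys' || true
```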

OpenJDK

cd RQ3-Exploit/openjdk-vulnerable
# Download the vulnerable version of OpenJDK
wget https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz
# Extract the vulnerable OpenJDK version
tar xzvf openjdk-11.0.1_linux-x64_bin.tar.gz
# Generate the jar file
cd source_jar
bash create_jar.sh
cd ..

Android-13

Paper figures

| Ref | Location (relative to $DOCKER_CONTAINER_BASE/home/{user_name}/) |
|---|---|
| Figure 3 | RQ1-OriginalVersion/ONE_TABLES/GRAPHDIR/nb_ojluni_classes.pdf |
| Figure 4 | RQ1-OriginalVersion/ONE_TABLES/GRAPHDIR/* |
| Figure 5 | RQ1-OriginalVersion/ONE_TABLES/PROXIMITY/graphDir/distances_area.pdf |
