PathChecker verifies that a sanitizer sits on every path between an entry node and a target node of a graph.
It is deliberately simple: it is built on Soot's JimpleBasedInterproceduralCFG and MHGDominatorsFinder. The question it answers is, for an entry a, a sanitizer b and a target c, whether b dominates c, i.e. whether every path from a to c passes through b. If b dominates c, there is no way to reach the target without first going through the sanitizer; that's it!
- Collect all entry nodes of an APK file (or a JAR file).
- Collect all target (resource) nodes of an APK file (or a JAR file).
- Collect all sanitizers.
All three steps can be done either manually or automatically. I designed CGChecker for collecting entries, e.g.
Remark 1:
When using JimpleBasedInterproceduralCFG, pay special attention to the exception handlers in the graph. An exceptional edge can add a path that reaches the target without passing through the sanitizer, which breaks the dominance relation, so check every exception handler deliberately to confirm that the result still holds.
Remark 2:
Be careful not to call dumpGraph all the time, or it will crash the application.
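Putting the three steps and both remarks together, here is an added example (my own code, not PathChecker's or Soot's) of the dominance check on a JAR: it walks the ICFG from one entry, splices every reachable callee body into a single unit graph, wires callee exits back to the call's return sites in the context-insensitive way the to-do list below describes, and then asks MHGDominatorsFinder whether some sanitizer call site dominates each sink call site. The JAR path, the entry class, and the sanitizer and sink signatures in main() are assumed placeholders for a program of your own.

```java
import java.util.*;

import soot.*;
import soot.jimple.Stmt;
import soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG;
import soot.options.Options;
import soot.toolkits.graph.DirectedGraph;
import soot.toolkits.graph.MHGDominatorsFinder;

/** Added example, not PathChecker's own code: sanitizer-dominates-sink check on an inlined unit graph. */
public class SanitizerDominance {

  /** Units reachable from one entry, with callee bodies spliced in at every call site. */
  static final class InlinedGraph implements DirectedGraph<Unit> {
    private final Map<Unit, List<Unit>> succs = new LinkedHashMap<>();
    private final Map<Unit, List<Unit>> preds = new LinkedHashMap<>();
    private final Unit head;

    InlinedGraph(JimpleBasedInterproceduralCFG icfg, SootMethod entry) {
      head = icfg.getStartPointsOf(entry).iterator().next();
      node(head);
      Deque<Unit> work = new ArrayDeque<>();
      Set<Unit> seen = new HashSet<>();
      work.push(head);
      seen.add(head);
      while (!work.isEmpty()) {
        Unit u = work.pop();
        node(u);
        // Intra-procedural successors; with exceptions enabled these include exceptional edges (Remark 1).
        List<Unit> next = new ArrayList<>(icfg.getSuccsOf(u));
        if (icfg.isCallStmt(u)) {
          for (SootMethod callee : icfg.getCalleesOfCallAt(u)) {
            if (!callee.hasActiveBody()) continue; // phantom or library method: keep only the call-to-return edge
            next.addAll(icfg.getStartPointsOf(callee));
            // Every exit of the callee flows back to this call's return sites. The same exit is wired
            // to the return sites of every caller, so unrealizable paths appear: this is how a
            // sanitizer can lose dominance after context-insensitive inlining.
            for (Unit exit : icfg.getEndPointsOf(callee)) {
              for (Unit ret : icfg.getReturnSitesOfCallAt(u)) {
                addEdge(exit, ret);
                if (seen.add(ret)) work.push(ret);
              }
            }
          }
        }
        for (Unit v : next) {
          addEdge(u, v);
          if (seen.add(v)) work.push(v);
        }
      }
    }

    private void node(Unit u) {
      succs.computeIfAbsent(u, k -> new ArrayList<>());
      preds.computeIfAbsent(u, k -> new ArrayList<>());
    }

    private void addEdge(Unit from, Unit to) {
      node(from);
      node(to);
      if (!succs.get(from).contains(to)) {
        succs.get(from).add(to);
        preds.get(to).add(from);
      }
    }

    @Override public List<Unit> getHeads() { return Collections.singletonList(head); }
    @Override public List<Unit> getTails() {
      List<Unit> tails = new ArrayList<>();
      for (Map.Entry<Unit, List<Unit>> e : succs.entrySet()) if (e.getValue().isEmpty()) tails.add(e.getKey());
      return tails;
    }
    @Override public List<Unit> getPredsOf(Unit u) { return preds.getOrDefault(u, Collections.emptyList()); }
    @Override public List<Unit> getSuccsOf(Unit u) { return succs.getOrDefault(u, Collections.emptyList()); }
    @Override public int size() { return succs.size(); }
    @Override public Iterator<Unit> iterator() { return succs.keySet().iterator(); }
  }

  /** Units in the graph that invoke the method with the given Soot signature. */
  static List<Unit> callSitesOf(DirectedGraph<Unit> g, String signature) {
    List<Unit> out = new ArrayList<>();
    for (Unit u : g) {
      if (u instanceof Stmt && ((Stmt) u).containsInvokeExpr()
          && ((Stmt) u).getInvokeExpr().getMethodRef().getSignature().equals(signature)) out.add(u);
    }
    return out;
  }

  /** True iff every sink call site reachable from the entry is dominated by some sanitizer call site. */
  static boolean allSinksSanitized(InlinedGraph g, String sanitizerSig, String sinkSig) {
    MHGDominatorsFinder<Unit> dom = new MHGDominatorsFinder<>(g);
    List<Unit> sanitizers = callSitesOf(g, sanitizerSig);
    boolean ok = true;
    for (Unit sink : callSitesOf(g, sinkSig)) {   // sinks unreachable from the entry are not in g
      boolean guarded = false;
      for (Unit s : sanitizers) guarded |= dom.isDominatedBy(sink, s);
      System.out.println((guarded ? "OK   " : "LEAK ") + sink);
      ok &= guarded;
    }
    return ok;
  }

  /** Load a JAR in whole-program mode, build the call graph and return an ICFG that keeps exceptional edges. */
  static JimpleBasedInterproceduralCFG buildIcfg(String jarPath, String entryClass, String entryMethod) {
    G.reset();
    Options.v().set_whole_program(true);
    Options.v().set_allow_phantom_refs(true);
    Options.v().set_prepend_classpath(true);
    Options.v().set_output_format(Options.output_format_none);
    Options.v().set_process_dir(Collections.singletonList(jarPath));
    Options.v().setPhaseOption("cg.spark", "on");
    Scene.v().loadNecessaryClasses();
    SootClass c = Scene.v().getSootClass(entryClass);
    Scene.v().setEntryPoints(Collections.singletonList(c.getMethodByName(entryMethod)));
    PackManager.v().getPack("cg").apply();
    return new JimpleBasedInterproceduralCFG(true); // true = keep exceptional edges (Remark 1)
  }

  public static void main(String[] args) {
    // Assumed placeholders: JAR, entry point, sanitizer and sink signatures of the program under test.
    String jar = args.length > 0 ? args[0] : "target.jar";
    JimpleBasedInterproceduralCFG icfg = buildIcfg(jar, "com.example.Main", "main");
    SootMethod entry = Scene.v().getMethod("<com.example.Main: void main(java.lang.String[])>");
    InlinedGraph g = new InlinedGraph(icfg, entry);
    boolean ok = allSinksSanitized(g,
        "<com.example.Sanitizer: java.lang.String clean(java.lang.String)>",
        "<java.sql.Statement: java.sql.ResultSet executeQuery(java.lang.String)>");
    System.out.println(ok ? "a sanitizer dominates every reachable sink" : "unsanitized path found");
  }
}
```

Run it with Soot on the classpath and the JAR as the first argument. Two properties of a single-node dominance check are worth keeping in mind when reading the output: a sink that is guarded by different sanitizer call sites on different paths has no single dominator and is reported as a leak, and a sink that is unreachable from the chosen entry never enters the graph and so is never reported at all.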
To do:
- There are quirks when dealing with the <clinit> method.
- Since the graph is inflated (callees inlined, but not context-sensitively), b may no longer dominate c: an inlined callee returns to every one of its call sites, which creates paths that cannot actually be executed.
- Handle exceptional edges in the CFG.
- Shrink the CFG: remove unrelated branches, etc.
References:
https://arpith.xyz/2016/05/insertonedge-soot/
https://github.com/soot-oss/soot/wiki/Creating-a-class-from-scratch#write-to-class-file
https://github.com/secure-software-engineering/FlowDroid/releases
https://github.com/Sable/android-platforms
https://www.sable.mcgill.ca/soot/tutorial/phase/phase.html