
Answers

FoelliX edited this page Nov 25, 2021 · 6 revisions

AQL-Answers

The answer to an AQL-Question (ending with ?) always comes in the form of an AQL-Answer. If a question ends with an !, the file (of any type) is used as the answer. When a . ends a question, the content of the file represents the answer.
AQL-Answers are used to represent the results of analysis tools in a generalized but accurate way. The following analysis information can currently be represented through AQL-Answers:

  • Flows (e.g. taint flows)
  • Intents
  • Intent-Filter
  • Intent-Sinks
  • Intent-Sources
  • Sources
  • Sinks
  • Permissions

The structure of AQL-Answers is precisely defined through an XML Schema Definition. Consequently, every answer is represented by an .xml document. Such an .xml document is structured as follows:

<answer>
	<intentsources>
		<intentsource>
			...
		</intentsource>
		...
	</intentsources>
	<flows>
		<flow>
			...
		</flow>
		...
	</flows>
	...
</answer>

Each flow, intent, intentfilter, intentsink, intentsource, source, sink and permission element can hold arbitrarily many attribute elements consisting of name-value pairs to represent additional information, as shown in the following.

Example 1: Flows

One taint flow detected by a tool such as FlowDroid can be represented in the following way:

...
<flow>
	<!-- Flow starts from -->
	<reference type="from">
		<statement>
			<statementfull>$r4 = virtualinvoke $r3.&lt;android.telephony.TelephonyManager: java.lang.String getSimSerialNumber()&gt;()</statementfull>
			<statementgeneric>android.telephony.TelephonyManager: java.lang.String getSimSerialNumber()</statementgeneric>
			<linenumber>26</linenumber>
		</statement>
		<method>&lt;de.foellix.aql.aqlbench.api19.interappstart1.MainActivity: void source()&gt;</method>
		<classname>de.foellix.aql.aqlbench.api19.interappstart1.MainActivity</classname>
		<app>
			<file>/media/sf_share/fix/InterAppStart1.apk</file>
			<hashes>
				<hash type="MD5">2aafeb4bd6e436f66fc06083fda3beb1</hash>
				<hash type="SHA-1">a4619c4448047436e96ec4397dff343e6702c532</hash>
				<hash type="SHA-256">627af4963cbd3b31a0e9c3ef4a029cfb62534689c2dd620c97252ba55c72ac15</hash>
			</hashes>
		</app>
	</reference>

	<!-- Flow ends in -->
	<reference type="to">
		<statement>
			<statementfull>virtualinvoke $r3.&lt;android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)&gt;("123456789", null, $r2, null, null)</statementfull>
			<statementgeneric>android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)</statementgeneric>
			<linenumber>26</linenumber>
			<parameters>
				<parameter>
					<type>java.lang.String</type>
					<value>"123456789"</value>
				</parameter>
				<parameter>
					<type>java.lang.String</type>
					<value>null</value>
				</parameter>
				<parameter>
					<type>java.lang.String</type>
					<value>$r2</value>
				</parameter>
				<parameter>
					<type>android.app.PendingIntent</type>
					<value>null</value>
				</parameter>
				<parameter>
					<type>android.app.PendingIntent</type>
					<value>null</value>
				</parameter>
			</parameters>
		</statement>
		<method>&lt;de.foellix.aql.aqlbench.api19.interappend1.MainActivity: void sink()&gt;</method>
		<classname>de.foellix.aql.aqlbench.api19.interappend1.MainActivity</classname>
		<app>
			<file>/media/sf_share/fix/InterAppEnd1.apk</file>
			<hashes>
				<hash type="MD5">fc850d773145bbc65694c58213f6cb6f</hash>
				<hash type="SHA-1">edd9bf89ef2b01be8abf7f6616dd5867c96a79ac</hash>
				<hash type="SHA-256">79dd06fa366c4313f84913b73ce8fe157dd6dab8b0946d1a54ef60b604f2a26d</hash>
			</hashes>
		</app>
	</reference>

	<!-- Attribute showing this is a complete flow -->
	<attributes>
		<attribute>
			<name>complete</name>
			<value>true</value>
		</attribute>
	</attributes>
</flow>
...

The statement where the flow starts is described by a reference. Reference elements describe particular program locations inside an app. This reference's type attribute is set to from to reflect that the flow starts at the referenced program location. The program location is described by four inner elements, namely statement, method, classname and app. For any statement two String representations can be provided: in this example the statementfull element holds the full Jimple statement, whereas the statementgeneric element holds only the program-independent part of it. Additionally, each statement can have a list of name-value pairs (the parameters element) attached to it in order to represent the parameters of e.g. a function call. method refers to the signature of the method which holds the previously described statement. classname refers to the class containing that method. Lastly, the app element references the app where this class can be found. To do so, the app's .apk file can be specified along with arbitrary hashes to recognize the app on other systems.

The second reference element's type attribute is set to to, which tells us that the flow ends in this program location. Its structure is the same as that of the first reference. With both references given, the flow is fully described.

The attributes list at the end of the flow description holds one attribute. The name-value pair (complete = true) representing this attribute states that this flow is complete: it leads from a tainted source to a sink.

Example 2: Connected answer

The following figure shows an AQL-Answer in a graphical way. Such graphs can be generated with the AQL-System on the basis of an AQL-Answer .xml file.

[Figure: Example overview]

The blue nodes and edges represent the different flows. The green and red ones represent the intentsinks and intentsources. Lastly, the purple nodes on top represent permissions.
To produce this answer, four different analysis tools were asked by means of the AQL:

  • FlowDroid for Flows inside the SIMApp and SMSApp
    Among others, the following flows could be found:
    • from getSimSerialNumber() to startActivity(..)
    • from getStringExtra(..) to sendTextMessage(..)
    In particular, the complete flow from getSimSerialNumber() to sendTextMessage(..) could not be found, yet!
  • Amandroid for IntentFilters and IntentSinks in these apps
    Its result especially holds one IntentSink and one IntentFilter described by the action string de.upb.fpauck.CALLSINK.
  • DefaultIntentInformationFinder (the default tool that comes with the AQL-System) for IntentSources, which are combined with the IntentFilters found by Amandroid through the CONNECT operator
  • and PAndA² for Permission uses. The result shows that, on the one hand, the READ_PHONE_STATE permission is required by the getSimSerialNumber() statement and, on the other hand, the sendTextMessage(..) statement requires the SEND_SMS and WRITE_SMS permissions.

The AQL-Operator CONNECT has to be applied to connect the answers. While doing so, the IntentSink is matched to the combined IntentSource, resulting in a new flow from startActivity(..) to getStringExtra(..) which is the missing piece to finish the puzzle. Now the three flows found can be used to construct the complete flow (from getSimSerialNumber() to sendTextMessage(..)) in a transitive manner.
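As an added illustration (not part of this wiki or of the AQL-System's own code), the following Python reads the flow elements of an AQL-Answer and chains them transitively as described above. The embedded answer is constructed: it reduces each reference to its statementgeneric and classname, and the class names sim.MainActivity and sms.MainActivity are assumptions standing in for the SIMApp and SMSApp.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the AQL-Answer layout (not an actual tool result). The three
# flows mirror Example 2: SIMApp source -> startActivity, the CONNECT-produced
# startActivity -> getStringExtra flow, and SMSApp getStringExtra -> sendTextMessage.
SAMPLE_ANSWER = """<answer><flows>
<flow><reference type="from"><statement><statementgeneric>android.telephony.TelephonyManager: java.lang.String getSimSerialNumber()</statementgeneric></statement><classname>sim.MainActivity</classname></reference>
<reference type="to"><statement><statementgeneric>android.app.Activity: void startActivity(android.content.Intent)</statementgeneric></statement><classname>sim.MainActivity</classname></reference>
<attributes><attribute><name>complete</name><value>false</value></attribute></attributes></flow>
<flow><reference type="from"><statement><statementgeneric>android.app.Activity: void startActivity(android.content.Intent)</statementgeneric></statement><classname>sim.MainActivity</classname></reference>
<reference type="to"><statement><statementgeneric>android.content.Intent: java.lang.String getStringExtra(java.lang.String)</statementgeneric></statement><classname>sms.MainActivity</classname></reference></flow>
<flow><reference type="from"><statement><statementgeneric>android.content.Intent: java.lang.String getStringExtra(java.lang.String)</statementgeneric></statement><classname>sms.MainActivity</classname></reference>
<reference type="to"><statement><statementgeneric>android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)</statementgeneric></statement><classname>sms.MainActivity</classname></reference>
<attributes><attribute><name>complete</name><value>false</value></attribute></attributes></flow>
</flows></answer>"""

def location(ref):
    """Program location key of a <reference>: (generic statement, class name)."""
    stmt = ref.findtext("statement/statementgeneric", default="").strip()
    cls = ref.findtext("classname", default="").strip()
    return (stmt, cls)

def parse_flows(xml_text):
    """Return (from_location, to_location, attributes) for every <flow> in the answer."""
    flows = []
    for flow in ET.fromstring(xml_text).iter("flow"):
        refs = {r.get("type"): location(r) for r in flow.findall("reference")}
        attrs = {a.findtext("name"): a.findtext("value")
                 for a in flow.findall("attributes/attribute")}
        flows.append((refs["from"], refs["to"], attrs))
    return flows

def transitive_flows(flows, is_source, is_sink):
    """Chain flows whose 'to' location equals another flow's 'from' location and
    return every chain (as a tuple of locations) from a source to a sink statement."""
    by_from = {}
    for frm, to, _ in flows:
        by_from.setdefault(frm, []).append(to)
    complete = []
    def walk(loc, path):
        if is_sink(loc[0]) and len(path) > 1:
            complete.append(tuple(path))
        for nxt in by_from.get(loc, []):
            if nxt not in path:  # do not revisit a location (avoids cycles)
                walk(nxt, path + [nxt])
    for frm in by_from:
        if is_source(frm[0]):
            walk(frm, [frm])
    return complete
```

Running `transitive_flows(parse_flows(SAMPLE_ANSWER), ...)` with a source test for getSimSerialNumber and a sink test for sendTextMessage yields the single four-location chain that the three partial flows compose into.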