
horndroid's Introduction


Dependency Resolution: Z3

Build Z3 to %Z3Home%: https://github.com/Z3Prover/z3.git

MAC OS

Copy libz3java.dylib from %Z3Home% to src/main/resources

WINDOWS

Copy libz3.dll and z3.java.dll from %Z3Home% to src/main/resources

Note: These are included by default currently

Other OS

Copy relevant library file from %Z3Home% to src/main/resources

Note: DYLD_LIBRARY_PATH (MAC OS) or LD_LIBRARY_PATH (Linux, FreeBSD) should include the build target directory (see %Z3Home%../examples/java/README).

Dependency Resolution: apktool

Build apktool.jar to %apktool%: http://ibotpeaches.github.io/Apktool/

Note: included by default in src/main/resources

Build fsHD

mvn clean package

Run fsHD

java -jar fshorndroid-version.jar [options] '/' '%apktool%/' '<apk-file>'

options:

-q precise query results;

-w sensitive array indexes;

-n bitvector size (default 64);

-i flow insensitive heap;

-r number of queries;

-d print debugging information (argument: integer 1 - taint information, 2 - localheap, or 3 - global heap);

-l stop after the first leak is found;

-s flow sensitive heap only for the objects created in the method that contains a call to a sink.

Note: the files Callbacks.txt, EntryPoints.txt and SourcesAndSinks.txt (SourcesAndSinksDroidSafe.txt) should be in src/main/resources/bin

You can specify a path to an *.apk file or to a folder (all apps in sub-folders will also be analysed).

Example execution: java -jar fshorndroid-0.0.1.jar / ./ %home%/apksToTest

For every *.apk file in the folder, HornDroid reports (in logs/app.log):

  • Horn clauses generation time;
  • Analysis time;
  • Taint tracking result: POSSIBLE LEAK if the register might leak sensitive data, or NO LEAK if it does not. The result also specifies the register number, the exact place where the leak happens, and the sink.
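
A small triage script for the result lines written to logs/app.log, added here as an example and not part of HornDroid. The line layout is taken from the log excerpt quoted in the issue on this page; the function names, the third sample line, and the rule that a query counts as leaking when either its plain or its [REF] variant reports a leak are assumptions of this example.

```python
import re
from collections import defaultdict

# First two lines come from the log excerpt quoted on this page;
# the third line is constructed for the example.
SAMPLE_LOG = """\
3 Test if register 3 leaks at line 48 in method onClick(Landroid/view/View;)V of the class Lorg/cert/sendsms/Button1Listener; to the sink i(Ljava/lang/String;Ljava/lang/String;)I:NO LEAK
4 [REF] Test if register 3 leaks at line 48 in method onClick(Landroid/view/View;)V of the class Lorg/cert/sendsms/Button1Listener; to the sink i(Ljava/lang/String;Ljava/lang/String;)I:POTENTIAL LEAK
5 Test if register 1 leaks at line 12 in method onCreate(Landroid/os/Bundle;)V of the class Lcom/example/Main; to the sink d(Ljava/lang/String;Ljava/lang/String;)I:NO LEAK
"""

# Accepts both verdict spellings seen on the page (POSSIBLE / POTENTIAL).
LINE_RE = re.compile(
    r"(?P<ref>\[REF\]\s+)?Test if register (?P<reg>\d+) leaks "
    r"at line (?P<line>\d+) in method (?P<method>\S+) "
    r"of the class (?P<cls>\S+) to the sink (?P<sink>\S+)"
    r":(?P<verdict>NO LEAK|POSSIBLE LEAK|POTENTIAL LEAK)\s*$"
)

def parse_results(text):
    """Yield (query_key, is_ref, leaks) for every taint-result line."""
    for raw in text.splitlines():
        m = LINE_RE.search(raw)  # search() tolerates logger prefixes
        if m:
            key = (m["cls"], m["method"], int(m["line"]), int(m["reg"]), m["sink"])
            yield key, m["ref"] is not None, m["verdict"] != "NO LEAK"

def triage(text):
    """Group plain and [REF] verdicts per query; return (leaks, disagreements)."""
    by_query = defaultdict(dict)
    for key, is_ref, leaks in parse_results(text):
        by_query[key]["REF" if is_ref else "plain"] = leaks
    leaking, disagreements = [], []
    for key, verdicts in by_query.items():
        if any(verdicts.values()):          # assumption: any leak verdict wins
            leaking.append(key)
        if len(set(verdicts.values())) > 1:  # plain and [REF] differ
            disagreements.append((key, verdicts))
    return leaking, disagreements

if __name__ == "__main__":
    leaking, disagreements = triage(SAMPLE_LOG)
    for cls, method, line, reg, sink in leaking:
        print(f"LEAK  {cls}->{method} line {line} register {reg} sink {sink}")
    for key, verdicts in disagreements:
        print(f"DIFF  {key[0]} line {key[2]}: {verdicts}")
```

Queries listed under DIFF are the ones worth checking by hand, since the two variants of the same query did not agree.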

Publications:

Sound Flow-Sensitive Heap Abstraction for the Static Analysis of Android Applications. Stefano Calzavara, Ilya Grishchenko, Adrien Koutsos, and Matteo Maffei. In Proceedings of the 30th Computer Security Foundations Symposium (IEEE CSF 2017).

HornDroid: Practical and Sound Security Static Analysis of Android Applications by SMT Solving. Stefano Calzavara, Ilya Grishchenko, and Matteo Maffei. In Proceedings of the 1st IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2016).

horndroid's Issues

[OT] - Ethertrust source code

Hi,

I am wondering if it is planned to make the ethertrust code available on GitHub or an equivalent platform (I found the source code on netidee.at), but it would be better to make the ethertrust code available so that one can add a PR or an issue to improve the tool.

--
Cheers from Italy,
Mirko

Different results for similar tests in .log file

Hi,
I have run Horndroid against a sample apk from droidbench and got some confusing results. I see some tests that first declare NO LEAK and then, in a following similar test with the prefix [REF], report that it is a POTENTIAL LEAK. What is the difference between those two test cases and why does it report a different result?

3 Test if register 3 leaks at line 48 in method onClick(Landroid/view/View;)V of the class Lorg/cert/sendsms/Button1Listener; to the sink i(Ljava/lang/String;Ljava/lang/String;)I:NO LEAK

4 [REF] Test if register 3 leaks at line 48 in method onClick(Landroid/view/View;)V of the class Lorg/cert/sendsms/Button1Listener; to the sink i(Ljava/lang/String;Ljava/lang/String;)I:POTENTIAL LEAK

Furthermore, which file does the line number refer to? In the src code there is no line 48 and in the decompiled .smali file (using apktool) line 48 is empty.
Thanks for the support!
