This repository hosts Mandoline, an accurate, low-overhead dynamic slicer for Android. Mandoline automatically generates a backward dynamic slice from a user-selected executed statement and the variables used in that statement. Mandoline first creates an Inter-Callback Dependency Graph (ICDG) from an execution trace. The user then selects a node in the ICDG and the variables used in that node to start slicing from (the slicing criterion). Mandoline is the first dynamic slicer for Android apps that accounts for data flows through fields and framework methods.
This repository also hosts the ground truth that Mandoline is evaluated on. The ground truth consists of manually generated slices of 12 applications.
If you use this tool, please cite:
Khaled Ahmed, Mieszko Lis, and Julia Rubin. MANDOLINE: Dynamic Slicing of Android Applications with Trace-Based Alias Analysis. IEEE International Conference on Software Testing, Verification and Validation (ICST), Distinguished Paper Award, 2021
- Install the Android SDK and build tools: https://developer.android.com/studio/intro/update
- Install python3
- Enable developer options and usb debugging on the Android device: https://developer.android.com/studio/debug/dev-options#enable
- Clone the dynamic slicing core: https://github.com/resess/DynamicSlicingCore
Build and install the dynamic slicing core. Go to the core's repo (https://github.com/resess/DynamicSlicingCore):
cd core/
mvn -Dmaven.test.skip=true clean install
cd -
Build Mandoline. Go back to Mandoline's repo:
cd Mandoline/
mvn -Dmaven.test.skip=true clean install
cd -
Setup the environment.
export ANDROID_JARS=path/to/sdk/platforms
path/to/sdk/platforms: Android SDK platforms path. ex: /Users/khaledea/Library/Android/SDK/platforms
export PATH=$PATH:path/to/sdk/build-tools/
path/to/sdk/build-tools: Android SDK build-tools path. ex: /Users/khaledea/Library/Android/SDK/build-tools/28.0.3/
export PATH=$PATH:path/to/sdk/platform-tools/
path/to/sdk/platform-tools: Android SDK platform-tools path. ex: /Users/khaledea/Library/Android/SDK/platform-tools/
Display the command line options using:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -h
Instrument the APK:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m i -a path/to/apk -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -lc path/to/logger/jar
path/to/apk: path to the apk file to instrument
The instrumentation also generates the jimple code, placed in the output directory under "jimple_code".
path/to/output/directory: path to directory to store instrumentation output
path/to/logger/jar: path to the logger JAR from the dynamic slicing core repository.
Example on the anki app:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m i -a Dataset/1.anki/1.anki.apk -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir -lc ../DynamicSlicingCore/DynamicSlicingLoggingClasses/DynamicSlicingLogger.jar
Sign the instrumented apk using the sign_apk.py script
python3 scripts/sign_apk.py path/to/instrumented/apk
Example:
python3 scripts/sign_apk.py outDir/1.anki_m.apk
Clean up the logcat, remove old installations of the app, and install the instrumented app using the command
python3 scripts/clean_install.py device_id path/to/instrumented/apk
device_id: Id of the Android device to install the app on (obtainable using adb devices)
Example:
python3 scripts/clean_install.py 712KPWQ104XXX outDir/1.anki_m.apk
Play with the app, then extract the trace using the extract_trace.py script
python3 scripts/extract_trace.py device_id trace_file
trace_file: trace file name to save (with path)
Example:
python3 scripts/extract_trace.py 712KPWQ104XXX outDir/trace.log
Build the ICDG from the extracted trace:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m g -a path/to/apk -t path/to/trace -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt
path/to/apk: path to the original apk (not the instrumented one)
path/to/trace: path to the trace file saved by the extract_trace.py script
path/to/output/directory: same output directory where the instrumentation outputs are placed
The ICDG is placed in outDir with the name path/to/trace_icdg.log
Example on the anki app:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m g -a Dataset/1.anki/1.anki.apk -t outDir/trace.log -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir/ -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt
Select a statement to slice from in the ICDG. The statement numbers are on the left of each line in the ICDG file, before the ", " delimiter.
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m s -a path/to/apk -t path/to/trace -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o path/to/output/directory -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt -sp statement_number -sv used-variables-to-slice-from
path/to/apk: path to the original apk (not the instrumented one)
path/to/trace: path to the trace file saved by the extract_trace.py script
path/to/output/directory: same output directory where the instrumentation outputs are placed
statement_number: the statement to slice from
used-variables-to-slice-from: list of variables used at the statement specified by -sp. The list is "-" separated. Do not include the "$" in the variable name
The slices are placed as a csv file in the output directory with the name result_s_{date}.csv
Example:
java -cp "Mandoline/target/mandoline-jar-with-dependencies.jar:Mandoline/target/lib/*" ca.ubc.ece.resess.slicer.dynamic.mandoline.Slicer -m s -a Dataset/1.anki/1.anki.apk -t outDir/trace.log -p $ANDROID_JARS -c FlowDroid/soot-infoflow-android/AndroidCallbacks.txt -o outDir/ -sd FlowDroid/soot-infoflow-summaries/summariesManual -tw FlowDroid/soot-infoflow/EasyTaintWrapperSource.txt -sp 450275 -sv r1-r2
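A small helper for choosing the slicing criterion described above, as an added example that is not part of Mandoline: it pulls statement numbers out of ICDG lines and builds the -sp and -sv arguments. The sample ICDG lines are constructed and the function names are hypothetical; only the "number, statement" layout and the "-"-separated, "$"-free variable list come from this README.

```python
# Added example, not Mandoline code. SAMPLE_ICDG is constructed; the only
# format assumption is "<statement number>, <rest of line>" from the README.
SAMPLE_ICDG = """\
450270, $r3 = virtualinvoke r0.<com.example.Note: java.lang.String getText()>()
450275, r4 = virtualinvoke r1.<java.lang.String: java.lang.String concat(java.lang.String)>(r2)
not-a-statement line
"""


def find_statements(icdg_text, needle):
    """Return (statement_number, statement_text) for ICDG lines containing needle."""
    hits = []
    for line in icdg_text.splitlines():
        # Split on the first ", " only: the statement text may contain ", " too.
        number, sep, rest = line.partition(", ")
        if sep and number.strip().isdigit() and needle in rest:
            hits.append((int(number), rest))
    return hits


def slice_args(statement_number, variables):
    """Build the -sp / -sv arguments for the Slicer's -m s mode."""
    names = []
    for var in variables:
        # The README asks for variable names without the leading "$".
        name = var[1:] if var.startswith("$") else var
        # "-" separates list entries, so a name containing it would be misread.
        if not name or "-" in name or any(c.isspace() for c in name):
            raise ValueError(f"not usable in -sv: {var!r}")
        if name not in names:
            names.append(name)
    if not names:
        raise ValueError("at least one variable is required")
    return ["-sp", str(int(statement_number)), "-sv", "-".join(names)]


if __name__ == "__main__":
    for number, text in find_statements(SAMPLE_ICDG, "concat"):
        print(number, text)
    print(" ".join(slice_args(450275, ["r1", "$r2"])))
```

Appending the returned list to the argument list of the slicing command, rather than pasting it into a shell string, keeps "$" in variable names from being expanded by the shell.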
You can also run the script scripts/run_app.sh to run all the steps. Just modify the first few lines: the environment variables, the output directory, the full path to the APK, the APK package name, and the tool mode. Run the script from the project's base directory.
If you experience any issues, please submit an issue or contact us at [email protected]