Skip to content

Usage of IccTA

Jump to bottom Edit New page
Li Li edited this page Oct 13, 2015 · 27 revisions

IccTA is based on FlowDroid and Epicc to perform Inter-Component (and Inter-Application) Communication based Taint Analysis.

Prepare environment

More specifically, to launch IccTA, the following components are needed.

The easiest way (or best practice) of running IccTA is to import all the above projects into Eclipse. The next figure shows how it looks like after importing all necessary projects into eclipse.

Notice that users should explicitly set Java build path for soot-infoflow-android-iccta, the result should look like the next figure.

Besides, IccTA is also relied on database because it uses database to store all the intermediate information, e.g., the ICC links, the database needs to be configured before launching IccTA. We have provided a MYSQL scheme for quickly database setup. The scheme file is located in the res directory. Users can following the next two steps to ready the database.

1) create a database: mysql -uusername -ppassword -e 'create database db_name';
2) import the scheme: mysql -uusername -ppassword db_name < res/schema;

After configuring the database, users can check the database tables like the below figure.

Customise configurations.

When the preparation of IccTA's running environment is finishing, some configurations need to be customised before launch IccTA. In detail, the following modifications are needed.

For Epicc

  • iccProvider/epicc/runEpicc.sh, where you can customise the database's HOST, NAME, USERNAME and PASSWORD as well as the ANDROID_JARS.
  • Create a directory called "output_iccta" in your working directory. Otherwise, you will get a exception: java.io.FileNotFoundException: output_iccta/[filename].csv (No such file or directory), however, this will not influence the analysis results of Epicc.

I strongly recommend you to use IC3 to replace Epicc in your experiments.

For IccTA

  • res/jdbc.xml, where you need to customise the information of your database.

Launch IccTA

After you have downloaded and/or built all required components, you can run IccTA:

# First, launching Epicc to build ICC links for an Android application.
./runEpicc.sh $path_of_apk

# Then, running IccTA for the above application. 
# Note that IccTA is based on the ICC links extracted by Epicc to perform inter-component analysis.
# The entry-point (main method) of IccTA is implemented in class soot.jimple.infoflow.android.iccta.TestApps.Test
java -jar IccTA.jar ~/github/DroidBench/apk/InterCompCommunication_startActivity1/InterCompCommunication_startActivity1.apk  ~/github/android-platforms

The more details are listed below. Usage: java -jar IccTA.jar path_to_apk_file path_to_android_jar [all_params_of_FlowDroid]

  • -aliasflowins This option makes the alias search flow-insensitive and may generate more false positives, but on the other hand can greatly reduce runtime for large applications
  • -androidJars Spedivy the android jars, e.g., the dir of android-platforms usually used by Soot
  • -apkPath Specify the apk path that you want to analyze
  • -aplength Sets the maximum access path length to n. The default is 5. In general, larger values make the analysis more precise, but also more expensive
  • -enableDB Put the result to db
  • -help Print this message
  • -iccProvider Specify the icc provider, default is Epicc
  • -intentMatchLevel Specify the intent match level: 0 means only explicit Intents, 1 means 0+action/categories, 2 means 1+mimetype and the default 3 means everything;
  • -nocallbacks Disables the emulation of Android callbacks (button clicks, GPS location changes, etc.) This option reduces the runtime, but may miss some leaks
  • -nopaths Just shows which sources are connected to which sinks, but does not reconstruct exact propagation paths. Note that this option does not affect precision. It just disables the additional path processing
  • -nostatic Disables tracking static fields. Makes the analysis faster, but may also miss some leaks
  • -pathalgo Specifies the path reconstruction algorithm to be used. There are the following possibilities: 1) "sourcesonly" just shows which sources are connected to which sinks, but does not reconstruct exact propagation paths. This path algorithm is context-insensitive by construction, but also the fastest algorithm. 2) "contextinsensitive" shows the complete propagation path from source to sink and is context-insensitive. 3) "contextsensitive" shows the complete propagation path from source to sink and is fully context-sensitive. It is the most precise, but also the slowest and most memory-demanding algorithm.
Add a custom footer
Add a custom sidebar
Clone this wiki locally