wspr-ncsu/fred
FReD - Identifying File Re-Delegation in Android System Services

Build ACMiner

Fred was built on top of ACMiner and is essentially an extension of ACMiner's code, so to build Fred you must first pull both the ACMiner (https://github.com/wspr-ncsu/acminer) code and the Fred (https://github.com/wspr-ncsu/fred) code. Then copy the Fred code into the ACMiner tree:

  • fred/config -> acminer/config
  • fred/scripts -> acminer/scripts
  • fred/src -> acminer/src

Then, from the ACMiner directory, build according to the ACMiner build instructions.

Running Fred

Running Fred is separated into several phases: running ACMiner, identifying file paths in code, identifying file paths and permission structures on the system, and analyzing the collected data.

Run ACMiner

Fred relies on the output of ACMiner, so the first step in running Fred is to run ACMiner. The ACMiner Git repo contains instructions for running ACMiner, samples of the required files, and instructions for modifying those files. They should all be put in a working directory, which you can specify with the -i "work" option. Missing from the ACMiner instructions is where to source the required system_img.zip file, because how it is created has varied widely across Android versions. For Android 10, how to create the file is described [here](https://github.com/wspr-ncsu/acminer/blob/main/samples/android_info.xml). That page also describes where several other required files can be found. Be aware that running ACMiner requires a lot of memory, in the 100GB or more range, because of Soot's memory usage and the size of the code base.

Run Fred Phase 1

Once you have successfully run ACMiner, you can run the first phase of Fred. The purpose of the first phase is to identify methods related to file operations and their use throughout the code. These occurrences of file methods are then used to extract the file paths of the files being accessed.

Fred requires the creation of several additional files before this phase can be run. The Fred repo supplies samples of these files for Android 10. Most of these files will likely need to be updated for newer Android versions. The required input files for the first phase of Fred are:

  • work/fred/android_api_in.jar - See https://github.com/wspr-ncsu/acminer/blob/main/samples/android_info.xml for where I got this file.
  • work/AndroidManifest.xml - See https://github.com/wspr-ncsu/acminer/blob/main/samples/android_info.xml for where I got this file.
  • work/fred/file_methods_excluded_elements_in.txt - A list of classes and packages that are not to be considered to contain file methods. These help reduce call graph bloat.
  • work/fred/file_methods_java_api_indicator_in.txt - A list of Java packages we want to search through. Essentially, the methods in these packages become sources for the file method identification process.
  • work/fred/file_methods_native_in.txt - A known list of native file methods. These are sinks for the file method identification process.
  • work/fred/file_actions_excluded_elements_in.txt - A list of classes and packages that are not to be considered to contain file actions. These help reduce call graph bloat.
  • work/fred/special_caller_context_queries_temp.txt - This is a file copied over from Arf that is used in the analysis phase. It likely does not need to be modified.

The first phase requires that you supply the same working directory that was supplied to ACMiner, as it uses some of the same files. Note that, like ACMiner, this phase can require quite a bit of memory. You can run it with the following command:

java -Xms100g -Xmx100g -jar ACMiner-All.jar -i "work" --Fred

Replace the file paths as needed. After the first phase of Fred has run, you should have an XML file, work/fred/file_paths_db.xml, containing the extracted file paths of file operations called from binder entry points. The binder entry points are sourced from ACMiner.

Run Fred Phase 2

For the next phase of Fred, run ls -laRZ on the root directory of an Android device to get a complete listing of the files on the device together with their permissions, user, and group. Capture this in a text file such as file_tree_root.txt. Next, extract the /etc/permissions folder (i.e. the folder that contains the platform.xml file mapping permissions to users/groups) from the system_img.zip file. Then run the Python script scripts/dac_db.py with the arguments:

python dac_db.py -f work/fred/parts/file_tree_root.txt -d work/fred/parts --json -p permissions --findusersandgroups

Change the file paths as needed depending on where you put the file tree dump and the permissions directory. This should create a platform-permissions_db.json file and a file_tree_root_db.json file. Copy these files into work/fred and make sure they are named platform-permissions_db.json and file_tree_db.json respectively.
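As an added illustration (not the project's dac_db.py, whose output schema is not shown here), the following Python builds the two lookups this phase produces from constructed input: a file-tree database keyed by path from ls -laRZ output (assuming toybox's column order), and a gid-to-permission map from platform.xml. It then answers the DAC question the later analysis can build on, namely which platform permissions let a non-owner process read a given file; the sample listing, the platform.xml excerpt and the `<world-readable>` marker are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed `ls -laRZ /` sample (toybox columns: mode, links, user, group, context, size, date, time, name).
LS_OUTPUT = """\
/system/etc:
-rw-r--r-- 1 root root u:object_r:system_file:s0 50 2020-01-01 00:00 hosts
/data/misc/bluetooth:
drwxrwx--- 2 bluetooth net_bt u:object_r:bluetooth_data_file:s0 4096 2020-01-01 00:00 .
-rw-rw---- 1 bluetooth net_bt u:object_r:bluetooth_data_file:s0 128 2020-01-01 00:00 bt_config.conf
-rw------- 1 bluetooth net_bt u:object_r:bluetooth_data_file:s0 64 2020-01-01 00:00 bt_keys
"""

# Constructed excerpt in the shape of /etc/permissions/platform.xml.
PLATFORM_XML = """<permissions>
  <permission name="android.permission.BLUETOOTH"><group gid="net_bt"/></permission>
  <permission name="android.permission.INTERNET"><group gid="inet"/></permission>
</permissions>"""

ENTRY = re.compile(r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")

def parse_file_tree(text):
    """Map each absolute path to its DAC mode, owner, group and SELinux label."""
    db, cwd = {}, "/"
    for line in text.splitlines():
        if line.endswith(":") and " " not in line:   # "dir:" header emitted by ls -R
            cwd = line[:-1]
            continue
        m = ENTRY.match(line)
        if not m or m.group(5) in (".", ".."):
            continue
        mode, user, group, ctx, name = m.groups()
        db[cwd.rstrip("/") + "/" + name] = dict(mode=mode, user=user, group=group, context=ctx)
    return db

def parse_platform_permissions(xml_text):
    """Invert platform.xml: for each gid, the permissions that grant it."""
    gid_to_perms = {}
    for perm in ET.fromstring(xml_text).iter("permission"):
        for grp in perm.findall("group"):
            gid_to_perms.setdefault(grp.get("gid"), []).append(perm.get("name"))
    return gid_to_perms

def permissions_granting_read(db, gid_to_perms, path):
    """Permissions a non-owner needs to read `path`, or a marker if anyone can."""
    mode, group = db[path]["mode"], db[path]["group"]
    if mode[7] == "r":                 # other-read bit set: no permission needed at all
        return ["<world-readable>"]
    return gid_to_perms.get(group, []) if mode[4] == "r" else []   # group-read bit
```

A file that a system service opens on a caller's behalf is only interesting when the caller could not have read it directly, which is exactly what an empty result (or a result listing only permissions the caller lacks) signals.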

Run Fred Phase 3

Finally, the jar needs to be run again but with a different main method:

java -Xms10g -Xmx10g -cp ACMiner-All.jar org.sag.fred.phases.fred.FredAnalysis -i work

This will run the final analysis of Fred and output the findings to the folder work/fred/fred.
