<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>You might also be interested in the work we have done for de-obfuscating Android apps. There are quite a number of apps that use reflective calls with encrypted targets that only get decrypted at runtime right before the call to hinder analysis tools and make it harder for human analysts. We have found a way to remove such obfuscation in most cases. You can get the Technical Report here: <a href="http://www.bodden.de/pubs/TUD-CS-2015-0031.pdf">www.bodden.de/pubs/TUD-CS-2015-0031.pdf</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'> Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> soot-list-bounces@CS.McGill.CA [mailto:soot-list-bounces@CS.McGill.CA] <b>Im Auftrag von </b>Andrew Bedford<br><b>Gesendet:</b> Montag, 7. September 2015 01:21<br><b>An:</b> Ben Holland<br><b>Cc:</b> soot-list@cs.mcgill.ca<br><b>Betreff:</b> Re: [Soot-list] String propagation in points-to analyses<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p><span lang=EN-CA>Thank you! I’ll check it out right away.<o:p></o:p></span></p><p><span lang=EN-CA><o:p> </o:p></span></p><p><span lang=EN-CA><o:p> </o:p></span></p><p><span lang=EN-CA><o:p> </o:p></span></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p><span lang=EN-CA><br><b>From: </b>Ben Holland<br><b>Sent: </b>September 6, 2015 2:08 PM<br><b>To: </b>Andrew Bedford<br><b>Cc: </b><a href="mailto:soot-list@cs.mcgill.ca">soot-list@cs.mcgill.ca</a><br><b>Subject: </b>Re: [Soot-list] String propagation in points-to analyses<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-CA style='font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:12.0pt;font-family:"Times New Roman","serif"'>You might want to check out the Java String Analysis (JSA) work. It's been used to some cases if reflective invocation.<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-CA style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-CA style='font-size:12.0pt;font-family:"Times New Roman","serif"'><a href="http://www.brics.dk/JSA/" target="_BLANK">http://www.brics.dk/JSA/</a><br><br>~Benjamin Holland<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>On Sep 5, 2015, at 5:35 PM, Andrew Bedford <<a href="mailto:andrew.bedford.1@ulaval.ca">andrew.bedford.1@ulaval.ca</a>> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p><span lang=EN-CA>Hi!<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p><p><span lang=EN-CA>I am trying to use the points-to analysis of Soot (spark) to statically resolve reflection calls in Android applications. I have a question regarding the string propagation. Let’s suppose that we have the following code:<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p><p><span lang=EN-CA> String a = “hello”<o:p></o:p></span></p><p><span lang=EN-CA> String b = “world”<o:p></o:p></span></p><p><span lang=EN-CA> String c = a<o:p></o:p></span></p><p><span lang=EN-CA> c = b<o:p></o:p></span></p><p><span lang=EN-CA> String d = a + c<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p><p><span lang=EN-CA>The points-to analysis (with the “string-constants” and “simulate-natives” options turned on) returns something like this:<o:p></o:p></span></p><p><span lang=EN-CA>PointsTo(a) = {“hello”}<o:p></o:p></span></p><p><span lang=EN-CA>PointsTo(b) = {“world”)<o:p></o:p></span></p><p><span lang=EN-CA>PointsTo(c) = {“hello”, “world”}<o:p></o:p></span></p><p><span lang=EN-CA>PointsTo(d) = {new Alloc of String}<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p><p><span lang=EN-CA>Is there a way to set it up so that the PointsTo(d) returns instead {“hellohello”, “helloworld”}? Or is another type of analysis required?<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p><p><span lang=EN-CA>Thanks!<o:p></o:p></span></p><p><span lang=EN-CA> <o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:5.0pt;margin-right:36.0pt;margin-bottom:5.0pt;margin-left:36.0pt'><span lang=EN-CA style='font-size:12.0pt;font-family:"Times New Roman","serif"'>_______________________________________________<br>Soot-list mailing list<br><a href="mailto:Soot-list@CS.McGill.CA">Soot-list@CS.McGill.CA</a><br><a href="https://mailman.CS.McGill.CA/mailman/listinfo/soot-list" target="_BLANK">https://mailman.CS.McGill.CA/mailman/listinfo/soot-list</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-CA><o:p> </o:p></span></p></div></body></html>