View on GitHub

AQL-System

System using the Analysis Query Language

Download this project as a .zip file Download this project as a tar.gz file

AQL

The Android App Analysis Query Language (AQL) consists of two main parts, namely AQL-Queries and AQL-Answers. AQL-Queries enable us to ask for Android specific analysis subjects in a general, tool independent way. The grammar defining AQL-Queries can be found here.

Example 1: AQL-Queries

The following exemplary query can be used to get all Flows (e.g. taint flows) inside one app:

Flows IN App(’/path/to/example.apk’) ?

it is also possible to ask more specifically (or to filter the result):

Flows FROM 
	Statement(’getDeviceId()’)
	->Method(’onCreate(...)’)
	->Class(’MainActivity’)
	->App(’/path/to/example1.apk’) 
TO 
	Statement(’sendTextMessage(...)’)
	->Method(’onCreate(...)’)
	->Class(’MainActivity’)
	->App(’/path/to/example2.apk’)
?

Different operators are available to merge and further filter queries as well as methods to match intents and intent-filters.
More information about AQL-Queries can be found here.

Similarly, AQL-Answers are used to represent analysis results in a standardized form.
The syntax of AQL-Answers is defined via an XML schema definition (XSD).

Example 2: AQL-Answers

An AQL-Answer to the query from above could be (shortened):

<answer>
	<flows>
		<flow>
			<reference type="from">
				<statement>... getDeviceId() ...</statement>
				<method>... onCreate(...) ...</method>
				<classname>... MainActivity</classname>
				<app>
					<file>.../DirectLeak1.apk</file>
					<hashes>...</hashes>
				</app>
			</reference>
			<reference type="to">
				...
				sendTextMessage(...)
				...
			</reference>
		</flow>
	</flows>
</answer>

It shows a taint flow from a getDeviceId() statement to a sendTextMessage(...) statement.

AQL-System

The associated AQL-System takes AQL-Queries as input and outputs AQL-Answers.
To do so, it requires a configuration in form of an .xml file that describes

which tools are avaliable in a certain instance of the AQL-System and how to execute these,
which queries can be answered by which tool and
how to convert a tool’s result into an AQLAnswer.

Example 3

For instance, an AQL-System can be configured to execute FlowDroid in case of intra-app flow questions and IccTA in case of inter-app questions, since FlowDroid does not support such questions. Considering the example from above the AQL-System recognizes that FlowDroid is available and able to answer the query regarding flows inside one app only. Consequently, FlowDroid is launched and its result is converted into an AQL-Answer.

Usage

Our wiki contains tutorials how to use/extend the AQL-System: here
(Along with version 2.0.0 we added video tutorials)

Execution

One tutorial deals with a simple run-through. It guides the user how to install, configure and execute an AQL-System, which is setup to use Amandroid. In general the AQL-System can be started with the following command (Launch parameters):

java -jar AQL-System-2.0.0.jar

Development

Library
The AQL-System or only its internal datastructure (AQL-Lib) can be used by or in other tools. We offer to options for integration:

Maven

<dependency>
	<groupId>de.foellix</groupId>
	<artifactId>AQL-System</artifactId>
	<version>2.0.0</version>
</dependency>

.jar Import
All releases can be found here.

Building from source code (Terminal)

Clone repository
Navigate to repository cd AQL-System
Use Maven to build: mvn
- Build is stored inside the project’s directory: AQL-System/target/build

Run the build (Launch parameters):

  cd AQL-System/target/build
  java -jar AQL-System-2.0.0.jar

Building from source code (Eclipse)

Import Maven project to Eclipse
Build pom.xml as Maven project
- Build is stored inside the project’s directory: projectDirectory/target/build
Run de.foellix.aql.ui.cli.CommandLineInterface as Java Application (Launch parameters)

Publications

Do Android Taint Analysis Tools Keep Their Promises? (Felix Pauck, Eric Bodden, Heike Wehrheim)
ESEC/FSE 2018 https://dl.acm.org/citation.cfm?id=3236029
Together Strong: Cooperative Android App Analysis (Felix Pauck, Heike Wehrheim)
ESEC/FSE 2019 https://dl.acm.org/citation.cfm?id=3338915
TaintBench: Automatic real-world malware benchmarking of Android taint analyses (Linghui Luo, Felix Pauck, …) EMSE 2022 https://link.springer.com/article/10.1007%2Fs10664-021-10013-5

License

The AQL-System is licensed under the GNU General Public License v3 (see LICENSE).

Contact

Felix Pauck (FoelliX)
Paderborn University
fpauck@mail.uni-paderborn.de
http://www.FelixPauck.de

Links

The AQL-System is part of BREW: https://github.com/FoelliX/BREW
which is used in the ReproDroid toolchain: https://github.com/FoelliX/ReproDroid
and in the CoDiDroid framework: https://github.com/FoelliX/CoDiDroid