Java Symbolic Execution

angr also supports symbolically executing Java code and Android apps! This also includes Android apps using a combination of compiled Java and native (C/C++) code.

Java support is experimental! Contributions from the community are highly encouraged! Pull requests are very welcome!

We implemented Java support by lifting the compiled Java code, both Java and DEX bytecode, leveraging our Soot Python wrapper: pysoot. pysoot extracts a fully serializable interface from Android apps and Java code (unfortunately, as of now, it only works on Linux). For every class of the generated IR (for instance, SootMethod), you can nicely print its instructions (in a format similar to Soot shimple) using print() or str().

We then leverage the generated IR in a new angr engine able to run code in Soot IR: angr/engines/soot/engine.py. This engine is also able to automatically switch to executing native code if the Java code calls any native method using the JNI interface.

Together with the symbolic execution, we also implemented some basic static analysis, specifically a basic CFG reconstruction analysis. Moreover, we added support for string constraint solving, modifying claripy and using the CVC4 solver.

How to install

Enabling Java support requires a few more steps than a typical angr installation. Assuming you installed angr-dev, activate the virtualenv and run:

# CVC4 and pysoot should be already installed (if you used angr-dev to install angr)
# install cvc4, needed for String solving
pip install cvc4-solver
# install pysoot, needed to lift code from JARs and APKs
git clone git@github.com:angr/pysoot.git
cd pysoot
pip install -e .
cd ..
# install a specific version of pysmt (the one currently available on pip is buggy)
pip uninstall pysmt
git clone https://github.com/pysmt/pysmt.git
cd pysmt
git checkout 6d792db47be5f8734db15848faca9bc6b770085e
pip install -e .
cd ..

Analyzing Android apps

Analyzing Android apps (.APK files, containing Java code compiled to the DEX format) requires the Android SDK. Typically, it is installed in <HOME>/Android/SDK/platforms/platform-XX/android.jar, where XX is the Android SDK version used by the app you want to analyze (you may want to install all the platforms required by the Android apps you want to analyze).
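The following script is an added example, not code from the angr documentation or the angr project itself. It ties together the loading steps described above: it turns a Java method signature into the entry-point description the Soot loader needs, checks which Android platforms (and their android.jar) are installed under the SDK, and then creates an angr Project for a JAR or an APK, passing native libraries so that the engine can switch to native code at JNI calls, and prints the lifted Soot IR of a method. The main_opts keys (entry_point, entry_point_params, android_sdk, jni_libs, supported_jni_archs) and the loader.main_object.classes layout are assumed to match angr's Java loader; every path and class name is a placeholder.

```python
"""Added example: loading a JAR/APK into angr's Java (Soot IR) support.

Not part of the angr documentation or project. Option names and the
loader attribute layout are assumptions about angr's Java loader; paths
and class names are placeholders.
"""
import os
import re

# A Java-style method signature such as
#   "void com.example.MainActivity.onCreate(android.os.Bundle)"
# The return type is optional; only the fully qualified method name and the
# parameter types are needed to describe an entry point to angr.
_SIG_RE = re.compile(r"^\s*(?:[\w.$\[\]]+\s+)?([\w.$]+)\s*\(([^)]*)\)\s*$")


def entry_point_from_signature(signature):
    """Turn a Java method signature into (entry_point, entry_point_params)."""
    m = _SIG_RE.match(signature)
    if not m:
        raise ValueError("not a Java method signature: %r" % signature)
    qualified_name, raw_params = m.group(1), m.group(2)
    if "." not in qualified_name:
        raise ValueError("method name must be qualified with its class")
    params = tuple(p.strip() for p in raw_params.split(",") if p.strip())
    return qualified_name, params


def installed_android_platforms(sdk_root):
    """API levels under <sdk_root>/platforms that actually ship android.jar.

    A platform directory without android.jar is an incomplete install and
    is deliberately left out, since the APK loader needs that jar.
    """
    platforms = os.path.join(sdk_root, "platforms")
    levels = []
    if not os.path.isdir(platforms):
        return levels
    for name in os.listdir(platforms):
        m = re.match(r"^android-(\d+)$", name)
        if m and os.path.isfile(os.path.join(platforms, name, "android.jar")):
            levels.append(int(m.group(1)))
    return sorted(levels)


def load_java(path, entry_signature, sdk_root=None, jni_libs=()):
    """Create an angr Project for a JAR or APK.

    angr is imported lazily so the helpers above work without it installed.
    """
    import angr  # assumed: angr with Java support and pysoot installed

    entry_point, params = entry_point_from_signature(entry_signature)
    main_opts = {"entry_point": entry_point, "entry_point_params": params}
    if jni_libs:
        # Native libraries reached through JNI; angr's Soot engine hands
        # execution to the native engine when the Java code calls into them.
        main_opts["jni_libs"] = list(jni_libs)          # assumed option name
        main_opts["supported_jni_archs"] = ["x86"]      # assumed option name
    if path.lower().endswith(".apk"):
        if sdk_root is None or not installed_android_platforms(sdk_root):
            raise ValueError("an APK needs an Android SDK with at least one "
                             "platforms/android-XX/android.jar")
        main_opts["android_sdk"] = os.path.join(sdk_root, "platforms")  # assumed
    return angr.Project(path, main_opts=main_opts)


def dump_method_ir(project, class_name, method_name):
    """Print the shimple-like Soot IR of every overload of a method."""
    cls = project.loader.main_object.classes[class_name]   # assumed layout
    for method in cls.methods:
        if method.name == method_name:
            print(method)


if __name__ == "__main__":
    # Placeholder locations: point these at a real APK and SDK before running.
    sdk = os.path.expanduser("~/Android/Sdk")
    print("installed platforms:", installed_android_platforms(sdk))
    proj = load_java("/path/to/app.apk",
                     "void com.example.MainActivity.onCreate(android.os.Bundle)",
                     sdk_root=sdk, jni_libs=["libnative.so"])
    dump_method_ir(proj, "com.example.MainActivity", "onCreate")
    simgr = proj.factory.simgr(proj.factory.entry_state())
    simgr.run()
```

The lazy import keeps the signature and SDK checks usable on a machine without pysoot (which, as noted above, is Linux-only); the Project is only created once an android.jar for at least one platform has been found.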

Examples

There are multiple examples available: