Difference between revisions of "Tracking Variables"

From AtlasWiki
Line 3: Line 3:
 
1. Identify variable of interest.  The variable we are concerned with is the <code>PrivateKey</code> variable <code>priv</code> used in the method <code>changePassword</code>.
 
1. Identify variable of interest.  The variable we are concerned with is the <code>PrivateKey</code> variable <code>priv</code> used in the method <code>changePassword</code>.
  
[[File:ChangePassword.png|500px]]
+
[[File:ChangePassword.png|550px|border]]
  
 
2. The variable is set by a call to the <code>decodePrivate</code> method in <code>PubkeyUtils</code>.  Let's have a look at this method.
 
2. The variable is set by a call to the <code>decodePrivate</code> method in <code>PubkeyUtils</code>.  Let's have a look at this method.
  
[[File:DecodePrivate.png|500px]]
+
[[File:DecodePrivate.png|550px|border]]
  
 
3. The implementation here is simple; the parameters are passed along to another method of the same name.  In the event that a <code>secret</code> is provided, the encoded parameter is decrypted first.
 
3. The implementation here is simple; the parameters are passed along to another method of the same name.  In the event that a <code>secret</code> is provided, the encoded parameter is decrypted first.
Line 13: Line 13:
 
We can use the Smart View to inspect this method more easily.  The Forward Call script will show us all methods called when generating our <code>PrivateKey</code>.  Through the course of evaluating this method, eighteen library methods are called from <code>android.jar</code>.  For easy viewing, we can click the minimize button in the upper left corner of the graph element to collapse it.
 
We can use the Smart View to inspect this method more easily.  The Forward Call script will show us all methods called when generating our <code>PrivateKey</code>.  Through the course of evaluating this method, eighteen library methods are called from <code>android.jar</code>.  For easy viewing, we can click the minimize button in the upper left corner of the graph element to collapse it.
  
[[File:DecodePrivate_ForwardCall.png|300px]]
+
[[File:DecodePrivate_ForwardCall.png|350px|border]]
 +
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 +
[[File:DecodePrivate_LibraryAccess.png|400px|border]]
  
4. This graph provides insight into a few points of interest.  The conditional call to <code>decrypt</code> represents the bulk of the calls required for this operation.  After <code>encoded</code> is decrypted, the rest of the work is handled in the overloaded method <code>decodePrivate</code>.
+
4. This graph provides insight into a few points of interest.  The conditional call to <code>decrypt</code> represents the bulk of the calls required for this operation.  After <code>encoded</code> is decrypted, the rest of the work is handled in the overloaded method <code>decodePrivate</code>.  Clicking on this method shows what library calls it makes in decoding.
  
 
Now we know that a data flow analysis extending as far as this method will show us information that is exchanged in generating our <code>PrivateKey</code>.  The Connection view can build this dataflow graph for us.  Enter <code>changePassword</code> in the Roots pane and <code>decodePrivate</code> into the Leaves pane of the view.
 
Now we know that a data flow analysis extending as far as this method will show us information that is exchanged in generating our <code>PrivateKey</code>.  The Connection view can build this dataflow graph for us.  Enter <code>changePassword</code> in the Roots pane and <code>decodePrivate</code> into the Leaves pane of the view.
  
[[File:Dataflow_in.png|500px]]
+
[[File:Dataflow_in.png|500px|border]]
  
The Connection View shows the two parameters being passed into the method, across packages.  The provided type parameter is used to acquire the appropriate <code>KeyFactory</code> from the library.
+
5. The Connection View shows the two parameters being passed into the method, across packages, and declared as local variablesOne informative feature of this graph is the absence of dataflow within the method.  This shows that <code>decodePrivate</code> performs no logical operation on either parameter before using them in library calls.  We can expose all dataflow within this method by adding it to the Roots pane as well as Leaves.
  
[[File:Dataflow_out.png|400px]]
+
[[File:DataflowWithinMethod.png|500px|border]]
 +
 
 +
6. (Now show dataflow back)
 +
 
 +
[[File:Dataflow_out.png|400px|border]]
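Review bot: step 6, added at the end of this hunk as "(Now show dataflow back)", is a placeholder with no explanatory text, so the Dataflow_out.png figure placed under it has nothing describing what the reader should see; write the step out or hold the figure back until the text exists. The rewritten step 5 also drops the earlier sentence saying the type parameter is used to acquire the appropriate <code>KeyFactory</code> from the library. If that is still accurate it is worth keeping, because it was the only statement of what either parameter is used for once it reaches the library calls. Minor: Dataflow_in.png gains a border but stays at 500px while the other figures in this revision were widened by 50px.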

Revision as of 14:59, 27 April 2015

"Where does this variable come from?"

1. Identify variable of interest. The variable we are concerned with is the PrivateKey variable priv used in the method changePassword.

ChangePassword.png

2. The variable is set by a call to the decodePrivate method in PubkeyUtils. Let's have a look at this method.

DecodePrivate.png

3. The implementation here is simple; the parameters are passed along to another method of the same name. In the event that a secret is provided, the encoded parameter is decrypted first.

We can use the Smart View to inspect this method more easily. The Forward Call script will show us all methods called when generating our PrivateKey. Through the course of evaluating this method, eighteen library methods are called from android.jar. For easy viewing, we can click the minimize button in the upper left corner of the graph element to collapse it.

DecodePrivate ForwardCall.png        DecodePrivate LibraryAccess.png

4. This graph provides insight into a few points of interest. The conditional call to decrypt represents the bulk of the calls required for this operation. After encoded is decrypted, the rest of the work is handled in the overloaded method decodePrivate. Clicking on this method shows what library calls it makes in decoding.

Now we know that a data flow analysis extending as far as this method will show us information that is exchanged in generating our PrivateKey. The Connection view can build this dataflow graph for us. Enter changePassword in the Roots pane and decodePrivate into the Leaves pane of the view.

Dataflow in.png

5. The Connection View shows the two parameters being passed into the method, across packages, and declared as local variables. One informative feature of this graph is the absence of dataflow within the method. This shows that decodePrivate performs no logical operation on either parameter before using them in library calls. We can expose all dataflow within this method by adding it to the Roots pane as well as Leaves.

DataflowWithinMethod.png

6. (Now show dataflow back)

Dataflow out.png
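The two queries used in this walkthrough, written out over a small graph as an added example (this is not Atlas code, and it is not taken from the application under analysis). The edge list is constructed: changePassword, decodePrivate and decrypt are names from the steps above, while the "/3" and "/2" overload suffixes, unrelatedHelper and the lib:* nodes are placeholders. For brevity the roots-to-leaves query runs over call edges here, whereas the Connection view in the walkthrough applies it to data flow.

```python
from collections import deque

# Constructed call edges (caller, callee). "/3" is the decodePrivate overload that
# takes a secret, "/2" the overload it delegates to; both labels are assumptions.
CALLS = [
    ("changePassword", "decodePrivate/3"),
    ("changePassword", "unrelatedHelper"),      # placeholder: a call off the path
    ("decodePrivate/3", "decrypt"),             # conditional: only when a secret is given
    ("decodePrivate/3", "decodePrivate/2"),
    ("decrypt", "lib:cipher"),                  # placeholder library nodes
    ("decodePrivate/2", "lib:keyfactory"),
    ("unrelatedHelper", "lib:log"),
]

def _adjacency(edges, reverse=False):
    """Build node -> neighbours, optionally with every edge flipped."""
    adj = {}
    for src, dst in edges:
        a, b = (dst, src) if reverse else (src, dst)
        adj.setdefault(a, set()).add(b)
    return adj

def _reach(adj, starts):
    """Breadth-first reachability; the start nodes are included in the result."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def forward_calls(edges, root):
    """Forward Call: everything transitively called from root (root excluded)."""
    return _reach(_adjacency(edges), [root]) - {root}

def connection(edges, roots, leaves):
    """Roots/Leaves query: keep only edges that lie on some root-to-leaf path."""
    down = _reach(_adjacency(edges), roots)               # reachable from a root
    up = _reach(_adjacency(edges, reverse=True), leaves)  # can reach a leaf
    keep = down & up
    return {(s, d) for s, d in edges if s in keep and d in keep}

if __name__ == "__main__":
    print(sorted(forward_calls(CALLS, "decodePrivate/3")))
    print(sorted(connection(CALLS, ["changePassword"], ["decodePrivate/2"])))
```

The second query drops unrelatedHelper and decrypt because neither leads to the leaf, which is why a roots-to-leaves graph is so much smaller than the forward call graph of the same root.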