MichaelXi3/android-provenance-parser

Android Provenance Log Parser

This Python project provides utilities to parse and visualize provenance graphs generated by the Camflow Android Provenance system. It includes four utilities that let users interact with provenance graphs in different ways.

Utility 1: provLogParser.py

provLogParser.py parses log files and generates a provenance graph. It accepts optional arguments for the type of graph to draw and a flag to collapse the provenance graph by version_activity.

Usage:

python3 provLogParser.py [-h] [--graph_type GRAPH_TYPE] --log_file LOG_FILE --collapse COLLAPSE
  • -h, --help: Show the help message and exit
  • --graph_type GRAPH_TYPE: Optional. Specify the type of graph to draw. Options: 'digraph' or 'multigraph' or '3d'
  • --log_file LOG_FILE: Required. Specify the path to the log file
  • --collapse COLLAPSE: Required. Collapse provenance graph (provG) by version_activity
# Example Usage - you can copy this directly to your command line to get the graph
python3 provLogParser.py --graph_type digraph --log_file ./ProvG-Executable/example-write-file.log --collapse true
python3 provLogParser.py --graph_type 3d --log_file ./ProvG-Executable/example-cp.log --collapse true

Utility 2: provGraphDiff.py

provGraphDiff.py compares two provenance graphs and writes the differences between their path nodes' pathnames to a file named pathname-diff.txt. It accepts arguments for the paths of two log files and an optional argument for relation types if you also want to check the differences in relation types and their corresponding counts.

Usage:

python3 provGraphDiff.py [-h] --path1 PATH1 --path2 PATH2 [--relation RELATION]
  • -h, --help: Show the help message and exit
  • --path1 PATH1: Required. Specify the path to the first log file
  • --path2 PATH2: Required. Specify the path to the second log file
  • --relation RELATION: Optional. Get diffs in relation types and counts
# Example Usage - you can copy this directly to your command line to get the diff
python3 provGraphDiff.py --path1 ./logs/audit7.log --path2 ./logs/audit1.log --relation true

Utility 3: provSubgraphBFS.py

provSubgraphBFS.py performs a breadth-first search (BFS) on a provenance graph. It accepts arguments for the path of a log file, the start node id, and the depth of the BFS.

Usage:

python3 provSubgraphBFS.py [-h] --path PATH --start START --depth DEPTH
  • -h, --help: Show the help message and exit
  • --path PATH: Required. Specify the path to the log file
  • --start START: Required. Enter the start node id of the BFS
  • --depth DEPTH: Required. Specify the depth of the BFS
# Example Usage - you can copy this directly to your command line to get the graph
python3 provSubgraphBFS.py --path ./logs/audit8.log --start AABAAAAAACRM20QdYilYJwEAAAB5kZYJAAAAAAAAAAA= --depth 3
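The depth-limited subgraph extraction that provSubgraphBFS.py performs, as an added example that is not the repository's own code. It assumes the log is one W3C PROV-JSON object per line in the shape CamFlow emits, with node ids and pathnames constructed here, and it follows edges without regard to direction; the real tool's log layout and traversal direction may differ.

```python
import json
from collections import deque
# Constructed sample, one W3C PROV-JSON object per log line as CamFlow emits
# (assumed layout, not taken from the repository). Path entities carry cf:pathname.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"activity": {"task:1": {"cf:type": "task"}},
     "entity": {"file:cfg": {"cf:type": "file", "cf:pathname": "/data/app.cfg"},
                "file:out": {"cf:type": "file", "cf:pathname": "/data/out.log"}}},
    {"used": {"e1": {"prov:activity": "task:1", "prov:entity": "file:cfg"}}},
    {"wasGeneratedBy": {"e2": {"prov:entity": "file:out", "prov:activity": "task:1"}}},
    {"activity": {"task:2": {"cf:type": "task"}},
     "used": {"e3": {"prov:activity": "task:2", "prov:entity": "file:out"}}},
])

# Relation type -> (source key, target key) inside a PROV-JSON relation record.
ENDPOINTS = {
    "used": ("prov:activity", "prov:entity"),
    "wasGeneratedBy": ("prov:entity", "prov:activity"),
    "wasInformedBy": ("prov:informed", "prov:informant"),
    "wasDerivedFrom": ("prov:generatedEntity", "prov:usedEntity"),
}

def parse_log(text):
    """Return (nodes, edges): node id -> attributes, and (src, dst, type) triples."""
    nodes, edges = {}, []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        for kind in ("activity", "entity", "agent"):
            nodes.update(rec.get(kind, {}))
        for rel, (sk, tk) in ENDPOINTS.items():
            for attrs in rec.get(rel, {}).values():
                edges.append((attrs[sk], attrs[tk], rel))
    return nodes, edges

def subgraph_bfs(edges, start, depth):
    """Depth-limited BFS ignoring edge direction (an assumption); returns {node: hops} and the edges inside the reached set."""
    adj = {}
    for s, t, _ in edges:
        adj.setdefault(s, set()).add(t)
        adj.setdefault(t, set()).add(s)
    hops, queue = {start: 0}, deque([start])
    while queue:
        n = queue.popleft()
        if hops[n] == depth:
            continue  # frontier reached: do not expand further
        for m in adj.get(n, ()):
            if m not in hops:
                hops[m] = hops[n] + 1
                queue.append(m)
    return hops, [e for e in edges if e[0] in hops and e[1] in hops]
```

Running `subgraph_bfs(parse_log(SAMPLE_LOG)[1], "file:cfg", 2)` reaches file:cfg, task:1 and file:out but stops short of task:2, which sits three hops away.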

Utility 4: provSubgraphDFS.py

provSubgraphDFS.py performs a depth-first search (DFS) on a provenance graph. It accepts arguments for the path of a log file, the start node id, and the end node id of the DFS.

Usage:

python3 provSubgraphDFS.py [-h] --path PATH --start START --end END
  • -h, --help: Show the help message and exit
  • --path PATH: Required. Specify the path to the log file
  • --start START: Required. Enter the start node id of the DFS
  • --end END: Required. Enter the end node id of the DFS
# Example Usage - you can copy this directly to your command line to get the graph
python3 provSubgraphDFS.py --path ./logs/audit8.log --start AABAAAAAACR5YRbQPVi6jQEAAAB5kZYJAAAAAAAAAAA= --end AABAAAAAACRM20QdYilYJwEAAAB5kZYJAAAAAAAAAAA=

Acknowledgments

This project was created as a part of the research and development of the Camflow Android Provenance system. For more details on the system, please visit Camflow's Official Website and Camflow Android Provenance system GitHub page.

About

Parser and utilities for Android provenance log files
