[Soot-list] Incomplete Call Graph for Web Application

Eric Bodden eric.bodden at ec-spride.de
Tue Dec 11 07:34:30 EST 2012


Hi Zhiyuan.

The problem is that Spark is more clever than you might think.

You pass "null" as arguments to doPost, which means that the "missing"
calls are not actually missing - they would never occur in that
program. If you get your main method right then Spark should do the
right thing.

Eric

On 11 December 2012 08:27,  <wanzhiyuan at zju.edu.cn> wrote:
> Hi there.
> I have encountered some problems when generating the call graph of web
> applications using Soot. The interface edge has not been added to the call
> graph, which makes the call graph incomplete.
>
> Here is a sample code snippet under analysis (a simple servlet) (method
> "main" presented as a stub):
> ------------------------------------------------------------------------------------------------------------------------------------------------------
> import java.io.IOException;
> import java.sql.Connection;
> import java.sql.DriverManager;
> import java.sql.SQLException;
> import java.sql.Statement;
>
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
>
> public class TestServlet extends HttpServlet {
>     public static void main(String[] args) {
>         try {
>             new TestServlet().doPost(null, null);
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>     public void doPost(HttpServletRequest request, HttpServletResponse
> response)
>               throws ServletException, IOException {
>         String tainted = request.getParameter("name");
>         try {
>             Connection conn = DriverManager.getConnection(
>                     "localhost", "test", "test");
>             Statement statement = conn.createStateme nt();
>             //statement.execute("select * from student where name = '" +
> tainted + "'");
>             statement.execute(tainted);
>         } catch (SQLException e) {
>             e.printStackTrace();
>         }
>       }
> }
> ------------------------------------------------------------------------------------------------------------------------------------------------------
> The command line I used is:
> C:\soot>java -cp soot-2.5.0.jar soot.Main -w -app -p cg.spark on -cp
> "C:/Program Files/Java/jdk6/lib/jce.jar;C:/Program
> Files/Java/jdk6/lib/rt.jar;C:/classes/;C:/lib/servlet.jar" -p cg
> verbose:true TestServlet
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------
> And I extracted the part in call graph of method "TestServlet.doPost":
> <TestServlet: void
> doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>
> may call <java.sql.DriverManager: void <clinit>()>
> <TestServlet: void
> doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>
> may call <java.lang.Throwable: void printStackTrace()>
> <TestServlet: void
> doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>
> may call <java.lang.Object: void <clinit>()>
> <TestServlet: void
> doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>
> may call <java.sql.DriverManager: java.sql.Connection
> getConnection(java.lang.String,java.lang.String,java.lang.String)>
>
> As the details above illustrate, I found that all the interface edges (e.g.
> request.getParameter, conn.createStatement, statement.execute) are ignored
> by Spark.
> However, servlets are dominating components in web applications. Is there any
> suggestion to make the call graph of a web app complete?
>
> Thanks,
>
> Zhiyuan
>



-- 
Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering Group at EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
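
An added example, not from either poster and not part of Soot: one shape a "right" main method could take, where doPost receives allocated objects instead of null, so Spark has a concrete receiver type to resolve request.getParameter against. TestServletDriver, StubRequest and StubResponse are hypothetical names, and the sketch assumes the servlet.jar on the analysis classpath provides HttpServletRequestWrapper and HttpServletResponseWrapper.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Analysis-only entry point (hypothetical): analysed in place of the
 * main() stub inside TestServlet. It is not meant to be executed.
 */
public class TestServletDriver {

    /** Concrete request type, so "request" in doPost has an allocation site. */
    static class StubRequest extends HttpServletRequestWrapper {
        StubRequest() {
            super(null); // nothing to wrap; acceptable only because this never runs
        }

        @Override
        public String getParameter(String name) {
            // A freshly allocated String stands in for attacker-controlled input.
            return new String("stub-" + name);
        }
    }

    /** Concrete response type; doPost in the sample never calls it. */
    static class StubResponse extends HttpServletResponseWrapper {
        StubResponse() {
            super(null);
        }
    }

    public static void main(String[] args) throws ServletException, IOException {
        HttpServletRequest request = new StubRequest();
        HttpServletResponse response = new StubResponse();
        // Non-null arguments: the receiver of request.getParameter(...) now has
        // a known type (StubRequest) for the call graph to resolve against.
        new TestServlet().doPost(request, response);
    }
}
```

The stubs cover only the two servlet arguments; the JDBC objects obtained inside doPost are outside this example.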

