[Soot-list] Incomplete Call Graph for Web Application

Wan, Zhiyuan wanzhiyuan at zju.edu.cn
Tue Dec 11 08:24:19 EST 2012


Hi Eric,
I took a look at Spark's source code, and found that Spark only adds an "interface" edge to the call graph if the points-to set of the base of the "interface call" is not empty.
In most cases of web applications, the arguments of a function are not available until runtime, so their points-to sets are empty.
My question is, is it possible to make the call graph complete without initializing the arguments of methods like doPost?

I have removed "main" from the program under analysis. To make Soot work, I set "doPost" as the entry point:
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


public class TestServlet extends HttpServlet {
     public void doPost(HttpServletRequest request, HttpServletResponse response)
               throws ServletException, IOException {
          String tainted = request.getParameter("name");
          try {
               Connection conn = DriverManager.getConnection(
                         "localhost", "test", "test");
               Statement statement = conn.createStatement();
               //statement.execute("select * from student where name = '" + tainted + "'");
               statement.execute(tainted);
          } catch (SQLException e) {
               e.printStackTrace();
          }
     }
}

But the results are the same - Spark generated an incomplete call graph:
<TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.sql.DriverManager: void <clinit>()>
<TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.lang.Throwable: void printStackTrace()>
<TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.lang.Object: void <clinit>()>
<TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.sql.DriverManager: java.sql.Connection getConnection(java.lang.String,java.lang.String,java.lang.String)>

As you can see, all the edges are of type STATIC INVOKE.

Wan, Zhiyuan

From: Eric Bodden
Date: 2012-12-11 20:34
To: wanzhiyuan
CC: soot-list
Subject: Re: [Soot-list] Incomplete Call Graph for Web Application
Hi Zhiyuan.

The problem is that Spark is more clever than you might think.

You pass "null" as arguments to doPost, which means that the "missing"
calls are not actually missing - they would never occur in that
program. If you get your main method right then Spark should do the
right thing.

Eric

On 11 December 2012 08:27,  <wanzhiyuan at zju.edu.cn> wrote:
> Hi there.
> I have encountered some problems when generating call graph of web
> applications using Soot. The interface edge has not been added to the call
> graph, that makes the call graph incomplete.
>
> Here is a sample code snippet under analysis (a simple servlet) (method
> "main" presented as a stub):
> ------------------------------------------------------------
> import java.io.IOException;
> import java.sql.Connection;
> import java.sql.DriverManager;
> import java.sql.SQLException;
> import java.sql.Statement;
>
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
>
> public class TestServlet extends HttpServlet {
>     public static void main(String[] args) {
>         try {
>             new TestServlet().doPost(null, null);
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>     public void doPost(HttpServletRequest request, HttpServletResponse response)
>               throws ServletException, IOException {
>         String tainted = request.getParameter("name");
>         try {
>             Connection conn = DriverManager.getConnection(
>                     "localhost", "test", "test");
>             Statement statement = conn.createStatement();
>             //statement.execute("select * from student where name = '" + tainted + "'");
>             statement.execute(tainted);
>         } catch (SQLException e) {
>             e.printStackTrace();
>         }
>     }
> }
> ------------------------------------------------------------
> The command line I used is:
> C:\soot>java -cp soot-2.5.0.jar soot.Main -w -app -p cg.spark on -cp
> "C:/Program Files/Java/jdk6/lib/jce.jar;C:/Program
> Files/Java/jdk6/lib/rt.jar;C:/classes/;C:/lib/servlet.jar" -p cg
> verbose:true TestServlet
>
> ------------------------------------------------------------
> And I extracted the part in call graph of method "TestServlet.doPost":
> <TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.sql.DriverManager: void <clinit>()>
> <TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.lang.Throwable: void printStackTrace()>
> <TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.lang.Object: void <clinit>()>
> <TestServlet: void doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> may call <java.sql.DriverManager: java.sql.Connection getConnection(java.lang.String,java.lang.String,java.lang.String)>
>
> As the details above illustrate, I found that all the interface edges (e.g.
> request.getParameter, conn.createStatement, statement.execute) are ignored
> by Spark.
> However, servlets are the dominating components in web applications; is there any
> suggestion to make the call graph of a web app complete?
>
> Thanks,
>
> Zhiyuan
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>



-- 
Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering Group at EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
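As an added example (not code from this thread), here is an entry-point stub that follows Eric's advice: doPost receives real objects instead of null, so the receiver of request.getParameter has an allocation site Spark can see, followed by a small Soot driver that runs Spark from that stub and prints the kind of every edge leaving doPost. It assumes servlet.jar (which provides HttpServletRequestWrapper and HttpServletResponseWrapper), rt.jar and the compiled classes are on the Soot classpath passed as the first command-line argument.

```java
import java.util.Collections;
import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import soot.PackManager;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;
import soot.options.Options;

/** Analysis-only stub (hypothetical class name): gives doPost non-null receivers. */
class TestServletEntry {
    public static void main(String[] args) throws Exception {
        // HttpServletRequestWrapper implements HttpServletRequest, so Spark now has an
        // allocation site for "request" and can resolve request.getParameter(...) against it.
        // The inner null is never dereferenced by the static analysis.
        HttpServletRequest request = new HttpServletRequestWrapper(null);
        HttpServletResponse response = new HttpServletResponseWrapper(null);
        new TestServlet().doPost(request, response);
    }
}

/** Driver: run Spark with TestServletEntry.main as the entry point and list doPost's edges. */
public class CallGraphCheck {
    public static void main(String[] args) {
        Options.v().set_whole_program(true);          // same as -w on the command line
        Options.v().set_app(true);                    // same as -app
        Options.v().setPhaseOption("cg.spark", "on"); // same as -p cg.spark on
        Options.v().set_soot_classpath(args[0]);      // rt.jar;servlet.jar;classes dir

        SootClass entry = Scene.v().loadClassAndSupport("TestServletEntry");
        entry.setApplicationClass();
        Scene.v().loadClassAndSupport("TestServlet").setApplicationClass();
        Scene.v().loadNecessaryClasses();
        Scene.v().setEntryPoints(Collections.singletonList(entry.getMethodByName("main")));
        PackManager.v().runPacks();

        CallGraph cg = Scene.v().getCallGraph();
        SootMethod doPost = Scene.v().getSootClass("TestServlet").getMethodByName("doPost");
        // Edge.kind() distinguishes STATIC, VIRTUAL, INTERFACE, CLINIT, ... edges, which is
        // the check the thread performs by eye on Spark's verbose output.
        for (Iterator<Edge> it = cg.edgesOutOf(doPost); it.hasNext(); ) {
            Edge e = it.next();
            System.out.println(e.kind() + " " + e.tgt());
        }
    }
}
```

The stub is meant to be analysed, not executed: the wrapper constructors reject a null argument at runtime. The getParameter interface edge is the one this stub guarantees; whether conn.createStatement and statement.execute also get interface edges depends on whether Spark reaches an allocation of a Connection and a Statement inside the JDBC code it analyses.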