[Soot-list] Clarification on the Behavior of HEROS

Marc-Andre Laverdiere-Papineau marc-andre.laverdiere-papineau at polymtl.ca
Fri Jan 25 07:54:56 EST 2013


Hi Eric,

I have transformed the local info flow example to use fields too, so 
this part is more or less working (minus the deadlock).

I think I have a more twisted example for you.

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

class myServlet extends HttpServlet {
    private String a;

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.getWriter().println(a);    // sink: reads the shared field
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        a = request.getParameter("meh");    // source: taints the shared field
    }
    // ...
}

Assuming that the Heros solver handles the call to doGet first and 
doPost second, what is going to happen? Is the field a going to be 
considered untainted in doGet, then marked as tainted in doPost, and 
then is doGet going to be reprocessed? Because a naive exploration of the 
exploded graph would simply consider a as untainted in doGet.

And no, I can't force the generated entry point to give them a specific 
order to try to relieve the problem - because we can have a more twisted 
mess like this:

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

class myServlet extends HttpServlet {
    private String a;
    private String b;

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.getWriter().println(a);    // sink for a
        b = request.getParameter("meh");    // source for b
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        a = request.getParameter("meh");    // source for a
        response.getWriter().println(b);    // sink for b
    }
    // ...
}

I can think of a few ideas for solving this problem - but I would like 
to know if you've already fixed it ;)



Marc-André Laverdière-Papineau
Doctorant - PhD Candidate

On 13-01-25 03:10 AM, Eric Bodden wrote:
> Hello.
>
>> Is the Heros solver working by defining some constraints and then
>> propagating them, or is it traversing the exploded graph on the fly?
>
> It's doing the latter.
>
>> class Foo{
>>
>> String a = "meh";
>>
>> void setA(String b){
>>     a = new String(b);
>> //new String to avoid a simple case where they're plainly aliased
>> }
>>
>> String getA(){return a;}
>>
>> }
>>
>> If I am to use this as follows:
>>
>> Foo f = new Foo();
>> String t = f.getA(); //gets meh
>> f.setA(taintedString);
>>
>> String s = f.getA(); //gets tainted string
>> sink(s);
>>
>> What happens in this case? Is the taint fact going to go from
>> taintedString to Foo.a to s? If so, would t be considered possibly
>> tainted too (as it dereferences the same field)? Will Heros request a
>> re-analysis of that call after I set the fact in f.setA(taintedString)?
>
> Ah, now I see what you mean. What you are actually asking is whether
> the solver is context sensitive - and yes, it is! Calls like getA are
> going to be re-evaluated anew at every call site. I suggest you read
> the original IFDS paper by Reps, Horwitz and Sagiv...
>
> Having said that, let me make clear that Heros is a *framework* for
> defining data-flow analyses, and that it's generally up to the user to
> decide how precisely fields, etc., will be handled. The example taint
> analysis I included with Heros won't track such fields. So that's
> something you as a user will have to code appropriately in the flow
> functions. We are currently working on a taint analysis that treats
> such issues precisely but are still struggling with finding the right
> performance/precision tradeoff.
>
> Eric
>

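Editor's addition, not part of the thread and not Heros or Soot code: a small Python model of the two servlets discussed above, showing why a single fixed visiting order of doGet and doPost misses a flow through a shared field, and why iterating the shared field facts to a fixpoint reports it. Fields are treated here as flow-insensitive shared facts (the container may call doGet and doPost in any order, any number of times), which is one of the modelling choices Eric's reply leaves to the user's flow functions. The statement encoding, the method names used as keys and the worklist are all constructed for this illustration.

```python
"""Toy model of the field-ordering problem raised in the thread.

Editor-added simulation, not the Heros solver and not Soot. Each servlet is
modelled as two methods made of two kinds of statements:
  ("source", f)  stands for  f = request.getParameter(...)
  ("sink", f)    stands for  response.getWriter().println(f)
Fields are treated as shared, flow-insensitive facts, because the container
may call doGet and doPost in any order and any number of times.
"""
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, str]
Program = Dict[str, List[Stmt]]

# Constructed models of the two servlets from the mail (not real Jimple).
SERVLET_1: Program = {
    "doGet":  [("sink", "a")],
    "doPost": [("source", "a")],
}
SERVLET_2: Program = {
    "doGet":  [("sink", "a"), ("source", "b")],
    "doPost": [("source", "a"), ("sink", "b")],
}


def run_method(stmts: List[Stmt], tainted: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Propagate the tainted-field set through one method body.

    Returns the tainted set after the method and the fields that reached a
    sink while tainted (the leaks the analysis should report)."""
    tainted = set(tainted)
    leaks: Set[str] = set()
    for kind, field in stmts:
        if kind == "source":
            tainted.add(field)
        elif kind == "sink" and field in tainted:
            leaks.add(field)
    return tainted, leaks


def single_pass(program: Program, order: List[str]) -> Set[str]:
    """Naive exploration: visit every method exactly once, in a fixed order.

    This is what a generated entry point main() { doGet(); doPost(); } gives
    when field facts are never fed back into already-visited methods."""
    tainted: Set[str] = set()
    leaks: Set[str] = set()
    for name in order:
        tainted, found = run_method(program[name], tainted)
        leaks |= found
    return leaks


def fixpoint(program: Program) -> Set[str]:
    """Worklist iteration: whenever the set of tainted fields grows, every
    method is re-analysed, until the set stabilises. Terminates because the
    tainted set only grows and is bounded by the number of fields."""
    tainted: Set[str] = set()
    leaks: Set[str] = set()
    worklist = list(program)
    while worklist:
        name = worklist.pop(0)
        new_tainted, found = run_method(program[name], tainted)
        leaks |= found
        if new_tainted != tainted:
            tainted = new_tainted
            worklist.extend([m for m in program if m not in worklist])
    return leaks


if __name__ == "__main__":
    for label, prog in (("servlet 1", SERVLET_1), ("servlet 2", SERVLET_2)):
        print(label, "doGet->doPost:", single_pass(prog, ["doGet", "doPost"]))
        print(label, "doPost->doGet:", single_pass(prog, ["doPost", "doGet"]))
        print(label, "fixpoint:     ", fixpoint(prog))
```

Running it shows that for the first servlet only the doPost-first order or the fixpoint reports the leak of a, and that for the second servlet no single visiting order reports both leaks (doGet first finds only b, doPost first finds only a) while the fixpoint finds a and b. That is the situation described above in which no entry-point order relieves the problem: the field facts have to be iterated, or modelled so that they are visible in every method regardless of visiting order.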

More information about the Soot-list mailing list