[Soot-list] Data Flow Analysis Question

Henddher Pedroza hpedro2 at uic.edu
Mon Mar 25 12:53:52 EDT 2013


Hello Soot people:

I am trying to understand how to do a taint analysis with Soot 2.5.2. I presume I would implement a data flow analysis of some kind. Right?

I went over the examples (http://www.bodden.de/tag/soot-tutorial/) and also looked at a few of the existing flow analyses: SimpleMethodInfoFlowAnalysis, SynchronizedRegionFinder.

Here is my concern:

Consider I have a class MyClass which uses a library class LibraryClass. LibraryClass has methods that take an object reference as parameter and as a "side-effect" they may modify the object because they invoke methods on the object per se, and these may modify the internals of the object. For example:

interface Incrementable {
  void incr();
}

class MyClass implements Incrementable {
  private int counter;
  public void incr() { counter++; }

  // This is my entry point for Taint analysis
  public void taintAnalysisEntryPoint() {
    LibraryClass.doSomething(this);
    LibraryClass.doSomethingNative(this);
  }
}

class LibraryClass {
  public static void doSomething(Incrementable i) {
    i.incr();
    doSomethingNative(i);
  }
  // Declared static so that the unqualified call above and
  // LibraryClass.doSomethingNative(this) in MyClass both compile.
  // This also calls i.incr(), but from native code.
  public static native void doSomethingNative(Incrementable i);
}

As you can see, MyClass (also an Incrementable) is passed as a parameter to LibraryClass.doSomething(), which calls 'incr()', which in turn modifies the instance of MyClass as a side-effect. The same thing is done in the native method LibraryClass.doSomethingNative(). The entry point of the taint analysis could be known up front: MyClass.taintAnalysisEntryPoint()

Though in this example I am using the concept of Incrementable, that might not be the case in practice.

My questions are these:
1. Should the taint analysis perform the analysis of MyClass AND LibraryClass so when the analysis of MyClass.taintAnalysisEntryPoint() is done, the taint analysis of LibraryClass.doSomething(Incrementable) is known and can be propagated correctly?
2. What about doing taint analysis of LibraryClass.doSomethingNative(Incrementable)? (this one cannot be analyzed by Soot since the code is not available, true?).

Any help, suggested reading, and/or examples are welcome.

Thanks in advance.

- Henddher
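The following is an added example, not code from the original post and not part of Soot itself. It sketches the conservative rule that a taint analysis needs for exactly the situation described above: an intraprocedural, flow-sensitive analysis over the locals of one Jimple body, built on Soot's ForwardFlowAnalysis, that treats every call as a black box. If anything tainted flows into a call, every reference-typed argument and the receiver come out tainted, since the callee may have mutated them (the incr()-through-native case), and callees for which Soot has no body (native, phantom, or signature-only library classes) are recorded so the caller can see which calls could not be looked into. Assumptions: the Soot 2.5.x ForwardFlowAnalysis/ExceptionalUnitGraph API, a caller-supplied seed set of tainted locals (for instance the 'this' local of MyClass.taintAnalysisEntryPoint()), and the class and method names, which are made up for this example. Fields are not tracked; the point is the sound baseline, not precision.

```java
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import soot.Body;
import soot.Local;
import soot.RefLikeType;
import soot.SootMethod;
import soot.Unit;
import soot.Value;
import soot.ValueBox;
import soot.jimple.DefinitionStmt;
import soot.jimple.IdentityStmt;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.scalar.ForwardFlowAnalysis;

/**
 * Example (hypothetical class name): intraprocedural taint analysis over the locals
 * of one Jimple body. Every call is a black box: if a tainted value flows into it,
 * every reference-typed argument and the receiver are tainted afterwards, because
 * the callee may have mutated them. Field contents are deliberately not tracked.
 */
public class BlackBoxTaintAnalysis extends ForwardFlowAnalysis<Unit, Set<Local>> {

  // Locals tainted on entry (assumption: supplied by the caller, e.g. body.getThisLocal()).
  private final Set<Local> seeds;
  // Callees Soot had no body for: native, phantom, or loaded as signatures only.
  private final Set<SootMethod> opaqueCallees = new LinkedHashSet<SootMethod>();

  public BlackBoxTaintAnalysis(Body body, Set<Local> seeds) {
    super(new ExceptionalUnitGraph(body));
    this.seeds = seeds;
    doAnalysis();
  }

  /** True when Soot has no Jimple body it could walk into for this callee. */
  static boolean isOpaque(SootMethod m) {
    return m.isNative() || m.isPhantom() || !m.isConcrete() || !m.hasActiveBody();
  }

  public Set<SootMethod> getOpaqueCallees() { return opaqueCallees; }

  @Override
  protected void flowThrough(Set<Local> in, Unit u, Set<Local> out) {
    out.clear();
    out.addAll(in);
    Stmt s = (Stmt) u;

    // Parameter and 'this' bindings: taint exactly the seeded locals.
    if (s instanceof IdentityStmt) {
      Value lhs = ((IdentityStmt) s).getLeftOp();
      if (seeds.contains(lhs)) out.add((Local) lhs); else out.remove(lhs);
      return;
    }

    boolean callTainted = false;
    if (s.containsInvokeExpr()) {
      InvokeExpr ie = s.getInvokeExpr();
      SootMethod callee = ie.getMethod();
      if (isOpaque(callee)) opaqueCallees.add(callee);

      // Everything the callee receives: explicit arguments plus the receiver.
      Set<Value> passed = new HashSet<Value>(ie.getArgs());
      if (ie instanceof InstanceInvokeExpr) passed.add(((InstanceInvokeExpr) ie).getBase());
      for (Value v : passed) if (in.contains(v)) callTainted = true;

      if (callTainted) {
        // Black-box rule: the callee may have mutated every object it received.
        for (Value v : passed) {
          if (v instanceof Local && v.getType() instanceof RefLikeType) out.add((Local) v);
        }
      }
    }

    // Assignments: the target is tainted iff some operand (or the call) is tainted.
    if (s instanceof DefinitionStmt) {
      DefinitionStmt d = (DefinitionStmt) s;
      Value lhs = d.getLeftOp();
      if (!(lhs instanceof Local)) return;   // field and array stores are not tracked
      Value rhs = d.getRightOp();
      boolean rhsTainted = callTainted || in.contains(rhs);
      for (ValueBox vb : rhs.getUseBoxes()) {
        if (in.contains(vb.getValue())) rhsTainted = true;
      }
      if (rhsTainted) out.add((Local) lhs); else out.remove(lhs);
    }
  }

  @Override protected Set<Local> newInitialFlow() { return new HashSet<Local>(); }
  @Override protected Set<Local> entryInitialFlow() { return new HashSet<Local>(); }

  @Override protected void merge(Set<Local> in1, Set<Local> in2, Set<Local> out) {
    out.clear();
    out.addAll(in1);
    out.addAll(in2);   // may-taint: union at join points
  }

  @Override protected void copy(Set<Local> source, Set<Local> dest) {
    dest.clear();
    dest.addAll(source);
  }
}
```

Run it from a BodyTransformer registered on the jtp pack, seed it with the 'this' local of the entry point, and read results with getFlowAfter(unit). The set returned by getOpaqueCallees() is the list of calls (doSomethingNative among them) that no Soot analysis can look inside; those have to stay black boxes or be given hand-written summaries. For callees that do have bodies, such as doSomething, this example still applies the black-box rule; replacing that rule with a per-callee summary computed by first analyzing the callee, or moving to an interprocedural (call-graph based) framework, is what makes the propagation across MyClass and LibraryClass precise.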

