[Soot-list] Data Flow Analysis Question

Marc-André Laverdière marc-andre.laverdiere-papineau at polymtl.ca
Tue Mar 26 08:41:05 EDT 2013


Hello,

For this type of analysis, I suggest using the Heros IDE solver. Soot has intraprocedural analyses by default.
-- 
Marc-André Laverdière
PhD Candidate - Doctorant
Sent from a mobile device - please excuse the brevity

Henddher Pedroza <hpedro2 at uic.edu> wrote:

>Hello Soot people:
>
>I am trying to understand how to do a taint analysis with Soot 2.5.2. I
>presume I would implement a data flow analysis of some kind. Right?
>
>I went over the examples (http://www.bodden.de/tag/soot-tutorial/) and
>also looked at a few of the existing flow analyses:
>SimpleMethodInfoFlowAnalysis, SynchronizedRegionFinder.
>
>Here is my concern:
>
>Consider I have a class MyClass which uses a library class
>LibraryClass. LibraryClass has methods that take an object reference as
>parameter and as a "side-effect" they may modify the object because
>they invoke methods on the object per se, and these may modify the
>internals of the object. For example:
>
>interface Incrementable {
>  void incr();
>}
>
>class MyClass implements Incrementable {
>  private int counter;
>  public void incr() { counter++; }
>
>  // This is my entry point for Taint analysis
>  public void taintAnalysisEntryPoint() {
>    LibraryClass.doSomething(this);
>    LibraryClass.doSomethingNative(this);
>  }
>}
>
>class LibraryClass {
>  public static void doSomething(Incrementable i) {
>    i.incr();
>    doSomethingNative(i);
>  }
>  // Must be static: it is called from the static method above and from
>  // MyClass without an instance. This also calls i.incr(), but from native code.
>  public static native void doSomethingNative(Incrementable i);
>}
>
>As you can see, MyClass (also an Incrementable) is passed as param to
>LibraryClass.doSomething() which calls 'incr()', which in turn modifies
>the instance of MyClass as a side-effect. The same thing is done in the
>native method LibraryClass.doSomethingNative(). The entry point of the
>taint analysis could be known up front:
>MyClass.taintAnalysisEntryPoint()
>
>Though in this example I am using the concept of Incrementable, that
>might not be the case in practice.
>
>My questions are these:
>1. Should the taint analysis perform the analysis of MyClass AND
>LibraryClass so when the analysis of MyClass.taintAnalysisEntryPoint()
>is done, the taint analysis of LibraryClass.doSomething(Incrementable)
>is known and can be propagated correctly?
>2. What about doing taint analysis of
>LibraryClass.doSomethingNative(Incrementable)? (this one cannot be
>analyzed by Soot since the code is not available, true?).
>
>Any help, suggested reading, and/or examples are welcome.
>
>Thanks in advance.
>
>- Henddher
>
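The two questions above (propagating taint through LibraryClass.doSomething and through the native doSomethingNative) come down to what an intraprocedural Soot analysis can do at a call site. The following is an added example written for this page, not code from the thread or from the Soot project: a ForwardFlowAnalysis in the style of the Soot 2.5 API that tracks the set of may-tainted Locals in one Jimple body and, for callees it cannot look into (native methods, abstract or interface targets, phantom methods, and methods of classes Soot loaded as library classes), assumes the worst: if any argument or the receiver is tainted before the call, every reference-typed argument and the receiver are tainted after it. The class and helper names (ConservativeTaintAnalysis, isOpaque, anyTainted) are illustrative choices, and the driver in main assumes MyClass from the question is on Soot's classpath. Looking inside doSomething instead of summarizing it needs a call graph to resolve i.incr() and an interprocedural solver to carry facts through the callee, which is what the Heros suggestion above provides.

```java
import java.util.Collections;
import java.util.List;

import soot.Body;
import soot.Local;
import soot.RefLikeType;
import soot.Scene;
import soot.SootMethod;
import soot.Unit;
import soot.Value;
import soot.ValueBox;
import soot.jimple.DefinitionStmt;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.scalar.ArraySparseSet;
import soot.toolkits.scalar.FlowSet;
import soot.toolkits.scalar.ForwardFlowAnalysis;

/**
 * Intraprocedural may-taint analysis (illustrative, not part of Soot).
 * Flow fact: the set of Locals that may hold or point to tainted data.
 */
public class ConservativeTaintAnalysis extends ForwardFlowAnalysis<Unit, FlowSet<Local>> {

    private final List<Local> sources;

    public ConservativeTaintAnalysis(Body body, List<Local> sources) {
        super(new ExceptionalUnitGraph(body));
        this.sources = sources;
        doAnalysis(); // the subclass must start the fixpoint iteration itself
    }

    /** No body we can analyze: native, abstract/interface target, phantom, or library class. */
    private static boolean isOpaque(SootMethod callee) {
        return callee.isNative()
            || callee.isAbstract()
            || callee.isPhantom()
            || callee.getDeclaringClass().isLibraryClass();
    }

    /** True if the receiver or any argument of the call is tainted in {@code in}. */
    private static boolean anyTainted(FlowSet<Local> in, InvokeExpr ie) {
        for (Value arg : ie.getArgs()) {
            if (arg instanceof Local && in.contains((Local) arg)) return true;
        }
        if (ie instanceof InstanceInvokeExpr) {
            Value base = ((InstanceInvokeExpr) ie).getBase();
            return base instanceof Local && in.contains((Local) base);
        }
        return false;
    }

    @Override
    protected void flowThrough(FlowSet<Local> in, Unit unit, FlowSet<Local> out) {
        in.copy(out);
        Stmt stmt = (Stmt) unit;

        // 1. Calls. Only the static target is known here. For an opaque callee we
        //    over-approximate its side effects: every reference argument and the
        //    receiver may have been modified through the tainted input.
        if (stmt.containsInvokeExpr()) {
            InvokeExpr ie = stmt.getInvokeExpr();
            if (isOpaque(ie.getMethod()) && anyTainted(in, ie)) {
                for (Value arg : ie.getArgs()) {
                    if (arg instanceof Local && arg.getType() instanceof RefLikeType) out.add((Local) arg);
                }
                if (ie instanceof InstanceInvokeExpr) {
                    Value base = ((InstanceInvokeExpr) ie).getBase();
                    if (base instanceof Local) out.add((Local) base);
                }
            }
        }

        // 2. Definitions x = e: x is tainted iff some Local used by the statement is
        //    tainted; otherwise the definition kills earlier taint on x. A call result
        //    computed from tainted inputs is therefore treated as tainted as well.
        if (stmt instanceof DefinitionStmt) {
            DefinitionStmt def = (DefinitionStmt) stmt;
            Value lhs = def.getLeftOp();
            if (lhs instanceof Local) {
                boolean tainted = false;
                for (ValueBox ub : def.getUseBoxes()) {
                    Value v = ub.getValue();
                    if (v instanceof Local && in.contains((Local) v)) { tainted = true; break; }
                }
                if (tainted) out.add((Local) lhs); else out.remove((Local) lhs);
            }
        }
    }

    @Override protected FlowSet<Local> newInitialFlow() { return new ArraySparseSet<Local>(); }

    @Override protected FlowSet<Local> entryInitialFlow() {
        FlowSet<Local> s = new ArraySparseSet<Local>();
        for (Local l : sources) s.add(l);
        return s;
    }

    @Override protected void merge(FlowSet<Local> in1, FlowSet<Local> in2, FlowSet<Local> out) {
        in1.union(in2, out); // may-analysis: join is set union
    }

    @Override protected void copy(FlowSet<Local> src, FlowSet<Local> dst) { src.copy(dst); }

    /** Driver: taint 'this' in MyClass.taintAnalysisEntryPoint() and print what it reaches. */
    public static void main(String[] args) {
        Scene.v().loadClassAndSupport("MyClass"); // assumes MyClass is on Soot's classpath
        Scene.v().loadNecessaryClasses();
        SootMethod m = Scene.v().getMethod("<MyClass: void taintAnalysisEntryPoint()>");
        Body body = m.retrieveActiveBody();
        ConservativeTaintAnalysis a =
            new ConservativeTaintAnalysis(body, Collections.singletonList(body.getThisLocal()));
        for (Unit u : body.getUnits()) {
            System.out.println(u + "    tainted after: " + a.getFlowAfter(u));
        }
    }
}
```

With LibraryClass loaded as a library class both calls in taintAnalysisEntryPoint are opaque, so the analysis never claims to know what doSomething does; it only reports that the Incrementable passed in may have been modified, which is the sound answer to question 2 and the best a body-less summary can give for question 1. To do better for doSomething, load LibraryClass as an application class, build a call graph so that i.incr() resolves to MyClass.incr(), and move the rule set into an IFDS or IDE problem for Heros.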
