[Soot-list] Data Flow Analysis Question

Henddher Pedroza hpedro2 at uic.edu
Tue Mar 26 09:59:28 EDT 2013


Thank you Marc-Andre.

I will look into Heros.

So using Soot for inter-procedural analysis is discouraged because it would require a significant amount of work (connecting intra-procedural and inter-procedural)?

I didn't mention this in my previous email but the taint analysis I am trying to pursue involves Android. Would that be an issue with Heros?

Thanks again.

- Henddher

On Mar 26, 2013, at 7:41 AM, Marc-André Laverdière <marc-andre.laverdiere-papineau at polymtl.ca> wrote:

> Hello,
> 
> For this type of analysis, I suggest using the Heros IDE solver. Soot has intraprocedural analyses by default.
> -- 
> Marc-André Laverdière
> PhD Candidate - Doctorant
> Sent from a mobile device - please excuse the brevity
> 
> Henddher Pedroza <hpedro2 at uic.edu> wrote:
> 
>> Hello Soot people:
>> 
>> I am trying to understand how to do a taint analysis with Soot 2.5.2. I
>> presume I would implement a data flow analysis of some kind. Right?
>> 
>> I went over the examples (http://www.bodden.de/tag/soot-tutorial/) and
>> also looked at a few of the existing flow analyses:
>> SimpleMethodInfoFlowAnalysis, SynchronizedRegionFinder.
>> 
>> Here is my concern:
>> 
>> Consider I have a class MyClass which uses a library class
>> LibraryClass. LibraryClass has methods that take an object reference as
>> parameter and as a "side-effect" they may modify the object because
>> they invoke methods on the object per se, and these may modify the
>> internals of the object. For example:
>> 
>> interface Incrementable {
>>   void incr();
>> }
>> 
>> class MyClass implements Incrementable {
>>   private int counter;
>>   public void incr() { counter++; }
>> 
>>   // This is my entry point for Taint analysis
>>   public void taintAnalysisEntryPoint() {
>>     LibraryClass.doSomething(this);
>>     LibraryClass.doSomethingNative(this);
>>   }
>> }
>> 
>> class LibraryClass {
>>   public static void doSomething(Incrementable i) {
>>     i.incr();                // modifies the caller's object as a side-effect
>>     doSomethingNative(i);
>>   }
>>   // static, so the unqualified call above and LibraryClass.doSomethingNative(this) compile.
>>   // This also calls i.incr(), but from native code.
>>   public static native void doSomethingNative(Incrementable i);
>> }
>> 
>> As you can see, MyClass (also an Incrementable) is passed as param to
>> LibraryClass.doSomething() which calls 'incr()', which in turn modifies
>> the instance of MyClass as side-effect. Same thing is done in the
>> native method LibraryClass.doSomethingNative(). The entry point of the
>> taint analysis could be known up front:
>> MyClass.taintAnalysisEntryPoint()
>> 
>> Though in this example I am using the concept of Incrementable, that
>> might not be the case in practice.
>> 
>> My questions are these:
>> 1. Should the taint analysis perform the analysis of MyClass AND
>> LibraryClass so when the analysis of MyClass.taintAnalysisEntryPoint()
>> is done, the taint analysis of LibraryClass.doSomething(Incrementable)
>> is known and can be propagated correctly?
>> 2. What about doing taint analysis of
>> LibraryClass.doSomethingNative(Incrementable)? (this one cannot be
>> analyzed by Soot since the code is not available, true?).
>> 
>> Any help, suggested reading, and/or examples are welcome.
>> 
>> Thanks in advance.
>> 
>> - Henddher
>> 
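As an added illustration (not code from this thread, nor from Soot or Heros) of the conservative treatment the second question asks about: an intraprocedural Soot ForwardFlowAnalysis that marks any local handed to a native or non-application callee as tainted, because that callee may modify it as a side-effect, exactly as LibraryClass.doSomethingNative(this) does above. It assumes the Soot 2.5.x ForwardFlowAnalysis/FlowSet API and a hypothetical isOpaque policy; propagation across method bodies that Soot can see is what the Heros IDE/IFDS solver adds and is not attempted here.

```java
import soot.Local;
import soot.Unit;
import soot.Value;
import soot.ValueBox;
import soot.jimple.AssignStmt;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;
import soot.toolkits.graph.UnitGraph;
import soot.toolkits.scalar.ArraySparseSet;
import soot.toolkits.scalar.FlowSet;
import soot.toolkits.scalar.ForwardFlowAnalysis;

/** Intraprocedural taint tracking over Jimple locals (added example, not Soot's own code).
 *  A local becomes tainted when assigned from a tainted local, or when passed as receiver
 *  or argument to an "opaque" callee whose body the analysis will never see. */
public class ConservativeTaintAnalysis extends ForwardFlowAnalysis<Unit, FlowSet<Local>> {
    public ConservativeTaintAnalysis(UnitGraph g) { super(g); doAnalysis(); }

    /** Hypothetical policy (an assumption of this example): native bodies are invisible to
     *  Soot, and library jars are normally loaded as non-application classes. */
    private static boolean isOpaque(InvokeExpr ie) {
        return ie.getMethod().isNative()
            || !ie.getMethod().getDeclaringClass().isApplicationClass();
    }

    @Override protected void flowThrough(FlowSet<Local> in, Unit u, FlowSet<Local> out) {
        in.copy(out);
        Stmt s = (Stmt) u;
        if (s.containsInvokeExpr() && isOpaque(s.getInvokeExpr())) {
            InvokeExpr ie = s.getInvokeExpr();  // e.g. LibraryClass.doSomethingNative(this)
            if (ie instanceof InstanceInvokeExpr) {
                Value base = ((InstanceInvokeExpr) ie).getBase();
                if (base instanceof Local) out.add((Local) base);   // receiver may be mutated
            }
            for (Value arg : ie.getArgs()) if (arg instanceof Local) out.add((Local) arg);
        }
        if (s instanceof AssignStmt && ((AssignStmt) s).getLeftOp() instanceof Local) {
            Local lhs = (Local) ((AssignStmt) s).getLeftOp();
            boolean tainted = false;  // strong update: lhs is wholly redefined here
            for (ValueBox vb : s.getUseBoxes())
                if (vb.getValue() instanceof Local && out.contains((Local) vb.getValue())) tainted = true;
            if (tainted) out.add(lhs); else out.remove(lhs);
        }
    }

    @Override protected FlowSet<Local> newInitialFlow() { return new ArraySparseSet<Local>(); }
    @Override protected FlowSet<Local> entryInitialFlow() { return new ArraySparseSet<Local>(); }
    @Override protected void merge(FlowSet<Local> a, FlowSet<Local> b, FlowSet<Local> out) { a.union(b, out); }
    @Override protected void copy(FlowSet<Local> src, FlowSet<Local> dst) { src.copy(dst); }
}
```

Run it on a retrieved method body with `new ConservativeTaintAnalysis(new ExceptionalUnitGraph(body))` and inspect `getFlowAfter(unit)`; for taintAnalysisEntryPoint() the `this` local is tainted after the first library call whenever LibraryClass is not an application class.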