[Soot-list] Data Flow Analysis Question
Henddher Pedroza
hpedro2 at uic.edu
Tue Mar 26 09:59:28 EDT 2013
Thank you Marc-Andre.
I will look into Heros.
So using Soot for inter-procedural analysis is discouraged because it would require a significant amount of work (connecting intra-procedural and inter-procedural)?
I didn't mention this in my previous email but the taint analysis I am trying to pursue involves Android. Would that be an issue with Heros?
Thanks again.
- Henddher
On Mar 26, 2013, at 7:41 AM, Marc-André Laverdière <marc-andre.laverdiere-papineau at polymtl.ca> wrote:
> Hello,
>
> For this type of analysis, I suggest using the Heros IDE solver. Soot has intraprocedural analyses by default.
> --
> Marc-André Laverdière
> PhD Candidate - Doctorant
> Sent from a mobile device - please excuse the brevity
>
> Henddher Pedroza <hpedro2 at uic.edu> wrote:
>
>> Hello Soot people:
>>
>> I am trying to understand how to do a taint analysis with Soot 2.5.2. I
>> presume I would implement a data flow analysis of some kind. Right?
>>
>> I went over the examples (http://www.bodden.de/tag/soot-tutorial/) and
>> also looked at a few of the existing flow analyses:
>> SimpleMethodInfoFlowAnalysis, SynchronizedRegionFinder.
>>
>> Here is my concern:
>>
>> Consider I have a class MyClass which uses a library class
>> LibraryClass. LibraryClass has methods that take an object reference as
>> parameter and as a "side-effect" they may modify the object because
>> they invoke methods on the object per se, and these may modify the
>> internals of the object. For example:
>>
>> interface Incrementable {
>>     void incr();
>> }
>>
>> class MyClass implements Incrementable {
>>     private int counter;
>>     public void incr() { counter++; }
>>
>>     // This is my entry point for Taint analysis
>>     public void taintAnalysisEntryPoint() {
>>         LibraryClass.doSomething(this);
>>         LibraryClass.doSomethingNative(this);
>>     }
>> }
>>
>> class LibraryClass {
>>     public static void doSomething(Incrementable i) {
>>         i.incr();
>>         doSomethingNative(i);
>>     }
>>     // static, because it is called without an instance from both
>>     // taintAnalysisEntryPoint() and doSomething() above.
>>     // This also calls i.incr() but from native code.
>>     public static native void doSomethingNative(Incrementable i);
>> }
>>
>> As you can see, MyClass (also an Incrementable) is passed as a param to
>> LibraryClass.doSomething(), which calls 'incr()', which in turn modifies
>> the instance of MyClass as a side-effect. The same thing is done in the
>> native method LibraryClass.doSomethingNative(). The entry point of the
>> taint analysis could be known up front:
>> MyClass.taintAnalysisEntryPoint()
>>
>> Though in this example I am using the concept of Incrementable, that
>> might not be the case in practice.
>>
>> My questions are these:
>> 1. Should the taint analysis perform the analysis of MyClass AND
>> LibraryClass so when the analysis of MyClass.taintAnalysisEntryPoint()
>> is done, the taint analysis of LibraryClass.doSomething(Incrementable)
>> is known and can be propagated correctly?
>> 2. What about doing taint analysis of
>> LibraryClass.doSomethingNative(Incrementable)? (this one cannot be
>> analyzed by Soot since the code is not available, true?).
>>
>> Any help, suggested reading, and/or examples are welcome.
>>
>> Thanks in advance.
>>
>> - Henddher
>>
>> _______________________________________________
>> Soot-list mailing list
>> Soot-list at sable.mcgill.ca
>> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
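The points raised in this thread (inter-procedural propagation through LibraryClass.doSomething, the side-effect of incr() on the object passed in, and a native method whose body Soot cannot see) are what the flow functions of a Heros IFDS problem have to encode. Below is an added example of such a problem, written for this edit; it is not code from the thread, from Soot or from Heros. It assumes Heros and a Soot build that ships the soot.jimple.toolkits.ide package (newer than the 2.5.2 release mentioned above) on the classpath, that JimpleBasedInterproceduralCFG only reports callees that have a body (the hasActiveBody() check covers the other case), and, as a deliberate simplification, an object-level taint domain: a fact is a whole Jimple Value, so a tainted object stays tainted no matter which field incr() touches. The seed (the receiver of the entry method), the class name ObjectTaintProblem and the helpers reads() and solve() are my choices, not anything the thread or the projects define.

```java
import java.util.*;
import heros.*;
import heros.flowfunc.*;
import soot.*;
import soot.jimple.*;
import soot.jimple.toolkits.ide.*;
import soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG;

/** Object-level IFDS taint problem (added example). A fact is a Jimple Value, normally a Local,
 *  whose whole object is tainted; field-insensitive by assumption, so i.incr() keeps 'i' tainted. */
public class ObjectTaintProblem
        extends DefaultJimpleIFDSTabulationProblem<Value, InterproceduralCFG<Unit, SootMethod>> {
    private final SootMethod entry;

    public ObjectTaintProblem(InterproceduralCFG<Unit, SootMethod> icfg, SootMethod entry) {
        super(icfg); this.entry = entry;
    }
    /** Heros needs a distinguished "zero" fact; a local that occurs in no body will do. */
    @Override public Value createZeroValue() { return Jimple.v().newLocal("<<zero>>", NullType.v()); }

    /** Assumption: the receiver ('this') of the entry method is the taint source. */
    @Override public Map<Unit, Set<Value>> initialSeeds() {
        Body b = entry.retrieveActiveBody();
        Set<Value> seeds = new HashSet<Value>();
        seeds.add(b.getThisLocal());
        return Collections.singletonMap(b.getUnits().getFirst(), seeds);
    }
    /** True if v is source or reads it (r0.f, $i0 + r1, or an invoke's base/arguments). */
    private static boolean reads(Value v, Value source) {
        if (v.equals(source)) return true;
        for (ValueBox ub : v.getUseBoxes()) if (ub.getValue().equals(source)) return true;
        return false;
    }

    @Override protected FlowFunctions<Unit, Value, SootMethod> createFlowFunctionsFactory() {
        return new FlowFunctions<Unit, Value, SootMethod>() {
            /** Intra-procedural step: an assignment copies or kills taint; anything else is identity. */
            public FlowFunction<Value> getNormalFlowFunction(Unit curr, Unit succ) {
                if (!(curr instanceof AssignStmt)) return Identity.v();
                final AssignStmt as = (AssignStmt) curr;
                return new FlowFunction<Value>() { public Set<Value> computeTargets(Value source) {
                    Set<Value> out = new HashSet<Value>();
                    Value lhs = as.getLeftOp();
                    if (!lhs.equals(source)) out.add(source);                          // not overwritten
                    if (reads(as.getRightOp(), source))                                // tainted data copied
                        out.add(lhs instanceof InstanceFieldRef ? ((InstanceFieldRef) lhs).getBase() : lhs);
                    return out;
                } };
            }
            /** Caller -> callee: tainted receiver/arguments become the callee's this/parameter locals. */
            public FlowFunction<Value> getCallFlowFunction(Unit callStmt, SootMethod dest) {
                if (!dest.hasActiveBody()) return KillAll.v();              // native or excluded: no body to enter
                final InvokeExpr ie = ((Stmt) callStmt).getInvokeExpr();
                final Body callee = dest.getActiveBody();
                return new FlowFunction<Value>() { public Set<Value> computeTargets(Value source) {
                    Set<Value> out = new HashSet<Value>();
                    if (source == zeroValue()) out.add(source);                         // zero always enters
                    if (ie instanceof InstanceInvokeExpr && ((InstanceInvokeExpr) ie).getBase().equals(source))
                        out.add(callee.getThisLocal());
                    for (int i = 0; i < ie.getArgCount(); i++)
                        if (ie.getArg(i).equals(source)) out.add(callee.getParameterLocal(i));
                    return out;
                } };
            }
            /** Callee -> caller: the return value, plus side effects on the receiver and reference arguments. */
            public FlowFunction<Value> getReturnFlowFunction(final Unit callSite, final SootMethod callee,
                                                             final Unit exitStmt, Unit retSite) {
                final InvokeExpr ie = ((Stmt) callSite).getInvokeExpr();
                final Body b = callee.getActiveBody();
                return new FlowFunction<Value>() { public Set<Value> computeTargets(Value source) {
                    Set<Value> out = new HashSet<Value>();
                    if (!callee.isStatic() && source.equals(b.getThisLocal()))
                        out.add(((InstanceInvokeExpr) ie).getBase());                   // i.incr() mutated i
                    for (int i = 0; i < ie.getArgCount(); i++)
                        if (source.equals(b.getParameterLocal(i)) && ie.getArg(i).getType() instanceof RefLikeType)
                            out.add(ie.getArg(i));                                       // mutated argument object
                    if (exitStmt instanceof ReturnStmt && callSite instanceof AssignStmt
                            && ((ReturnStmt) exitStmt).getOp().equals(source))
                        out.add(((AssignStmt) callSite).getLeftOp());
                    return out;
                } };
            }
            /** Across the call: keep unrelated facts; if no callee has a body, over-approximate (question 2). */
            public FlowFunction<Value> getCallToReturnFlowFunction(final Unit callSite, Unit retSite) {
                final Stmt s = (Stmt) callSite;
                final InvokeExpr ie = s.getInvokeExpr();
                final boolean analysable = !interproceduralCFG().getCalleesOfCallAt(callSite).isEmpty();
                return new FlowFunction<Value>() { public Set<Value> computeTargets(Value source) {
                    Set<Value> out = new HashSet<Value>();
                    Value lhs = s instanceof AssignStmt ? ((AssignStmt) s).getLeftOp() : null;
                    if (!source.equals(lhs)) out.add(source);                           // return flow re-creates lhs
                    if (!analysable && reads(ie, source)) {                             // e.g. native doSomethingNative(i)
                        if (ie instanceof InstanceInvokeExpr) out.add(((InstanceInvokeExpr) ie).getBase());
                        for (Value a : ie.getArgs()) if (a.getType() instanceof RefLikeType) out.add(a);
                        if (lhs != null) out.add(lhs);                                   // assume it taints all it touches
                    }
                    return out;
                } };
            }
        };
    }
    /** Solve for one entry method; call this from a whole-program (wjtp) SceneTransformer, i.e. once the
     *  call graph exists. Afterwards solver.ifdsResultsAt(u) lists the values tainted just before unit u. */
    public static JimpleIFDSSolver<Value, InterproceduralCFG<Unit, SootMethod>> solve(SootMethod entry) {
        JimpleIFDSSolver<Value, InterproceduralCFG<Unit, SootMethod>> solver =
                new JimpleIFDSSolver<Value, InterproceduralCFG<Unit, SootMethod>>(
                        new ObjectTaintProblem(new JimpleBasedInterproceduralCFG(), entry));
        solver.solve();
        return solver;
    }
}
```

Run it with Options.v().set_whole_program(true) and a Transform registered in the wjtp pack, so that the call graph the ICFG relies on has been built. On the example above, the tainted 'this' of taintAnalysisEntryPoint() enters doSomething() through the call flow, comes back through the return flow because incr() is an instance call on the parameter, and survives the native doSomethingNative() call only because the call-to-return function over-approximates when the ICFG reports no callee with a body; without that branch the native call would silently drop the fact. For Android, where there is no main() to seed the call graph, the entry points have to be set explicitly (Scene.v().setEntryPoints(...)) before the cg pack runs, otherwise the ICFG has no edges to follow.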