[Soot-list] Help with NPE PointsToAnalysis.reachingObjects(Context, Local) using Heros/Spark+Geom

Bodden, Eric eric.bodden at sit.fraunhofer.de
Tue May 21 13:32:08 EDT 2013


Hi Henddher.

> Thank you very much Xiao, 
> 
> I am working on a static taint-analysis using Heros, and I need to record taint information for fields when they are assigned a tainted value.

You should look at the taint analysis we have just published, maybe this answers some of your questions…

http://sseblog.ec-spride.de/android/flowdroid/

> Consider this case:
> 
>       doSomething() { ...
>           $r2 = virtualinvoke r0.<MyClass: java.lang.String doSomethingElse()>();
>           r0.<MyClass: java.lang.String dummy> = $r2;
> 
> In my analysis, I record $r2 as being tainted because doSomethingElse() always returns tainted values. Once the scope of the current method doSomething() ends, I lose the tainted attribute of $r2 since the local is out of scope. Thus, I need to preserve the tainted attribute when $r2 gets assigned to r0.dummy, i.e. taint r0.dummy. I could record that r0.dummy is tainted assuming that r0 has only 1 instance, but that might not be the case each time. Thus, if I understand correctly, to augment the precision of the solution, I would need to have field and object "sensitivity" on top of the flow and context sensitivity already present in IFDS.
> 
> Eric, what would you suggest?

In the analysis mentioned above, we used a special on-demand backwards analysis inspired by the work on Andromeda by Omer Tripp and colleagues. Details are in the paper; please let me know if the description there is unclear.

In general this is not a simple problem to solve. As an alternative to our approach one could also use a single global object graph which, as you propose, would taint r0.dummy, but this would lose object sensitivity for r0, which can lead to imprecision. The on-demand analysis we apply runs within the IFDS solver, making it object- and context-sensitive. It's quite expensive, but since we apply it only to a few variables it does pay off in practice. Having said that, I think there is still more research to be done in this area, and we are also currently thinking about how our analysis could still be improved further in this respect. Suggestions from the community would be highly welcome.

Cheers,
Eric
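As an added illustration of the three strategies discussed in this thread (it is not code from the thread, from Heros or from FlowDroid), the following Python model runs a single IFDS-style normal flow function over a toy IR mirroring the Jimple statements quoted above. The IR classes (Local, FieldRef, Call, Const, Assign), the mode names "locals_only", "field_global" and "access_path", and the treatment of the source call as an intraprocedural normal flow (a real IFDS problem would route it through call/return flow functions) are assumptions made for the example. The constructed program stores the tainted $r2 into r0.dummy, lets $r2 die, and then reads the field back through r0, through an untainted second instance r1, and through an alias r6 that was taken before the store.

```python
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Local:
    name: str


@dataclass(frozen=True)
class FieldRef:          # models r0.<MyClass: java.lang.String dummy>
    base: Local
    field: str


@dataclass(frozen=True)
class Call:              # models virtualinvoke base.method(); source=True: result is always tainted
    base: Local
    method: str
    source: bool = False


@dataclass(frozen=True)
class Const:             # an untainted constant such as null or "clean"
    value: object


@dataclass(frozen=True)
class Assign:
    lhs: Union[Local, FieldRef]
    rhs: Union[Local, FieldRef, Call, Const]


# A fact is an access path: (Local, field, field, ...); a bare tainted local is (Local,).
# In mode "field_global" a field store yields the base-insensitive fact ("*", field),
# i.e. the "single global object graph" alternative: every instance's field is tainted.
MODES = ("locals_only", "field_global", "access_path")


def normal_flow(stmt: Assign, facts: frozenset, mode: str) -> frozenset:
    """One normal flow function (kill/gen) applied to the whole fact set."""
    assert mode in MODES
    lhs, rhs = stmt.lhs, stmt.rhs
    # Kill: a local that is assigned is overwritten, so every fact rooted at it dies.
    out = {ap for ap in facts if not (isinstance(lhs, Local) and ap[0] == lhs)}
    # Gen: collect the tainted suffixes that the right-hand side reads.
    suffixes = set()
    if isinstance(rhs, Call) and rhs.source:
        suffixes.add(())                                   # the returned value itself
    elif isinstance(rhs, Local):
        suffixes.update(ap[1:] for ap in facts if ap[0] == rhs)
    elif isinstance(rhs, FieldRef):
        if mode == "field_global":
            suffixes.update(() for ap in facts if ap == ("*", rhs.field))
        else:
            suffixes.update(ap[2:] for ap in facts if ap[:2] == (rhs.base, rhs.field))
    for suffix in suffixes:
        if isinstance(lhs, Local):
            out.add((lhs,) + suffix)
        elif mode == "field_global":
            out.add(("*", lhs.field))
        elif mode == "access_path":
            out.add((lhs.base, lhs.field) + suffix)
        # mode "locals_only": the store to a field drops the taint; this is the loss
        # described in the thread once $r2 goes out of scope.
    return frozenset(out)


def run(stmts, mode: str) -> frozenset:
    facts = frozenset()
    for s in stmts:
        facts = normal_flow(s, facts, mode)
    return facts


# Constructed program (assumption, modelled on the quoted Jimple).
r0, r1, r6 = Local("r0"), Local("r1"), Local("r6")
t2, t3, t4, t7 = Local("$r2"), Local("$r3"), Local("$r4"), Local("$r7")
DUMMY = "dummy"
PROGRAM = [
    Assign(r6, r0),                                        # r6 aliases r0 before the store
    Assign(t2, Call(r0, "doSomethingElse", source=True)),  # $r2 = virtualinvoke r0.doSomethingElse()
    Assign(FieldRef(r0, DUMMY), t2),                       # r0.dummy = $r2
    Assign(FieldRef(r1, DUMMY), Const("clean")),           # a second instance that is never tainted
    Assign(t2, Const(None)),                               # $r2 goes out of scope
    Assign(t3, FieldRef(r0, DUMMY)),                       # $r3 = r0.dummy   (really tainted)
    Assign(t4, FieldRef(r1, DUMMY)),                       # $r4 = r1.dummy   (really clean)
    Assign(t7, FieldRef(r6, DUMMY)),                       # $r7 = r6.dummy   (tainted via the alias)
]


def tainted_locals(mode: str) -> set:
    """Names of the bare locals reported tainted at the end of PROGRAM under the given mode."""
    return {ap[0].name for ap in run(PROGRAM, mode) if isinstance(ap[0], Local) and len(ap) == 1}


if __name__ == "__main__":
    for m in MODES:
        print(m, sorted(tainted_locals(m)))
```

Tracking locals only loses the taint entirely once $r2 dies. The global field fact taints $r3 and $r7 but also $r4 on the untouched instance r1, which is the object-insensitivity Eric warns about. Access paths keep r1 clean, but they miss $r7 because the alias r6 was created before the store; a forward-only flow function can only propagate (r0, dummy) to aliases created afterwards, and it is precisely this pre-existing-alias case that the on-demand backward analysis in FlowDroid is there to resolve.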

