[Soot-list] How to track a String variable backward in Jimple?

Steven Arzt Steven.Arzt at cased.de
Mon Apr 21 07:10:15 EDT 2014


Hi Steven,

Soot is not based on a String analyzer, and there are no special semantics for Strings in Jimple either, since such constructs do not exist in Java or Dalvik bytecode. String operations are just normal calls to library methods that operate on regular objects. For static analysis, this, however, makes it harder to figure out the concrete values String variables can have at runtime (which may be ambiguous when conditionals are present). There are some purely static approaches like the one Dacong has mentioned, but they all have their limitations, and most of them are not very fast either. In the end, it depends on what you need: if you only want to analyze simple examples, you might be able to create something on top of IFDS/IDE that performs backward tracking on String variables and manually models the effect of String/StringBuilder/StringBuffer/etc. methods. If you are dealing with highly obfuscated malware applications, that won't lead you very far, though.

We are working on something cool for String analysis in our group at the moment btw., but it's still work in progress.

Best regards,
  Steven

-----Original Message-----
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Steven Lee
Sent: Monday, 21 April 2014 09:16
To: 'Dacong Yan'
Cc: soot-list at sable.mcgill.ca
Subject: Re: [Soot-list] How to track a String variable backward in Jimple?

Is Soot based on the Java String Analyzer you mentioned? I do want to do something on top of RD Analysis, but as long as I still track on the wrong line, I can't locate those calls precisely; that is what I'm worried about now.

Thanks anyway,
Steven

-----Original Message-----
From: Dacong Yan [mailto:tonywinslow1986 at gmail.com]
Sent: Monday, April 21, 2014 12:09
To: Steven Lee
Cc: Soot list
Subject: Re: [Soot-list] How to track a String variable backward in Jimple?

Hi Steven Lee,

For a complete, full-blown solution, you may want to look at the Java String Analyzer <http://www.brics.dk/JSA/>. If you need an easy hack to track a few simple cases, you can, on top of the Reaching-Definition Analysis, record calls like StringBuilder.append(), StringBuffer.append(), etc., and see if you can figure out what the result strings should be.

Thanks,
Tony

On Sun, Apr 20, 2014 at 10:01 PM, Steven Lee <Elderry at outlook.com> wrote:
> Hello everyone,
>
> I’m trying to estimate a variable’s value in Java, here are my Java
> code and corresponding Jimple code:
>
> Java:
>
>     public static void main(String[] args) {
>         String x, y;
>         x = "hello, ";
>         y = x + "world";
>         x = y;
>     }
>
> Jimple:
>
> 01> public static void main(java.lang.String[]){
> 02>     java.lang.String[] args;
> 03>     java.lang.String x, y, $r1;
> 04>     java.lang.StringBuilder $r0;
> 05>     args := @parameter0: java.lang.String[];
> 06>     x = "hello, ";
> 07>     $r0 = new java.lang.StringBuilder;
> 08>     $r1 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>(x);
> 09>     specialinvoke $r0.<java.lang.StringBuilder: void <init>(java.lang.String)>($r1);
> 10>     $r0 = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("world");
> 11>     y = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.String toString()>();
> 12>     x = y;
> 13>     return;
> 14> }
>
> I want to use static analysis to find the value of variable “y” at
> line 12, so I used SimpleLocalDefs.getDefsOfAt() to find where “y” was
> assigned. That led me to line 11, where I found that I need to know the
> value of $r0. The same way I arrived at line 10; however, this time when
> I called SimpleLocalDefs.getDefsOfAt(), it returned line 07, where $r0
> was initialized, instead of line 09, which I thought was the nearest
> place where $r0 was defined or changed.
>
> I know this is because of Reaching-Definition Analysis’s scheme. Then
> what can I do to continue my work? I’m considering re-implementing my
> own Reaching-Definition Analysis according to my needs; is that an
> acceptable approach? And I want to know more about Jimple’s String
> manipulation but failed to find any complete and systematic documents;
> do they exist?
>
> Thanks in advance.
>
> Steven Lee
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>



--
Dacong (Tony) Yan
Ph.D. Student
Computer Science and Engineering
The Ohio State University, Columbus
http://www.cse.ohio-state.edu/~yan
_______________________________________________
Soot-list mailing list
Soot-list at CS.McGill.CA
https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
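A small added example (not code from this thread or from Soot) of the backward walk Tony and Steven Arzt describe, run over the Jimple listing quoted in the original post: it treats an invoke whose receiver is the tracked local ($r0.<init>, $r0.append) as a definition point, which is exactly what SimpleLocalDefs.getDefsOfAt() does not do, and it models only the String/StringBuilder methods that occur in that listing. It works on the Jimple text embedded below rather than on Soot Unit objects; JIMPLE, value_at and eval_operand are names chosen here.

```python
import re

# Jimple lines 06..12 of the listing quoted in the original post, embedded here as
# constructed input (keyed by the listing's line numbers; declarations are omitted).
JIMPLE = {
    6: 'x = "hello, ";',
    7: '$r0 = new java.lang.StringBuilder;',
    8: '$r1 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>(x);',
    9: 'specialinvoke $r0.<java.lang.StringBuilder: void <init>(java.lang.String)>($r1);',
    10: '$r0 = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("world");',
    11: 'y = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.String toString()>();',
    12: 'x = y;',
}

ASSIGN_CONST = re.compile(r'^([\w$]+) = "(.*)";$')
ASSIGN_COPY = re.compile(r'^([\w$]+) = ([\w$]+);$')
# groups: lhs (optional), receiver (absent for staticinvoke), method name, argument text
INVOKE = re.compile(r'^(?:([\w$]+) = )?(?:static|special|virtual|interface)invoke '
                    r'(?:([\w$]+)\.)?<[\w.$]+: \S+ (<?\w+>?)\([^)]*\)>\((.*)\);$')


def eval_operand(op, line):
    """A Jimple operand is a string constant ("...") or a local resolved backward."""
    return op[1:-1] if op.startswith('"') else value_at(op, line)


def value_at(local, line):
    """String value of `local` just before 1-based Jimple line `line`. Unlike a
    reaching-definitions query, an invoke whose receiver is `local` also ends the
    walk, so the builder's <init>/append at lines 09/10 are seen, not the `new` at 07."""
    for i in range(line - 1, 0, -1):
        stmt = JIMPLE.get(i, '')
        if stmt.startswith(local + ' = new '):
            return ''                      # fresh StringBuilder, nothing appended yet
        m = ASSIGN_CONST.match(stmt)
        if m and m.group(1) == local:
            return m.group(2)
        m = ASSIGN_COPY.match(stmt)
        if m and m.group(1) == local:
            return value_at(m.group(2), i)
        m = INVOKE.match(stmt)
        if m and local in (m.group(1), m.group(2)):
            _lhs, base, method, arg = m.groups()
            if method in ('<init>', 'valueOf'):   # StringBuilder(String), String.valueOf(x)
                return eval_operand(arg, i) if arg else ''
            if method == 'append':
                return value_at(base, i) + eval_operand(arg, i)
            if method == 'toString':
                return value_at(base, i)
            raise ValueError(f'unmodelled call {method} at line {i:02d}')
    raise ValueError(f'no definition of {local} before line {line:02d}')
```

Asking for $r0 just before line 10 returns "hello, " (the walk stops at the <init> on line 09), and asking for y before line 12 returns "hello, world".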
