[Soot-list] Can FlowDroid recognize source and sink in a worker thread?

Steven Arzt Steven.Arzt at cased.de
Tue Aug 26 03:15:04 EDT 2014


Hi Jin,

 

The analysis of which callback belongs to which component is a conservative over-approximation: We will never miss an association, but we might have some spurious ones. The latter can especially happen when code registering callbacks is shared between multiple components. Ideas to make this more precise are always welcome.

 

Where is the user-defined callback registered? If I understand you correctly, FlowDroid misses a callback. To look into this issue, I need the place in the code where the registration happens plus the information on how this is reached (e.g. MyActivity.onStart() calls foo() which registers the callback using the given code).

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Jin Li
Sent: Tuesday, 26 August 2014 03:45
To: Stefan Gommer; soot-list at CS.McGill.CA
Subject: Re: [Soot-list] Can FlowDroid recognize source and sink in a worker thread?

 

Hi Stefan & All,

Thanks for your reply.

After reading your email, I checked the dummyMainMethod. I found some points that I can't understand.

1. In the FlowDroid paper, it says FlowDroid would associate components (activities, services, etc.) with the callbacks they register.

    However, in my example, I found callbacks of a service appearing between the onResume() and onPause events of an activity.

2. It seemed that the user-defined callback wasn't recognized. But I think it should have runtime type information of the user-defined class.

Can you give me some explanations?

 

dummyMainMethod code snippets:

public static void dummyMainMethod()
    {
        int $i0, $i1;
        org.traccar.client.TraccarActivity $r0;
        android.os.Bundle $r1, $r6, $r13, $r15, $r23, $r34;
        org.traccar.client.PositionProvider $r2, $r3, $r7, $r19, $r20, $r24, $r30, $r31, $r35;
        org.traccar.client.PositionProvider$1 $r4, $r21, $r32;
        org.traccar.client.PositionProvider$InternalLocationListener $r5, $r22, $r33;
        org.traccar.client.PositionProvider$2 $r8, $r25, $r36;
        org.traccar.client.TraccarService $r9, $r16;
        org.traccar.client.TraccarService$2 $r10, $r26, $r37;
        boolean $z0, $z1, $z2, $z3;
        org.traccar.client.TraccarActivity$1 $r11, $r27, $r38;
        org.traccar.client.AboutActivity $r12;
        org.traccar.client.StatusActivity $r14;
        android.content.Intent $r17, $r18, $r28, $r40;
        android.os.IBinder $r29;
        org.traccar.client.AutostartReceiver $r39;

        $i0 = 0;

     label01:
        if $i0 == 0 goto label04;

        $r0 = new org.traccar.client.TraccarActivity;
        specialinvoke $r0.<org.traccar.client.TraccarActivity: void <init>()>();
        if $i0 == 1 goto label04;

        $r1 = new android.os.Bundle;
        specialinvoke $r1.<android.os.Bundle: void <init>()>();
        virtualinvoke $r0.<org.traccar.client.TraccarActivity: void onCreate(android.os.Bundle)>($r1);
        $r1 = null;

     label02:
        virtualinvoke $r0.<org.traccar.client.TraccarActivity: void onResume()>();

     label03:
        $r2 = new org.traccar.client.PositionProvider;
        specialinvoke $r2.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r0, "", 0L, null);
        $r3 = null;
        $r4 = new org.traccar.client.PositionProvider$1;
        specialinvoke $r4.<org.traccar.client.PositionProvider$1: void <init>(org.traccar.client.PositionProvider)>($r3);
        $r5 = new org.traccar.client.PositionProvider$InternalLocationListener;
        specialinvoke $r5.<org.traccar.client.PositionProvider$InternalLocationListener: void <init>(org.traccar.client.PositionProvider,org.traccar.client.PositionProvider$1)>($r2, $r4);
        $r6 = new android.os.Bundle;
        specialinvoke $r6.<android.os.Bundle: void <init>()>();
        virtualinvoke $r5.<org.traccar.client.PositionProvider$InternalLocationListener: void onStatusChanged(java.lang.String,int,android.os.Bundle)>("", 0, $r6);
        $r6 = null;
        $r7 = new org.traccar.client.PositionProvider;
        specialinvoke $r7.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r0, "", 0L, null);
        $r8 = new org.traccar.client.PositionProvider$2;
        specialinvoke $r8.<org.traccar.client.PositionProvider$2: void <init>(org.traccar.client.PositionProvider)>($r7);
        virtualinvoke $r8.<org.traccar.client.PositionProvider$2: void onGpsStatusChanged(int)>(0);
        $r9 = new org.traccar.client.TraccarService;
        specialinvoke $r9.<org.traccar.client.TraccarService: void <init>()>();
        $r10 = new org.traccar.client.TraccarService$2;
        specialinvoke $r10.<org.traccar.client.TraccarService$2: void <init>(org.traccar.client.TraccarService)>($r9);
        virtualinvoke $r10.<org.traccar.client.TraccarService$2: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        $z0 = virtualinvoke $r0.<org.traccar.client.TraccarActivity: boolean onCreateOptionsMenu(android.view.Menu)>(null);
        $z1 = virtualinvoke $r0.<org.traccar.client.TraccarActivity: boolean onOptionsItemSelected(android.view.MenuItem)>(null);
        $r11 = new org.traccar.client.TraccarActivity$1;
        specialinvoke $r11.<org.traccar.client.TraccarActivity$1: void <init>(org.traccar.client.TraccarActivity)>($r0);
        virtualinvoke $r11.<org.traccar.client.TraccarActivity$1: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        if $i0 == 8 goto label03;

        if $i0 == 9 goto label03;

        virtualinvoke $r0.<org.traccar.client.TraccarActivity: void onPause()>();
        if $i0 == 10 goto label02;

        if $i0 == 11 goto label04;

        if $i0 == 12 goto label02;

     label04:
        if $i0 == 14 goto label06;

        $r12 = new org.traccar.client.AboutActivity;
        specialinvoke $r12.<org.traccar.client.AboutActivity: void <init>()>();
        if $i0 == 15 goto label06;

        $r13 = new android.os.Bundle;
        specialinvoke $r13.<android.os.Bundle: void <init>()>();
        virtualinvoke $r12.<org.traccar.client.AboutActivity: void onCreate(android.os.Bundle)>($r13);
        $r13 = null;

     label05:
        if $i0 == 18 goto label06;

        if $i0 == 19 goto label05;

     label06:
        if $i0 == 21 goto label09;

        $r14 = new org.traccar.client.StatusActivity;
        specialinvoke $r14.<org.traccar.client.StatusActivity: void <init>()>();
        if $i0 == 22 goto label09;

        $r15 = new android.os.Bundle;
        specialinvoke $r15.<android.os.Bundle: void <init>()>();
        virtualinvoke $r14.<org.traccar.client.StatusActivity: void onCreate(android.os.Bundle)>($r15);
        $r15 = null;

     label07:
        staticinvoke <org.traccar.client.StatusActivity: void <clinit>()>();
        $z2 = virtualinvoke $r14.<org.traccar.client.StatusActivity: boolean onOptionsItemSelected(android.view.MenuItem)>(null);
        $z3 = virtualinvoke $r14.<org.traccar.client.StatusActivity: boolean onCreateOptionsMenu(android.view.Menu)>(null);
        if $i0 == 26 goto label07;

        if $i0 == 27 goto label07;

        if $i0 == 28 goto label07;

        if $i0 == 29 goto label08;

        if $i0 == 30 goto label07;

     label08:
        virtualinvoke $r14.<org.traccar.client.StatusActivity: void onDestroy()>();

     label09:
        if $i0 == 32 goto label13;

        $r16 = new org.traccar.client.TraccarService;
        specialinvoke $r16.<org.traccar.client.TraccarService: void <init>()>();
        virtualinvoke $r16.<org.traccar.client.TraccarService: void onCreate()>();
        $r17 = new android.content.Intent;
        specialinvoke $r17.<android.content.Intent: void <init>()>();
        virtualinvoke $r16.<org.traccar.client.TraccarService: void onStart(android.content.Intent,int)>($r17, 0);
        $r17 = null;
        $r18 = new android.content.Intent;
        specialinvoke $r18.<android.content.Intent: void <init>()>();
        $i1 = virtualinvoke $r16.<org.traccar.client.TraccarService: int onStartCommand(android.content.Intent,int,int)>($r18, 0, 0);
        $r18 = null;

     label10:
        $r19 = new org.traccar.client.PositionProvider;
        specialinvoke $r19.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r16, "", 0L, null);
        $r20 = null;
        $r21 = new org.traccar.client.PositionProvider$1;
        specialinvoke $r21.<org.traccar.client.PositionProvider$1: void <init>(org.traccar.client.PositionProvider)>($r20);
        $r22 = new org.traccar.client.PositionProvider$InternalLocationListener;
        specialinvoke $r22.<org.traccar.client.PositionProvider$InternalLocationListener: void <init>(org.traccar.client.PositionProvider,org.traccar.client.PositionProvider$1)>($r19, $r21);
        $r23 = new android.os.Bundle;
        specialinvoke $r23.<android.os.Bundle: void <init>()>();
        virtualinvoke $r22.<org.traccar.client.PositionProvider$InternalLocationListener: void onStatusChanged(java.lang.String,int,android.os.Bundle)>("", 0, $r23);
        $r23 = null;
        $r24 = new org.traccar.client.PositionProvider;
        specialinvoke $r24.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r16, "", 0L, null);
        $r25 = new org.traccar.client.PositionProvider$2;
        specialinvoke $r25.<org.traccar.client.PositionProvider$2: void <init>(org.traccar.client.PositionProvider)>($r24);
        virtualinvoke $r25.<org.traccar.client.PositionProvider$2: void onGpsStatusChanged(int)>(0);
        $r26 = new org.traccar.client.TraccarService$2;
        specialinvoke $r26.<org.traccar.client.TraccarService$2: void <init>(org.traccar.client.TraccarService)>($r16);
        virtualinvoke $r26.<org.traccar.client.TraccarService$2: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        $r27 = new org.traccar.client.TraccarActivity$1;
        specialinvoke $r27.<org.traccar.client.TraccarActivity$1: void <init>(org.traccar.client.TraccarActivity)>($r0);
        virtualinvoke $r27.<org.traccar.client.TraccarActivity$1: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        if $i0 == 37 goto label10;

        $r28 = new android.content.Intent;
        specialinvoke $r28.<android.content.Intent: void <init>()>();
        $r29 = virtualinvoke $r16.<org.traccar.client.TraccarService: android.os.IBinder onBind(android.content.Intent)>($r28);
        $r28 = null;

     label11:
        $r30 = new org.traccar.client.PositionProvider;
        specialinvoke $r30.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r16, "", 0L, null);
        $r31 = null;
        $r32 = new org.traccar.client.PositionProvider$1;
        specialinvoke $r32.<org.traccar.client.PositionProvider$1: void <init>(org.traccar.client.PositionProvider)>($r31);
        $r33 = new org.traccar.client.PositionProvider$InternalLocationListener;
        specialinvoke $r33.<org.traccar.client.PositionProvider$InternalLocationListener: void <init>(org.traccar.client.PositionProvider,org.traccar.client.PositionProvider$1)>($r30, $r32);
        $r34 = new android.os.Bundle;
        specialinvoke $r34.<android.os.Bundle: void <init>()>();
        virtualinvoke $r33.<org.traccar.client.PositionProvider$InternalLocationListener: void onStatusChanged(java.lang.String,int,android.os.Bundle)>("", 0, $r34);
        $r34 = null;
        $r35 = new org.traccar.client.PositionProvider;
        specialinvoke $r35.<org.traccar.client.PositionProvider: void <init>(android.content.Context,java.lang.String,long,org.traccar.client.PositionProvider$PositionListener)>($r16, "", 0L, null);
        $r36 = new org.traccar.client.PositionProvider$2;
        specialinvoke $r36.<org.traccar.client.PositionProvider$2: void <init>(org.traccar.client.PositionProvider)>($r35);
        virtualinvoke $r36.<org.traccar.client.PositionProvider$2: void onGpsStatusChanged(int)>(0);
        $r37 = new org.traccar.client.TraccarService$2;
        specialinvoke $r37.<org.traccar.client.TraccarService$2: void <init>(org.traccar.client.TraccarService)>($r16);
        virtualinvoke $r37.<org.traccar.client.TraccarService$2: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        $r38 = new org.traccar.client.TraccarActivity$1;
        specialinvoke $r38.<org.traccar.client.TraccarActivity$1: void <init>(org.traccar.client.TraccarActivity)>($r0);
        virtualinvoke $r38.<org.traccar.client.TraccarActivity$1: void onSharedPreferenceChanged(android.content.SharedPreferences,java.lang.String)>(null, "");
        if $i0 == 42 goto label11;

        if $i0 == 43 goto label12;

        if $i0 == 44 goto label11;

     label12:
        virtualinvoke $r16.<org.traccar.client.TraccarService: void onDestroy()>();

     label13:
        if $i0 == 45 goto label15;

        $r39 = new org.traccar.client.AutostartReceiver;
        specialinvoke $r39.<org.traccar.client.AutostartReceiver: void <init>()>();
        if $i0 == 46 goto label15;

        $r40 = new android.content.Intent;
        specialinvoke $r40.<android.content.Intent: void <init>()>();

     label14:
        virtualinvoke $r39.<org.traccar.client.AutostartReceiver: void onReceive(android.content.Context,android.content.Intent)>(null, $r40);
        $r40 = null;
        if $i0 == 47 goto label14;

     label15:
        if $i0 == 48 goto label01;

        return;
    } 

 

Best Regards,

Jin

 

 

2014-08-25 22:02 GMT+08:00 Stefan Gommer <gommeriphone at googlemail.com>:

Hi Jin,

 

this is an answer I got from Steven on a similar topic a short time ago. Maybe this is also the answer to your question.

 

Cheers,

Stefan

 

Message from Steven:

Callgraph edges are never transitive, so there is only an edge from the direct caller to the direct callee. Additionally, note that the SPARK callgraph algorithm only finds an edge for a virtual method call if it has only seen a constructor call for the respective base object. Take the following code:

 

                A a = new A();

                a.foo();

 

There will be an edge to foo(). On the other hand, take this code:

 

                A a = Factory.getA();

                a.foo();

 

Assume that “Factory” is an Android framework class. In this case, the constructor call for the A class is buried somewhere in the framework and not visible to SPARK. Consequently, SPARK has no runtime type information for variable “a” and will not produce a call graph edge for foo(). This is a known problem. Adaptive callgraph algorithms that dynamically scale between precision and approximations for unavailable information are an open research problem and, in fact, we are currently looking for a Master student to work on this topic as a thesis. In FlowDroid, we simply use the direct target of the call (and ignore the call graph) for library calls handled through a taint wrapper (see the paper for more information on taint wrappers).

 

 

 

On 25.08.2014 at 14:45, Jin Li <lijin1988 at gmail.com> wrote:





Hi All,

I use FlowDroid to analyze my apk files and then manually check the results it produced.

It seemed that when the source or sink appeared in a worker thread, FlowDroid would omit this source or sink. The paths reported by FlowDroid would be fewer than supposed.

I attached the apk.

Can anybody shed light on the reason? Or did I use a wrong configuration?

I really need your help. Thanks.

 

Best Regards,

Jin

<traccar-client-debug-unaligned.rar>
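
The SPARK behaviour described in Steven's quoted message, as an added example that is not part of the original thread and is not Soot or FlowDroid code: a toy call graph builder in Python that resolves a virtual call only through types whose allocation it has seen. The statement encoding and the method names Main.direct and Main.viaFramework are constructed for illustration, and the analysis is a heavy simplification of what SPARK does.

```python
from collections import defaultdict

# Constructed toy program. Statement forms (op, var, arg):
#   ("new",   v, cls)     v = new cls()
#   ("scall", v, target)  v = target()   static call, e.g. Factory.getA()
#   ("vcall", v, name)    v.name()       virtual call on v
#   ("ret",   v, None)    return v
DECLARES = {"A": {"foo"}}                      # class -> methods it implements
APP = {                                        # methods whose bodies are visible
    "Main.direct":       [("new", "a", "A"), ("vcall", "a", "foo")],
    "Main.viaFramework": [("scall", "a", "Factory.getA"), ("vcall", "a", "foo")],
    "A.foo":             [],
}
# The same factory, but as analysed code instead of an opaque framework class.
FACTORY_BODY = {"Factory.getA": [("new", "x", "A"), ("ret", "x", None)]}


def build_callgraph(bodies, entry):
    """Return the call edges reachable from entry, resolving virtual calls
    only through types whose allocation the analysis has actually seen."""
    pts = defaultdict(set)      # (method, var) -> possible runtime types
    rets = defaultdict(set)     # method -> types it may return
    edges, reachable = set(), {entry}

    def size():
        return (len(edges), len(reachable),
                sum(map(len, pts.values())), sum(map(len, rets.values())))

    while True:                 # naive fixed point; fine for a toy input
        before = size()
        for m in sorted(reachable):
            for op, var, arg in bodies.get(m, []):
                if op == "new":
                    pts[m, var].add(arg)
                elif op == "scall":
                    edges.add((m, arg))          # direct caller -> direct callee
                    if arg in bodies:            # body visible: follow it
                        reachable.add(arg)
                        pts[m, var] |= rets[arg]
                    # no body (framework): nothing is learned about var
                elif op == "vcall":
                    for cls in sorted(pts[m, var]):
                        if arg in DECLARES.get(cls, ()):
                            edges.add((m, f"{cls}.{arg}"))
                            reachable.add(f"{cls}.{arg}")
                elif op == "ret":
                    rets[m] |= pts[m, var]
        if size() == before:
            return edges
```

With APP alone, Main.viaFramework yields only the edge to Factory.getA; merging FACTORY_BODY into the analysed bodies makes the allocation visible and the edge to A.foo appears.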