[Soot-list] Can FlowDroid recognize source and sink in a worker thread?

Jin Li lijin1988 at gmail.com
Wed Aug 27 02:34:32 EDT 2014


Hi Eric,

Yes, it contains an edge from onCreate() to run() and an edge from
onCreate() to start(). But it does not contain a node that represents
doPost().

Best Regards,
Jin


2014-08-27 14:04 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:

>  Hello.
>
> Does the cg contain the call to Thread.start()? Normally this should then
> have special call edges to the right run method.
>
> Eric
>
> --
> Sent from my mobile
> On Aug 26, 2014 3:59 PM, Jin Li <lijin1988 at gmail.com> wrote:
>    Hi Eric,
>
>  I printed the call graph. However, it does not contain a call to
> doPost.
>  My code snippet is as follows:
>
>         SetupApplication app = new SetupApplication(
>                 "D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms",
>                 "D:\\Android\\TestApk\\schgg.apk");
>         try {
>             app.calculateSourcesSinksEntrypoints("D:\\Android\\Soot\\FlowDroid\\SourcesAndSinks.txt");
>         } catch (IOException e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         } catch (XmlPullParserException e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         }
>
>         soot.G.reset();
>         Options.v().set_src_prec(Options.src_prec_apk);
>         Options.v().set_process_dir(Collections.singletonList("D:\\Android\\TestApk\\schgg.apk"));
>         Options.v().set_android_jars("D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms");
>         Options.v().setPhaseOption("cg.spark", "on");
>
>         Options.v().set_allow_phantom_refs(true);
>         Options.v().set_whole_program(true);
>
>         Options.v().set_output_format(Options.output_format_none);
>
>         Scene.v().loadNecessaryClasses();
>         SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
>         Options.v().set_main_class(entryPoint.getSignature());
>         Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
>
>         PackManager.v().runPacks();
>
>         System.out.println(Scene.v().getCallGraph().size());
>
>         CallGraph cg = Scene.v().getCallGraph();
>
>  Best Regards,
>  Jin
>
>
>
> 2014-08-26 17:02 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:
>
>> Hi Jin.
>>
>> Hmm, this looks odd.  Normally, appropriate call-graph edges should be
>> present. Did you have a look to see if the call graph is complete, i.e.,
>> whether it contains a call to doPost?
>>
>> Cheers,
>> Eric
>>
>> On 26.08.2014, at 09:37, Jin Li <lijin1988 at gmail.com> wrote:
>>
>> > Hi Eric,
>> >
>> > A worker thread, I mean, a thread which is created in the UI thread and does the time-consuming work.
>> >
>> > A code snippet:
>> >
>> > public void onCreate(Bundle paramBundle)
>> >   {
>> >     super.onCreate(paramBundle);
>> >     setContentView(2130903040);
>> >     this.dummyBtn = ((Button)findViewById(2131034120));
>> >     this.dummyBtn.setOnClickListener(this);
>> >
>> >     this.myid = getMyNumber(); //sources
>> >     this.frdata = getContacts();  // sources
>> >
>> >
>> >     this.dialog = new ProgressDialog(this);
>> >     this.dialog.setMessage("しばらくお待ちください...");
>> >     this.dialog.setProgressStyle(0);
>> >     this.dialog.show();
>> >     if ((this.myid != null) && (this.frdata != ""))
>> >     {
>> >       new Thread(new Progress(null)).start();
>> >       return;
>> >     }
>> >     this.dialog.dismiss();
>> >     IntentFilter localIntentFilter = new IntentFilter();
>> >     localIntentFilter.addAction("android.intent.action.BATTERY_CHANGED");
>> >     registerReceiver(this.mBroadcastReceiver, localIntentFilter);
>> >   }
>> >
>> > private class Progress implements Runnable
>> >   {
>> >     private Progress() {}
>> >     public void run()
>> >     {
>> >       AppActivity.this.doPost();
>> >
>> >     }
>> >   }
>> > void doPost(){
>> > //sinks malicious actions
>> > }
>> >
>> > The new Thread would call doPost() which contains the sinks that send sensitive data out of the device.
>> >
>> > The results produced by FlowDroid omit these sinks. However, it regards the registerReceiver as a sink and produces a path from the source to this sink.
>> >
>> > I am confused by these results.
>> >
>> > Thanks
>> >
>> > Best Regards,
>> > Jin
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > 2014-08-26 14:51 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:
>> > Hi Jin.
>> >
>> > What exactly do you mean by a worker thread?
>> >
>> > Eric
>> >
>> > --
>> > Sent from my mobile
>> >
>> > On Aug 25, 2014 2:46 PM, Jin Li <lijin1988 at gmail.com> wrote:
>> > Hi All,
>> >
>> > I use FlowDroid to analyze my apk files and then manually check the results it produced.
>> >
>> > It seemed that when the source or sink appeared in a worker thread, FlowDroid would omit this source or sink. The paths reported by FlowDroid would be fewer than it is supposed to report.
>> >
>> > I attached the apk.
>> >
>> > Can anybody shed light on the reason? Or did I use a wrong configuration?
>> >
>> > I really need your help. Thanks.
>> >
>> > Best Regards,
>> > Jin
>> >
>>
>>  --
>> Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
>> Head of Secure Software Engineering  at Fraunhofer SIT, TU Darmstadt and
>> EC SPRIDE
>> Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
>> Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
>>
>>
>
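
Added example, not part of the original thread and not code from Soot or FlowDroid: one way to follow up on the call-graph check discussed above is to list, for every call site in a method, the edges Soot resolved for it, so that the call from run() to doPost() shows up as either resolved or missing. It assumes the call graph has already been built (that is, it runs after `PackManager.v().runPacks()`); the names `CallGraphProbe` and `probe` are hypothetical, and the app's package name is not given in the thread.

```java
import java.util.Iterator;

import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Unit;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

// Hypothetical helper (not part of Soot or FlowDroid). Assumes Soot has
// already loaded the APK and built the call graph.
public class CallGraphProbe {

    // Prints each call site in className.methodName with its resolved
    // call-graph edges; returns how many call sites have no edge at all.
    public static int probe(String className, String methodName) {
        CallGraph cg = Scene.v().getCallGraph();
        // Throws a RuntimeException if the class is not in the Scene.
        SootClass cls = Scene.v().getSootClass(className);
        int unresolved = 0;

        for (SootMethod m : cls.getMethods()) {
            if (!m.getName().equals(methodName) || !m.isConcrete()) {
                continue;
            }
            System.out.println(m.getSignature() + " reachable="
                    + Scene.v().getReachableMethods().contains(m));

            for (Unit u : m.retrieveActiveBody().getUnits()) {
                Stmt s = (Stmt) u; // Jimple bodies contain only Stmt units
                if (!s.containsInvokeExpr()) {
                    continue;
                }
                System.out.println("  call site: " + s);
                Iterator<Edge> out = cg.edgesOutOf(u);
                if (!out.hasNext()) {
                    unresolved++;
                    System.out.println("    NO EDGE, declared target: "
                            + s.getInvokeExpr().getMethod().getSignature());
                }
                while (out.hasNext()) {
                    Edge e = out.next();
                    System.out.println("    " + e.kind() + " -> " + e.tgt().getSignature());
                }
            }
        }
        return unresolved;
    }
}
```

Calling `CallGraphProbe.probe("<package>.AppActivity$Progress", "run")` and then the same for `onCreate` on the activity class shows at which call site the chain from onCreate() to doPost() stops; `<package>` is a placeholder for the app's real package name.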