[Soot-list] Empty PointsToSets using Spark

Steven Arzt Steven.Arzt at cased.de
Fri Jul 4 12:28:47 EDT 2014


Hi Florian,

Generating a dummy main method is the usual way to handle this situation.
Before writing your own dummy main method generator, you might however want
to look at the DefaultEntryPointCreatorClass in FlowDroid
(https://github.com/secure-software-engineering/soot-infoflow) which already
provides this functionality. We use it in FlowDroid when analyzing Java
code, and we have a separate entry point creator class for Android
applications.

If the PointsToSets generated by SPARK are empty at some point, you should
double-check which methods are marked as reachable by SPARK
(Scene.v().getReachableMethods()). If the call happens inside a method
deemed unreachable by SPARK, the PointsToSet will always be empty. Also
make sure that SPARK sees all constructor calls on the respective base
object. If it misses the assignments that initialize a and b for some
reason, you will get an empty PointsToSet as well.

What I do not understand is your statement that SPARK produces the same
outputs with CHA enabled and without it. The rest of your description seems
to contradict this: if you get the PointsToSet for CHA, but not for full
SPARK, they cannot be identical. Did I miss anything here?

Best regards,

  Steven


From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA]
On behalf of Florian Kübler
Sent: Tuesday, 24 June 2014 15:14
To: soot-list at CS.McGill.CA
Subject: [Soot-list] Empty PointsToSets using Spark


Hi,

We are currently working on an IFDS-based taint analysis regarding the use
of native methods in the JCL. In short, the analysis takes every direct
caller of a native method as an initial seed and runs backwards until a taint
reaches a public method.

Since Spark simplifies the call graph by removing the non-static public
methods which are not called within rt.jar, our first approach was to
generate the call graph using CHA and use Spark for the alias checks. We
discovered that CHA scales so badly that we can't use it for the JCL.

So our current approach aims to write a main method generator which adds
all the public methods of the transitive hull of native methods.

In general, is there a better way to handle this scenario?

Before we started the work on the main method generator, we ran our
(fairly simple) tests without CHA and discovered a strange behavior of
the PointsToAnalysis. Let's consider the following example:


public class Aliasing {

    public static void test1(int x) {
        Foo a = new Foo(1);
        Foo b = a;
        a.a = x;
        foo(b.a);
    }

    private static native void foo(int x);
}

public class Foo {
    int a;

    public Foo(int x) {
        a = x;
    }
}


Running the analysis without CHA, the PointsToSets of a and b are always
empty. With CHA enabled they intersect and the taint is propagated to x. The
test case works with default call graph settings and without Spark as well.

As we know Spark for its very precise PAG construction, this seems to be a
very strange behavior.

Furthermore, we dumped Spark's HTML output, with and without CHA, and realized
that they are identical.

Currently we have no clue what we are doing wrong.


Here are our settings:

    args.add("-p");
    args.add("cg.spark");
    args.add("on");

    args.add("-p");
    args.add("cg.spark");
    args.add("string-constants:true");

    args.add("-p");
    args.add("cg.spark");
    args.add("simulate-natives:false");

    args.add("-p");
    args.add("cg");
    args.add("all-reachable:true");

    args.add("-p");
    args.add("jb");
    args.add("use-original-names:true");

//  args.add("-p");
//  args.add("cg.cha");
//  args.add("enabled");

    args.add("-w");

    args.add("-allow-phantom-refs");

    args.add("-no-bodies-for-excluded");

    args.add("-keep-line-number");

    args.add("-include-all");


I hope anyone can help me.

Thanks a lot!

Florian
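The two checks Steven suggests (is test1 reachable at all, and does Spark see the allocation in a and the copy into b) wired around Florian's Aliasing test case, as an added example that is code from neither mail nor from Soot or FlowDroid. It assumes Aliasing.class and Foo.class were compiled with -g into a directory named bin (a placeholder), and it names test1 as an explicit entry point instead of generating a dummy main.

```java
import java.util.Collections;
import soot.G;
import soot.Local;
import soot.PackManager;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.Scene;
import soot.SootMethod;
import soot.options.Options;

public class SparkAliasCheck {
    // Assumed: Aliasing.class and Foo.class compiled with -g into ./bin (placeholder path).
    static final String PROCESS_DIR = "bin";
    static final String TEST1 = "<Aliasing: void test1(int)>";

    public static void main(String[] argv) {
        G.reset();
        Options.v().set_whole_program(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_prepend_classpath(true);
        Options.v().set_process_dir(Collections.singletonList(PROCESS_DIR));
        Options.v().setPhaseOption("jb", "use-original-names:true"); // keep the locals named a and b
        Options.v().setPhaseOption("cg.spark", "on");

        // Instead of a generated dummy main, name test1 as the entry point explicitly,
        // so Spark has no reason to consider it dead.
        Scene.v().loadNecessaryClasses();
        SootMethod test1 = Scene.v().getMethod(TEST1);
        Scene.v().setEntryPoints(Collections.singletonList(test1));
        PackManager.v().runPacks();

        // Check 1: is the method whose locals we query reachable at all?
        if (!Scene.v().getReachableMethods().contains(test1)) {
            System.out.println("test1 is unreachable; every PointsToSet in it will be empty");
            return;
        }
        // Check 2: does Spark see the allocation in a and the copy into b?
        PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
        PointsToSet pa = pta.reachingObjects(local(test1, "a"));
        PointsToSet pb = pta.reachingObjects(local(test1, "b"));
        System.out.println("a -> " + pa.possibleTypes() + ", b -> " + pb.possibleTypes());
        System.out.println("a and b may alias: " + pa.hasNonEmptyIntersection(pb));
    }

    // Look up a Jimple local by its original source name.
    static Local local(SootMethod m, String name) {
        for (Local l : m.retrieveActiveBody().getLocals())
            if (l.getName().equals(name)) return l;
        throw new IllegalStateException("no local named " + name + " (compiled without -g?)");
    }
}
```

If the first check fails, the empty sets are explained by reachability rather than by Spark's precision; if it passes but pa is empty, the constructor call in test1 is what Spark is missing.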
