[Soot-list] Empty PointsToSets using Spark

Florian Kübler florian-kuebler at web.de
Thu Jul 10 08:24:48 EDT 2014


Hi Steven,

we are now using the soot-infoflow DefaultEntryPointCreator (in an extended version to handle methods where no constructor can be created, see pull request). Thank you for that advice.

The actual problem with the empty PointsToSets was a small mistake by us, as we passed the "field" as argument where we should not do that. The different behavior was caused by SPARK as it does not create aliases for fields of primitive types.

I think the identical output came from the execution order of the transformation packs and there shouldn’t be an error with that. It was just confusing at this moment.

Thanks
Florian

On 04.07.2014 at 18:28, Steven Arzt <Steven.Arzt at cased.de> wrote:

> Hi Florian,
>  
> Generating a dummy main method is the usual way to handle this situation. Before writing your own dummy main method generator, you might however want to look at the DefaultEntryPointCreatorClass in FlowDroid (https://github.com/secure-software-engineering/soot-infoflow) which already provides this functionality. We use it in FlowDroid when analyzing Java code, and we have a separate entry point creator class for Android applications.
>  
> If the PointsToSets generated by SPARK are empty at some point, you should double-check which methods are marked as reachable by SPARK (Scene.v().getReachableMethods()). If the call happens inside a method deemed unreachable by SPARK, the PointsToSet will always be empty. Also make sure that SPARK sees all constructor calls on the respective base object. If it misses the assignments that initialize a and b for some reason, you will get an empty PointsToSet as well.
>  
> What I do not understand is your statement that SPARK produces the same outputs with CHA enabled and without it. The rest of your description seems to contradict this: if you get the PointsToSet for CHA, but not for full SPARK, they cannot be identical. Did I miss anything here?
>  
> Best regards,
>   Steven
>  
> From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On behalf of Florian Kübler
> Sent: Tuesday, June 24, 2014 15:14
> To: soot-list at CS.McGill.CA
> Subject: [Soot-list] Empty PointsToSets using Spark
>  
> Hi,
>  
> We are currently working on an IFDS based taint analysis regarding the use of native methods in the JCL. In short, the analysis takes every direct caller of a native method as an initialSeed and runs backwards until a taint reaches a public method.
> Since Spark simplifies the call graph by removing the non-static public methods which were not called in the rt.jar, our first approach was to generate the call graph using CHA and use Spark for the alias checks. We discovered that CHA scales so badly that we can't use it for the JCL.
> So our current approach aims to write a main method generator, which adds all the public methods of the transitive hull of native methods.
> In general, is there a better way to handle this scenario?
>  
> Before we started the work on the main method generator, we've run our (fairly simple) tests without the CHA and discovered a strange behavior of the PointsToAnalysis. Let's consider the following example:
>  
> public class Aliasing {
>  
>        public static void test1(int x) {
>              Foo a = new Foo(1);
>              Foo b = a;
>              a.a = x;
>              foo(b.a);
>        }
>  
>        private static native void foo(int x);
> }
>  
> public class Foo {
>        int a;
>  
>        public Foo(int x) {
>              a = x;
>        }
> }
>  
> Running the analysis without CHA, the PointsToSets of a and b are always empty. With CHA enabled they intersect and the taint is propagated to x. The test case works with default call graph settings and without Spark as well.
> As Spark is known for a very precise PAG construction, this seems to be a very strange behavior.
> Furthermore we dumped Spark's HTML output, with and without CHA, and realized that they are identical.
> Currently we have no clue of what we are doing wrong.
>  
> Here are our settings:
>  
>        args.add("-p");
>        args.add("cg.spark");
>        args.add("on");
>  
>        args.add("-p");
>        args.add("cg.spark");
>        args.add("string-constants:true");
>  
>        args.add("-p");
>        args.add("cg.spark");
>        args.add("simulate-natives:false");
>  
>        args.add("-p");
>        args.add("cg");
>        args.add("all-reachable:true");
>  
>        args.add("-p");
>        args.add("jb");
>        args.add("use-original-names:true");
>  
> //     args.add("-p");
> //     args.add("cg.cha");
> //     args.add("enabled");
>             
>        args.add("-w");
>  
>        args.add("-allow-phantom-refs");
>  
>        args.add("-no-bodies-for-excluded");
>  
>        args.add("-keep-line-number");
>  
>        args.add("-include-all");
>  
> I hope anyone can help me.
> Thanks a lot!
>  
> Florian
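The following Java program is an added example and is not code from the thread or from the Soot/FlowDroid projects. It drives Soot with SPARK over the Aliasing and Foo classes quoted above and performs the two checks Steven suggests (is the method reachable, and do the base objects a and b alias), then shows the pitfall Florian found: the int field Foo.a carries no points-to information of its own, so an alias query on the field rather than on the base objects comes back empty. It assumes the compiled Aliasing.class and Foo.class are in the directory passed as the first command-line argument and that Soot can see a JDK on the classpath; the class name AliasCheck and the helper findLocal are the example's own.

```java
import java.util.Collections;

import soot.Body;
import soot.Local;
import soot.PackManager;
import soot.PhaseOptions;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.RefLikeType;
import soot.Scene;
import soot.SootClass;
import soot.SootField;
import soot.SootMethod;
import soot.options.Options;

/**
 * Added example (not from the mailing-list thread): runs SPARK on the
 * Aliasing/Foo classes and checks reachability and aliasing of the
 * reference-typed locals, then queries the primitive field to show that
 * SPARK keeps no points-to set for it.
 */
public class AliasCheck {

    public static void main(String[] args) {
        // Assumption: args[0] is the directory holding Aliasing.class and Foo.class.
        String classDir = args[0];

        // Whole-program mode with SPARK, mirroring the settings from the thread.
        Options.v().set_whole_program(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_prepend_classpath(true);   // keep the JDK visible to Soot
        Options.v().set_soot_classpath(classDir);
        PhaseOptions.v().setPhaseOption("cg.spark", "on");
        PhaseOptions.v().setPhaseOption("cg", "all-reachable:true");
        PhaseOptions.v().setPhaseOption("jb", "use-original-names:true");

        SootClass aliasing = Scene.v().loadClassAndSupport("Aliasing");
        aliasing.setApplicationClass();
        Scene.v().loadNecessaryClasses();

        // Use test1 itself as the entry point rather than a generated dummy main,
        // so SPARK has no reason to consider it unreachable.
        SootMethod test1 = aliasing.getMethodByName("test1");
        Scene.v().setEntryPoints(Collections.singletonList(test1));

        PackManager.v().runPacks();   // builds the call graph and runs SPARK

        // Check 1 (Steven's first hint): points-to sets are only meaningful
        // for methods SPARK considers reachable.
        boolean reachable = Scene.v().getReachableMethods().contains(test1);
        System.out.println("test1 reachable: " + reachable);

        Body body = test1.retrieveActiveBody();   // original names kept by jb option
        Local a = findLocal(body, "a");
        Local b = findLocal(body, "b");
        PointsToAnalysis pta = Scene.v().getPointsToAnalysis();

        // Check 2: alias test on the *base objects*, which are reference-typed.
        // Both locals point to the single "new Foo(1)" allocation, so the sets intersect.
        PointsToSet ptsA = pta.reachingObjects(a);
        PointsToSet ptsB = pta.reachingObjects(b);
        System.out.println("a aliases b: " + ptsA.hasNonEmptyIntersection(ptsB));

        // Florian's pitfall: SPARK models only reference-typed fields, so asking
        // for the objects reached through the int field Foo.a yields an empty set.
        // A taint analysis must therefore compare the base objects, not the field.
        SootField fieldA = Scene.v().getSootClass("Foo").getFieldByName("a");
        if (!(fieldA.getType() instanceof RefLikeType)) {
            PointsToSet viaField = pta.reachingObjects(a, fieldA);
            System.out.println("Foo.a is primitive; field-level set empty: " + viaField.isEmpty());
        }
    }

    /** Looks up a local by its (original) name in a method body. */
    private static Local findLocal(Body body, String name) {
        for (Local l : body.getLocals()) {
            if (l.getName().equals(name)) {
                return l;
            }
        }
        throw new IllegalArgumentException("no local named " + name + " in " + body.getMethod());
    }
}
```

Run it as `java -cp soot.jar:. AliasCheck /path/to/classes`. If "test1 reachable" prints false, the entry-point setup is wrong and every PointsToSet will be empty regardless of the alias relation, which is exactly the situation Steven's first hint is meant to rule out before looking for SPARK bugs.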
