[Soot-list] Identify virtual-call targets and library callee

Haipeng Cai hcai at nd.edu
Sat Jul 26 17:52:06 EDT 2014


Hi all,

To follow up my previous questions, now I can see that getting all possible
virtual call targets could be done by a CHA if not using CallGraph builder
with conservative cg and spark options. However, distinguishing application
callees from library callees with static analysis seems to be harder than
listing all possible targets, based on my experience with the following
example case:

    $i6 = interfaceinvoke r10.<org.w3c.dom.NodeList: int getLength()>(); // in XML-security

For this call site, CHA gives an application method
*org.apache.xml.security.utils.HelperNodeList: int getLength();*
as the only possible target by searching 'subtypes' from class
'org.w3c.dom.NodeList'. Indeed, this is the only one in the application
code.

However, for a particular execution, r10 points to an object not of the
above application class, and the real callee is actually the 'getLength'
method implemented in the root class 'org.w3c.dom.NodeList', which is in a
library (xalan.jar) that I put on the Soot Classpath. Therefore, CHA got a
bad case, mistakenly telling a library callee as an application callee.

I am wondering how to precisely identify application callee versus library
callee in static analysis. Does even the most precise static p2 analysis
solve this problem?

Thanks for your inputs in advance.




On Thu, Jul 24, 2014 at 8:14 PM, Haipeng Cai <hcai at nd.edu> wrote:

> Hi All,
>
> I am doing a static interprocedural dependence analysis with Soot for Java
> programs and having two difficulties:
>
> 1. How do I safely identify all possible callees at a call site,
> especially virtual call site?
>
> 2. How should I discern, among all the callees identified above, library
> callees from application callees?
>
> I have tried the CallGraph class, which seems to be quite incomplete; I
> also noticed that there is a method "IsJDKLibraryCall" in SootMethod class,
> which only tells JDK library calls from others, though.
>
> Any thoughts and advice are appreciated.
> Thanks,
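An added example, not part of the original message and not Soot code: a toy class-hierarchy analysis in plain Java that resolves the interfaceinvoke quoted above and tags each target by the origin of the class supplying the method body. The `Cls` model, the `Origin` labels and the class `lib.example.LibNodeList` are constructed for illustration; the example goes slightly beyond the post by showing how the CHA target set depends on which subtypes are loaded into the hierarchy.

```java
import java.util.*;

// Added example (not Soot code): a toy CHA over a hand-built hierarchy. Needs Java 16+.
public class ChaCallees {
    enum Origin { APPLICATION, LIBRARY }

    // name, where it was loaded from, concrete or not, direct supertypes
    // (superclass first), and the signatures it gives a body to.
    record Cls(String name, Origin origin, boolean concrete,
               List<String> supers, Set<String> bodies) {}

    final Map<String, Cls> loaded = new LinkedHashMap<>();

    void load(Cls c) { loaded.put(c.name(), c); }

    boolean isSubtype(String sub, String sup) {
        if (sub.equals(sup)) return true;
        Cls c = loaded.get(sub);
        return c != null && c.supers().stream().anyMatch(s -> isSubtype(s, sup));
    }

    // Class whose body runs when `sig` is invoked on an instance of `receiver`.
    Cls dispatch(String receiver, String sig) {
        for (Cls c = loaded.get(receiver); c != null;
             c = c.supers().isEmpty() ? null : loaded.get(c.supers().get(0))) {
            if (c.bodies().contains(sig)) return c;
        }
        return null;
    }

    // CHA: every loaded concrete subtype of the declared type is a possible receiver.
    Map<String, Origin> resolve(String declaredType, String sig) {
        Map<String, Origin> targets = new TreeMap<>();
        for (Cls c : loaded.values()) {
            if (!c.concrete() || !isSubtype(c.name(), declaredType)) continue;
            Cls impl = dispatch(c.name(), sig);
            if (impl != null) targets.put(impl.name() + ": " + sig, impl.origin());
        }
        return targets;
    }

    public static void main(String[] args) {
        String iface = "org.w3c.dom.NodeList", sig = "int getLength()";
        ChaCallees cha = new ChaCallees();
        cha.load(new Cls(iface, Origin.LIBRARY, false, List.of(), Set.of()));
        cha.load(new Cls("org.apache.xml.security.utils.HelperNodeList",
                Origin.APPLICATION, true, List.of(iface), Set.of(sig)));
        System.out.println("app subtype only: " + cha.resolve(iface, sig));
        // Constructed stand-in for a library implementation of NodeList.
        cha.load(new Cls("lib.example.LibNodeList", Origin.LIBRARY, true,
                List.of(iface), Set.of(sig)));
        System.out.println("library subtype loaded: " + cha.resolve(iface, sig));
    }
}
```

The second call reports one APPLICATION and one LIBRARY target for the same call site, so the classification is a property of each resolved target rather than of the call site.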