[Soot-list] Finding Flows between same sinks and same sources / Connecting the flows using FlowDroid

Steven Arzt Steven.Arzt at cased.de
Wed Jun 18 04:32:29 EDT 2014


Hi Sarah,

 

If you have explicit data flows, i.e., a value obtained from a source
reaches a sink through a sequence of assignments, flows can be nested and
FlowDroid will take care of it automatically. Take the following example:

 

    s = source();
    t = leak(s);
    leak(t);

 

In this case, the value is read from the source only once, then passed to a
sink, and from there on to a second sink. FlowDroid will find both leaks
automatically.

 

For implicit flows, this holds in a similar fashion. The example you have
sent me earlier on is not that easy, though, since there is no real
connection. If I remember it correctly, you displayed an alert dialog
depending on a condition on a secret value. FlowDroid can find this leak
when the implicit flow option is enabled. Then, you were however looking for
the implicit dependency of the callback handlers inside the alert dialog on
this secret. So the dialog only appears if the secret has a specific value,
and only then the callbacks inside the dialog are registered. This means if
an attacker can observe a callback being executed (since it for instance
sends out a constant value), he can derive that the conditional on the
secret holds. There is no support in FlowDroid for such connections between
two disconnected implicit flows. You can try to add it, but this is nothing
that can be done in a minute.

 

Best regards,

  Steven

 

From: H S [mailto:aras_h1988 at yahoo.com]
Sent: Tuesday, June 17, 2014 22:05
To: Steven Arzt; Siegfried Rasthofer; soot-list at sable.mcgill.ca;
soot-list at CS.McGill.CA
Subject: Finding Flows between same sinks and same sources / Connecting the
flows using FlowDroid

 

Hi:

I am using FlowDroid to get the different paths between the same sources and
the same sinks

(like source1--flow1-->sink1, and source1--flow2-->sink1),

where in one flow you may have a user interaction (for example, by popping
up an alert dialog on the device screen) and in the other flow you do not
have any user interaction.

 

To catch these flows I simply added the signature of alert.dialog.show() to
the default list of sources and sinks of FlowDroid. 

 

Now my question is how can I understand that the sink of some flow is the
source of the other flow.

 

Meaning e.g.: if I set alertdialog1 as a sink, and also as a source, I will
get two flows. 

Like: (1)source1--flow1-->alertdialog1, (2)alertdialog1--flow2-->sink1.

 

And I have also this possible flow: source1--flow3-->sink1. 

 

So now how can I connect (1) and (2)? And say that between source1 and sink1
we have two flows:

(flow1+flow2) and flow3. Based on which tags of the XML file of FlowDroid
can one get the required information to connect these two flows?

 

From the output XML file of FlowDroid, using an XML parser, until now I simply
extracted the <signature> for each <methodEntry> of each <path>.

 

Here is the sample result file which results from parsing the output XML
file of FlowDroid:

 

"Number of of MethodEntries in Path.No   3  is   6:
Signature of Method Entry No.  1   is <android.widget.EditText: android.text.Editable getText()>
Signature of Method Entry No.  2   is <java.lang.Object: java.lang.String toString()>
Signature of Method Entry No.  3   is <java.lang.Integer: int parseInt(java.lang.String)>
Signature of Method Entry No.  4   is <java.lang.Integer: java.lang.Integer valueOf(int)>
Signature of Method Entry No.  5   is <com.example.myapplication4.app.MainActivity$1: void <init>(com.example.myapplication4.app.MainActivity)>
Signature of Method Entry No.  6   is <com.example.myapplication4.app.MainActivity: void onCreate(android.os.Bundle)>

Number of of MethodEntries in Path.No   4  is   7:
Signature of Method Entry No.  1   is <android.widget.EditText: android.text.Editable getText()>
Signature of Method Entry No.  2   is <java.lang.Object: java.lang.String toString()>
Signature of Method Entry No.  3   is <java.lang.Integer: int parseInt(java.lang.String)>
Signature of Method Entry No.  4   is <java.lang.Integer: java.lang.Integer valueOf(int)>
Signature of Method Entry No.  5   is <java.lang.Integer: int intValue()>
Signature of Method Entry No.  6   is <com.example.myapplication4.app.MainActivity: void openAlert(android.view.View)>
Signature of Method Entry No.  7   is <android.app.AlertDialog$Builder: android.app.AlertDialog show()>

Number of total Signatures:26
User interactions occurs  1 times.

In these paths there exist User Interaction, No.   4"  

 

 

Looking forward to your answer,

Sarah
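
Added example, not part of the original thread and not FlowDroid code: one way to post-process reported flows so that a flow ending at the dialog is joined with a flow starting at it, giving (flow1+flow2) and flow3 between source1 and sink1. It assumes each flow has already been reduced to a (flow id, source signature, sink signature) tuple; SINK1 is a placeholder signature, and joining on equal signatures is only a heuristic that does not establish the implicit dependency discussed in the reply.

```python
# Constructed sample: the three flows from the question. The source and dialog
# signatures are the ones in the parsed output above; SINK1 is a placeholder.
SOURCE1 = "<android.widget.EditText: android.text.Editable getText()>"
ALERT1 = "<android.app.AlertDialog$Builder: android.app.AlertDialog show()>"
SINK1 = "<placeholder.Sink: void sink1(java.lang.String)>"

FLOWS = [
    ("flow1", SOURCE1, ALERT1),
    ("flow2", ALERT1, SINK1),
    ("flow3", SOURCE1, SINK1),
]


def chain_flows(flows, start, end):
    """Return every chain of flow ids that leads from start to end.

    Two flows are joined when the sink signature of the first equals the
    source signature of the second. This is a signature-level heuristic: it
    does not prove that data or control actually carries over the join.
    """
    by_source = {}
    for flow_id, src, snk in flows:
        by_source.setdefault(src, []).append((flow_id, snk))

    chains = []

    def walk(node, used, visited):
        for flow_id, snk in by_source.get(node, []):
            if snk == end:
                chains.append(used + [flow_id])
            elif snk not in visited:  # skip cycles through dual source/sink nodes
                walk(snk, used + [flow_id], visited | {snk})

    walk(start, [], {start})
    return sorted(chains, key=lambda c: (len(c), c))


def has_user_interaction(chain, flows, ui_signatures):
    """True if any flow in the chain ends at a UI endpoint such as the dialog."""
    sink_of = {flow_id: snk for flow_id, _, snk in flows}
    return any(sink_of[flow_id] in ui_signatures for flow_id in chain)


if __name__ == "__main__":
    for chain in chain_flows(FLOWS, SOURCE1, SINK1):
        ui = has_user_interaction(chain, FLOWS, {ALERT1})
        print("+".join(chain), "(user interaction)" if ui else "(no user interaction)")
```

Matching on the call site (statement and enclosing method) instead of the bare method signature would avoid joining flows that pass through two different dialogs with the same show() signature.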

 
