[Soot-list] Empty PointsToSets using Spark

Florian Kübler florian-kuebler at web.de
Tue Jun 24 09:14:15 EDT 2014


Hi,

We are currently working on an IFDS based taint analysis regarding the use of native methods in the JCL. In short, the analysis takes every direct caller of a native method as an initialSeed and runs backwards until a taint reaches a public method.
Since Spark simplifies the call graph by removing the non static public methods which were not called in the rt.jar, our first approach was to generate the call graph using CHA and use Spark for the alias checks. We discovered that CHA scales so badly that we can't use it for the JCL.
So our current approach aims to write a main method generator, which adds all the public methods of the transitive hull of native methods.
In general, is there a better way to handle this scenario?

Before we started the work on the main method generator, we've run our (fairly simple) tests without the CHA and discovered a strange behavior of the PointsToAnalysis. Let's consider the following example:

public class Aliasing {

	public static void test1(int x) {
		Foo a = new Foo(1);
		Foo b = a;
		a.a = x;
		foo(b.a);
	}

	private static native void foo(int x);
}

public class Foo {
	int a;

	public Foo(int x) {
		a = x;
	}
}

Running the analysis without CHA, the PointsToSets of a and b are always empty. With CHA enabled they intersect and the taint is propagated to x. The test case works with default call graph settings and without Spark as well.
As we know Spark for its very precise PAG construction, this seems to be a very strange behavior.
Furthermore we dumped Spark's HTML output, with and without CHA, and realized that they are identical.
Currently we have no clue of what we are doing wrong.

Here are our settings:

	args.add("-p");
	args.add("cg.spark");
	args.add("on");

	args.add("-p");
	args.add("cg.spark");
	args.add("string-constants:true");

	args.add("-p");
	args.add("cg.spark");
	args.add("simulate-natives:false");

	args.add("-p");
	args.add("cg");
	args.add("all-reachable:true");

	args.add("-p");
	args.add("jb");
	args.add("use-original-names:true");

//	args.add("-p");
//	args.add("cg.cha");
//	args.add("enabled");
		
	args.add("-w");

	args.add("-allow-phantom-refs");

	args.add("-no-bodies-for-excluded");

	args.add("-keep-line-number");

	args.add("-include-all");

I hope anyone can help me.
Thanks a lot!

Florian
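For readers trying to reproduce this, here is an added example (not code from the original post) that drives Soot programmatically with the same Spark settings and queries the points-to sets of a and b in test1 directly. The one thing it does differently from the settings above is to register test1 as an explicit entry point and to confirm, before asking for any points-to set, that the method is actually in the call graph: Spark only builds its pointer assignment graph for methods reachable from the entry points, so a method the call graph never reaches gets empty sets for all its locals regardless of how precise the analysis is. The directory "bin" holding the compiled Aliasing.class and Foo.class (compiled with javac -g so the original local names survive) is an assumption.

```java
import java.util.Collections;

import soot.Body;
import soot.Local;
import soot.PackManager;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.options.Options;

public class SparkAliasCheck {

    public static void main(String[] args) {
        // Assumed layout: Aliasing.class and Foo.class compiled with "javac -g" under ./bin
        String processDir = args.length > 0 ? args[0] : "bin";

        Options.v().set_whole_program(true);            // -w
        Options.v().set_allow_phantom_refs(true);       // -allow-phantom-refs
        Options.v().set_no_bodies_for_excluded(true);   // -no-bodies-for-excluded
        Options.v().set_keep_line_number(true);         // -keep-line-number
        Options.v().set_include_all(true);              // -include-all
        Options.v().set_prepend_classpath(true);
        Options.v().set_process_dir(Collections.singletonList(processDir));
        Options.v().setPhaseOption("jb", "use-original-names:true");
        Options.v().setPhaseOption("cg.spark", "on");
        Options.v().setPhaseOption("cg.spark", "string-constants:true");
        Options.v().setPhaseOption("cg.spark", "simulate-natives:false");

        Scene.v().loadNecessaryClasses();

        SootClass aliasing = Scene.v().getSootClass("Aliasing");
        aliasing.setApplicationClass();
        SootMethod test1 = aliasing.getMethodByName("test1");
        // Register test1 as an entry point so the call graph, and with it Spark's PAG, reaches it
        Scene.v().setEntryPoints(Collections.singletonList(test1));

        PackManager.v().runPacks();

        // Check reachability first: a method outside the call graph has no PAG nodes,
        // so every points-to set queried for its locals is empty by construction
        boolean reachable = Scene.v().getReachableMethods().contains(test1);
        System.out.println("test1 reachable in call graph: " + reachable);

        Body body = test1.retrieveActiveBody();
        Local a = findLocal(body, "a");
        Local b = findLocal(body, "b");

        PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
        PointsToSet ptsA = pta.reachingObjects(a);
        PointsToSet ptsB = pta.reachingObjects(b);
        System.out.println("pts(a) empty: " + ptsA.isEmpty() + ", pts(b) empty: " + ptsB.isEmpty());
        // With "Foo b = a;" Spark copies a's allocation site to b, so this should print true
        System.out.println("a and b may alias: " + ptsA.hasNonEmptyIntersection(ptsB));
    }

    // Locate a Jimple local by its source name; requires debug info plus use-original-names:true
    private static Local findLocal(Body body, String name) {
        for (Local l : body.getLocals()) {
            if (l.getName().equals(name)) {
                return l;
            }
        }
        throw new IllegalStateException("no local named " + name
                + " (compile with javac -g and keep jb use-original-names:true)");
    }
}
```

If "test1 reachable in call graph" prints false, the empty sets are explained by the call graph rather than by Spark's precision; in that case check which classes Soot treats as application classes, since cg all-reachable:true only turns methods of application classes into entry points.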