[Soot-list] Inquiry on analyzing fields using IFDS

Edward Suhkoi edward.suhkoi at gmail.com
Wed Nov 26 07:52:41 EST 2014


Hi all:

I'm implementing a small, simple demo IFDS taint analysis (on a forward
ICFG) and have run into some problems regarding instance fields; would you
kindly shed some light on this?

For the following code snippet:

class Test
{
    // Stub source()/sink() added so the snippet compiles; a taint demo
    // would register these as its source and sink methods.
    static String source() { return "SECRET"; }
    static void sink(String s) { System.out.println(s); }

    String string = source(); // Test.<init>: NormalFlow generates fact <Test.string>

    void test() //CallFlow, fact: <Test.string>
    {
        string = "OVERWRITTEN"; //NormalFlow, fact gets killed
        //ReturnFlow, no fact
    }

    void report() // renamed from final(): 'final' is a reserved word in Java
    {
        sink(string);
    }

    public static void main(String[] args)
    {
        Test t = new Test(); //<init> fact: <Test.string>

        t.test(); //however, CallToReturn still preserves the
        //fact:<Test.string>, how does it know the fact is indirectly killed inside
        //t.test()? Since datafact at CallToReturn is "merged" with datafact from
        //ReturnFlowFunction, if I understood clearly.
        t.report();
    }
}


One can see that first a taint is generated at Test.<init>, then transferred
to Test.string; Test.string is overwritten in test(), so I have some
questions here:

1) In my implementation, data facts of fields are propagated in
CallFlowFunction. If a data fact gets killed in this function, how do the
data facts "outside" this function call get to know this? The field taint
data fact also exists in NormalFlowFunction and CallToReturnFlowFunction
"outside" function test(), i.e. "in" function main(), but the field taint
fact is killed inside the function call, so how do we get to erase the data
facts "outside" this function call?

2) I wonder how FlowDroid addresses this problem. Thanks.
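To see the two behaviours side by side, here is an added example (my own, not code from the post, nor from Soot, Heros or FlowDroid): a tiny context-insensitive propagation of (node, fact) pairs over a hand-built ICFG of the Test class above, with the four IFDS flow functions written out. The node ids, the method name report() in place of final(), the (base, field) encoding of facts and the kill_receiver_facts switch are assumptions of this model. The "naive" variant passes every caller fact through CallToReturn unchanged and so still reports <t.string> as tainted after t.test(); the "fixed" variant drops facts on the receiver at CallToReturn whenever the callee body is analysed, so the only way <t.string> can reappear at the return site is through ReturnFlow, which the kill inside test() has cut off.

```python
"""Toy IFDS-style taint propagation over a hand-built ICFG (constructed example).

Models the Test class from the post: source() in <init>, the field overwritten
in test(), sink(string) in report(). Propagation is context-insensitive (no
summary edges), so this only models how the four flow functions interact at a
call site; it is not the Heros tabulation algorithm.
"""
from collections import deque

ZERO = ("0", None)   # the IFDS zero fact
# every other fact is (base, field): ("t", "string") = "field string of local t is tainted"

# ICFG of the posted program. Node ids, and modelling "t = new Test()" as a call
# of <init> on receiver t, are assumptions of this model.
ICFG = {
    "m0": dict(method="main",   kind="call",   callee="<init>", retsite="m1", recv="t"),
    "m1": dict(method="main",   kind="call",   callee="test",   retsite="m2", recv="t"),
    "m2": dict(method="main",   kind="call",   callee="report", retsite="m3", recv="t"),
    "m3": dict(method="main",   kind="exit"),
    "i0": dict(method="<init>", kind="normal", succ="i1", gen="string"),    # string = source()
    "i1": dict(method="<init>", kind="exit"),
    "t0": dict(method="test",   kind="normal", succ="t1", kill="string"),   # string = "OVERWRITTEN"
    "t1": dict(method="test",   kind="exit"),
    "r0": dict(method="report", kind="normal", succ="r1", sink="string"),   # sink(string)
    "r1": dict(method="report", kind="exit"),
}
ENTRY = {"main": "m0", "<init>": "i0", "test": "t0", "report": "r0"}
CALLERS = {}
for _nid, _n in ICFG.items():
    if _n["kind"] == "call":
        CALLERS.setdefault(_n["callee"], []).append(_nid)


def normal_flow(node, fact):
    """NormalFlowFunction: gen the field at 'x = source()', kill it at 'x = "..."'."""
    if "gen" in node and fact == ZERO:
        return {ZERO, ("this", node["gen"])}
    if "kill" in node and fact == ("this", node["kill"]):
        return set()                      # the assignment overwrites the tainted field
    return {fact}


def call_flow(call, fact):
    """CallFlowFunction: facts on the receiver enter the callee as facts on 'this'."""
    if fact == ZERO:
        return {ZERO}
    base, field = fact
    return {("this", field)} if base == call["recv"] else set()


def return_flow(call, fact):
    """ReturnFlowFunction: 'this' facts that survive the callee map back to the receiver."""
    if fact == ZERO:
        return {ZERO}
    base, field = fact
    return {(call["recv"], field)} if base == "this" else set()


def call_to_return_flow(call, fact, kill_receiver_facts):
    """CallToReturnFlowFunction. naive (False): identity. fixed (True): a fact on the
    receiver is dropped when the callee body is analysed, since call_flow already
    carried it in and return_flow brings it back only if the callee kept it. A callee
    without a body (native/excluded) has no return flow, so its facts must stay."""
    if fact == ZERO:
        return {ZERO}
    if kill_receiver_facts and fact[0] == call["recv"] and call["callee"] in ENTRY:
        return set()
    return {fact}


def solve(kill_receiver_facts):
    """Propagate (node, fact) pairs through the ICFG; return reached pairs and sink hits."""
    start = (ENTRY["main"], ZERO)
    reached, leaks, work = {start}, [], deque([start])

    def push(nid, facts):
        for f in facts:
            if (nid, f) not in reached:
                reached.add((nid, f))
                work.append((nid, f))

    while work:
        nid, fact = work.popleft()
        node = ICFG[nid]
        if node["kind"] == "normal":
            if "sink" in node and fact == ("this", node["sink"]):
                leaks.append(f"{node['method']}: sink({node['sink']})")
            push(node["succ"], normal_flow(node, fact))
        elif node["kind"] == "call":
            push(ENTRY[node["callee"]], call_flow(node, fact))
            push(node["retsite"], call_to_return_flow(node, fact, kill_receiver_facts))
        else:  # exit: return flow into every caller's return site
            for c in CALLERS.get(node["method"], []):
                push(ICFG[c]["retsite"], return_flow(ICFG[c], fact))
    return reached, leaks


def facts_at(reached, nid):
    return {f for n, f in reached if n == nid}


if __name__ == "__main__":
    for variant in (False, True):
        reached, leaks = solve(variant)
        print(f"kill receiver facts at CallToReturn={variant}: "
              f"facts after t.test()={facts_at(reached, 'm2')}, leaks={leaks}")
```

Two caveats that a real analysis has to handle and this model does not: facts are keyed on the local that holds the receiver, so if another local aliases t the kill at CallToReturn misses the aliased fact (an alias analysis is needed to decide which caller facts the callee can reach), and the kill is only sound when the callee actually has an analysed body with a matching ReturnFlowFunction, which is why the model keeps the fact for callees not in ENTRY.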