[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

Wei Yang davidyoung8906 at gmail.com
Thu Oct 2 02:11:08 EDT 2014


Hi! Steven,
     Thanks for your detailed explanation. Sorry that my question caused some
trouble to understand. Here's an example where I need to track certain
variables:
a = getSecret();
sendSecret(a,"1", "2" ,"3");
sendSecret("1", a, "2" ,"3");

What I want to do is track the information flow only when the first
parameter of sendSecret gets tainted. In this case, if the variable a gets
tainted, the analysis should report a -> sendSecret(a,"1", "2" ,"3"); but
not a -> sendSecret("1", a, "2" ,"3"). Currently I'm unable to know which
variable has been tainted in the information flow from InfoflowResults. Is
there any way I can get such information?

Thanks!




Best wishes,
David

2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de>:

> Hi Wei,
>
>
>
> In FlowDroid, sources are defined as the points in the code where a
> variable first gets unconditionally tainted. The tool then tracks data flow
> between variables and fields. Or, in other words, the source defines which
> variables are of interest to the taint analysis. Take the following example:
>
>
>
> a = getSecret();
>
> b = a;
>
>
>
> In this example, the variable “a” is of interest, because it is assigned
> the return value of the “getSecret()” method which is a source. Of course,
> your custom source sink manager can implement any rule you like for
> defining that a variable is of interest.
>
>
>
> The implicit rule in FlowDroid is that the source sink manager is asked
> for an assign statement. If it returns that this statement is a source, the
> variable on the left-hand side of the assignment gets tainted
> unconditionally. In the example above, this means that “a” gets tainted
> unconditionally, because the source sink manager replied “true” for the
> first statement.
>
>
>
> What exactly is your condition on which you decide whether to track a
> certain variable or not?
>
>
>
> Best regards,
>
>   Steven
>
>
>
> *From:* soot-list-bounces at CS.McGill.CA [mailto:
> soot-list-bounces at CS.McGill.CA] *On behalf of* Wei Yang
> *Sent:* Tuesday, 30 September 2014 07:55
> *To:* Steven Arzt
> *Cc:* soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
> *Subject:* Re: [Soot-list] Creating ISourceSinkManager to track
> information flow between Stmt or Value
>
>
>
> Hi! Steven,
>      Sorry that my question is a bit confusing in the earlier email. What
> I try to do is to find the information flows between variables (Value).
> Both methods *getSourceInfo* and *isSink* in interface ISourceSinkManager
> are based on Stmt. But I knew that the taint analysis is based on
> variables. So we should be able to obtain such information from the
> analysis. As I'm not very familiar with the code about the taint
> propagation, could you point me a direction and related files that I can
> look into to track the information flows between variables?
>
> Thanks a lot!
>
> On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de> wrote:
>
> Hi David,
>
>
>
> I am not sure whether I understand your question correctly. If you
> implement your own source-sink-manager directly on top of the
> ISourceSinkManager interface, you are free to define whatever kind of
> sources and sinks you need. There is no need to have a predefined list –
> FlowDroid will iterate over all statements in your program under analysis
> and ask the source-sink-manager whether to treat the respective statement
> as a source, as a sink, or as neither.
>
>
>
> Still, this is an a-priori analysis that is completed before the actual
> taint tracking starts. At the moment, I am not sure in which cases this
> should produce any limitations.
>
>
>
> Best regards,
>
>   Steven
>
>
>
> *From:* soot-list-bounces at CS.McGill.CA [mailto:
> soot-list-bounces at CS.McGill.CA] *On behalf of* Wei Yang
> *Sent:* Sunday, 28 September 2014 07:17
> *To:* soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
> *Subject:* [Soot-list] Creating ISourceSinkManager to track information
> flow between Stmt or Value
>
>
>
> Hi! All,
>
>      I'm trying to use FlowDroid to find if there's an information flow
> between two statements (Stmt) or Variables (Value). I found that
> in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we need to
> provide the signature of source and sink methods statically for all
> program. How can I define my own ISourceSinkManager so that it can track
> information flow based on Stmt or Value provided dynamically from the
> analysis? Is there any example code I could look into to find related
> information?
>
>
>
> Thanks a lot!
>
>
> Best wishes,
>
> David
>
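
The parameter-position rule asked about at the top of this thread, as an added example that is not part of the original messages and is not FlowDroid code. It uses no FlowDroid or Soot API: Stmt, SOURCES, SINK_PARAMS and analyze are hypothetical names, and the program is a constructed straight-line sample built from the getSecret/sendSecret statements and the b = a copy quoted above.

```java
import java.util.*;

public class ParamSensitiveSinkDemo {
    // "lhs = callee(args)", a copy "lhs = args[0]" (callee == null), or a bare call (lhs == null).
    record Stmt(String lhs, String callee, List<String> args) {
        @Override public String toString() {
            String rhs = callee == null ? args.get(0) : callee + "(" + String.join(", ", args) + ")";
            return lhs == null ? rhs : lhs + " = " + rhs;
        }
    }

    // Hypothetical policy: source methods, and per sink the parameter indices that count as a leak.
    static final Set<String> SOURCES = Set.of("getSecret");
    static final Map<String, Set<Integer>> SINK_PARAMS = Map.of("sendSecret", Set.of(0));

    /** One finding per sink call whose policy-listed parameter holds a tainted variable. */
    static List<String> analyze(List<Stmt> program) {
        Set<String> tainted = new HashSet<>();
        List<String> findings = new ArrayList<>();
        for (Stmt s : program) {
            if (s.callee() != null) {
                // Sink check: only the listed positions are inspected, other arguments are ignored.
                for (int i : SINK_PARAMS.getOrDefault(s.callee(), Set.of())) {
                    if (i < s.args().size() && tainted.contains(s.args().get(i))) {
                        findings.add(s.args().get(i) + " -> " + s + " [param " + i + "]");
                    }
                }
            }
            if (s.lhs() != null) {
                // A source call taints the left-hand side; a copy propagates or clears taint.
                boolean rhsTainted = s.callee() != null
                        ? SOURCES.contains(s.callee())
                        : tainted.contains(s.args().get(0));
                if (rhsTainted) tainted.add(s.lhs()); else tainted.remove(s.lhs());
            }
        }
        return findings;
    }

    public static void main(String[] argv) {
        // Constructed sample program modelled on the statements in the thread.
        List<Stmt> program = List.of(
            new Stmt("a", "getSecret", List.of()),
            new Stmt("b", null, List.of("a")),
            new Stmt(null, "sendSecret", List.of("a", "\"1\"", "\"2\"", "\"3\"")),
            new Stmt(null, "sendSecret", List.of("\"1\"", "a", "\"2\"", "\"3\"")),
            new Stmt(null, "sendSecret", List.of("b", "\"1\"", "\"2\"", "\"3\"")));
        analyze(program).forEach(System.out::println);
    }
}
```

The second sendSecret call yields no finding because the tainted variable sits at index 1, while the third is reported through the copy b = a.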