[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

Steven Arzt Steven.Arzt at cased.de
Thu Oct 2 05:28:42 EDT 2014


Hi Wei,

 

Now I understand your problem. Indeed, FlowDroid is at the moment lacking a notion of parameter sinks. We only support a notion of sink statements, i.e. if a tainted variable is read in a statement that is defined as a sink, we report it as a leak. Extending FlowDroid to support a more precise notion of sinks would be an interesting direction of future work.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Wei Yang
Sent: Thursday, 2 October 2014 08:11
To: Steven Arzt
Cc: soot-list at cs.mcgill.ca; soot-list at sable.mcgill.ca
Subject: Re: [Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

 

Hi! Steven,

     Thanks for your detailed explanation. Sorry that my question caused some trouble to understand. Here's an example where I need to track certain variables:

a = getSecret();

sendSecret(a,"1", "2" ,"3");

sendSecret("1", a, "2" ,"3");

 

What I want to do is track the information flow only when the first parameter of sendSecret gets tainted. In this case, if the variable a gets tainted, the analysis should report a -> sendSecret(a,"1", "2" ,"3"); but not a -> sendSecret("1", a, "2" ,"3"). Currently I'm unable to know which variable has been tainted in the information flow from InfoflowResults. Is there any way I can get such information?

 

Thanks!

Best wishes,

David 

 

2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de>:

Hi Wei,

 

In FlowDroid, sources are defined as the points in the code where a variable first gets unconditionally tainted. The tool then tracks data flow between variables and fields. Or, in other words, the source defines which variables are of interest to the taint analysis. Take the following example:

 

a = getSecret();

b = a;

 

In this example, the variable “a” is of interest, because it is assigned the return value of the “getSecret()” method which is a source. Of course, your custom source sink manager can implement any rule you like for defining that a variable is of interest.

 

The implicit rule in FlowDroid is that the source sink manager is asked for an assign statement. If it returns that this statement is a source, the variable on the left-hand side of the assignment gets tainted unconditionally. In the example above, this means that “a” gets tainted unconditionally, because the source sink manager replied “true” for the first statement.

 

What exactly is your condition on which you decide whether to track a certain variable or not?

 

Best regards,

  Steven 

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Wei Yang
Sent: Tuesday, 30 September 2014 07:55
To: Steven Arzt
Cc: soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
Subject: Re: [Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

 

Hi! Steven,
     Sorry that my question was a bit confusing in the earlier email. What I am trying to do is find the information flows between variables (Value). Both methods getSourceInfo and isSink in interface ISourceSinkManager are based on Stmt. But I know that the taint analysis is based on variables. So we should be able to obtain such information from the analysis. As I'm not very familiar with the code about the taint propagation, could you point me in a direction and to related files that I can look into to track the information flows between variables?

Thanks a lot!     

On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de> wrote:

Hi David,

 

I am not sure whether I understand your question correctly. If you implement your own source-sink-manager directly on top of the ISourceSinkManager interface, you are free to define whatever kind of sources and sinks you need. There is no need to have a predefined list – FlowDroid will iterate over all statements in your program under analysis and ask the source-sink-manager whether to treat the respective statement as a source, as a sink, or as neither.

 

Still, this is an a-priori analysis that is completed before the actual taint tracking starts. At the moment, I am not sure in which cases this should produce any limitations.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Wei Yang
Sent: Sunday, 28 September 2014 07:17
To: soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
Subject: [Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

 

Hi! All,

     I'm trying to use FlowDroid to find if there's an information flow between two statements (Stmt) or Variables (Value). I found that in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we need to provide the signature of source and sink methods statically for the whole program. How can I define my own ISourceSinkManager so that it can track information flow based on Stmt or Value provided dynamically from the analysis? Is there any example code I could look into to find related information?

 

Thanks a lot!




Best wishes,

David 
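
The difference between statement-level sinks and parameter-level sinks discussed in this thread, as an added toy model in Java (not FlowDroid code and not written by any poster): a forward taint pass over a constructed copy of the thread's three-statement example. `Stmt`, `findLeaks` and `sinkParams` are hypothetical names, and no Soot or FlowDroid API is used.

```java
import java.util.*;

// Added illustration only: a toy model, not FlowDroid. Needs Java 16+ (records).
public class ParamSinkDemo {
    // "lhs = callee(args)"; when callee is null the statement is the copy "lhs = args[0]".
    record Stmt(String lhs, String callee, List<String> args) {}

    // Forward taint pass over straight-line code; returns the sink statements reported as leaks.
    // sinkParams maps a sink method name to the argument indices that count as sinks.
    // An empty index set means "any argument", i.e. the statement-level notion of a sink.
    static List<Stmt> findLeaks(List<Stmt> program, Set<String> sources,
                                Map<String, Set<Integer>> sinkParams) {
        Set<String> tainted = new HashSet<>();
        List<Stmt> leaks = new ArrayList<>();
        for (Stmt s : program) {
            if (s.callee() == null) {                       // plain copy: propagate or kill taint
                if (tainted.contains(s.args().get(0))) tainted.add(s.lhs());
                else tainted.remove(s.lhs());
            } else if (sources.contains(s.callee())) {      // source: lhs tainted unconditionally
                if (s.lhs() != null) tainted.add(s.lhs());
            } else if (sinkParams.containsKey(s.callee())) {
                Set<Integer> wanted = sinkParams.get(s.callee());
                for (int i = 0; i < s.args().size(); i++) {
                    boolean positionCounts = wanted.isEmpty() || wanted.contains(i);
                    if (positionCounts && tainted.contains(s.args().get(i))) {
                        leaks.add(s);                       // report each sink statement once
                        break;
                    }
                }
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        // Constructed program mirroring the example in the thread; literals keep their quotes.
        List<Stmt> program = List.of(
            new Stmt("a", "getSecret", List.<String>of()),
            new Stmt(null, "sendSecret", List.of("a", "\"1\"", "\"2\"", "\"3\"")),
            new Stmt(null, "sendSecret", List.of("\"1\"", "a", "\"2\"", "\"3\"")));
        Set<String> sources = Set.of("getSecret");
        Set<Integer> anyArgument = Set.of();                // statement-level sink
        Set<Integer> firstOnly = Set.of(0);                 // parameter-level sink: index 0
        System.out.println(findLeaks(program, sources, Map.of("sendSecret", anyArgument)));
        System.out.println(findLeaks(program, sources, Map.of("sendSecret", firstOnly)));
    }
}
```

The first call treats `sendSecret` as a sink statement and reports both calls; the second restricts the sink to argument index 0 and reports only the call where `a` is the first parameter.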

 
