[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value
Wei Yang
davidyoung8906 at gmail.com
Thu Oct 2 11:29:02 EDT 2014
Hi! Steven & Marc,
Thanks for your answer. To filter out the result from flowdroid, I
think the information about the tainted variables in a flow is needed. Do
you know how to get such information?
Thanks a lot!
Best wishes,
David
2014-10-02 10:22 GMT-05:00 Marc-André Laverdière <
marc-andre.laverdiere-papineau at polymtl.ca>:
> Just to add to what Steven said...
>
> A simple (but not nice) hack is to filter out the results from Flowdroid
> that don't correspond to your specific case.
>
> Marc-André Laverdière-Papineau
> Doctorant - PhD Candidate
>
> On 10/02/2014 05:28 AM, Steven Arzt wrote:
> > Hi Wei,
> >
> >
> >
> > Now I understand your problem. Indeed, FlowDroid is at the moment
> > lacking a notion of parameter sinks. We only support a notion of sink
> > statements, i.e. if a tainted variable is read in a statement that is
> > defined as a sink, we report it as a leak. Extended FlowDroid to support
> > a more precise notion of sinks would be an interesting direction of
> > future work.
> >
> >
> >
> > Best regards,
> >
> > Steven
> >
> >
> >
> > *Von:*soot-list-bounces at CS.McGill.CA
> > [mailto:soot-list-bounces at CS.McGill.CA] *Im Auftrag von *Wei Yang
> > *Gesendet:* Donnerstag, 2. Oktober 2014 08:11
> > *An:* Steven Arzt
> > *Cc:* soot-list at cs.mcgill.ca; soot-list at sable.mcgill.ca
> > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
> > information flow between Stmt or Value
> >
> >
> >
> > Hi! Steven,
> >
> > Thanks for your detail explanation. Sorry that my question cause
> > some trouble to understand. Here's an example where I need to track
> > certain variables:
> >
> > a = getSecret();;
> >
> > sendSecret(a,"1", "2" ,"3");
> >
> > sendSecret("1", a, "2" ,"3");
> >
> >
> >
> > What I want to do is only track the information flow only when the first
> > parameter of sendSecret get tainted. In this case, if the variable a get
> > tainted, the analysis should report a -> sendSecret(a,"1", "2" ,"3");
> > but not a -> sendSecret("1", a, "2" ,"3"). Currently I'm unable to
> > know which variable has been tainted in the information flow from
> > InfoflowResults. Is there any way I can get such information?
> >
> >
> >
> > Thanks!
> >
> >
> >
> >
> >
> >
> >
> >
> > Best wishes,
> >
> > David
> >
> >
> >
> > 2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de
> > <mailto:Steven.Arzt at cased.de>>:
> >
> > Hi Wei,
> >
> >
> >
> > In FlowDroid, sources are defined as the points in the code where a
> > variable first gets unconditionally tainted. The tool then tracks data
> > flow between variables and fields. Or, in other words, the source
> > defines which variables are of interest to the taint analysis. Take the
> > following example:
> >
> >
> >
> > a = getSecret();
> >
> > b = a;
> >
> >
> >
> > In this example, the variable “a” is of interest, because it is assigned
> > the return value of the “getSecret()” method which is a source. Of
> > course, your custom source sink manager can implement any rule you like
> > for defining that a variable is of interest.
> >
> >
> >
> > The implicit rule in FlowDroid is that athe source sink manager is asked
> > for an assign statement. If it returns that this statement is a source,
> > the variable on the left-hand side of the assignment gets tainted
> > unconditionally. In the example above, this means that “a” gets tainted
> > unconditionally, because the source sink manager replied “true” for the
> > first statement.
> >
> >
> >
> > What exactly is your condition on which you decide whether to track a
> > certain variable or not?
> >
> >
> >
> > Best regards,
> >
> > Steven
> >
> >
> >
> > *Von:*soot-list-bounces at CS.McGill.CA
> > <mailto:soot-list-bounces at CS.McGill.CA>
> > [mailto:soot-list-bounces at CS.McGill.CA
> > <mailto:soot-list-bounces at CS.McGill.CA>] *Im Auftrag von *Wei Yang
> > *Gesendet:* Dienstag, 30. September 2014 07:55
> > *An:* Steven Arzt
> > *Cc:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>;
> > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
> > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
> > information flow between Stmt or Value
> >
> >
> >
> > Hi! Steven,
> > Sorry that my question is a bit confusing in the earlier email.
> > What I try to do is to find the information flows between variables
> > (Value). Both methods /getSourceInfo /and /isSink /in inteface
> > ISourceSinkManager are based on Stmt. But I knew that the taint analysis
> > is based on variables. So we should be able to obtain such information
> > from the analysis. As I'm not very familiar with the code about the
> > taint propagation, could you point me a direction and related files that
> > I can look into to track the information flows between variables?
> >
> > Thanks a lot!
> >
> > On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de
> > <mailto:Steven.Arzt at cased.de>> wrote:
> >
> > Hi David,
> >
> >
> >
> > I am not sure whether I understand your question correctly. If you
> > implement your own source-sink-manager directly on top of the
> > ISourceSinkManager interface, you are free to define whatever kind of
> > sources and sinks you need. There is no need to have a predefined list –
> > FlowDroid will iterator over all statements in your program under
> > analysis and ask the source-sink-manager whether to treat the respective
> > statement as a source, as a sink, or as neither.
> >
> >
> >
> > Still, this is an a-priori analysis that is completed before the actual
> > taint tracking starts. At the moment, I am not sure in which cases this
> > should produce any limitations.
> >
> >
> >
> > Best regards,
> >
> > Steven
> >
> >
> >
> > *Von:*soot-list-bounces at CS.McGill.CA
> > <mailto:soot-list-bounces at CS.McGill.CA>
> > [mailto:soot-list-bounces at CS.McGill.CA
> > <mailto:soot-list-bounces at CS.McGill.CA>] *Im Auftrag von *Wei Yang
> > *Gesendet:* Sonntag, 28. September 2014 07:17
> > *An:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>;
> > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
> > *Betreff:* [Soot-list] Creating ISourceSinkManager to track information
> > flow between Stmt or Value
> >
> >
> >
> > Hi! All,
> >
> > I'm trying to use FlowDroid to find if there's a information flow
> > between two statements (Stmt) or Variables (Value). I found that
> > in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we need to
> > provide the signature of source and sink methods statically for all
> > program. How can I define my own ISourceSinkManager so that it can track
> > information flow based on Stmt or Value provided dynamically from the
> > analysis? Is there any example code I could look into to find related
> > information?
> >
> >
> >
> > Thanks a lot!
> >
> >
> > Best wishes,
> >
> > David
> >
> >
> >
> >
> >
> > _______________________________________________
> > Soot-list mailing list
> > Soot-list at CS.McGill.CA
> > https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
> >
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20141002/a309f29b/attachment-0001.html
More information about the Soot-list
mailing list