[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

Marc-André Laverdière marc-andre.laverdiere-papineau at polymtl.ca
Thu Oct 2 21:08:42 EDT 2014 

After thinking a bit more about it, I think you should override the
callback when a sink is detected. You should be able to examine the
statement and the Abstraction object. Steven would give better technical
details :)

Marc-André Laverdière-Papineau
Doctorant - PhD Candidate

On 10/02/2014 11:29 AM, Wei Yang wrote:
> Hi! Steven & Marc,
>       Thanks for your answer. To filter out the result from flowdroid, I
> think the information about the tainted variables in a flow is needed.
> Do you know how to get such information?
> 
> Thanks a lot!
> 
> Best wishes,
> David 
> 
> 2014-10-02 10:22 GMT-05:00 Marc-André Laverdière
> <marc-andre.laverdiere-papineau at polymtl.ca
> <mailto:marc-andre.laverdiere-papineau at polymtl.ca>>:
> 
>     Just to add to what Steven said...
> 
>     A simple (but not nice) hack is to filter out the results from Flowdroid
>     that don't correspond to your specific case.
> 
>     Marc-André Laverdière-Papineau
>     Doctorant - PhD Candidate
> 
>     On 10/02/2014 05:28 AM, Steven Arzt wrote:
>     > Hi Wei,
>     >
>     >
>     >
>     > Now I understand your problem. Indeed, FlowDroid is at the moment
>     > lacking a notion of parameter sinks. We only support a notion of sink
>     > statements, i.e. if a tainted variable is read in a statement that is
>     > defined as a sink, we report it as a leak. Extended FlowDroid to support
>     > a more precise notion of sinks would be an interesting direction of
>     > future work.
>     >
>     >
>     >
>     > Best regards,
>     >
>     >   Steven
>     >
>     >
>     >
>     > *Von:*soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>
>     > [mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>] *Im Auftrag von *Wei Yang
>     > *Gesendet:* Donnerstag, 2. Oktober 2014 08:11
>     > *An:* Steven Arzt
>     > *Cc:* soot-list at cs.mcgill.ca <mailto:soot-list at cs.mcgill.ca>;
>     soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
>     > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
>     > information flow between Stmt or Value
>     >
>     >
>     >
>     > Hi! Steven,
>     >
>     >      Thanks for your detail explanation. Sorry that my question cause
>     > some trouble to understand. Here's an example where I need to track
>     > certain variables:
>     >
>     > a = getSecret();;
>     >
>     > sendSecret(a,"1", "2" ,"3");
>     >
>     > sendSecret("1", a, "2" ,"3");
>     >
>     >
>     >
>     > What I want to do is only track the information flow only when the first
>     > parameter of sendSecret get tainted. In this case, if the variable a get
>     > tainted, the analysis should report a ->  sendSecret(a,"1", "2" ,"3");
>     > but not  a ->  sendSecret("1", a, "2" ,"3"). Currently I'm unable to
>     > know which variable has been tainted in the information flow from
>     > InfoflowResults. Is there any way I can get such information?
>     >
>     >
>     >
>     > Thanks!
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     > Best wishes,
>     >
>     > David
>     >
>     >
>     >
>     > 2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>
>     > <mailto:Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>>>:
>     >
>     > Hi Wei,
>     >
>     >
>     >
>     > In FlowDroid, sources are defined as the points in the code where a
>     > variable first gets unconditionally tainted. The tool then tracks data
>     > flow between variables and fields. Or, in other words, the source
>     > defines which variables are of interest to the taint analysis. Take the
>     > following example:
>     >
>     >
>     >
>     > a = getSecret();
>     >
>     > b = a;
>     >
>     >
>     >
>     > In this example, the variable “a” is of interest, because it is assigned
>     > the return value of the “getSecret()” method which is a source. Of
>     > course, your custom source sink manager can implement any rule you like
>     > for defining that a variable is of interest.
>     >
>     >
>     >
>     > The implicit rule in FlowDroid is that athe source sink manager is asked
>     > for an assign statement. If it returns that this statement is a source,
>     > the variable on the left-hand side of the assignment gets tainted
>     > unconditionally. In the example above, this means that “a” gets tainted
>     > unconditionally, because the source sink manager replied “true” for the
>     > first statement.
>     >
>     >
>     >
>     > What exactly is your condition on which you decide whether to track a
>     > certain variable or not?
>     >
>     >
>     >
>     > Best regards,
>     >
>     >   Steven
>     >
>     >
>     >
>     > *Von:*soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>
>     > <mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>>
>     > [mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>
>     > <mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>>] *Im Auftrag von *Wei Yang
>     > *Gesendet:* Dienstag, 30. September 2014 07:55
>     > *An:* Steven Arzt
>     > *Cc:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>
>     <mailto:soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>>;
>     > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
>     <mailto:soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>>
>     > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
>     > information flow between Stmt or Value
>     >
>     >
>     >
>     > Hi! Steven,
>     >      Sorry that my question is a bit confusing in the earlier email.
>     > What I try to do is to find the information flows between variables
>     > (Value).  Both methods /getSourceInfo /and /isSink /in inteface
>     > ISourceSinkManager are based on Stmt. But I knew that the taint analysis
>     > is based on variables. So we should be able to obtain such information
>     > from the analysis. As I'm not very familiar with the code about the
>     > taint propagation, could you point me a direction and related files that
>     > I can look into to track the information flows between variables?
>     >
>     > Thanks a lot!
>     >
>     > On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>
>     > <mailto:Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>>> wrote:
>     >
>     > Hi David,
>     >
>     >
>     >
>     > I am not sure whether I understand your question correctly. If you
>     > implement your own source-sink-manager directly on top of the
>     > ISourceSinkManager interface, you are free to define whatever kind of
>     > sources and sinks you need. There is no need to have a predefined list –
>     > FlowDroid will iterator over all statements in your program under
>     > analysis and ask the source-sink-manager whether to treat the respective
>     > statement as a source, as a sink, or as neither.
>     >
>     >
>     >
>     > Still, this is an a-priori analysis that is completed before the actual
>     > taint tracking starts. At the moment, I am not sure in which cases this
>     > should produce any limitations.
>     >
>     >
>     >
>     > Best regards,
>     >
>     >   Steven
>     >
>     >
>     >
>     > *Von:*soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>
>     > <mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>>
>     > [mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>
>     > <mailto:soot-list-bounces at CS.McGill.CA
>     <mailto:soot-list-bounces at CS.McGill.CA>>] *Im Auftrag von *Wei Yang
>     > *Gesendet:* Sonntag, 28. September 2014 07:17
>     > *An:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>
>     <mailto:soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>>;
>     > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
>     <mailto:soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>>
>     > *Betreff:* [Soot-list] Creating ISourceSinkManager to track
>     information
>     > flow between Stmt or Value
>     >
>     >
>     >
>     > Hi! All,
>     >
>     >      I'm trying to use FlowDroid to find if there's a information flow
>     > between two statements (Stmt) or Variables (Value). I found that
>     > in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we need to
>     > provide the signature of source and sink methods statically for all
>     > program. How can I define my own ISourceSinkManager so that it can track
>     > information flow based on Stmt or Value provided dynamically from the
>     > analysis? Is there any example code I could look into to find related
>     > information?
>     >
>     >
>     >
>     > Thanks a lot!
>     >
>     >
>     > Best wishes,
>     >
>     > David
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > Soot-list mailing list
>     > Soot-list at CS.McGill.CA <mailto:Soot-list at CS.McGill.CA>
>     > https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>     >
>     _______________________________________________
>     Soot-list mailing list
>     Soot-list at CS.McGill.CA <mailto:Soot-list at CS.McGill.CA>
>     https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
> 
>

More information about the Soot-list mailing list