[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value

Steven Arzt Steven.Arzt at cased.de
Sun Oct 5 17:40:49 EDT 2014


We have a callback that gets called whenever a taint is propagated over a statement. You might be able to process this information and check for a parameter sink on your own. For FlowDroid, you define the whole method as a sink, but you use this callback to filter out what's not flowing into the correct parameter. I know this is sort of a hack, but it's probably the best you can do with the current version.

I'm currently not in the office, but the name of the callback should be easy to find in the code.

Marc-André Laverdière <marc-andre.laverdiere-papineau at polymtl.ca> wrote:

>After thinking a bit more about it, I think you should override the
>callback when a sink is detected. You should be able to examine the
>statement and the Abstraction object. Steven would give better technical
>details :)
>
>Marc-André Laverdière-Papineau
>Doctorant - PhD Candidate
>
>On 10/02/2014 11:29 AM, Wei Yang wrote:
>> Hi! Steven & Marc,
>>       Thanks for your answer. To filter out the result from FlowDroid, I
>> think the information about the tainted variables in a flow is needed.
>> Do you know how to get such information?
>> 
>> Thanks a lot!
>> 
>> Best wishes,
>> David 
>> 
>> 2014-10-02 10:22 GMT-05:00 Marc-André Laverdière
>> <marc-andre.laverdiere-papineau at polymtl.ca>:
>> 
>>     Just to add to what Steven said...
>> 
>>     A simple (but not nice) hack is to filter out the results from FlowDroid
>>     that don't correspond to your specific case.
>> 
>>     Marc-André Laverdière-Papineau
>>     Doctorant - PhD Candidate
>> 
>>     On 10/02/2014 05:28 AM, Steven Arzt wrote:
>>     > Hi Wei,
>>     >
>>     >
>>     >
>>     > Now I understand your problem. Indeed, FlowDroid is at the moment
>>     > lacking a notion of parameter sinks. We only support a notion of sink
>>     > statements, i.e. if a tainted variable is read in a statement that is
>>     > defined as a sink, we report it as a leak. Extending FlowDroid to support
>>     > a more precise notion of sinks would be an interesting direction of
>>     > future work.
>>     >
>>     >
>>     >
>>     > Best regards,
>>     >
>>     >   Steven
>>     >
>>     >
>>     >
>>     > *From:* soot-list-bounces at CS.McGill.CA
>>     > [mailto:soot-list-bounces at CS.McGill.CA] *On Behalf Of* Wei Yang
>>     > *Sent:* Thursday, 2 October 2014 08:11
>>     > *To:* Steven Arzt
>>     > *Cc:* soot-list at cs.mcgill.ca; soot-list at sable.mcgill.ca
>>     > *Subject:* Re: [Soot-list] Creating ISourceSinkManager to track
>>     > information flow between Stmt or Value
>>     >
>>     >
>>     >
>>     > Hi! Steven,
>>     >
>>     >      Thanks for your detailed explanation. Sorry that my question caused
>>     > some trouble to understand. Here's an example where I need to track
>>     > certain variables:
>>     >
>>     > a = getSecret();
>>     >
>>     > sendSecret(a,"1", "2" ,"3");
>>     >
>>     > sendSecret("1", a, "2" ,"3");
>>     >
>>     >
>>     >
>>     > What I want to do is track the information flow only when the first
>>     > parameter of sendSecret gets tainted. In this case, if the variable a gets
>>     > tainted, the analysis should report a ->  sendSecret(a,"1", "2" ,"3");
>>     > but not  a ->  sendSecret("1", a, "2" ,"3"). Currently I'm unable to
>>     > know which variable has been tainted in the information flow from
>>     > InfoflowResults. Is there any way I can get such information?
>>     >
>>     >
>>     >
>>     > Thanks!
>>     >
>>     >
>>     >
>>     >
>>     >
>>     >
>>     >
>>     >
>>     > Best wishes,
>>     >
>>     > David
>>     >
>>     >
>>     >
>>     > 2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de>:
>>     >
>>     > Hi Wei,
>>     >
>>     >
>>     >
>>     > In FlowDroid, sources are defined as the points in the code where a
>>     > variable first gets unconditionally tainted. The tool then tracks data
>>     > flow between variables and fields. Or, in other words, the source
>>     > defines which variables are of interest to the taint analysis. Take the
>>     > following example:
>>     >
>>     >
>>     >
>>     > a = getSecret();
>>     >
>>     > b = a;
>>     >
>>     >
>>     >
>>     > In this example, the variable “a” is of interest, because it is assigned
>>     > the return value of the “getSecret()” method which is a source. Of
>>     > course, your custom source sink manager can implement any rule you like
>>     > for defining that a variable is of interest.
>>     >
>>     >
>>     >
>>     > The implicit rule in FlowDroid is that the source sink manager is asked
>>     > for an assign statement. If it returns that this statement is a source,
>>     > the variable on the left-hand side of the assignment gets tainted
>>     > unconditionally. In the example above, this means that “a” gets tainted
>>     > unconditionally, because the source sink manager replied “true” for the
>>     > first statement.
>>     >
>>     >
>>     >
>>     > What exactly is your condition on which you decide whether to track a
>>     > certain variable or not?
>>     >
>>     >
>>     >
>>     > Best regards,
>>     >
>>     >   Steven
>>     >
>>     >
>>     >
>>     > *From:* soot-list-bounces at CS.McGill.CA
>>     > [mailto:soot-list-bounces at CS.McGill.CA] *On Behalf Of* Wei Yang
>>     > *Sent:* Tuesday, 30 September 2014 07:55
>>     > *To:* Steven Arzt
>>     > *Cc:* soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
>>     > *Subject:* Re: [Soot-list] Creating ISourceSinkManager to track
>>     > information flow between Stmt or Value
>>     >
>>     >
>>     >
>>     > Hi! Steven,
>>     >      Sorry that my question is a bit confusing in the earlier email.
>>     > What I try to do is to find the information flows between variables
>>     > (Value).  Both methods /getSourceInfo/ and /isSink/ in interface
>>     > ISourceSinkManager are based on Stmt. But I knew that the taint analysis
>>     > is based on variables. So we should be able to obtain such information
>>     > from the analysis. As I'm not very familiar with the code about the
>>     > taint propagation, could you point me a direction and related files that
>>     > I can look into to track the information flows between variables?
>>     >
>>     > Thanks a lot!
>>     >
>>     > On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de> wrote:
>>     >
>>     > Hi David,
>>     >
>>     >
>>     >
>>     > I am not sure whether I understand your question correctly. If you
>>     > implement your own source-sink-manager directly on top of the
>>     > ISourceSinkManager interface, you are free to define whatever kind of
>>     > sources and sinks you need. There is no need to have a predefined list –
>>     > FlowDroid will iterate over all statements in your program under
>>     > analysis and ask the source-sink-manager whether to treat the respective
>>     > statement as a source, as a sink, or as neither.
>>     >
>>     >
>>     >
>>     > Still, this is an a-priori analysis that is completed before the actual
>>     > taint tracking starts. At the moment, I am not sure in which cases this
>>     > should produce any limitations.
>>     >
>>     >
>>     >
>>     > Best regards,
>>     >
>>     >   Steven
>>     >
>>     >
>>     >
>>     > *From:* soot-list-bounces at CS.McGill.CA
>>     > [mailto:soot-list-bounces at CS.McGill.CA] *On Behalf Of* Wei Yang
>>     > *Sent:* Sunday, 28 September 2014 07:17
>>     > *To:* soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
>>     > *Subject:* [Soot-list] Creating ISourceSinkManager to track information
>>     > flow between Stmt or Value
>>     >
>>     >
>>     >
>>     > Hi! All,
>>     >
>>     >      I'm trying to use FlowDroid to find if there's an information flow
>>     > between two statements (Stmt) or Variables (Value). I found that
>>     > in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we need to
>>     > provide the signature of source and sink methods statically for all
>>     > program. How can I define my own ISourceSinkManager so that it can track
>>     > information flow based on Stmt or Value provided dynamically from the
>>     > analysis? Is there any example code I could look into to find related
>>     > information?
>>     >
>>     >
>>     >
>>     > Thanks a lot!
>>     >
>>     >
>>     > Best wishes,
>>     >
>>     > David
>>     >
>>     >
>>     >
>>     >
>>     >
>>     > _______________________________________________
>>     > Soot-list mailing list
>>     > Soot-list at CS.McGill.CA <mailto:Soot-list at CS.McGill.CA>
>>     > https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>>     >
>> 
>> 
>_______________________________________________
>Soot-list mailing list
>Soot-list at CS.McGill.CA
>https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
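
An added illustration of the post-filtering approach discussed in this thread (not code from FlowDroid, Soot, or any of the posters): the whole `sendSecret` method is treated as a sink, and a callback-style check keeps only the events in which the tainted variable is passed as the first parameter. `Call`, `TaintEvent`, `PARAM_SINKS` and `isParameterSinkHit` are hypothetical names in a toy model that needs only Java 16 or later; the thread does not name the real callback, so none is used here.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Toy model (hypothetical types, not FlowDroid or Soot classes).
public class ParameterSinkFilter {
    // A call statement: callee name plus its argument operands as written in the code.
    record Call(String callee, List<String> args) {}

    // What a per-statement taint callback would hand us: the statement and the tainted variable.
    record TaintEvent(Call stmt, String taintedVar) {}

    // Assumed sink specification: callee name -> argument indices that count as sinks.
    static final Map<String, Set<Integer>> PARAM_SINKS = Map.of("sendSecret", Set.of(0));

    // True only when the tainted variable is passed in one of the sink positions.
    static boolean isParameterSinkHit(TaintEvent e) {
        Set<Integer> sinkIndices = PARAM_SINKS.get(e.stmt().callee());
        if (sinkIndices == null) {
            return false; // callee is not a sink method at all
        }
        List<String> args = e.stmt().args();
        for (int i : sinkIndices) {
            if (i < args.size() && args.get(i).equals(e.taintedVar())) {
                return true;
            }
        }
        return false; // taint reaches the sink method, but only through a non-sink parameter
    }

    public static void main(String[] unused) {
        // Constructed events mirroring the thread's example, with "a" tainted by getSecret().
        List<TaintEvent> events = List.of(
            new TaintEvent(new Call("sendSecret", List.of("a", "\"1\"", "\"2\"", "\"3\"")), "a"),
            new TaintEvent(new Call("sendSecret", List.of("\"1\"", "a", "\"2\"", "\"3\"")), "a"),
            new TaintEvent(new Call("log", List.of("a")), "a"));
        for (TaintEvent e : events) {
            String verdict = isParameterSinkHit(e) ? "REPORT " : "ignore ";
            System.out.println(verdict + e.stmt().callee() + e.stmt().args());
        }
    }
}
```

In a real analysis the comparison would be made on the analysis's own value objects rather than on variable names, which this model uses only to stay self-contained.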

