[Soot-list] Creating ISourceSinkManager to track information flow between Stmt or Value
Wei Yang
davidyoung8906 at gmail.com
Mon Oct 13 16:57:16 EDT 2014
Hi! Steven,
Could you provide the name of the callback? Is it computeTargets in
InfoflowProblem.java?
Thanks a lot!
Best wishes,
David
2014-10-05 16:40 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de>:
> We have a callback that gets called whenever a taint is propagated over a
> statement. You might be able to process this information and check for a
> parameter sink on your own. For FlowDroid, you define the whole method as a
> sink, but you use this callback to filter out what's not flowing into the
> correct parameter. I know this is sort of a hack, but it's probably the
> best you can do with the current version.
>
> I'm currently not in the office, but the name of the callback should be
> easy to find in the code.
>
> Marc-André Laverdière <marc-andre.laverdiere-papineau at polymtl.ca>
> wrote:
>
> >After thinking a bit more about it, I think you should override the
> >callback when a sink is detected. You should be able to examine the
> >statement and the Abstraction object. Steven would give better technical
> >details :)
> >
> >Marc-André Laverdière-Papineau
> >Doctorant - PhD Candidate
> >
> >On 10/02/2014 11:29 AM, Wei Yang wrote:
> >> Hi! Steven & Marc,
> >> Thanks for your answer. To filter out the result from flowdroid, I
> >> think the information about the tainted variables in a flow is needed.
> >> Do you know how to get such information?
> >>
> >> Thanks a lot!
> >>
> >> Best wishes,
> >> David
> >>
> >> 2014-10-02 10:22 GMT-05:00 Marc-André Laverdière
> >> <marc-andre.laverdiere-papineau at polymtl.ca
> >> <mailto:marc-andre.laverdiere-papineau at polymtl.ca>>:
> >>
> >> Just to add to what Steven said...
> >>
> >> A simple (but not nice) hack is to filter out the results from
> Flowdroid
> >> that don't correspond to your specific case.
> >>
> >> Marc-André Laverdière-Papineau
> >> Doctorant - PhD Candidate
> >>
> >> On 10/02/2014 05:28 AM, Steven Arzt wrote:
> >> > Hi Wei,
> >> >
> >> >
> >> >
> >> > Now I understand your problem. Indeed, FlowDroid is at the moment
> >> > lacking a notion of parameter sinks. We only support a notion of
> sink
> >> > statements, i.e. if a tainted variable is read in a statement
> that is
> >> > defined as a sink, we report it as a leak. Extended FlowDroid to
> support
> >> > a more precise notion of sinks would be an interesting direction
> of
> >> > future work.
> >> >
> >> >
> >> >
> >> > Best regards,
> >> >
> >> > Steven
> >> >
> >> >
> >> >
> >> > *Von:*soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>
> >> > [mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>] *Im Auftrag von *Wei Yang
> >> > *Gesendet:* Donnerstag, 2. Oktober 2014 08:11
> >> > *An:* Steven Arzt
> >> > *Cc:* soot-list at cs.mcgill.ca <mailto:soot-list at cs.mcgill.ca>;
> >> soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
> >> > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
> >> > information flow between Stmt or Value
> >> >
> >> >
> >> >
> >> > Hi! Steven,
> >> >
> >> > Thanks for your detail explanation. Sorry that my question
> cause
> >> > some trouble to understand. Here's an example where I need to
> track
> >> > certain variables:
> >> >
> >> > a = getSecret();;
> >> >
> >> > sendSecret(a,"1", "2" ,"3");
> >> >
> >> > sendSecret("1", a, "2" ,"3");
> >> >
> >> >
> >> >
> >> > What I want to do is only track the information flow only when
> the first
> >> > parameter of sendSecret get tainted. In this case, if the
> variable a get
> >> > tainted, the analysis should report a -> sendSecret(a,"1", "2"
> ,"3");
> >> > but not a -> sendSecret("1", a, "2" ,"3"). Currently I'm unable
> to
> >> > know which variable has been tainted in the information flow from
> >> > InfoflowResults. Is there any way I can get such information?
> >> >
> >> >
> >> >
> >> > Thanks!
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Best wishes,
> >> >
> >> > David
> >> >
> >> >
> >> >
> >> > 2014-09-30 2:39 GMT-05:00 Steven Arzt <Steven.Arzt at cased.de
> <mailto:Steven.Arzt at cased.de>
> >> > <mailto:Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>>>:
> >> >
> >> > Hi Wei,
> >> >
> >> >
> >> >
> >> > In FlowDroid, sources are defined as the points in the code where
> a
> >> > variable first gets unconditionally tainted. The tool then tracks
> data
> >> > flow between variables and fields. Or, in other words, the source
> >> > defines which variables are of interest to the taint analysis.
> Take the
> >> > following example:
> >> >
> >> >
> >> >
> >> > a = getSecret();
> >> >
> >> > b = a;
> >> >
> >> >
> >> >
> >> > In this example, the variable “a” is of interest, because it is
> assigned
> >> > the return value of the “getSecret()” method which is a source. Of
> >> > course, your custom source sink manager can implement any rule
> you like
> >> > for defining that a variable is of interest.
> >> >
> >> >
> >> >
> >> > The implicit rule in FlowDroid is that athe source sink manager
> is asked
> >> > for an assign statement. If it returns that this statement is a
> source,
> >> > the variable on the left-hand side of the assignment gets tainted
> >> > unconditionally. In the example above, this means that “a” gets
> tainted
> >> > unconditionally, because the source sink manager replied “true”
> for the
> >> > first statement.
> >> >
> >> >
> >> >
> >> > What exactly is your condition on which you decide whether to
> track a
> >> > certain variable or not?
> >> >
> >> >
> >> >
> >> > Best regards,
> >> >
> >> > Steven
> >> >
> >> >
> >> >
> >> > *Von:*soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>
> >> > <mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>>
> >> > [mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>
> >> > <mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>>] *Im Auftrag von *Wei Yang
> >> > *Gesendet:* Dienstag, 30. September 2014 07:55
> >> > *An:* Steven Arzt
> >> > *Cc:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>
> >> <mailto:soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>>;
> >> > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
> >> <mailto:soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca
> >>
> >> > *Betreff:* Re: [Soot-list] Creating ISourceSinkManager to track
> >> > information flow between Stmt or Value
> >> >
> >> >
> >> >
> >> > Hi! Steven,
> >> > Sorry that my question is a bit confusing in the earlier
> email.
> >> > What I try to do is to find the information flows between
> variables
> >> > (Value). Both methods /getSourceInfo /and /isSink /in inteface
> >> > ISourceSinkManager are based on Stmt. But I knew that the taint
> analysis
> >> > is based on variables. So we should be able to obtain such
> information
> >> > from the analysis. As I'm not very familiar with the code about
> the
> >> > taint propagation, could you point me a direction and related
> files that
> >> > I can look into to track the information flows between variables?
> >> >
> >> > Thanks a lot!
> >> >
> >> > On Sep 29, 2014 7:27 AM, "Steven Arzt" <Steven.Arzt at cased.de
> <mailto:Steven.Arzt at cased.de>
> >> > <mailto:Steven.Arzt at cased.de <mailto:Steven.Arzt at cased.de>>>
> wrote:
> >> >
> >> > Hi David,
> >> >
> >> >
> >> >
> >> > I am not sure whether I understand your question correctly. If you
> >> > implement your own source-sink-manager directly on top of the
> >> > ISourceSinkManager interface, you are free to define whatever
> kind of
> >> > sources and sinks you need. There is no need to have a predefined
> list –
> >> > FlowDroid will iterator over all statements in your program under
> >> > analysis and ask the source-sink-manager whether to treat the
> respective
> >> > statement as a source, as a sink, or as neither.
> >> >
> >> >
> >> >
> >> > Still, this is an a-priori analysis that is completed before the
> actual
> >> > taint tracking starts. At the moment, I am not sure in which
> cases this
> >> > should produce any limitations.
> >> >
> >> >
> >> >
> >> > Best regards,
> >> >
> >> > Steven
> >> >
> >> >
> >> >
> >> > *Von:*soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>
> >> > <mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>>
> >> > [mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>
> >> > <mailto:soot-list-bounces at CS.McGill.CA
> >> <mailto:soot-list-bounces at CS.McGill.CA>>] *Im Auftrag von *Wei Yang
> >> > *Gesendet:* Sonntag, 28. September 2014 07:17
> >> > *An:* soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>
> >> <mailto:soot-list at CS.McGill.CA <mailto:soot-list at CS.McGill.CA>>;
> >> > soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca>
> >> <mailto:soot-list at sable.mcgill.ca <mailto:soot-list at sable.mcgill.ca
> >>
> >> > *Betreff:* [Soot-list] Creating ISourceSinkManager to track
> >> information
> >> > flow between Stmt or Value
> >> >
> >> >
> >> >
> >> > Hi! All,
> >> >
> >> > I'm trying to use FlowDroid to find if there's a information
> flow
> >> > between two statements (Stmt) or Variables (Value). I found that
> >> > in MethodBasedSourceSinkManager or AndroidSourceSinkManager, we
> need to
> >> > provide the signature of source and sink methods statically for
> all
> >> > program. How can I define my own ISourceSinkManager so that it
> can track
> >> > information flow based on Stmt or Value provided dynamically from
> the
> >> > analysis? Is there any example code I could look into to find
> related
> >> > information?
> >> >
> >> >
> >> >
> >> > Thanks a lot!
> >> >
> >> >
> >> > Best wishes,
> >> >
> >> > David
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Soot-list mailing list
> >> > Soot-list at CS.McGill.CA <mailto:Soot-list at CS.McGill.CA>
> >> > https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
> >> >
> >> _______________________________________________
> >> Soot-list mailing list
> >> Soot-list at CS.McGill.CA <mailto:Soot-list at CS.McGill.CA>
> >> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
> >>
> >>
> >_______________________________________________
> >Soot-list mailing list
> >Soot-list at CS.McGill.CA
> >https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20141013/e66ae1a4/attachment-0001.html
More information about the Soot-list
mailing list