[Soot-list] Enable Explicit Taint Propagation in Soot-Infoflow
Steven Arzt
Steven.Arzt at cased.de
Wed Oct 22 07:58:29 EDT 2014
Hi Suresh,
I looked at your code snippet once again. What you are looking for is an implicit data flow, not an explicit one. The reason why the statement in line 7 leaks information at all is that its execution depends on the value of a secret. Without the conditional, there would be no leak.
Implicit information flow tracking must be enabled explicitly in FlowDroid. Use Infoflow.setEnableImplicitFlows(true) to do so.
Best regards,
Steven
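Why line 7 is reported only once implicit flows are tracked, shown as an added example that is not part of the original thread and is not FlowDroid code. It is a toy tracker over a hand-written model of lines 2 and 5-8 of the snippet below; `Stmt`, `analyze` and the `implicitFlows` flag are hypothetical names, the flag standing in for the switch mentioned above.

```java
import java.util.*;

// Added illustration, not FlowDroid code: a toy taint tracker over a
// hand-written (constructed) model of the snippet quoted in this thread.
public class ImplicitFlowDemo {
    // One modelled statement: kind, variable written, variables read, snippet line.
    record Stmt(String kind, String def, List<String> uses, int line) {}

    // Constructed model; the sink on line 7 sits inside the branch opened on line 6.
    static final List<Stmt> BODY = List.of(
        new Stmt("assign", "y", List.of(), 2),     // y = 9 (constant, no taint)
        new Stmt("source", "x", List.of(), 5),     // x = Integer.parseInt(is.readLine())
        new Stmt("if", null, List.of("x"), 6),     // if (x == 5) {
        new Stmt("sink", null, List.of("y"), 7),   //     System.out.println(y)
        new Stmt("endif", null, List.of(), 8));    // }

    // Returns the snippet lines of all sinks the tracker reports.
    static List<Integer> analyze(List<Stmt> body, boolean implicitFlows) {
        Set<String> tainted = new HashSet<>();
        Deque<Boolean> guards = new ArrayDeque<>(); // taint of each enclosing condition
        List<Integer> leaks = new ArrayList<>();
        for (Stmt s : body) {
            // Explicit flow: the statement reads a tainted variable.
            boolean explicit = s.uses().stream().anyMatch(tainted::contains);
            // Implicit flow: the statement only runs if a tainted condition held.
            boolean implicit = implicitFlows && guards.contains(true);
            switch (s.kind()) {
                case "source" -> tainted.add(s.def());
                case "assign" -> { if (explicit || implicit) tainted.add(s.def()); }
                case "if" -> guards.push(explicit || implicit);
                case "endif" -> guards.pop();
                case "sink" -> { if (explicit || implicit) leaks.add(s.line()); }
                default -> throw new IllegalArgumentException(s.kind());
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        System.out.println("explicit flows only: " + analyze(BODY, false));
        System.out.println("implicit flows too:  " + analyze(BODY, true));
    }
}
```

The block needs Java 16 or later because it uses a record.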
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Suresh Rangaswamy
Sent: Wednesday, October 22, 2014 13:50
To: Steven Arzt
Cc: soot-list at CS.McGill.CA
Subject: Re: [Soot-list] Enable Explicit Taint Propagation in Soot-Infoflow
Hi Steven,
Thank you for the quick response.
I have read the paper and I understood that it is supposed to detect it, but there may be some configuration that I am missing because in the analysis it is not detecting the above source to sink flow.
I am using soot-Infoflow directly instead of soot-infoflow-android, and I am analyzing a JAR file.
PFA EasyTaintWrapperSource.txt, SourcesAndSink.txt and output.txt, which I am using to run my analysis.
Regards
Suresh Rangaswamy
(M) +91-9711154493
(M.Tech Information Security)
cerc.iiitd.ac.in
about.me/suresh301190
On Wed, Oct 22, 2014 at 4:53 PM, Steven Arzt <Steven.Arzt at cased.de> wrote:
Hi Suresh,
FlowDroid is a data flow tracker, so tracking explicit data flows is what the tool was originally built for. What exactly is your question? Did you read the paper or technical report? Did you have a look at our wiki (https://github.com/secure-software-engineering/soot-infoflow-android/wiki)?
Best regards,
Steven
M.Sc. M.Sc. Steven Arzt
Secure Software Engineering Group (SSE)
European Center for Security and Privacy by Design (EC SPRIDE)
Mornewegstraße 32
D-64293 Darmstadt
Phone: +49 61 51 16-75426
Fax: +49 61 51 16-72118
eMail: steven.arzt at ec-spride.de
Web: http://sse.ec-spride.de
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Suresh Rangaswamy
Sent: Wednesday, October 22, 2014 13:10
To: soot-list at CS.McGill.CA
Subject: [Soot-list] Enable Explicit Taint Propagation in Soot-Infoflow
Hi,
How can we enable explicit tainting in soot-infoflow, if it's possible?
1.  void foo(){
2.      int x = 0, y = 9;
3.      try{
4.          BufferedReader is = new BufferedReader(new InputStreamReader(System.in));
5.          x = Integer.parseInt(is.readLine());
6.          if(x == 5){
7.              System.out.println(y);
8.          }
9.      }catch(IOException e){
10.         e.printStackTrace();
11.     }
12. }
In the example, I want the flow from 5 -> 6 -> 7 to be detected by the infoflow.
Regards
Suresh Rangaswamy
(M) +91-9711154493
(M.Tech Information Security)
cerc.iiitd.ac.in
about.me/suresh301190