[Soot-list] Soot-list Digest, Vol 114, Issue 70

Xueliang Li xueliang at ruc.dk
Wed Oct 29 10:05:11 EDT 2014


Hi all,

Very sorry, actually there is nothing wrong at all, I got the call graph
by this code...

I'm an absolute beginner with Soot... Sorry for disturbing all of you...

Best,
Xueliang
On 10/29/14, 11:59 AM, "soot-list-request at CS.McGill.CA"
<soot-list-request at CS.McGill.CA> wrote:

>Send Soot-list mailing list submissions to
>	soot-list at CS.McGill.CA
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>or, via email, send a message with subject or body 'help' to
>	soot-list-request at CS.McGill.CA
>
>You can reach the person managing the list at
>	soot-list-owner at CS.McGill.CA
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Soot-list digest..."
>
>
>Today's Topics:
>
>   1. Android application call graph (Xueliang Li)
>   2. FlowDroid produces unreasonable false positive (flanker017)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 29 Oct 2014 10:12:07 +0000
>From: Xueliang Li <xueliang at ruc.dk>
>Subject: [Soot-list] Android application call graph
>To: "soot-list at CS.McGill.CA" <soot-list at CS.McGill.CA>
>Message-ID: <D075CE1F.57F9%xueliang at ruc.dk>
>Content-Type: text/plain; charset="windows-1252"
>
>Hi all,
>
>I am now constructing the call graph of an Android app, a game app. The
>main code is as below:
>
>
>import java.io.IOException;
>import java.util.Collections;
>
>import org.xmlpull.v1.XmlPullParserException;
>
>import soot.PackManager;
>import soot.Scene;
>import soot.SootMethod;
>import soot.jimple.infoflow.android.SetupApplication;
>import soot.options.Options;
>
>// Class name chosen here; the mail only shows the main method
>public class CallGraphMain {
>
>    public static void main(String[] args) {
>        // Let FlowDroid parse the APK and compute its entry points
>        SetupApplication app = new SetupApplication(
>                "/Users/xueliang/Documents/tools/sootpackages/android-4.0.3_r1.jar",
>                "/Users/xueliang/Documents/tools/AndroidInstrument/cocos2d_android.apk");
>        try {
>            app.calculateSourcesSinksEntrypoints(
>                    "/Users/xueliang/Documents/workspace/soot-infoflow-android/SourcesAndSinks.txt");
>        } catch (IOException e) {
>            e.printStackTrace();
>        } catch (XmlPullParserException e) {
>            e.printStackTrace();
>        }
>
>        // Reset Soot and configure it for whole-program analysis of the APK
>        soot.G.reset();
>        Options.v().set_src_prec(Options.src_prec_apk);
>        Options.v().set_process_dir(Collections.singletonList(
>                "/Users/xueliang/Documents/tools/AndroidInstrument/cocos2d_android.apk"));
>        Options.v().set_android_jars("/Users/xueliang/Documents/tools/sootpackages");
>        Options.v().set_whole_program(true);
>        Options.v().set_allow_phantom_refs(true);
>        Options.v().set_output_format(Options.output_format_none);
>        Options.v().setPhaseOption("cg.spark", "on");
>        Scene.v().loadNecessaryClasses();
>
>        // Use FlowDroid's generated dummy main as the single entry point
>        SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
>        Options.v().set_main_class(entryPoint.getSignature());
>        Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
>        System.out.println(entryPoint.getActiveBody());
>
>        // Run the packs; Spark builds the call graph in the cg phase
>        PackManager.v().runPacks();
>        System.out.println(Scene.v().getCallGraph().size());
>    }
>}
>
>However, I still cannot get the expected result, a call graph. The
>console output is large, so I summarise it in the steps below:
>
>1. The message is
>
>  "[Call Graph] For information on where the call graph may be
>incomplete, use the verbose option to the cg phase.
>   [Spark] Pointer Assignment Graph in 0.4 seconds.
>   [Spark] Type masks in 0.1 seconds.
>   [Spark] Pointer Graph simplified in 0.0 seconds.
>   [Spark] Propagation in 5.1 seconds.
>   [Spark] Solution found in 5.1 seconds.
>   Callback analysis done.
>   Found 0 layout controls
>   Using 
>'/Users/xueliang/Documents/tools/sootpackages/android-4.0.3_r1.jar' as
>android.jar"
>
>2. A large list of warnings displays all the phantom classes, like
>
>    Warning: java.lang.NoClassDefFoundError is a phantom class!
>    Warning: java.lang.StringBuffer is a phantom class!
>    Warning: java.lang.Boolean is a phantom class!
>    Warning: java.lang.Long is a phantom class!
>    Warning: java.lang.Integer is a phantom class!
>    Warning: java.lang.Short is a phantom class!
>    ...
>
>3. The generated main method, like
>
>     public static void dummyMainMethod()
>    {
>        int $i0;
>        org.cocos2d.tests.SoundEngineTest $r0;
>        ...
>
>4. Steps 1 to 3 repeat three times, with exactly the same messages.
>
>5. Transform all the classes in the app, like
>
>   Transforming org.cocos2d.tests.ActionsTest$ActionProperty...
>   Transforming com.badlogic.gdx.physics.box2d.joints.MouseJointDef...
>   Transforming org.cocos2d.nodes.CCLabel...
>   Transforming 
>org.cocos2d.utils.collections.ConcNodeCachingLinkedQueue...
>   Transforming org.cocos2d.transitions.CCRadialCCWTransition...
>   ...
>
>6. Ends with a number "30606" in the last line.
>
>Could anyone tell me what happened? And how to fix it to get the desired
>call graph? Thank you!!
>
>Best wishes
>Xueliang
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 29 Oct 2014 19:00:05 +0800
>From: flanker017 <flankerhqd017 at gmail.com>
>Subject: [Soot-list] FlowDroid produces unreasonable false positive
>To: soot-list at cs.mcgill.ca
>Message-ID:
>	<CACWOJOz6YT4XHCrB+OJA6Y6wfG3F8S_UbEXf8vnPe5mTh=4ymw at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>Hi, I found FlowDroid produces unreasonable false positives on fields.
>
>If f.a is tainted, FlowDroid will mark f as tainted, thus introducing a huge
>number of false positives.
>
>Details can be found at
>https://github.com/secure-software-engineering/soot-infoflow-android/issues/38
>
>FlowDroid will deduce that there is a flow from intent.getStringExtra('r')
>to this.getString(2131230774) for the following source, which is no doubt
>a false positive.
>
>
>package com.example.testwebview;
>
>import android.app.Activity;
>import android.content.Intent;
>import android.os.Bundle;
>import android.widget.Button;
>
>public class MainActivity extends Activity {
>    protected String n;
>    protected Button T;
>
>    @Override
>    protected void onCreate(Bundle savedInstanceState) {
>        super.onCreate(savedInstanceState);
>
>        Intent intent = this.getIntent();
>        this.n = intent.getStringExtra("r");
>        this.T = new Button(this);
>        this.T.setText(this.getString(2131230774));
>
>    }
>}
>
>
>Produced flow:
>
>[main] INFO 
>soot.jimple.infoflow.data.pathBuilders.ContextInsensitivePathBuilder
>- Obtainted 1 connections between sources and sinks
>[main] INFO 
>soot.jimple.infoflow.data.pathBuilders.ContextInsensitivePathBuilder
>- Building path 1
>[main] INFO 
>soot.jimple.infoflow.data.pathBuilders.ContextInsensitivePathBuilder
>- Path processing took 0.002538356 seconds in total for 3 edges
>[main] INFO soot.jimple.infoflow.Infoflow - The sink $r3 =
>virtualinvoke $r0.<com.example.testwebview.MainActivity:
>java.lang.String getString(int)>(2131230774) in method
><com.example.testwebview.MainActivity: void
>onCreate(android.os.Bundle)> was called with values from the following
>sources:
>[main] INFO soot.jimple.infoflow.Infoflow - - $r3 = virtualinvoke
>$r2.<android.content.Intent: java.lang.String
>getStringExtra(java.lang.String)>("r") in method
><com.example.testwebview.MainActivity: void
>onCreate(android.os.Bundle)>
>[main] INFO soot.jimple.infoflow.Infoflow -     on Path:
>[main] INFO soot.jimple.infoflow.Infoflow -      ->
><com.example.testwebview.MainActivity: void
>onCreate(android.os.Bundle)>
>[main] INFO soot.jimple.infoflow.Infoflow -          -> $r3 =
>virtualinvoke $r2.<android.content.Intent: java.lang.String
>getStringExtra(java.lang.String)>("r")
>[main] INFO soot.jimple.infoflow.Infoflow -      ->
><com.example.testwebview.MainActivity: void
>onCreate(android.os.Bundle)>
>[main] INFO soot.jimple.infoflow.Infoflow -          ->
>$r0.<com.example.testwebview.MainActivity: java.lang.String n> = $r3
>[main] INFO soot.jimple.infoflow.Infoflow -      ->
><com.example.testwebview.MainActivity: void
>onCreate(android.os.Bundle)>
>[main] INFO soot.jimple.infoflow.Infoflow -          -> $r3 =
>virtualinvoke $r0.<com.example.testwebview.MainActivity:
>java.lang.String getString(int)>(2131230774)
>
>Running arguments: app-debug.apk /home/xxx/adt-bundle/sdk/platforms/
>--aplength 1 --nocallbacks --layoutmode none --pathalgo CONTEXTINSENSITIVE
>
>Test apk:
>
>https://www.dropbox.com/s/wnirus0as7p0p2n/sample.apk?dl=0
>I traced the source code and think the issue may be in
>public FlowFunction<Abstraction> getCallToReturnFlowFunction.
>
>In field references, newSource.getAccessPath().getPlainValue() is the "field
>base value", not the actually tainted value. That is, if f.a is tainted, this
>method will return f, not f.a, which is not reasonable.
>
>if (isSink) {
>    // If we are inside a conditional branch, we consider every sink call a leak
>    boolean conditionalCall = enableImplicitFlows
>            && !interproceduralCFG().getMethodOf(call).isStatic()
>            && aliasing.mayAlias(interproceduralCFG().getMethodOf(call).getActiveBody().getThisLocal(),
>                    newSource.getAccessPath().getPlainValue())
>            && newSource.getAccessPath().getFirstField() == null;
>    boolean taintedParam = (conditionalCall
>            || newSource.getTopPostdominator() != null
>            || newSource.getAccessPath().isEmpty())
>            && newSource.isAbstractionActive();
>
>    // If the base object is tainted, we also consider the "code" associated
>    // with the object's class as tainted.
>    if (!taintedParam) {
>        for (int i = 0; i < callArgs.length; i++) {
>            if (aliasing.mayAlias(callArgs[i], newSource.getAccessPath().getPlainValue())) {
>                taintedParam = true;
>                break;
>            }
>        }
>    }
>    if (taintedParam && newSource.isAbstractionActive())
>        addResult(new AbstractionAtSink(newSource, invExpr, iStmt));
>
>    // if the base object which executes the method is tainted the sink is reached, too.
>    if (invExpr instanceof InstanceInvokeExpr) {
>        InstanceInvokeExpr vie = (InstanceInvokeExpr) iStmt.getInvokeExpr();
>        if (newSource.isAbstractionActive()
>                && aliasing.mayAlias(vie.getBase(), newSource.getAccessPath().getPlainValue())) {
>            addResult(new AbstractionAtSink(newSource, invExpr, iStmt));
>        }
>    }
>}
>
>>
>Will someone kindly look into this issue? Thanks.
>
>------------------------------
>
>_______________________________________________
>Soot-list mailing list
>Soot-list at CS.McGill.CA
>https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>
>
>End of Soot-list Digest, Vol 114, Issue 70
>******************************************
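As an added illustration of the access-path point raised in message 2 of the quoted digest (this is not code from the mail, from Soot or from FlowDroid): a small Java model of a taint access path, with the receiver check written the way the quoted getCallToReturnFlowFunction excerpt does it (alias the receiver against getPlainValue() alone) next to a variant that also asks whether the path carries a field suffix. TaintPath, SinkCall, FieldTaintDemo and the string-equality mayAlias() are constructed stand-ins for FlowDroid's AccessPath, InstanceInvokeExpr and Aliasing classes; the locals $r0 and $r3 and the field n are taken from the Jimple in the report.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

/** Hypothetical model of an access path: a base local plus an optional
 *  sequence of field names. Not FlowDroid's own AccessPath class. */
final class TaintPath {
    final String base;          // the local that roots the path, e.g. "$r0"
    final List<String> fields;  // ["n"] for $r0.n, empty for $r0 itself

    TaintPath(String base, String... fields) {
        this.base = base;
        this.fields = Arrays.asList(fields);
    }

    /** Mirrors getPlainValue(): only the root local, fields dropped. */
    String plainValue() { return base; }

    /** Mirrors getFirstField() == null: the whole object is tainted. */
    boolean isBaseOnly() { return fields.isEmpty(); }
}

/** A sink call site: the receiver local plus the argument locals. */
final class SinkCall {
    final String receiver;
    final List<String> args;

    SinkCall(String receiver, String... args) {
        this.receiver = receiver;
        this.args = Arrays.asList(args);
    }
}

public final class FieldTaintDemo {
    /** Stand-in for aliasing.mayAlias(): without a real alias analysis,
     *  two locals may alias only when they are the same local. */
    static boolean mayAlias(String a, String b) { return Objects.equals(a, b); }

    /** Check modelled on the quoted excerpt: the sink is reached when the
     *  receiver or any argument may alias the taint's plain (base) value.
     *  A taint on $r0.n therefore also matches a call on $r0. */
    static boolean reachesSinkPlainValue(TaintPath taint, SinkCall call) {
        if (mayAlias(call.receiver, taint.plainValue())) return true;
        for (String arg : call.args) {
            if (mayAlias(arg, taint.plainValue())) return true;
        }
        return false;
    }

    /** Field-aware variant: an aliasing receiver or argument only counts
     *  when the whole object is tainted, i.e. the path has no field suffix. */
    static boolean reachesSinkFieldAware(TaintPath taint, SinkCall call) {
        if (!taint.isBaseOnly()) return false;  // $r0.n says nothing about $r0
        return reachesSinkPlainValue(taint, call);
    }

    public static void main(String[] args) {
        // Constructed from the report's Jimple: "$r0.n = $r3" taints the path $r0.n
        TaintPath fieldTaint = new TaintPath("$r0", "n");
        // Sink: "$r3 = virtualinvoke $r0.getString(2131230774)", receiver $r0, constant argument
        SinkCall getString = new SinkCall("$r0");

        System.out.println("plain-value check on $r0.n:  " + reachesSinkPlainValue(fieldTaint, getString));
        System.out.println("field-aware check on $r0.n:  " + reachesSinkFieldAware(fieldTaint, getString));

        // For comparison: a taint on the whole receiver is reported by both checks
        TaintPath objectTaint = new TaintPath("$r0");
        System.out.println("field-aware check on $r0:    " + reachesSinkFieldAware(objectTaint, getString));
    }
}
```

Compile and run with javac FieldTaintDemo.java && java FieldTaintDemo. The plain-value check flags the getString call because its receiver $r0 is the plain value of the tainted path $r0.n, which is exactly the flow the report shows; the field-aware variant does not, while both agree once the whole receiver is tainted. The field-aware variant is only a precision illustration, not a proposed fix: suppressing every field-tainted receiver would also hide genuine flows where the callee reads the tainted field (a toString() on the receiver, say), so an analysis that wants to drop this false positive needs to know what the callee does with its receiver, not just the shape of the access path.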


