[Soot-list] How to get context-sensitive result of flowdroid
Steven Arzt
Steven.Arzt at cased.de
Wed Apr 22 05:57:57 EDT 2015
Hi Raikin,
The Infoflow class supports the setPathAgnosticResults() method. The default is “true” which means that paths which have same source and sink are merged into one. If you set it to “false”, you will get the two different paths. However, beware: In general, the number of propagation paths is exponential in the number of branching statements on the way. You can quickly end up with an infeasible number of paths and that’s why the default merges all these paths.
Best regards,
Steven
Von: 润青杨 [mailto:rainkin1993 at gmail.com]
Gesendet: Mittwoch, 22. April 2015 11:26
An: Steven Arzt
Cc: soot-list at cs.mcgill.ca
Betreff: Re: [Soot-list] How to get context-sensitive result of flowdroid
HI Steven,
Two different propagation paths are what I want. But the result only have 1 path;
Can you tell me how to get it?
Thanks,
Rainkin
2015-04-22 17:00 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:
Hi Rainkin,
I do not understand your question. In this code example, there is only a single context. The method “foo” is always called with a tainted element which originated from sourceOne(10). In terms of contexts, the two source-to-sink connections are equal. Moreover, there is only one call to “System.out.println()” in the code, so I’m not sure how you want to get two different statements out of that.
The only thing you could do is to obtain two different propagation paths to record that one flow was propagated over the first call to “foo” and the other one over the second call. I’m not sure what the use case for that should be, though.
Best regards,
Steven
Von: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] Im Auftrag von ???
Gesendet: Mittwoch, 22. April 2015 10:50
An: soot-list at CS.McGill.CA
Betreff: [Soot-list] How to get context-sensitive result of flowdroid
Hi guys,
this is a example:
public void test(){
String sourceOne = sourceOne(10); // source
foo(sourceOne);
foo(sourceOne);
}
public String sourceOne(int number){
return number>0 ? "positive" : "negative";
}
public void foo(String s){
System.out.println(s); // sink
}
the method sourceOne is a source and System.out.println() is a sink.
After analysis, I get the following result:
[main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 1 sources and 1 sinks.
[main] INFO soot.jimple.infoflow.Infoflow - IFDS problem with 14 forward and 0 backward edges solved, processing 1 results...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Context-sensitive path reconstructor started
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Obtainted 1 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 1
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Path processing took 0.008987293 seconds in total
[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke $r2.<java.io.PrintStream: void println(java.lang.String)>(r1) in method <TestCode: void foo(java.lang.String)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = virtualinvoke r0.<TestCode: java.lang.String sourceOne(int)>(10) in method <TestCode: void test()>
[main] INFO soot.jimple.infoflow.Infoflow - on Path:
[main] INFO soot.jimple.infoflow.Infoflow - -> <TestCode: void foo(java.lang.String)>
[main] INFO soot.jimple.infoflow.Infoflow - -> virtualinvoke $r2.<java.io.PrintStream: void println(java.lang.String)>(r1)
I want to know how to get a context-sensitive result, in which sourceOne() will point to 2 different system.out.println()
Thx,
Rainkin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20150422/8db2fa89/attachment-0001.html
More information about the Soot-list
mailing list