[Soot-list] print the path from source(s) to sink(s) found by flowdroid

Steven Arzt Steven.Arzt at cased.de
Tue Dec 8 09:21:23 EST 2015 

Hi Young,

 

The second data flow that was missed is an implicit flow. There is no sequence of direct assignments between source and sink. Instead, the value that  arrives at the sink is control-dependent on the value obtained from the source. By default, FlowDroid does not track such dependencies. If you need to, you can enable implicit flow tracking using the --implicit command-line option. This will, however, increase the runtime and memory consumption of your analysis.

 

Additionally, for real-world apps, you will get a lot of additional flows as this definition of a data flow is very broad.

 

Best regards,

  Steven

 

Von: XiaoYang [mailto:yangx92 at hotmail.com] 
Gesendet: Dienstag, 8. Dezember 2015 15:14
An: Steven Arzt; 'soot-list at CS.McGill.CA'
Betreff: 答复: [Soot-list] print the path from source(s) to sink(s) found by flowdroid

 

Hi Steven,

 

I appended “—pathalgo contextsensitive” to command line. It showed more information than before. However, it lost some information. 

 

For example, below is the android application code snippets.

>>> 

         protected void onRestart(){

                   super.onRestart();

        EditText usernameText =

                (EditText)findViewById(R.id.username);

        EditText passwordText =

                (EditText)findViewById(R.id.pwdString);

        String uname = usernameText.getText().toString();

        String pwd = passwordText.getText().toString();

        if(!uname.isEmpty() && !pwd.isEmpty())

            this.user = new User(uname, pwd);

         }

         

    //Callback method defined in xml file

    public void sendMessage(View view) throws UnsupportedEncodingException{

        if(user == null) return;

        Password pwd = user.getpwd();

        String pwdString = pwd.getPassword();

        String obfPwd = "";

        //must track primitives

        for(char c : pwdString.toCharArray())

            obfPwd += c + "_";

        String message = "User: " +

                user.getName() + " | PWD: " + obfPwd;

        String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);

        SmsManager sms = SmsManager.getDefault();

        sms.sendTextMessage("+86 12345678901",

                null, message_base64, null, null); //pwd_str+uname_str

    }

>>> 

 

I run the flowdroid with options“--pathalgo contextsensitive --implicit true -aplength 15”.

Following is the information given by flowdroid.

 

>>> 

The sink virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null) on line 49 in method <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)> was called with values from the following sources:

- - $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724) on line 26 in method <com.example.leakpasswd.MainActivity: void onRestart()>

on Path:

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724)

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $r3 = (android.widget.EditText) $r1

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $r4 = virtualinvoke $r3.<android.widget.EditText: android.text.Editable getText()>()

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $r6 = interfaceinvoke $r4.<android.text.Editable: java.lang.String toString()>()

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $z0 = virtualinvoke $r6.<java.lang.String: boolean isEmpty()>()

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> if $z0 != 0 goto return

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user> = $r7

-> <com.example.leakpasswd.MainActivity: void onRestart()>

-> return

-> <dummyMainClass: void dummyMainMethod(java.lang.String[])>

-> virtualinvoke $r1.<com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>($r3)

-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>

-> $r2 = $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user>

-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>

-> if $r2 != null goto $r2 = $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user>

-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>

-> virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null)

>>> 

 

The flowdroid did not track code below. 

>>> 

        for(char c : pwdString.toCharArray())

            obfPwd += c + "_";

        String message = "User: " +

                user.getName() + " | PWD: " + obfPwd;

        String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);

>>> 

 

Is there solution to handle this?

 

Grate thanks!!

 

Young


发件人: Steven Arzt
发送时间: 2015年12月7日 16:33
收件人: 'XiaoYang';'soot-list at CS.McGill.CA'
主题: AW: [Soot-list] print the path from source(s) to sink(s) found by flowdroid

 

 

Hi Xiao,

 

That’s possible. You need to enable a path reconstruction algorithm that supports path reconstruction. If you are using the FlowDroid command-line application, just append “--pathalgo contextsensitive” to your command line. It will increase the runtime, though.

 

Best regards,

  Steven

 

Von: soot-list-bounces at CS.Mc <mailto:soot-list-bounces at CS.McGill.CA> Gill.CA [mailto:soot-list-bounces at CS.McGill.CA] Im Auftrag von XiaoYang
Gesendet: Sonntag, 6. Dezember 2015 04:55
An: soot-list at CS.McGill.CA
Betreff: [Soot-list] print the path from source(s) to sink(s) found by flowdroid

 

Hi all,

 

Suppose that I found there is information leak in android application by flowdroid. Could I print the path from source(s) to sink(s)?

 

Take an example. Below is the partial information given by flowdroid.

 

>>[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke $r10.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 123456789", null, $r6, null, null) in method <com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:

>>[main] INFO soot.jimple.infoflow.Infoflow - - $r2 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230722) in method <com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)>

 

I want to get the path from findViewById to sendTextMessage. Is there a method to handle that? 

 

Great thanks!!

 

 

Young 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20151208/21f90ca3/attachment-0001.html

More information about the Soot-list mailing list