[Soot-list] Missing call edges (For Spark, not CHA) while invoking Android APIs in FlowDroid

Yu Feng fengyu8299 at gmail.com
Mon Feb 9 14:11:24 EST 2015


Hi Wei,

Good to hear from you again and thanks for the suggestion!

Actually even if I add those signatures
to EasyTaintWrapperConversion.txt (in both infoflow and infoflow-android),
the edge is still missing in the call graph generated by Spark. Any idea?

<android.content.Context: java.lang.Object getSystemService(java.lang.String)>
<android.content.ContextWrapper: java.lang.Object getSystemService(java.lang.String)>
<android.app.Activity: java.lang.Object getSystemService(java.lang.String)>

Best,
Yu

On Mon, Feb 9, 2015 at 12:27 PM, Wei Yang <davidyoung8906 at gmail.com> wrote:

> Hi! Yu,
>      I met the same issue before. I think it is because in " $r3 =
> virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object
> getSystemService(java.lang.String)>($r2);", getSystemService is a factory
> method belonging to Android SDK, so Spark cannot know where "r3" is
> constructed and the actual type of it.
>     One solution is to add an entry in the taint wrapper where FlowDroid
> will perform a lookup when it encounters a library method.
>
> Best wishes,
> David
>
> 2015-02-09 12:04 GMT-06:00 Yu Feng <fengyu8299 at gmail.com>:
>
>> Hi,
>>
>> I have a quick question regarding FlowDroid:
>>
>> Suppose 'foo' is reachable from the "dummyMain" in FlowDroid,
>>
>> foo() {
>>
>>         $r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object getSystemService(java.lang.String)>($r2);
>>         $r1 = $r3;
>>         $r4 = (android.telephony.TelephonyManager) $r1;
>>         $r5 = virtualinvoke $r4.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>();
>>
>> }
>>
>> If I build the call graph for this code snippet, it should have at least
>> two edges:
>> 1. foo -> getSystemService
>> 2. foo -> getDeviceId
>>
>> For CHA it looks correct, but for Spark, the second edge is missing
>> because the points-to set of $r3 is empty.
>> I thought most of the Android APIs (like getSystemService) are handled
>> properly in FlowDroid, so why does it still return an empty set in this
>> case?
>> What should I do if I need to get a sound call graph (based on Spark, not
>> CHA) from FlowDroid?
>>
>> Thanks so much,
>> Yu
>>
>>
>>
>> _______________________________________________
>> Soot-list mailing list
>> Soot-list at CS.McGill.CA
>> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>>
>>


-- 
--Yu
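
The difference discussed in this thread, as an added example that is not part of the original messages and is not Soot or FlowDroid code: a toy model of foo() that resolves calls once by declared type (as CHA does) and once by points-to sets (as Spark does). The short class names, the `seed` sets and the `lib_alloc` parameter are assumptions made for illustration; `lib_alloc` is a hypothetical model of what a body-less SDK method returns, not a FlowDroid option.

```python
# Toy model (constructed for illustration; not Soot or FlowDroid code).
# Statements of foo() from the thread: (kind, dst, src/receiver, method/type).
FOO = [
    ("call",   "$r3", "$r0", "getSystemService"),
    ("assign", "$r1", "$r3", None),
    ("cast",   "$r4", "$r1", "TelephonyManager"),
    ("call",   "$r5", "$r4", "getDeviceId"),
]
DECLARED = {"$r0": "zjService", "$r4": "TelephonyManager"}  # static receiver types
# Class -> methods it declares or inherits (constructed, minimal hierarchy).
METHODS = {"zjService": {"getSystemService"}, "TelephonyManager": {"getDeviceId"}}

def cha_edges(body):
    """CHA-style: resolve each call from the receiver's declared type only."""
    return {("foo", m) for k, _, recv, m in body
            if k == "call" and m in METHODS[DECLARED[recv]]}

def pta_edges(body, seed, lib_alloc=None):
    """Points-to-style: a call gets an edge only if the receiver's points-to
    set holds a type with that method. `seed` gives initial points-to sets;
    `lib_alloc` (hypothetical) maps a body-less library method to the type
    it is assumed to allocate and return."""
    lib_alloc = lib_alloc or {}
    pts = {v: set(t) for v, t in seed.items()}
    edges, changed = set(), True
    while changed:  # iterate to a fixed point
        changed = False
        for kind, dst, src, arg in body:
            before = (len(pts.get(dst, ())), len(edges))
            flow = set()
            if kind == "assign":
                flow = pts.get(src, set())
            elif kind == "cast":  # keep only objects compatible with the cast
                flow = {t for t in pts.get(src, set()) if t == arg}
            elif any(arg in METHODS.get(t, ()) for t in pts.get(src, ())):
                edges.add(("foo", arg))
                # A stub body has no allocation site, so nothing flows out
                # unless a model for the method is supplied.
                flow = {lib_alloc[arg]} if arg in lib_alloc else set()
            pts.setdefault(dst, set()).update(flow)
            changed |= before != (len(pts[dst]), len(edges))
    return edges, pts
```

With no model for getSystemService, the points-to set of $r3 stays empty, the cast passes nothing on to $r4, and the getDeviceId edge never appears, while the declared-type resolution reports both edges.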