[Soot-list] Missing call edges(For Spark, not CHA) while invoking Android APIs in FlowDroid

Steven Arzt Steven.Arzt at cased.de
Tue Feb 10 04:19:57 EST 2015


Hi Wei, Hi Yu,

 

Wei’s explanation of why there are no call edges in the callgraph is correct. The taint wrapper however does not add any edges to the callgraph. Instead, it tells the taint propagation algorithm how to continue when it encounters a call site for which there are no callees. In other words, the callgraph does not contain these edges in FlowDroid either. FlowDroid however checks if such a situation happens and then consults the taint wrapper which is able to answer questions such as “if a.b.c is tainted on a call to c.foo(a), what will be tainted afterwards?” Therefore, taint wrappers are not oblivious to the type of analysis you are conducting. If you are doing taint analysis, feel free to use the taint wrapper infrastructure from FlowDroid – otherwise, you can take the concept and create your own wrapper semantics.

 

Technically, we map the taint wrappers against InvokeExpr.getMethod() if there are no call edges.

 

Best regards,

  Steven

 

 

M.Sc. M.Sc. Steven Arzt

Secure Software Engineering Group (SSE)

European Center for Security and Privacy by Design (EC SPRIDE) 

Rheinstraße 75

D-64293 Darmstadt

Phone: +49 61 51 869-336

Fax: +49 61 51 16-72118

eMail: steven.arzt at ec-spride.de

Web: http://sse.ec-spride.de
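
The fallback described in this reply, as an added example that is not part of the original message and is not FlowDroid's code: a simplified Java model in which a call site without call edges is resolved through a wrapper keyed by the declared method signature. The `CallSite` and `Summary` records, the wrapper entry for `String.concat`, the `com.example.Lib` signature and the locals `$r6` to `$r8` are constructed for illustration.

```java
import java.util.*;

public class WrapperFallbackDemo {
    // Constructed call site "result = base.method(arg)"; declaredSig stands in
    // for the signature of InvokeExpr.getMethod().
    record CallSite(String result, String base, String arg, String declaredSig) {}

    // Hypothetical summary format: which inputs taint the return value.
    record Summary(boolean baseToReturn, boolean argToReturn) {}

    // Hypothetical wrapper table, keyed by declared method signature.
    static final Map<String, Summary> WRAPPER = Map.of(
        "<java.lang.String: java.lang.String concat(java.lang.String)>",
        new Summary(true, true));

    // Tainted locals after a call site that has no callees in the call graph.
    static Set<String> applyWrapper(CallSite cs, Set<String> taintedBefore) {
        Set<String> after = new TreeSet<>(taintedBefore);
        after.remove(cs.result());           // the assignment overwrites the old value
        Summary s = WRAPPER.get(cs.declaredSig());
        if (s == null) return after;         // no entry: this model knows nothing about the call
        boolean flows = (s.baseToReturn() && taintedBefore.contains(cs.base()))
                     || (s.argToReturn() && taintedBefore.contains(cs.arg()));
        if (flows) after.add(cs.result());
        return after;
    }

    // The wrapper is consulted only when the call graph has no edge for the call site.
    static Set<String> step(CallSite cs, List<String> calleesInCallGraph, Set<String> tainted) {
        if (!calleesInCallGraph.isEmpty())
            throw new UnsupportedOperationException("edges exist: propagate into callees (not modelled)");
        return applyWrapper(cs, tainted);
    }

    public static void main(String[] args) {
        // $r5 holds the getDeviceId() result from the thread's snippet and is treated as tainted.
        Set<String> tainted = Set.of("$r5");
        CallSite concat = new CallSite("$r6", "$r5", "$r7",
            "<java.lang.String: java.lang.String concat(java.lang.String)>");
        CallSite unknown = new CallSite("$r8", "$r5", "$r7",
            "<com.example.Lib: java.lang.String f(java.lang.String)>");
        System.out.println(step(concat, List.of(), tainted));   // wrapper entry found
        System.out.println(step(unknown, List.of(), tainted));  // no wrapper entry
    }
}
```

The call graph is never modified in this model; only the set of tainted locals changes, which is the distinction the reply draws between adding call edges and answering "what is tainted afterwards".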

 

 

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of Yu Feng
Sent: Monday, 9 February 2015 20:11
To: Wei Yang
Cc: soot-list at CS.McGill.CA
Subject: Re: [Soot-list] Missing call edges(For Spark, not CHA) while invoking Android APIs in FlowDroid

 

Hi Wei,

 

Good to hear from you again and thanks for the suggestion!

 

Actually, even if I add those signatures to EasyTaintWrapperConversion.txt (in both infoflow and infoflow-android), the edge is still missing in the call graph generated by Spark. Any idea?

<android.content.Context: java.lang.Object getSystemService(java.lang.String)>

<android.content.ContextWrapper: java.lang.Object getSystemService(java.lang.String)>

<android.app.Activity: java.lang.Object getSystemService(java.lang.String)>

 

Best,

Yu

 

On Mon, Feb 9, 2015 at 12:27 PM, Wei Yang <davidyoung8906 at gmail.com> wrote:

Hi! Yu,

I met the same issue before. I think it is because in "$r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object getSystemService(java.lang.String)>($r2);", getSystemService is a factory method belonging to the Android SDK, so Spark cannot know where "r3" is constructed and the actual type of it.

One solution is to add an entry in the taint wrapper where FlowDroid will perform a lookup when it encounters a library method.




Best wishes,

David 

 

2015-02-09 12:04 GMT-06:00 Yu Feng <fengyu8299 at gmail.com>:

Hi,

 

I have a quick question regarding FlowDroid:

 

Suppose 'foo' is reachable from the "dummyMain" in FlowDroid,

 

foo() {
        $r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object getSystemService(java.lang.String)>($r2);
        $r1 = $r3;
        $r4 = (android.telephony.TelephonyManager) $r1;
        $r5 = virtualinvoke $r4.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>();
}

 

If I build the call graph for this code snippet, it should have at least two edges:

1. foo -> getSystemService

2. foo -> getDeviceId

 

For CHA it looks correct, but for Spark, the second edge is missing because the points-to set of $r3 is empty. 

I thought most of the Android APIs (like getSystemService) are handled properly in FlowDroid and why it still returns an empty set regarding this case.

What should I do if I need to get a sound call graph (based on Spark, not CHA) from FlowDroid?

 

Thanks so much,

Yu 




 

 

_______________________________________________
Soot-list mailing list
Soot-list at CS.McGill.CA
https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

 



 




 

-- 

--Yu
