[Soot-list] How to get context-sensitive result of flowdroid
润青杨
rainkin1993 at gmail.com
Tue May 5 22:08:05 EDT 2015
Hi Steven,
To make sure the flag works, I directly use the test case
soot.jimple.infoflow.test.securibench.AliasingTests.java aliasing5()
and I add the call *infoflow.setPathAgnosticResults(false);*
@Test
public void aliasing5() {
List<String> epoints = new ArrayList<String>();
epoints.add("<securibench.micro.aliasing.Aliasing5: void
doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>");
Infoflow infoflow = initInfoflow(epoints);
* infoflow.setPathAgnosticResults(false);*
infoflow.computeInfoflow(abppPath, libPath, entryPointCreator,
sources, sinks);
checkInfoflow(infoflow, 1);
}
And I change the corresponding test code, the red line is what I add:
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
StringBuffer buf = new StringBuffer("abc");
foo(buf, buf, resp, req);
* foo(buf, buf, resp, req);*
}
Finally, I got the following result:
Using following locations as sources for classes:
/home/rainkin/Desktop/soot-infoflow-develop/bin:/home/rainkin/Desktop/soot-infoflow-develop/build/classes/home/rainkin/Desktop/soot-infoflow-develop/build/testclasses,
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/rt.jar:/home/rainkin/Desktop/soot-infoflow-develop/lib/j2ee.jar:/home/rainkin/Desktop/soot-infoflow-develop/lib/cos.jar
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in
[jar:file:/home/rainkin/Desktop/soot-infoflow-develop/lib/slf4j-simple-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in
[jar:file:/home/rainkin/Downloads/heros-trunk.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in
[jar:file:/home/rainkin/Downloads/soot-trunk.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
[main] INFO soot.jimple.infoflow.Infoflow - Resetting Soot...
Warning: javax.crypto.SecretKey is a phantom class!
[main] INFO soot.jimple.infoflow.Infoflow - Basic class loading done.
[Call Graph] For information on where the call graph may be incomplete, use
the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 1.7 seconds.
[Spark] Type masks in 0.1 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 9.0 seconds.
[Spark] Solution found in 9.0 seconds.
[main] INFO
soot.jimple.infoflow.util.InterproceduralConstantValuePropagator - Removing
side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.Infoflow - Dead code elimination took
0.479650968 seconds
[main] INFO soot.jimple.infoflow.Infoflow - Callgraph has 10477 edges
[main] INFO soot.jimple.infoflow.Infoflow - Implicit flow tracking is NOT
enabled
[main] INFO soot.jimple.infoflow.Infoflow - Running with a maximum access
path length of 5
*[main] INFO soot.jimple.infoflow.Infoflow - Using path-sensitive result
collection*
[main] INFO soot.jimple.infoflow.Infoflow - Recursive access path
shortening is enabled
[main] INFO soot.jimple.infoflow.Infoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 1
sources and 1 sinks.
[main] INFO soot.jimple.infoflow.Infoflow - IFDS problem with 2270 forward
and 430 backward edges solved, processing 1 results...
[main] INFO
soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
Context-sensitive path reconstructor started
[main] INFO
soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
Obtainted 1 connections between sources and sinks
[main] INFO
soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
Building path 1
[main] INFO
soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Path
processing took 0.020252891 seconds in total
[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke
r6.<java.io.PrintWriter: void println(java.lang.String)>($r8) in method
<securibench.micro.aliasing.Aliasing5: void
foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)>
was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r5 = interfaceinvoke
r4.<javax.servlet.ServletRequest: java.lang.String
getParameter(java.lang.String)>("name") in method
<securibench.micro.aliasing.Aliasing5: void
foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)>
[main] INFO soot.jimple.infoflow.Infoflow - on Path:
[main] INFO soot.jimple.infoflow.Infoflow - ->
<securibench.micro.aliasing.Aliasing5: void
foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)>
[main] INFO soot.jimple.infoflow.Infoflow - -> virtualinvoke
r6.<java.io.PrintWriter: void println(java.lang.String)>($r8)
2015-05-06 0:27 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:
> Are you sure that you set this flag before you start the actual data flow
> analysis?
>
>
>
> *Von:* soot-list-bounces at CS.McGill.CA [mailto:
> soot-list-bounces at CS.McGill.CA] *Im Auftrag von *???
> *Gesendet:* Dienstag, 5. Mai 2015 18:26
> *An:* Steven Arzt
> *Cc:* soot-list at CS.McGill.CA
>
> *Betreff:* Re: [Soot-list] How to get context-sensitive result of
> flowdroid
>
>
>
> Hi Steven,
>
> I try to call infoflow.setPathAgnosticResults(false), but it still
> only shows one path.
>
> I don't know why it happened?
>
>
>
> Rainkin
>
>
>
> 2015-04-22 17:57 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:
>
> Hi Raikin,
>
>
>
> The Infoflow class supports the setPathAgnosticResults() method. The
> default is “true” which means that paths which have same source and sink
> are merged into one. If you set it to “false”, you will get the two
> different paths. However, beware: In general, the number of propagation
> paths is exponential in the number of branching statements on the way. You
> can quickly end up with an infeasible number of paths and that’s why the
> default merges all these paths.
>
>
>
> Best regards,
>
> Steven
>
>
>
> *Von:* 润青杨 [mailto:rainkin1993 at gmail.com]
> *Gesendet:* Mittwoch, 22. April 2015 11:26
> *An:* Steven Arzt
> *Cc:* soot-list at cs.mcgill.ca
> *Betreff:* Re: [Soot-list] How to get context-sensitive result of
> flowdroid
>
>
>
> HI Steven,
>
> Two different propagation paths are what I want. But the result only
> have 1 path;
>
> Can you tell me how to get it?
>
> Thanks,
>
> Rainkin
>
>
>
>
>
> 2015-04-22 17:00 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:
>
> Hi Rainkin,
>
>
>
> I do not understand your question. In this code example, there is only a
> single context. The method “foo” is always called with a tainted element
> which originated from sourceOne(10). In terms of contexts, the two
> source-to-sink connections are equal. Moreover, there is only one call to
> “System.out.println()” in the code, so I’m not sure how you want to get two
> different statements out of that.
>
>
>
> The only thing you could do is to obtain two different propagation paths
> to record that one flow was propagated over the first call to “foo” and the
> other one over the second call. I’m not sure what the use case for that
> should be, though.
>
>
>
> Best regards,
>
> Steven
>
>
>
> *Von:* soot-list-bounces at CS.McGill.CA [mailto:
> soot-list-bounces at CS.McGill.CA] *Im Auftrag von *???
> *Gesendet:* Mittwoch, 22. April 2015 10:50
> *An:* soot-list at CS.McGill.CA
> *Betreff:* [Soot-list] How to get context-sensitive result of flowdroid
>
>
>
> Hi guys,
>
> this is a example:
>
> public void test(){
> String sourceOne = sourceOne(10); // source
> foo(sourceOne);
> foo(sourceOne);
> }
>
> public String sourceOne(int number){
> return number>0 ? "positive" : "negative";
> }
>
> public void foo(String s){
> System.out.println(s); // sink
> }
>
>
>
> the method sourceOne is a source and System.out.println() is a sink.
>
> After analysis, I get the following result:
>
> [main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 1
> sources and 1 sinks.
> [main] INFO soot.jimple.infoflow.Infoflow - IFDS problem with 14 forward
> and 0 backward edges solved, processing 1 results...
> [main] INFO
> soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
> Context-sensitive path reconstructor started
> [main] INFO
> soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
> Obtainted 1 connections between sources and sinks
> [main] INFO
> soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder -
> Building path 1
> [main] INFO
> soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Path
> processing took 0.008987293 seconds in total
> [main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke
> $r2.<java.io.PrintStream: void println(java.lang.String)>(r1) in method
> <TestCode: void foo(java.lang.String)> was called with values from the
> following sources:
> [main] INFO soot.jimple.infoflow.Infoflow - - r1 = virtualinvoke
> r0.<TestCode: java.lang.String sourceOne(int)>(10) in method <TestCode:
> void test()>
> [main] INFO soot.jimple.infoflow.Infoflow - on Path:
> [main] INFO soot.jimple.infoflow.Infoflow - -> <TestCode: void
> foo(java.lang.String)>
> [main] INFO soot.jimple.infoflow.Infoflow - -> virtualinvoke
> $r2.<java.io.PrintStream: void println(java.lang.String)>(r1)
>
>
>
> I want to know how to get a context-sensitive result, in which
> sourceOne() will point to 2 different system.out.println()
>
> Thx,
>
> Rainkin
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20150506/e38c1a22/attachment-0001.html
More information about the Soot-list
mailing list