[Soot-list] How to get context-sensitive result of flowdroid

Steven Arzt Steven.Arzt at cased.de
Wed May 6 04:39:13 EDT 2015


Hi Rainkin,

 

I looked into the issue. There is another thing to keep in mind: You can only have two reports that differ in their taint propagation path if you have the analysis reconstruct paths at all. The traditional way was to specify this flag in the constructor of the Infoflow class by providing a corresponding PathBuilderFactory. I have just added a setter that also allows you to do this later on for convenience.

 

The example in soot.jimple.infoflow.test.junit.OtherTests.multiSinkTest2() works and shows how to do it.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of ???
Sent: Wednesday, 6 May 2015 04:08
To: Steven Arzt; soot-list at CS.McGill.CA
Subject: Re: [Soot-list] How to get context-sensitive result of flowdroid

 

Hi Steven,

    To make sure the flag works, I directly use the test case soot.jimple.infoflow.test.securibench.AliasingTests.java aliasing5()

    and I add the call infoflow.setPathAgnosticResults(false);
    @Test
    public void aliasing5() {
        List<String> epoints = new ArrayList<String>();
        epoints.add("<securibench.micro.aliasing.Aliasing5: void doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>");
        Infoflow infoflow = initInfoflow(epoints);
        // added call: do not merge paths that share the same source and sink
        infoflow.setPathAgnosticResults(false);
        infoflow.computeInfoflow(appPath, libPath, entryPointCreator, sources, sinks);
        checkInfoflow(infoflow, 1);
    } 

   

   And I change the corresponding test code, the red line is what I add:

   protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
           StringBuffer buf = new StringBuffer("abc"); 
           foo(buf, buf, resp, req);
           foo(buf, buf, resp, req);
    }

    Finally, I got the following result:
    
   Using following locations as sources for classes: /home/rainkin/Desktop/soot-infoflow-develop/bin:/home/rainkin/Desktop/soot-infoflow-develop/build/classes/home/rainkin/Desktop/soot-infoflow-develop/build/testclasses, /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/rt.jar:/home/rainkin/Desktop/soot-infoflow-develop/lib/j2ee.jar:/home/rainkin/Desktop/soot-infoflow-develop/lib/cos.jar
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/rainkin/Desktop/soot-infoflow-develop/lib/slf4j-simple-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/rainkin/Downloads/heros-trunk.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/rainkin/Downloads/soot-trunk.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
[main] INFO soot.jimple.infoflow.Infoflow - Resetting Soot...
Warning: javax.crypto.SecretKey is a phantom class!
[main] INFO soot.jimple.infoflow.Infoflow - Basic class loading done.
[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 1.7 seconds.
[Spark] Type masks in 0.1 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 9.0 seconds.
[Spark] Solution found in 9.0 seconds.
[main] INFO soot.jimple.infoflow.util.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.Infoflow - Dead code elimination took 0.479650968 seconds
[main] INFO soot.jimple.infoflow.Infoflow - Callgraph has 10477 edges
[main] INFO soot.jimple.infoflow.Infoflow - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.Infoflow - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.Infoflow - Using path-sensitive result collection
[main] INFO soot.jimple.infoflow.Infoflow - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.Infoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 1 sources and 1 sinks.
[main] INFO soot.jimple.infoflow.Infoflow - IFDS problem with 2270 forward and 430 backward edges solved, processing 1 results...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Context-sensitive path reconstructor started
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Obtainted 1 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 1
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Path processing took 0.020252891 seconds in total
[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r6.<java.io.PrintWriter: void println(java.lang.String)>($r8) in method <securibench.micro.aliasing.Aliasing5: void foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r5 = interfaceinvoke r4.<javax.servlet.ServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.aliasing.Aliasing5: void foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)>
[main] INFO soot.jimple.infoflow.Infoflow -     on Path: 
[main] INFO soot.jimple.infoflow.Infoflow -      -> <securibench.micro.aliasing.Aliasing5: void foo(java.lang.StringBuffer,java.lang.StringBuffer,javax.servlet.ServletResponse,javax.servlet.ServletRequest)>
[main] INFO soot.jimple.infoflow.Infoflow -          -> virtualinvoke r6.<java.io.PrintWriter: void println(java.lang.String)>($r8)

 

2015-05-06 0:27 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:

Are you sure that you set this flag before you start the actual data flow analysis?

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of ???
Sent: Tuesday, 5 May 2015 18:26
To: Steven Arzt
Cc: soot-list at CS.McGill.CA
Subject: Re: [Soot-list] How to get context-sensitive result of flowdroid

 

Hi Steven,

    I tried to call infoflow.setPathAgnosticResults(false), but it still only shows one path.

    I don't know why this happens.

 

Rainkin

 

2015-04-22 17:57 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:

Hi Rainkin,

 

The Infoflow class supports the setPathAgnosticResults() method. The default is “true”, which means that paths which have the same source and sink are merged into one. If you set it to “false”, you will get the two different paths. However, beware: In general, the number of propagation paths is exponential in the number of branching statements on the way. You can quickly end up with an infeasible number of paths and that’s why the default merges all these paths.

 

Best regards,

  Steven

 

From: 润青杨 [mailto:rainkin1993 at gmail.com]
Sent: Wednesday, 22 April 2015 11:26
To: Steven Arzt
Cc: soot-list at cs.mcgill.ca
Subject: Re: [Soot-list] How to get context-sensitive result of flowdroid

 

Hi Steven,

    Two different propagation paths are what I want. But the result only has 1 path.

    Can you tell me how to get it?

Thanks,

Rainkin

 

 

2015-04-22 17:00 GMT+08:00 Steven Arzt <Steven.Arzt at cased.de>:

Hi Rainkin,

 

I do not understand your question. In this code example, there is only a single context. The method “foo” is always called with a tainted element which originated from sourceOne(10). In terms of contexts, the two source-to-sink connections are equal. Moreover, there is only one call to “System.out.println()” in the code, so I’m not sure how you want to get two different statements out of that.

 

The only thing you could do is to obtain two different propagation paths to record that one flow was propagated over the first call to “foo” and the other one over the second call. I’m not sure what the use case for that should be, though.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of ???
Sent: Wednesday, 22 April 2015 10:50
To: soot-list at CS.McGill.CA
Subject: [Soot-list] How to get context-sensitive result of flowdroid

 

Hi guys,

    This is an example:

    public void test(){
        String sourceOne = sourceOne(10); // source
        foo(sourceOne);
        foo(sourceOne);
    }

    public String sourceOne(int number){
        return number>0 ? "positive" : "negative";
    }
    
    public void foo(String s){
        System.out.println(s); // sink
    }

  

  the method sourceOne is a source and System.out.println() is a sink.

  After analysis, I get the following result:

[main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 1 sources and 1 sinks.
[main] INFO soot.jimple.infoflow.Infoflow - IFDS problem with 14 forward and 0 backward edges solved, processing 1 results...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Context-sensitive path reconstructor started
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Obtainted 1 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 1
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Path processing took 0.008987293 seconds in total
[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke $r2.<java.io.PrintStream: void println(java.lang.String)>(r1) in method <TestCode: void foo(java.lang.String)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = virtualinvoke r0.<TestCode: java.lang.String sourceOne(int)>(10) in method <TestCode: void test()>
[main] INFO soot.jimple.infoflow.Infoflow -     on Path: 
[main] INFO soot.jimple.infoflow.Infoflow -      -> <TestCode: void foo(java.lang.String)>
[main] INFO soot.jimple.infoflow.Infoflow -          -> virtualinvoke $r2.<java.io.PrintStream: void println(java.lang.String)>(r1)

 

 I want to know how to get a context-sensitive result, in which sourceOne() will point to 2 different System.out.println() calls.

Thx,

Rainkin
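
The difference between merged and per-path results discussed in this thread, as an added example that is not part of the original messages and is not FlowDroid code: a toy propagation graph whose node labels are constructed, counting results per (source, sink) pair versus per path. It goes beyond the thread's two-call case to show the growth with the number of branches.

```java
import java.util.*;

// Toy model, not FlowDroid code: nodes are statements, edges are taint propagation steps.
public class PathAgnosticDemo {
    static final Map<String, List<String>> edges = new LinkedHashMap<>();

    static void edge(String from, String to) {
        edges.computeIfAbsent(from, k -> new ArrayList<>()).add(to);
    }

    // Collect every distinct propagation path from 'node' to 'sink' (graph must be acyclic).
    static void paths(String node, String sink, Deque<String> cur, List<List<String>> out) {
        cur.addLast(node);
        if (node.equals(sink)) out.add(new ArrayList<>(cur));
        else for (String next : edges.getOrDefault(node, List.of())) paths(next, sink, cur, out);
        cur.removeLast();
    }

    // pathAgnostic == true: one result per (source, sink) pair; false: one result per path.
    static int results(String source, String sink, boolean pathAgnostic) {
        List<List<String>> all = new ArrayList<>();
        paths(source, sink, new ArrayDeque<>(), all);
        if (all.isEmpty()) return 0;
        return pathAgnostic ? 1 : all.size();
    }

    public static void main(String[] args) {
        // The thread's example: one source, two calls to foo(), one println sink inside foo().
        String src = "s = sourceOne(10)", sink = "println(s)";
        edge(src, "foo(s) call #1");
        edge(src, "foo(s) call #2");
        edge("foo(s) call #1", sink);
        edge("foo(s) call #2", sink);
        System.out.println("merged results:   " + results(src, sink, true));
        System.out.println("per-path results: " + results(src, sink, false));

        // Generalisation: k two-way branches in sequence between the same source and sink.
        for (int k : new int[] {4, 8, 16}) {
            edges.clear();
            for (int i = 0; i < k; i++) {
                edge("j" + i, "a" + i);
                edge("j" + i, "b" + i);
                edge("a" + i, "j" + (i + 1));
                edge("b" + i, "j" + (i + 1));
            }
            System.out.println(k + " branches: " + results("j0", "j" + k, false) + " paths");
        }
    }
}
```

Requires Java 9 or later for List.of().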

 

 

 
