[Soot-list] FlowDroid - null SourceContext when Abstraction is instantiated with the copy constructor

Steven Arzt Steven.Arzt at cased.de
Thu Nov 5 02:55:30 EST 2015


Hi Katie,

The source context is only non-null for those abstractions that are generated directly at the sources. For all abstractions that are propagated through the program, the source context is null. Instead, those derived abstractions have a predecessor and a (possibly null) set of neighbors. The idea is that you get a graph of taint abstractions. Only the root needs to know the source to which it belongs. From all other abstractions, you can walk up the tree to find the respective root(s) and get the sources from there.

The concept is as follows. If a variable “a” is tainted at some statement “a = b + c”, the predecessor is the taint on “b” or “c” that existed before and that led to “a” being tainted. In case both “b” and “c” were tainted before, we have one of them as predecessor and the taint on “a” has a neighbor with the other one as a predecessor. Essentially, neighbors capture non-unique predecessor relationships.

Best regards,
  Steven
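The walk described above, written out as an added illustration; this is neither FlowDroid code nor code from either poster. It uses a stand-in class that exposes only the three accessors the walk needs, under the names FlowDroid's Abstraction class uses (getSourceContext, getPredecessor, getNeighbors), so it compiles on its own; the source context is modelled as a String rather than a SourceContext object, and the graph for "a = b + c" with both operands tainted by different sources is constructed by hand.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

/* Stand-in for soot.jimple.infoflow.data.Abstraction (added example, not FlowDroid
 * code). Only the three accessors the walk needs are kept, under FlowDroid's names;
 * the source context is a plain String here instead of a SourceContext object. */
final class Abstraction {
    private final String name;
    private final String sourceContext;    // non-null only for abstractions created at a source
    private final Abstraction predecessor; // null only for those root abstractions
    private Set<Abstraction> neighbors;    // possibly null, as described on the list

    Abstraction(String name, String sourceContext, Abstraction predecessor) {
        this.name = name;
        this.sourceContext = sourceContext;
        this.predecessor = predecessor;
    }

    String getSourceContext() { return sourceContext; }
    Abstraction getPredecessor() { return predecessor; }
    Set<Abstraction> getNeighbors() { return neighbors; }

    void addNeighbor(Abstraction other) {
        if (neighbors == null) neighbors = new HashSet<>();
        neighbors.add(other);
    }

    @Override public String toString() { return name; }
}

public final class SourceContextWalk {

    /** Follows predecessor and neighbor links from a derived abstraction up to every
     *  root and returns the distinct source contexts found at those roots. */
    static Set<String> collectSourceContexts(Abstraction start) {
        Set<String> contexts = new LinkedHashSet<>();
        Set<Abstraction> visited = new HashSet<>();   // neighbor links can lead back to seen nodes
        Deque<Abstraction> work = new ArrayDeque<>();
        work.push(start);
        while (!work.isEmpty()) {
            Abstraction abs = work.pop();
            if (!visited.add(abs)) continue;
            if (abs.getSourceContext() != null) {
                contexts.add(abs.getSourceContext()); // reached a root: it knows its source
            }
            if (abs.getPredecessor() != null) {
                work.push(abs.getPredecessor());
            }
            Set<Abstraction> neighbors = abs.getNeighbors();
            if (neighbors != null) {                  // the set may be null, so guard it
                work.addAll(neighbors);
            }
        }
        return contexts;
    }

    public static void main(String[] args) {
        // Constructed graph for "a = b + c" where b and c were already tainted by
        // two different sources. Only the two roots carry a source context.
        Abstraction rootB = new Abstraction("b@source", "source0 -> b", null);
        Abstraction rootC = new Abstraction("c@source", "source1 -> c", null);
        Abstraction b = new Abstraction("b", null, rootB); // propagated: context is null
        Abstraction c = new Abstraction("c", null, rootC);
        Abstraction a = new Abstraction("a", null, b);     // predecessor: the taint on b
        Abstraction aViaC = new Abstraction("a'", null, c);// same taint on a, derived from c
        a.addNeighbor(aViaC);                              // neighbor records the other predecessor

        System.out.println("Derived abstraction " + a + " has source context: " + a.getSourceContext());
        System.out.println("Roots reached: " + collectSourceContexts(a));
    }
}
```

In a real handler the same walk would be run over the outgoing abstractions handed to notifyFlowOut, replacing the stand-in class with FlowDroid's own Abstraction; the visited set matters there, because a large propagation graph can reach the same abstraction through several neighbor links.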
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On behalf of kaunder
Sent: Thursday, November 5, 2015 00:33
To: soot-list at CS.McGill.CA
Subject: [Soot-list] FlowDroid - null SourceContext when Abstraction is instantiated with the copy constructor
Hello all,

I am working on using FlowDroid to track how many statements each taint propagates across before eventually reaching a sink. To this end, I have implemented a TaintPropagationHandler and am using the notifyFlowOut function to capture and examine each Abstraction object generated during FlowDroid's analysis.

In the output of the notifyFlowOut handler function, I have noticed that whenever the incoming Abstraction is not the zero Abstraction, the outgoing Abstraction will have a null SourceContext.

In addition, it appears that this case is consistent with the Abstraction copy constructor being used to instantiate a new Abstraction object (I added a couple of lines to the Abstraction constructors in order to identify which constructor was used to instantiate a given Abstraction object).

I'm curious about why SourceContext is null in these cases. Is there a way to recover SourceContext for these Abstractions?

An example of my handler function output:

Case where outgoing source context is not null - Incoming Abstraction is the zero Abstraction

***Incoming Abstraction Data***
Soot statement: $r1 := @parameter1: android.view.KeyEvent
Incoming Source Context: null
Incoming Abstraction Hash: 1217330535

***Outgoing Abstraction Set Data***
Outgoing set 0:
Outgoing Abstraction Source Context: $r1(android.view.KeyEvent) * <+length> in $r1 := @parameter1: android.view.KeyEvent
Outgoing Abstraction Hash: -285378327
Constructor: public

Case where outgoing source context is null - Incoming Abstraction is not the zero Abstraction

***Incoming Abstraction Data***
Soot statement: $r1 = virtualinvoke $r1.<android.os.Bundle: android.os.Bundle getBundle(java.lang.String)>($r5)
Incoming Source Context: $r1(android.os.Bundle) * <+length> in $r1 := @parameter0: android.os.Bundle
Incoming Abstraction Hash: -437298944

***Outgoing Abstraction Set Data***
Outgoing set 0:
Outgoing Abstraction Source Context: null
Outgoing Abstraction Hash: 2043788688
Constructor: copy

Thank you for your time! Please let me know if I can provide any additional clarification about my implementation.

Best Regards,

Katie Underwood
