[Soot-list] FlowDroid: Difference between notifyFlowIn and notifyFlowOut in TaintPropagationHandler interface

kaunder kap.underwood+sootlist at gmail.com
Fri Oct 16 17:33:06 EDT 2015


Hi,

I'm implementing the TaintPropagationHandler interface in order to capture
data about the Abstraction objects propagated during FlowDroid's analysis.

I am confused about the difference between the notifyFlowIn method and the
notifyFlowOut method. In the documentation, it states that notifyFlowIn is
invoked when a taint is propagated in the data flow engine, and that
notifyFlowOut is invoked when a new taint is generated in the data flow
engine. From this, I assume that if an existing taint is being propagated,
but no new taint is being generated, only notifyFlowOut would be invoked.

In my handler, I override notifyFlowIn and notifyFlowOut to dump some
information about the current abstraction to a file when they are invoked.
When I examine this output, it looks like notifyFlowOut is sometimes
invoked even though no new taint is generated. For example:

<Excerpt from my output file>
> Generated by Handler: notifyFlowOut
> Flow function type: NormalFlowFunction
> ***Incoming Abstraction Data***
> Incoming AccessPath value: $i0
> Incoming Source Context: $i0(int) * <+length> in $i0 := @parameter0: int
> Incoming Abstraction hash: -210156627
> Incoming AccessPath Hash: 1889033344
> ***Outgoing Abstraction Set Data - iterate over all elements of the set***
> Outgoing set 0:
> Outgoing Abstraction Access Path: $i0
> Outgoing Abstraction Source Context: $i0(int) * <+length> in $i0 :=
> @parameter0: int
> Outgoing Abstraction Hash:-210156627
> Outgoing AccessPath Hash:1889033344


In this example, it looks like the incoming and outgoing Abstractions are
one and the same. I'm confused about this, because my understanding was
that notifyFlowOut only gets invoked when a NEW taint is generated, and
here it looks like an existing taint is being propagated. Am I confused
about the nature of notifyFlowOut, or what the hash code of the Abstraction
represents, or both?

I am extracting the Abstraction hash in the following way:

> int myHash = incoming.hashCode();

where incoming is the Abstraction object passed into notifyFlowOut.

Thanks for any clarification you can provide,

Katie
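An added example, not part of the original message and not FlowDroid code: in Java, a class may override hashCode() to be value-based, so equal hash codes alone do not show whether two references are the same object. The sketch below classifies each element of an outgoing set against the incoming object by reference identity and by equals(). The Taint class, the classify helper and the sample values are hypothetical stand-ins constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

public class OutgoingDiff {
    enum Kind { SAME_OBJECT, EQUAL_COPY, NEW_VALUE }

    // Classify every outgoing element relative to the incoming object.
    // Keys are tracked by identity so equal-but-distinct objects stay separate.
    static <T> Map<T, Kind> classify(T incoming, Set<T> outgoing) {
        Map<T, Kind> result = new IdentityHashMap<>();
        for (T out : outgoing) {
            if (out == incoming) result.put(out, Kind.SAME_OBJECT);
            else if (out.equals(incoming)) result.put(out, Kind.EQUAL_COPY);
            else result.put(out, Kind.NEW_VALUE);
        }
        return result;
    }

    // Hypothetical stand-in for a taint abstraction with value-based equals/hashCode.
    static final class Taint {
        final String accessPath, sourceContext;
        Taint(String ap, String sc) { accessPath = ap; sourceContext = sc; }
        @Override public boolean equals(Object o) {
            return o instanceof Taint && ((Taint) o).accessPath.equals(accessPath)
                    && ((Taint) o).sourceContext.equals(sourceContext);
        }
        @Override public int hashCode() { return Objects.hash(accessPath, sourceContext); }
        @Override public String toString() { return accessPath; }
    }

    public static void main(String[] args) {
        // Constructed sample values; "$i1" does not appear in the original output.
        Taint incoming = new Taint("$i0", "$i0 := @parameter0: int");
        Taint copy = new Taint("$i0", "$i0 := @parameter0: int");
        Taint derived = new Taint("$i1", "$i0 := @parameter0: int");
        // Identity-based set so the demo can hold 'incoming' and its equal copy together.
        Set<Taint> outgoing = Collections.newSetFromMap(new IdentityHashMap<>());
        outgoing.addAll(Arrays.asList(incoming, copy, derived));
        for (Map.Entry<Taint, Kind> e : classify(incoming, outgoing).entrySet()) {
            Taint t = e.getKey();
            System.out.printf("%s %s hashCode=%d identity=%d%n", t, e.getValue(),
                    t.hashCode(), System.identityHashCode(t));
        }
    }
}
```

Logging System.identityHashCode(x) next to x.hashCode() in a handler dump gives the same distinction without changing the comparison logic.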