[Soot-list] Flowdroid: Propagating taint object

Oswaldo Olivo ozzyo86 at gmail.com
Wed Apr 13 22:50:35 EDT 2016


Answering my own question:

I managed to add a rule in order to propagate taint to a receiving
object whenever a parameter is tainted in a call to 'put'.

The idea is to implement AbstractTaintWrapper, have a field that
stores an EasyWrapper, and implement the custom taint propagation in
"getTaintsForMethodInternal" by reusing the results from EasyWrapper
and adding the extra taint rules as needed.

Then attach this custom implementation of the taint wrapper to the
SetupApplication that runs infoflow.

The following is my implementation of the wrapper:

===================================

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import soot.jimple.*;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.data.AccessPath;
import soot.jimple.infoflow.data.AccessPathFactory;
import soot.jimple.infoflow.taintWrappers.AbstractTaintWrapper;
import soot.jimple.infoflow.taintWrappers.EasyTaintWrapper;
import soot.SootMethod;
import soot.Value;

class TaintWrapper extends AbstractTaintWrapper {

    // Wrapped EasyTaintWrapper whose results are reused.
    private EasyTaintWrapper easyTaintWrapper;

    public TaintWrapper(EasyTaintWrapper easyTaintWrapper){
        this.easyTaintWrapper = easyTaintWrapper;
    }

    // Returns true if the tainted value is one of the given values.
    private boolean anyTainted(AccessPath taintedPath, List<Value> values){
        Value taintedValue = taintedPath.getPlainValue();
        for(Value val: values){
            if(taintedValue.equals(val)){
                return true;
            }
        }
        return false;
    }

    @Override
    public Set<Abstraction> getAliasesForMethod(Stmt stmt, Abstraction a, Abstraction taintedPath){
        return null;
    }

    @Override
    public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedPath){
        Set<AccessPath> taints = new HashSet<AccessPath>();
        SootMethod method = stmt.getInvokeExpr().getMethod();
        // Propagating taint from easy taint wrapper.
        taints.addAll(easyTaintWrapper.getTaintsForMethodInternal(stmt, taintedPath));

        // Propagating custom taint over the receiving object
        // of a call to put with a tainted value.
        if(method.getSignature().equals("<java.util.EnumMap: java.lang.Object put(java.lang.Enum,java.lang.Object)>")){
            InvokeExpr invokeExpr = stmt.getInvokeExpr();
            InstanceInvokeExpr instanceInvokeExpr = (InstanceInvokeExpr)invokeExpr;
            Value base = instanceInvokeExpr.getBase();
            List<Value> args = instanceInvokeExpr.getArgs();
            if(anyTainted(taintedPath, args)){
                taints.add(AccessPathFactory.v().createAccessPath(base, true));
            }
        }

        return taints;
    }

    // Every call is reported as handled exclusively by this wrapper.
    @Override
    public boolean isExclusiveInternal(Stmt stmt, AccessPath taintedPath){
        return true;
    }

    @Override
    public boolean supportsCallee(SootMethod method){
        return true;
    }

    @Override
    public boolean supportsCallee(Stmt callSite){
        return true;
    }
}


On Sat, Apr 9, 2016 at 2:57 AM, Oswaldo Olivo <ozzyo86 at gmail.com> wrote:
> Hi,
>
> I'm running soot infoflow programmatically on android APKs.
>
> I was wondering if there's a way to force the analysis to propagate
> taint to a receiver object (or another parameter) if one of the
> parameters of a function is tainted.
>
> Consider the following instruction:
>
> virtualinvoke $r7.<com.facebook.acra.CrashReportData: java.lang.Object put(java.lang.Enum,java.lang.Object)>($r8, $r4);
>
>
> I want to taint $r7 whenever $r4 is tainted on a call to "put".
>
> Let me know if there's a way to specify this.
>
> Below is my code for running the taint analysis
>
> ===================================
> public static void main(String[] args) throws Exception{
>
>         System.out.println("=== Starting ReDoS Detector ===");
>
>         // Configuration information.
>         String androidJar = "soot/platforms";
>         String apkFileLocation = "benchmarks/com.facebook.katana.apk";
>         boolean forceAndroidJar = false;
>
>         if(args.length > 0) {
>             apkFileLocation = args[0];
>         }
>
>         System.out.println("Analyzing APK: " + apkFileLocation);
>         SetupApplication app = new SetupApplication(androidJar, apkFileLocation);
>         EasyTaintWrapper easyTaintWrapper =
>                 new EasyTaintWrapper(new File("EasyTaintWrapperSource.txt"));
>         app.setTaintWrapper(easyTaintWrapper);
>
>         InfoflowAndroidConfiguration config = app.getConfig();
>         config.setAccessPathLength(1);
>         config.setComputeResultPaths(false);
>         config.setEnableCallbacks(false);
>         config.setEnableArraySizeTainting(false);
>         config.setEnableExceptionTracking(false);
>         config.setEnableStaticFieldTracking(false);
>         config.setInspectSinks(false);
>         config.setFlowSensitiveAliasing(false);
>         app.setConfig(config);
>
>         app.calculateSourcesSinksEntrypoints("SourcesAndSinks.txt");
>         app.runInfoflow();
>
>         System.out.println("=== Finishing ReDoS Detector ===");
>     }
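
A table-driven generalization of the wrapper described in the reply above, as an added example that is not part of the original post or of FlowDroid: any signature passed to the constructor taints the receiver when one of its arguments is tainted. `ReceiverTaintWrapper` and its constructor parameters are hypothetical names, and the FlowDroid API is assumed to be the same version used by the code in the post.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import soot.SootMethod;
import soot.jimple.*;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.data.AccessPath;
import soot.jimple.infoflow.data.AccessPathFactory;
import soot.jimple.infoflow.taintWrappers.AbstractTaintWrapper;
import soot.jimple.infoflow.taintWrappers.EasyTaintWrapper;

// Hypothetical class: table-driven variant of the wrapper in the post.
class ReceiverTaintWrapper extends AbstractTaintWrapper {
    private final EasyTaintWrapper delegate;
    // Signatures whose tainted argument should also taint the receiver.
    private final Set<String> receiverRules;

    ReceiverTaintWrapper(EasyTaintWrapper delegate, String... signatures) {
        this.delegate = delegate;
        this.receiverRules = new HashSet<String>(Arrays.asList(signatures));
    }

    @Override
    public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedPath) {
        Set<AccessPath> taints = new HashSet<AccessPath>();
        Set<AccessPath> fromEasy = delegate.getTaintsForMethodInternal(stmt, taintedPath);
        if (fromEasy != null) taints.addAll(fromEasy);   // keep the EasyTaintWrapper results
        if (!stmt.containsInvokeExpr()) return taints;
        InvokeExpr call = stmt.getInvokeExpr();
        // Static calls have no receiver, so only instance invokes can match a rule.
        // List.contains also tolerates a null plain value (no NullPointerException).
        if (call instanceof InstanceInvokeExpr
                && receiverRules.contains(call.getMethod().getSignature())
                && call.getArgs().contains(taintedPath.getPlainValue())) {
            taints.add(AccessPathFactory.v().createAccessPath(
                    ((InstanceInvokeExpr) call).getBase(), true));
        }
        return taints;
    }

    // The remaining overrides mirror the choices made in the post.
    @Override public Set<Abstraction> getAliasesForMethod(Stmt stmt, Abstraction a, Abstraction taintedPath) { return null; }
    @Override public boolean isExclusiveInternal(Stmt stmt, AccessPath taintedPath) { return true; }
    @Override public boolean supportsCallee(SootMethod method) { return true; }
    @Override public boolean supportsCallee(Stmt callSite) { return true; }
}
```

It is attached the same way as in the post, by passing `new ReceiverTaintWrapper(easyTaintWrapper, "<java.util.EnumMap: java.lang.Object put(java.lang.Enum,java.lang.Object)>")` to `app.setTaintWrapper(...)` before `runInfoflow()`.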

