[Soot-list] FlowDroid: call graph doesn't look context sensitive

Denis Bogdanas denis.bogdanas at gmail.com
Thu Mar 3 18:13:09 EST 2016


Hi Steven,
Default settings produce the same result. From my logs:

From <edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)>
  to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
--------------------------------------------
<edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void threadWithSensitive()>
<java.lang.Thread: void run()>
<edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>

From <edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)>
  to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
--------------------------------------------
<edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void emptyThread()>
<java.lang.Thread: void run()>
<edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)>
<edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>

Paths are produced by navigating the call graph upwards until a callback is
reached. FlowDroid and soot on my machine are 2 weeks old.



On 3 March 2016 at 14:28, Steven Arzt <Steven.Arzt at cased.de> wrote:

> Hi Denis,
>
>
>
> You don’t actually need an implementation of java.* in your Android
> platform JAR file, because FlowDroid provides explicit models for threads.
> If you use FlowDroid’s default models, your callgraph should be able to
> distinguish the two calls, i.e., there should not be a path from
> emptyThread() to sensitive(). You have two different instances of the
> Thread class, two different implementations (and thus also instances
> thereof) of Runnable, and I don’t see any good reason for FlowDroid to
> combine the two paths.
>
>
>
> Best regards,
>
>   Steven
>
>
>
> From: soot-list-bounces at CS.McGill.CA [mailto:
> soot-list-bounces at CS.McGill.CA] On behalf of Denis Bogdanas
> Sent: Thursday, 3 March 2016 23:04
> To: soot-list at CS.McGill.CA
> Subject: [Soot-list] FlowDroid: call graph doesn't look context
> sensitive
>
>
>
> Suppose we have 2 threads called from 2 UI callbacks. One of them calls
> method sensitive(), another one is empty. In the call graph, both events
> will have a path to sensitive(), as if the two Thread instances were
> modeled as one:
>
> protected void onCreate(Bundle savedInstanceState) {
>     threadWithSensitive();
> }
>
> @Override
> public boolean onOptionsItemSelected(MenuItem item) {
>     emptyThread();
>     return false;
> }
>
> private void threadWithSensitive() {
>     new Thread(new Runnable() {
>         public void run() {
>             sensitive();
>         }
>     }).start();
> }
>
> private void emptyThread() {
>     new Thread(new Runnable() {
>         public void run() { }
>     }).start();
> }
>
> Shouldn't only onCreate() lead to sensitive()?
>
> My setup: a crafted android.jar that has stubs for android classes but
> full implementation for java.* and javax.* packages.
>
>
>
> I also noticed that class MethodContext, which is supposed to model a
> method in its context, is never instantiated, regardless of what call graph
> algorithm I use.
>
> What am I missing?
>
> thanks,
>
> --
>
> Denis
>



-- 
Denis
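
The merge reported in this thread, reproduced as an added model (not code from the thread, FlowDroid or Soot): the edge list is copied from the two logged paths with method names shortened, and the walk goes upwards from sensitive() until a callback is reached. clone_per_caller and EmptyRunnable.run are hypothetical; they stand in for a graph that keeps one Thread.run() node per Thread instance.

```python
from collections import defaultdict

# Caller -> callee edges copied from the two logged paths (names shortened).
EDGES = [
    ("onCreate", "threadWithSensitive"),
    ("onOptionsItemSelected", "emptyThread"),
    ("threadWithSensitive", "Thread.run"),
    ("emptyThread", "Thread.run"),
    ("Thread.run", "TestActivity$3.run"),
    ("TestActivity$3.run", "access$000"),
    ("access$000", "sensitive"),
]
CALLBACKS = {"onCreate", "onOptionsItemSelected"}

def callbacks_reaching(target, edges, callbacks):
    """Walk caller edges upwards from target; map each callback hit to one path."""
    callers = defaultdict(list)
    for src, dst in edges:
        callers[dst].append(src)
    found, seen, stack = {}, {target}, [[target]]
    while stack:
        path = stack.pop()
        if path[0] in callbacks:
            found[path[0]] = path
            continue
        for src in callers[path[0]]:
            if src not in seen:
                seen.add(src)
                stack.append([src] + path)
    return found

def clone_per_caller(edges, node, callees_by_caller):
    """Hypothetical helper: split `node` into one copy per caller, each copy
    keeping only the callees that apply to that caller's receiver object."""
    out = []
    for src, dst in edges:
        if dst == node:
            out.append((src, f"{node}[{src}]"))
        elif src != node:
            out.append((src, dst))
    for caller, callees in callees_by_caller.items():
        out += [(f"{node}[{caller}]", callee) for callee in callees]
    return out

# Constructed: the empty Runnable's class name is not given in the thread.
PER_INSTANCE = clone_per_caller(EDGES, "Thread.run", {
    "threadWithSensitive": ["TestActivity$3.run"],
    "emptyThread": ["EmptyRunnable.run"],
})

if __name__ == "__main__":
    for label, graph in (("shared Thread.run", EDGES), ("per instance", PER_INSTANCE)):
        print(label, sorted(callbacks_reaching("sensitive", graph, CALLBACKS)))
```

With the shared node the walk cannot tell which Thread instance it came through, so both callbacks are reported; with one node per instance only onCreate remains.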