[Soot-list] Bug: False positive in sink inside of try block after if statement
Miguel Velez
mvelezce at cs.cmu.edu
Tue Aug 29 13:39:17 EDT 2017
I ran an analysis on the following code and I obtained a false positive:

    public static void main(String[] args) {
        Sink.init();
        boolean A = Source.getOptionA(true);
        boolean a = false;
        boolean b = false;
        if (A) {
            a = true;
        }
        try {
            Sink.sink(b); // -> False positive is detected
        } catch (Exception e) {
            e.printStackTrace();
        }
        if (a) {
            System.out.println("");
        }
    }
Variable `b`, which is used in the sink but is not tainted, is reported
as a leak. I am using the following settings for the analysis:

    ic.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
    ic.setEnableImplicitFlows(true);
    ic.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
    ic.setInspectSinks(false);
    ic.setAccessPathLength(10_000);
    ic.setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
    ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.None);
    ic.setFlowSensitiveAliasing(false);
    ic.setStopAfterFirstFlow(false);
    ic.setEnableStaticFieldTracking(true);
    ic.setEnableExceptionTracking(true);
    ic.setMaxThreadNum(1);
    ic.setOneSourceAtATime(true);
Debugging in the ImplicitPropagationRule class, I saw that the Jimple
instruction that calls the sink method is considered to be inside of the
first if statement. Adding any instruction in the Java code, or a nop in
Jimple, before the sink call gives the correct result.
I am using the latest version of this repo, soot, heros, and jasmin. I
cloned all those projects, imported them into IntelliJ, and compiled them.
Can someone check if they get the same false positive to confirm it is a
bug?
--
Regards,
Miguel Velez
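The result the post argues for can be checked by hand with a post-dominator based control-dependence computation over the method's control-flow graph. The following is an added example, not part of the Soot-list post and not FlowDroid's own ImplicitPropagationRule logic: the CFG is a hand-built model of the reproduction (node names, the exceptional edge from the sink into the catch block, and the DEFS/PREDS tables are all assumptions), and the implicit-flow rule it applies is the textbook one, where a statement is in a tainted control context only if it is control-dependent on a branch that tests a tainted value. Under that rule the Sink.sink(b) call post-dominates the `if (A)` branch, so it is not control-dependent on it and is correctly not reported, while a sink placed inside `if (a)` would be.

```python
"""Control dependence and implicit-flow tainting on a model of the reproduction's CFG.

Constructed example: node names, edges and variable tables are a hand-built
abstraction of the Jimple body, not output of Soot or FlowDroid.
"""

# Constructed CFG: node -> list of successor nodes. 'sink' is the Sink.sink(b)
# call; its edge into 'catch' models the exceptional successor that
# setEnableExceptionTracking(true) makes the analysis consider.
CFG = {
    "entry":   ["if_A"],            # Sink.init(); A = Source...; a = b = false
    "if_A":    ["a_true", "sink"],  # if (A)
    "a_true":  ["sink"],            # a = true
    "sink":    ["catch", "if_a"],   # Sink.sink(b)  (may throw)
    "catch":   ["if_a"],            # e.printStackTrace()
    "if_a":    ["println", "exit"], # if (a)
    "println": ["exit"],            # System.out.println("")
    "exit":    [],
}

# Variables defined at each node, and the variable each branch node tests.
DEFS = {"entry": {"A", "a", "b"}, "a_true": {"a"}}
PREDS = {"if_A": "A", "if_a": "a"}


def post_dominators(cfg, exit_node="exit"):
    """Iterative fixpoint: pdom[n] = {n} U intersection of pdom over successors."""
    nodes = list(cfg)
    pdom = {n: set(nodes) for n in nodes}
    pdom[exit_node] = {exit_node}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == exit_node:
                continue
            new = {n} | set.intersection(*(pdom[s] for s in cfg[n]))
            if new != pdom[n]:
                pdom[n] = new
                changed = True
    return pdom


def control_dependences(cfg):
    """Ferrante-style control dependence: y depends on branch x if some successor
    s of x is post-dominated by y but y does not strictly post-dominate x."""
    pdom = post_dominators(cfg)
    cd = {n: set() for n in cfg}
    for x, succs in cfg.items():
        if len(succs) < 2:          # only branch nodes create control dependences
            continue
        for s in succs:
            for y in pdom[s]:
                if y != x and y not in pdom[x]:
                    cd[y].add(x)
    return cd


def implicit_flow_taint(cfg, defs, preds, sources):
    """Return (tainted variables, nodes executed in a tainted control context).

    A node is in a tainted context if it is control-dependent on a branch that
    tests a tainted variable, or on a branch that is itself in a tainted
    context; variables defined in such a context become tainted (implicit flow).
    """
    cd = control_dependences(cfg)
    tainted = set(sources)
    tainted_nodes = set()
    changed = True
    while changed:
        changed = False
        for n in cfg:
            in_ctx = any(preds.get(x) in tainted or x in tainted_nodes for x in cd[n])
            if not in_ctx:
                continue
            if n not in tainted_nodes:
                tainted_nodes.add(n)
                changed = True
            for v in defs.get(n, ()):
                if v not in tainted:
                    tainted.add(v)
                    changed = True
    return tainted, tainted_nodes


def sink_leaks(var, node, cfg=CFG, defs=DEFS, preds=PREDS, sources=frozenset({"A"})):
    """A sink leaks if its argument is tainted or it runs in a tainted context."""
    tainted, tainted_nodes = implicit_flow_taint(cfg, defs, preds, sources)
    return var in tainted or node in tainted_nodes


if __name__ == "__main__":
    print("control dependences:", control_dependences(CFG))
    print("Sink.sink(b) in try block leaks:", sink_leaks("b", "sink"))        # False
    print("same sink moved inside if (a) leaks:", sink_leaks("b", "println"))  # True
```

The `a_true` node is the only one control-dependent on `if_A`, which is why `a` (and transitively the `if (a)` branch and its body) ends up tainted, while the sink inside the try block has no control dependence at all and `b` stays clean. A nop inserted before the sink does not change any post-dominator set in this model, which matches the expectation that such an insertion should not change the verdict.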