[Soot-list] Bug: False positive in sink inside of try block after if statement

Arzt, Steven steven.arzt at sit.fraunhofer.de
Thu Aug 31 11:42:03 EDT 2017 

Hi Miguel,

This is indeed a bug. For now, you can disable exception tracking and FlowDroid works. I'll look into the issue a bit more to find a proper fix.

Thanks for reporting!

Best regards,
  Steven

-----Original Message-----
From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of Miguel Velez
Sent: Tuesday, August 29, 2017 7:39 PM
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] Bug: False positive in sink inside of try block after if statement

I ran an analysis in the following code and I obtained a false positive:

     public static void main(String[] args) {
         Sink.init();

         boolean A = Source.getOptionA(true);

         boolean a = false;
         boolean b = false;

         if(A) {
             a = true;
         }

         try {
             Sink.sink(b); // -> False positive is detected
         } catch (Exception e) {
             e.printStackTrace();
         }

         if(a) {
             System.out.println("");
         }
     }

Variable `b`, which is used in the sink, but it is not tainted is reported a leak. I am using the following settings for the analysis:

ic.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
     ic.setEnableImplicitFlows(true);
ic.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination); 

     ic.setInspectSinks(false);
     ic.setAccessPathLength(10_000);
ic.setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive); 

ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.None);
     ic.setFlowSensitiveAliasing(false);
     ic.setStopAfterFirstFlow(false);
     ic.setEnableStaticFieldTracking(true);
     ic.setEnableExceptionTracking(true);
     ic.setMaxThreadNum(1);
     ic.setOneSourceAtATime(true);

Debugging in the ImplicitPropagationRule class, I saw that the jimple instruction that calls the sink method is considered to be inside of the first if statement. Adding any instruction in java code or a nop in jimple before the sink call gives the correct result.

I am using the latest version of this repo, soot, heros, and jasmin. I cloned all those projects, imported them into IntelliJ, and compiled them.

Can someone check if they get the same false positive to confirm it is a bug?
--
Regards,

Miguel Velez
_______________________________________________
Soot-list mailing list
Soot-list at CS.McGill.CA
https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

More information about the Soot-list mailing list