[Soot-list] Spark: Missing API call causes empty points-to set

Arzt, Steven steven.arzt at sit.fraunhofer.de
Fri Jun 23 13:20:38 EDT 2017


Hi Jonas,

The reason for the missing callgraph edge is that there is no allocation site for “powerManager”. Consequently, the SPARK callgraph algorithm cannot obtain type information for that variable and without type information, there are no outgoing callgraph edges. You have already looked into some of the possibilities for dealing with such issues. You can try to add the underlying Android code to provide for the allocation site. Unfortunately, that won’t work here, because the system service registry in Android is built on a plugin system, i.e., has an internal registry of services that is built dynamically. Such things are tough calls for any callgraph analysis algorithm.

Therefore, I’d rather avoid the need for a callgraph edge. Instead, you can look at the invocation (without resolving it) to see where it goes. It won’t get much more precise than that anyway, unless you really need to know the internal Android class that implements the service. If you’re fine with the PowerManager class that is part of the public API, the invocation signature is enough (which trivially points to PowerManager.newWakeLock). In fact, that’s how we handle such cases in FlowDroid. You don’t need to know the exact type of the variable in that case, you just use the declared one. However, you need to do that on your own. Soot’s SPARK algorithm won’t build such approximated edges into the callgraph for you.

Best regards,
  Steven
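
The approach described above (reading the declared target of the invoke expression instead of waiting for SPARK to resolve it), as an added example that is not Soot's or FlowDroid's own code. It is a plain Soot BodyTransformer registered in the jtp pack; it matches call sites by the method signature string carried on the InvokeExpr, so it works even when the receiver has no allocation site or its class is phantom. Assumptions: the Jimple signature string for the public API method, and the class and phase names, are mine; the callgraph check only means anything when Soot runs in whole-program mode (-w) so that the cg pack has already run.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.PackManager;
import soot.Scene;
import soot.Transform;
import soot.Unit;
import soot.jimple.AssignStmt;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;

/**
 * Finds call sites of a method by its declared signature, without consulting
 * the callgraph or the receiver's points-to set. Added example; the signature,
 * class name and phase name below are assumptions, not part of the Soot API.
 */
public class DeclaredInvokeScanner extends BodyTransformer {

    // Assumed Jimple signature of the public-API method discussed in the thread
    // (WakeLock is a nested class, hence the '$' in the return type).
    static final String NEW_WAKELOCK_SIG =
        "<android.os.PowerManager: android.os.PowerManager$WakeLock newWakeLock(int,java.lang.String)>";

    /**
     * Collect every statement in b whose invoke expression declares targetSig
     * as its callee. getMethodRef() is the statically declared target, so this
     * matches regardless of whether SPARK found an allocation site for the base.
     */
    public static List<Stmt> findBySignature(Body b, String targetSig) {
        List<Stmt> hits = new ArrayList<>();
        for (Unit u : b.getUnits()) {
            Stmt s = (Stmt) u;
            if (!s.containsInvokeExpr()) {
                continue;
            }
            InvokeExpr ie = s.getInvokeExpr();
            if (targetSig.equals(ie.getMethodRef().getSignature())) {
                hits.add(s);
            }
        }
        return hits;
    }

    @Override
    protected void internalTransform(Body b, String phaseName, Map<String, String> options) {
        for (Stmt s : findBySignature(b, NEW_WAKELOCK_SIG)) {
            // Does the (already built) callgraph have any edge out of this site?
            // For the case in the thread this will be "none", which is exactly
            // why the declared signature is used instead.
            boolean resolved = Scene.v().hasCallGraph()
                && Scene.v().getCallGraph().edgesOutOf((Unit) s).hasNext();

            String receiver = "(static)";
            if (s.getInvokeExpr() instanceof InstanceInvokeExpr) {
                receiver = ((InstanceInvokeExpr) s.getInvokeExpr()).getBase().toString();
            }
            // The local that receives the WakeLock, if the result is assigned.
            String target = (s instanceof AssignStmt)
                ? ((AssignStmt) s).getLeftOp().toString()
                : "(result unused)";

            System.out.printf("%s: %s = %s.newWakeLock(...) [callgraph edge: %s]%n",
                b.getMethod().getSignature(), target, receiver, resolved ? "yes" : "none");
        }
    }

    public static void main(String[] args) {
        // Register in the Jimple transformation pack; Soot's usual options
        // (-w, -cp, -process-dir, -android-jars, ...) are passed through args.
        PackManager.v().getPack("jtp")
            .add(new Transform("jtp.wakelockscan", new DeclaredInvokeScanner()));
        soot.Main.main(args);
    }
}
```

The local reported as the assignment target is the one whose points-to set comes back empty from SPARK; treating the matched statement itself as the "source" of a WakeLock (rather than asking SPARK what the local points to) is the approximation Steven describes.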

From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of Jonas De Bleser
Sent: Tuesday, June 20, 2017 2:09 PM
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] Spark: Missing API call causes empty points-to set

Hi all,

I’m currently using SOOT + FlowDroid to analyse Android applications which works fine, except for one API call:

import android.content.Context;
import android.os.PowerManager;

// wakeLock is a PowerManager.WakeLock field of the enclosing Activity/Service
PowerManager powerManager = (PowerManager) this.getSystemService(Context.POWER_SERVICE);
wakeLock = powerManager.newWakeLock(
        PowerManager.ACQUIRE_CAUSES_WAKEUP,
        "my wakelock");

While the callgraph contains every other call, it does NOT contain powerManager.newWakeLock. Because of this, SPARK determines that the points-to set of wakeLock is empty, while it shouldn't!

I’ve found two messages on the mailing list that have the same problem:
https://mailman.cs.mcgill.ca/pipermail/soot-list/2016-April/008443.html
https://mailman.cs.mcgill.ca/pipermail/soot-list/2015-February/007734.html

I tried to analyse the application by using the source code of Android (android-all-5.0.0_r2-robolectric-0.jar, from http://central.maven.org/maven2/org/robolectric/android-all/5.0.0_r2-robolectric-0/) instead of the default stub android.jar. I manually checked that the JAR contains the implementation of the powerManager.newWakeLock.

Unfortunately, this gives the same results (i.e., empty points-to set for wakeLock) and I’m clueless on how to solve this problem. I need to know the points-to sets of every WakeLock instance.

Thanks!
