[Soot-list] Bug: False negative in sink when looping objects

mvelezce at cs.cmu.edu mvelezce at cs.cmu.edu
Mon Nov 6 19:19:58 EST 2017 

There is a problem with the example I posted earlier. Here is the 
updated code:

  public static void main(String[] args) {
          taint = Source.getOptionA(true);
          I b = new B();
          List<I> list = new LinkedList<>();
          list.add(b);

         for(int i = 0; i < list.size(); i++) {
              I ob = list.get(i);
              ob.sink(taint); -> NO FLOW IS DETECTED
         }
  }

  public interface I {
      public void sink(boolean a);
  }

  public class B implements I {
      @Override
      public void sink(boolean a) {
          System.out.println("");
      }
  }

Thanks

On 2017-10-31 10:02, Miguel Velez wrote:
> I ran an analysis in the following code and I am not getting a very
> obvious result:
> 
> public static void main(String[] args) {
>         A = Source.getOptionA(true);
>         I b = new B();
>         List<I> list = new LinkedList<>();
>         list.add(b);
> 
>        for(int i = 0; i < list.size(); i++) {
>             I ob = list.get(i);
>             ob.sink(taint); -> NO FLOW IS DETECTED
>        }
> }
> 
> public interface I {
>     public void sink(boolean a);
> }
> 
> public class B implements I {
>     @Override
>     public void sink(boolean a) {
>         System.out.println("");
>     }
> }
> 
> The tainted variable 'taint' is passed to a sink, but it is not
> detected as a flow. These are the settings I am using for the
> analysis:
> 
> ic.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
> ic.setEnableImplicitFlows(true);
> ic.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
> 
> ic.setInspectSinks(false);
> ic.setInspectSources(false);
> ic.setAccessPathLength(10);
> ic.setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
> 
> ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.None);
> ic.setFlowSensitiveAliasing(false);
> ic.setStopAfterFirstFlow(false);
> ic.setEnableStaticFieldTracking(false);
> ic.setEnableExceptionTracking(true);
> ic.setMaxThreadNum(1);
> ic.setOneSourceAtATime(true);
> ic.setSingleJoinPointAbstraction(true);
> 
> However, if I do not put object 'b' in a list and call the sink
> method, the flow is detected. I believe this is a bug since the same
> functionality and output should not change depending if the object is
> accessed directly or it is put in a list and then retrieved.
> 
> I am using the latest version of this repo, soot, heros, and jasmin. I
> cloned all those projects, imported them into IntelliJ, and compiled
> them.
> 
> Can someone check if they get the same false negative to confirm it is 
> a bug?

More information about the Soot-list mailing list