[Soot-list] Bug: False negative in sink when looping objects

Arzt, Steven steven.arzt at sit.fraunhofer.de
Tue Nov 7 05:05:16 EST 2017


Hi Miguel,

Looking at your example, there are two potential problem areas that I can spot. Firstly, you do not set a taint wrapper. This means that FlowDroid does not have any library models it could use for the analysis. In that case, you need to make sure that the library implementation (Java's rt.jar for the Java Collections API in that case) is on the Soot / FlowDroid classpath. Otherwise, FlowDroid will simply skip those library calls, because there is neither a library model nor any code it could analyze. I strongly suggest that you go for the library model instead of putting the code on the classpath for performance reasons. You can create an instance of the EasyTaintWrapper class and pass it to the Infoflow object.

The second aspect that is a bit unusual about your code is that you explicitly disable the alias analysis. Your results will heavily depend on the exact structure of the Jimple code in that case.

Best regards,
  Steven
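
The setup described in the reply above, as an added example that is not part of the original thread and is not FlowDroid's own code: an EasyTaintWrapper is passed to the Infoflow object and the alias analysis is left enabled. The class name RunWithTaintWrapper, the three command-line arguments, and the Soot signatures for Main, Source and I (default package, boolean return type for getOptionA) are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.List;

import soot.jimple.infoflow.Infoflow;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.taintWrappers.EasyTaintWrapper;

// Hypothetical driver class; not taken from the thread.
public class RunWithTaintWrapper {

    public static void main(String[] args) throws IOException {
        // Assumed arguments: path to the compiled example classes, the library
        // path handed to Soot, and a taint wrapper definition file (FlowDroid
        // ships one named EasyTaintWrapperSource.txt).
        String appPath = args[0];
        String libPath = args[1];
        File wrapperDefinitions = new File(args[2]);

        // Assumed Soot signatures for the example posted in the thread.
        String entryPoint = "<Main: void main(java.lang.String[])>";
        List<String> sources =
                Collections.singletonList("<Source: boolean getOptionA(boolean)>");
        List<String> sinks =
                Collections.singletonList("<I: void sink(boolean)>");

        Infoflow infoflow = new Infoflow();

        // Library model: with a taint wrapper set, calls such as List.add()
        // and List.get() are handled by the model instead of being skipped.
        infoflow.setTaintWrapper(new EasyTaintWrapper(wrapperDefinitions));

        // Leave the alias analysis enabled rather than AliasingAlgorithm.None,
        // so results depend less on the exact shape of the Jimple code.
        InfoflowConfiguration ic = infoflow.getConfig();
        ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.FlowSensitive);
        ic.setFlowSensitiveAliasing(true);

        infoflow.computeInfoflow(appPath, libPath, entryPoint, sources, sinks);

        InfoflowResults results = infoflow.getResults();
        if (results == null || results.isEmpty()) {
            System.out.println("No flows reported");
        } else {
            results.printResults();
        }
    }
}
```
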

-----Original Message-----
From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of mvelezce at cs.cmu.edu
Sent: Tuesday, November 7, 2017 1:20 AM
To: soot-list at cs.mcgill.ca
Subject: Re: [Soot-list] Bug: False negative in sink when looping objects

There is a problem with the example I posted earlier. Here is the updated code:

  public static void main(String[] args) {
      taint = Source.getOptionA(true);
      I b = new B();
      List<I> list = new LinkedList<>();
      list.add(b);

      for (int i = 0; i < list.size(); i++) {
          I ob = list.get(i);
          ob.sink(taint); // -> NO FLOW IS DETECTED
      }
  }

  public interface I {
      public void sink(boolean a);
  }

  public class B implements I {
      @Override
      public void sink(boolean a) {
          System.out.println("");
      }
  }

Thanks

On 2017-10-31 10:02, Miguel Velez wrote:
> I ran an analysis in the following code and I am not getting a very 
> obvious result:
> 
> public static void main(String[] args) {
>         A = Source.getOptionA(true);
>         I b = new B();
>         List<I> list = new LinkedList<>();
>         list.add(b);
> 
>        for(int i = 0; i < list.size(); i++) {
>             I ob = list.get(i);
>             ob.sink(taint); -> NO FLOW IS DETECTED
>        }
> }
> 
> public interface I {
>     public void sink(boolean a);
> }
> 
> public class B implements I {
>     @Override
>     public void sink(boolean a) {
>         System.out.println("");
>     }
> }
> 
> The tainted variable 'taint' is passed to a sink, but it is not 
> detected as a flow. These are the settings I am using for the
> analysis:
> 
> ic.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
> ic.setEnableImplicitFlows(true);
> ic.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
> 
> ic.setInspectSinks(false);
> ic.setInspectSources(false);
> ic.setAccessPathLength(10);
> ic.setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
> 
> ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.None);
> ic.setFlowSensitiveAliasing(false);
> ic.setStopAfterFirstFlow(false);
> ic.setEnableStaticFieldTracking(false);
> ic.setEnableExceptionTracking(true);
> ic.setMaxThreadNum(1);
> ic.setOneSourceAtATime(true);
> ic.setSingleJoinPointAbstraction(true);
> 
> However, if I do not put object 'b' in a list and call the sink 
> method, the flow is detected. I believe this is a bug since the same 
> functionality and output should not change depending if the object is 
> accessed directly or it is put in a list and then retrieved.
> 
> I am using the latest version of this repo, soot, heros, and jasmin. I 
> cloned all those projects, imported them into IntelliJ, and compiled 
> them.
> 
> Can someone check if they get the same false negative to confirm it is 
> a bug?