[Soot-list] Bug: False negative in sink when looping objects
Miguel Velez
mvelezce at cs.cmu.edu
Tue Oct 31 10:02:10 EDT 2017
I ran an analysis on the following code and I am not getting a very
obvious result:
    import java.util.LinkedList;
    import java.util.List;

    public static void main(String[] args) {
        // tainted value obtained from the source
        boolean taint = Source.getOptionA(true);
        I b = new B();
        List<I> list = new LinkedList<>();
        list.add(b);
        for (int i = 0; i < list.size(); i++) {
            I ob = list.get(i);
            ob.sink(taint); // NO FLOW IS DETECTED
        }
    }

    public interface I {
        public void sink(boolean a);
    }

    public class B implements I {
        @Override
        public void sink(boolean a) {
            System.out.println("");
        }
    }
The tainted variable 'taint' is passed to a sink, but it is not detected
as a flow. These are the settings I am using for the analysis:
    ic.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
    ic.setEnableImplicitFlows(true);
    ic.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
    ic.setInspectSinks(false);
    ic.setInspectSources(false);
    ic.setAccessPathLength(10);
    ic.setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
    ic.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.None);
    ic.setFlowSensitiveAliasing(false);
    ic.setStopAfterFirstFlow(false);
    ic.setEnableStaticFieldTracking(false);
    ic.setEnableExceptionTracking(true);
    ic.setMaxThreadNum(1);
    ic.setOneSourceAtATime(true);
    ic.setSingleJoinPointAbstraction(true);
However, if I do not put object 'b' in a list and call the sink method,
the flow is detected. I believe this is a bug since the same
functionality and output should not change depending on whether the object is
accessed directly or is put in a list and then retrieved.
I am using the latest version of this repo, soot, heros, and jasmin. I
cloned all those projects, imported them into IntelliJ, and compiled them.
Can someone check if they get the same false negative to confirm it is a
bug?
--
Regards,
Miguel Velez