[Soot-list] [Flowdroid taint propagation]

Arzt, Steven steven.arzt at sit.fraunhofer.de
Fri Feb 9 11:30:40 EST 2018


Hi Claudio,

FlowDroid does not propagate the sources along with the individual taints for scalability reasons. If one method is called multiple times with different sources, the method would have to be analyzed once per source if we propagated the source as part of the taint. That's a waste of time, because the behavior of the method doesn't change depending on the source. Therefore, we only propagate source-agnostic taints through the program. Each taint knows its predecessor(s). After the taint propagation is done, FlowDroid takes the list of taint abstractions that have reached a sink, and scans this tree backwards (i.e., the links from a given abstraction to its predecessor) to find the corresponding source. Consequently, you can't easily ask for the source during taint propagation.

What you can do is the following: You can define method1() and method2() as sources and run the taint propagation as usual. After the results are available, you can check whether the sources are identical for the two methods. In that case, you would have a standard taint propagation problem with a post-processing step and would circumvent the problem of not having access to sources _during_ propagation.

Best regards,
  Steven

-----Original Message-----
From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of claudio
Sent: Friday, February 9, 2018 5:21 PM
To: soot-list at cs.mcgill.ca
Subject: Re: [Soot-list] [Flowdroid taint propagation]

Of course it was y = method1(...);


Claudio


On 09/02/18 16:19, claudio wrote:
> Dear all,
>
> I am currently using FlowDroid to analyze an Android app. However, I need
> to detect particular situations. For example, consider this method
> sequence:
>
>
> x = method1(....);
>
> y.method2(...);
>
>
> Now assume that method1 is called with a tainted value from a known
> source.
>
> If method2 is called as well with a tainted value, then I want to check
> whether the taint as input in method2 comes from the same source as
> the one that is tainting its base object y.
>
> Is there a way to achieve it? I was looking for some sort of taint Map 
> where all the taints are stored, but I couldn't find it.
>
>
> Thanks,
>
> Claudio
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

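The backward scan and the post-processing comparison described in the reply above, sketched as an added example that is not part of the thread and is not FlowDroid code. `Abstraction`, `resolve_sources`, `shared_sources` and the sample statements are hypothetical names that only model the predecessor links; they do not use FlowDroid's classes or API.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Abstraction:
    """Source-agnostic taint: it records its statement and predecessor(s) only."""
    stmt: str
    preds: list = field(default_factory=list)
    is_source: bool = False

def resolve_sources(abstraction):
    """Scan predecessor links backwards and collect the source statements reached."""
    seen, stack, sources = set(), [abstraction], set()
    while stack:
        cur = stack.pop()
        if id(cur) in seen:          # merged paths and loops are visited once
            continue
        seen.add(id(cur))
        if cur.is_source:
            sources.add(cur.stmt)
        stack.extend(cur.preds)
    return sources

def shared_sources(base_abs, arg_abs):
    """Post-processing: sources common to the base object and the argument."""
    return resolve_sources(base_abs) & resolve_sources(arg_abs)

def build_sample():
    """Constructed abstraction graph for: y = method1(a); y.method2(arg)."""
    src_a = Abstraction("a = sourceA()", is_source=True)
    src_b = Abstraction("b = sourceB()", is_source=True)
    y = Abstraction("y = method1(a)", [src_a])
    arg_same = Abstraction("p = wrap(a)", [src_a])
    arg_other = Abstraction("q = wrap(b)", [src_b])
    loop = Abstraction("r = r + b", [src_b])
    loop.preds.append(loop)          # self-loop, as a loop body would create
    arg_merged = Abstraction("s = phi(p, r)", [arg_same, loop])
    return y, arg_same, arg_other, arg_merged

if __name__ == "__main__":
    y, same, other, merged = build_sample()
    for name, arg in (("same", same), ("other", other), ("merged", merged)):
        print(name, sorted(shared_sources(y, arg)))
```

An argument whose abstraction merges several paths resolves to more than one source, so the comparison returns the set of shared sources, not a single yes/no per abstraction.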