[Soot-list] [Flowdroid taint propagation]

claudio claudio.rizzo.2015 at live.rhul.ac.uk
Fri Feb 9 12:04:35 EST 2018


Hi Steven,

Thank you for your reply.


I thought about doing what you suggest. However, I also need to have a
relation between the local assigned from method1 and the base object
used to call method 2. So ideally, assuming that method1 and 2 have the
same source, I also need to be sure that the assigned value from method1
is the same one I use to call method2 from.

In a post processing phase, would it be enough to do something like:

*if* method1 has same source as method2; *then*
     stm1.getLeftOp().equals(stm2.getBase())

?


Bests,

Claudio


On 09/02/18 16:30, Arzt, Steven wrote:
> Hi Claudio,
>
> FlowDroid does not propagate the sources along with the individual taints for scalability reasons. If one method is called multiple times with different sources, the method would have to be analyzed once per source, if we would propagate the source as part of the taint. That's a waste of time, because the behavior of the method doesn't change depending on the source. Therefore, we only propagate source-agnostic taints through the program. Each taint knows its predecessor(s). After the taint propagation is done, FlowDroid takes the list of taint abstractions that have reached a sink, and scans this tree backwards (i.e., the links from a given abstraction to its predecessor) to find the corresponding source. Consequently, you can't easily ask for the source during taint propagation.
>
> What you can do is the following: You can define method1() and method2() as sources and run the taint propagation as usual. After the results are available, you can check whether the sources are identical for the two methods. In that case, you would have a standard taint propagation problem with a post-processing and would circumvent the problem of not having access to sources _during_ propagation.
>
> Best regards,
>    Steven
>
> -----Original Message-----
> From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of claudio
> Sent: Friday, February 9, 2018 5:21 PM
> To: soot-list at cs.mcgill.ca
> Subject: Re: [Soot-list] [Flowdroid taint propagation]
>
> of course it was y = method1(...);
>
>
> Claudio
>
>
> On 09/02/18 16:19, claudio wrote:
>> Dear all,
>>
>> I am currently using Flowdroid to analyze Android apps. However, I need
>> to detect particular situations. For example consider this method
>> sequence:
>>
>>
>> x = method1(....);
>>
>> y.method2(...);
>>
>>
>> now assume that method 1 is called with a tainted value from a known
>> source.
>>
>> If method2 is called as well with a tainted value, then I want to check
>> whether the taint as input in method2 comes from the same source as
>> the one that is tainting its base object y.
>>
>> Is there a way to achieve it? I was looking for some sort of taint Map
>> where all the taints are stored, but I couldn't find it.
>>
>>
>> Thanks,
>>
>> Claudio
>>
>> _______________________________________________
>> Soot-list mailing list
>> Soot-list at CS.McGill.CA
>> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
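
The post-processing idea discussed in this thread, as an added example that is not part of the original messages and does not use FlowDroid's API: a simplified Python model of source-agnostic abstractions with predecessor links, the backward scan that recovers their sources, and the combined same-source and same-object check. The class names, statement strings and the reading of "same source" as a shared source statement are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Abstraction:
    """Source-agnostic taint fact: it knows its predecessors, not its source."""
    stmt: str
    preds: Tuple["Abstraction", ...] = ()
    is_source: bool = False  # True only where the taint was created

def find_sources(abstraction):
    """Scan predecessor links backwards and collect the source statements."""
    found, seen, stack = set(), set(), [abstraction]
    while stack:
        cur = stack.pop()
        if id(cur) in seen:
            continue
        seen.add(id(cur))
        if cur.is_source:
            found.add(cur.stmt)
        stack.extend(cur.preds)
    return found

@dataclass(frozen=True)
class Call:
    """Constructed stand-in for a call statement such as y = base.m(arg)."""
    left_op: Optional[str]   # local assigned from the call, if any
    base: Optional[str]      # local the method is invoked on, if any
    arg_taint: Abstraction   # abstraction that reached the argument

def same_source_and_object(call1, call2):
    """Post-processing check from the thread. Assumption: 'same source' means
    the two recovered source sets share at least one statement."""
    shared = find_sources(call1.arg_taint) & find_sources(call2.arg_taint)
    same_object = call1.left_op is not None and call1.left_op == call2.base
    return bool(shared) and same_object

# Constructed sample graph: two sources, one statement that merges both.
SRC_A = Abstraction("a = sourceA()", is_source=True)
SRC_B = Abstraction("b = sourceB()", is_source=True)
T1 = Abstraction("t = a", (SRC_A,))
T2 = Abstraction("u = t + b", (T1, SRC_B))
M1 = Call("y", None, T1)                                  # y = method1(t)
M2_SAME = Call(None, "y", T2)                             # y.method2(u)
M2_OTHER_BASE = Call(None, "z", T2)                       # z.method2(u)
M2_OTHER_SRC = Call(None, "y", Abstraction("v = b", (SRC_B,)))  # y.method2(v)

if __name__ == "__main__":
    for m2 in (M2_SAME, M2_OTHER_BASE, M2_OTHER_SRC):
        print(m2.base, sorted(find_sources(m2.arg_taint)), same_source_and_object(M1, m2))
```
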