[Soot-list] [Flowdroid taint propagation]

Arzt, Steven steven.arzt at sit.fraunhofer.de
Fri Feb 9 14:29:23 EST 2018


Hi Claudio,

That would be the most trivial approach that ignores aliasing. You can try that. If you find that you run into issues, you may want to query Soot's PointsToSets instead of simply comparing the locals.

Best regards,
  Steven

From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of claudio
Sent: Friday, February 9, 2018 6:05 PM
To: soot-list at cs.mcgill.ca
Subject: Re: [Soot-list] [Flowdroid taint propagation]


Hi Steven,

Thank you for your reply.



I thought about doing what you suggest. However, I also need to have a relation between the local assigned from method1 and the base object used to call method2. So ideally, assuming that method1 and method2 have the same source, I also need to be sure that the assigned value from method1 is the same one I use to call method2 from.

In a post processing phase, would it be enough to do something like:

if method1 has same source as method2; then
    stm1.getLeftOp().equals(stm2.getBase())

?



Bests,

Claudio

On 09/02/18 16:30, Arzt, Steven wrote:

Hi Claudio,



FlowDroid does not propagate the sources along with the individual taints for scalability reasons. If one method is called multiple times with different sources, the method would have to be analyzed once per source, if we would propagate the source as part of the taint. That's a waste of time, because the behavior of the method doesn't change depending on the source. Therefore, we only propagate source-agnostic taints through the program. Each taint knows its predecessor(s). After the taint propagation is done, FlowDroid takes the list of taint abstractions that have reached a sink, and scans this tree backwards (i.e., the links from a given abstraction to its predecessor) to find the corresponding source. Consequently, you can't easily ask for the source during taint propagation.



What you can do is the following: You can define method1() and method2() as sources and run the taint propagation as usual. After the results are available, you can check whether the sources are identical for the two methods. In that case, you would have a standard taint propagation problem with a post-processing and would circumvent the problem of not having access to sources _during_ propagation.



Best regards,

  Steven



-----Original Message-----
From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of claudio
Sent: Friday, February 9, 2018 5:21 PM
To: soot-list at cs.mcgill.ca
Subject: Re: [Soot-list] [Flowdroid taint propagation]



of course it was y = method1(...);





Claudio





On 09/02/18 16:19, claudio wrote:

Dear all,

I am currently using FlowDroid to analyze an Android app. However, I need to detect particular situations. For example, consider this method sequence:

x = method1(....);

y.method2(...);

Now assume that method1 is called with a tainted value from a known source.

If method2 is called as well with a tainted value, then I want to check whether the taint as input in method2 comes from the same source as the one that is tainting its base object y.

Is there a way to achieve it? I was looking for some sort of taint Map where all the taints are stored, but I couldn't find it.





Thanks,



Claudio



_______________________________________________

Soot-list mailing list

Soot-list at CS.McGill.CA<mailto:Soot-list at CS.McGill.CA>

https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
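The post-processing discussed in this thread, as an added example that is not FlowDroid code and was not posted by either participant: a simplified Python model of source-agnostic taint abstractions with predecessor links, the backward scan that recovers sources, and the check that two calls share a source and a receiver. The class, the function names, the `points_to` map and the sample statements are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Abstraction:
    """Source-agnostic taint: the tainted value plus links to its predecessors."""
    stmt: str                     # statement at which this abstraction holds
    value: str                    # tainted local
    preds: tuple = ()             # predecessor abstractions (several at merges)
    source: Optional[str] = None  # set only on abstractions created at a source

def sources_of(at_sink):
    """Scan the predecessor links backwards and collect every source reached."""
    found, seen, stack = set(), set(), [at_sink]
    while stack:
        a = stack.pop()
        if id(a) in seen:          # shared predecessors are visited once
            continue
        seen.add(id(a))
        if a.source is not None:
            found.add(a.source)
        stack.extend(a.preds)
    return found

def shared_sources(abs1, abs2, assigned, base, points_to=None):
    """Sources common to both calls, or empty if the receiver is unrelated.

    assigned:  local on the left of `assigned = method1(...)`
    base:      receiver local of `base.method2(...)`
    points_to: optional {local: set of allocation sites} for the alias check
    """
    if assigned != base:
        pts = points_to or {}
        if not (pts.get(assigned, set()) & pts.get(base, set())):
            return set()
    return sources_of(abs1) & sources_of(abs2)

# Constructed sample: two sources, one merge, three calls.
SRC_A = Abstraction("a = getDeviceId()", "a", source="getDeviceId()")
SRC_B = Abstraction("b = getLine1Number()", "b", source="getLine1Number()")
MERGED = Abstraction("c = a + b", "c", (SRC_A, SRC_B))
CALL1 = Abstraction("y = method1(a)", "a", (SRC_A,))
CALL2 = Abstraction("y.method2(c)", "c", (MERGED,))
CALL3 = Abstraction("y.method2(b)", "b", (SRC_B,))

if __name__ == "__main__":
    print(shared_sources(CALL1, CALL2, "y", "y"))
    print(shared_sources(CALL1, CALL3, "y", "y"))
    print(shared_sources(CALL1, CALL2, "y", "y2", {"y": {"o1"}, "y2": {"o1"}}))
```

Comparing the two local names is the alias-ignoring check from the thread; the optional `points_to` map stands in for a points-to query when the receiver was copied into another local.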


