[Soot-list] Doubt in flowdroid alias analysis
Arzt, Steven
steven.arzt at sit.fraunhofer.de
Thu Jan 18 06:13:35 EST 2018
Hi,
FlowDroid uses its own alias analysis, because the one integrated in Soot has limitations. First and foremost, Soot’s PtS-based analysis only handles base objects and single field dereferences. FlowDroid, on the other hand, uses access paths, which model sequences of field dereferences with an arbitrary length. Secondly, we need a context-sensitive alias analysis, which Soot does not provide. You can read up on the details in my PhD thesis [1], which contains a complete section on aliasing.
The backwards analysis stops when it reaches an allocation site for the base value for the access path which it is currently propagating. In other words, when going back, we check whether the current variable (base of the access path) is overwritten. If so, no aliases can be created before.
Best regards,
Steven
[1] http://tuprints.ulb.tu-darmstadt.de/5937/
From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of Sri Shaila G
Sent: Thursday, January 18, 2018 1:20 AM
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] Doubt in flowdroid alias analysis
Hi,
I have a doubt in flowdroid. My doubts are as follows.
1.I understand that you are using the backwards analysis in flowdroid to find out the aliases of the tainted variables. Why did you choose the backwards analysis method to find the aliases instead of using the pointsToAnalysis in Soot.
2. When does the backwards analysis stop?
Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20180118/fc8bf739/attachment.html>
More information about the Soot-list
mailing list