List:       soot-list
Subject:    [Soot-list] Inquiry on analyzing fields using IFDS
From:       Edward Suhkoi <edward.suhkoi () gmail ! com>
Date:       2014-11-26 12:52:41
Message-ID: CAHLxGC47zmy=P4Q7OMuXF1_wO0auWie6=yv9zdCjNi6PN+EJ4w () mail ! gmail ! com
Hi all:

I'm implementing a small demo IFDS simple taint analysis (on a forward
icfg) and had some problems regarding instance fields; would you kindly
shed some light on this?

1)
For the following code snippet:

> class Test
> {
>     String string = source();
>
>     void test() // CallFlow, fact: <Test.string>
>     {
>         string = "OVERWRITTEN"; // NormalFlow, fact gets killed
>                                 // ReturnFlow, no fact
>     }
>
>     void final() //
>     {
>         sink(string);
>     }
>
>     public static void main(String[] args)
>     {
>         Test t = new Test(); // <init> fact: <Test.string>
>         t.test(); // however, CallToReturn still preserves the fact <Test.string>;
>                   // how does it know the fact is indirectly killed inside t.test()?
>                   // Since the data fact at CallToReturn is "merged" with the data fact
>                   // from ReturnFlowFunction, if I understood correctly.
>         t.final();
>     }
> }


One can see that first a taint is generated at Test.<init>, then transferred
to Test.string, and Test.string is overwritten in test(), so I have some
questions here:

1) In my implementation, data facts of fields will be propagated in
CallFlowFunction. If a data fact gets killed in this function, how does the data
fact "outside" this function call get to know this? Because the field taint
data fact also exists in NormalFlowFunction and CallToReturnFlowFunction
"outside" function test() "in" function main(), but the field taint data is
killed inside the function call, how do we get to erase data facts "outside"
this function call?

2) I wonder how FlowDroid addresses this problem? Thanks.
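The following is an added illustration, not code from the original post or from Heros/FlowDroid: a toy IFDS-style propagation over the Test class above, with the four flow functions written out so that the two behaviours of the call-to-return edge can be compared (preserving every fact at the call site versus dropping the facts that were handed to the callee and letting return flow bring back only the survivors). The program representation and all names are constructed for the example.

```python
# Toy IFDS-style taint propagation over the Test class from the question.
# Added example, not Heros/FlowDroid code: it models only the four flow
# functions on a tiny hand-built ICFG; every name here is constructed.
from typing import FrozenSet

Facts = FrozenSet[str]
FIELD = "Test.string"

# Constructed program: each method body as a list of (kind, payload) statements.
PROGRAM = {
    "main": [("call", "<init>"), ("call", "test"), ("call", "final")],
    "<init>": [("assign", (FIELD, "source()"))],     # String string = source();
    "test": [("assign", (FIELD, '"OVERWRITTEN"'))],   # string = "OVERWRITTEN";
    "final": [("sink", FIELD)],                       # sink(string);
}

def normal_flow(stmt, facts: Facts) -> Facts:
    """Assignment to a field: gen the fact for a source, kill it for anything else."""
    lhs, rhs = stmt[1]
    facts = facts - {lhs}                     # strong update on the field
    return facts | {lhs} if rhs == "source()" else facts

def call_flow(facts: Facts) -> Facts:
    """Field facts are heap facts: they travel into the callee unchanged."""
    return facts

def return_flow(facts_at_exit: Facts) -> Facts:
    """Whatever field facts survive the callee come back to the return site."""
    return facts_at_exit

def call_to_return(facts: Facts, passed: Facts, kill_passed: bool) -> Facts:
    """If this edge keeps every fact, a kill inside the callee is invisible at the
    return site. Dropping the facts handed to the callee makes return_flow the
    only way they can reappear, which is exactly when the callee kept them."""
    return facts - passed if kill_passed else facts

def run_method(name: str, facts: Facts, kill_passed: bool, hits: set) -> Facts:
    for stmt in PROGRAM[name]:
        if stmt[0] == "assign":
            facts = normal_flow(stmt, facts)
        elif stmt[0] == "sink":
            if stmt[1] in facts:
                hits.add(name)
        else:  # call: merge the call-to-return edge with what return_flow brings back
            passed = call_flow(facts)
            at_exit = run_method(stmt[1], passed, kill_passed, hits)
            facts = call_to_return(facts, passed, kill_passed) | return_flow(at_exit)
    return facts

def sinks_reached(kill_passed: bool) -> set:
    """Names of methods whose sink() received a tainted value."""
    hits: set = set()
    run_method("main", frozenset(), kill_passed, hits)
    return hits
```

With `kill_passed=False` the taint still reaches `sink(string)` in `final()` (the false positive described in the question); with `kill_passed=True` it does not, because the overwrite in `test()` is the only path by which `<Test.string>` could have returned. Note that the kill in `normal_flow` assumes a strong update on a single known receiver, which a real heap-aware analysis would have to justify through aliasing information.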

