
Taint tracking with objects #26

Closed
zavalyshyn opened this issue Aug 11, 2016 · 4 comments

Comments

@zavalyshyn

Hi,

I have a simple program that gets an integer and prints it.

    public class Example {
        public static int getData() {
            return 111;
        }

        public static void outputData() {
            int record = getData();
            String line = Integer.toString(record);
            // not tracked by Phosphor
            System.out.println(line);
            // tracked by Phosphor
            System.out.println(record);
        }

        public static void main(String[] args) {
            outputData();
        }
    }

I specify the getData()I method as a source and these methods as sinks:

    java/io/PrintStream.println(D)V
    java/io/PrintStream.println(F)V
    java/io/PrintStream.println(J)V
    java/io/PrintStream.println(Ljava/lang/Object;)V
    java/io/PrintStream.println(Ljava/lang/String;)V
    java/io/PrintStream.println([C)V
    java/io/PrintStream.println()V
    java/io/PrintStream.println(Z)V
    java/io/PrintStream.println(C)V
    java/io/PrintStream.println(I)V

Phosphor throws an illegal exception when I try to print the received integer as it is. However, when I convert the received integer to a string and print it, Phosphor does nothing. I'm using an obj-instrumented JRE with the -multiTaint flag. I instrument the code with the -multiTaint flag as well.

@zavalyshyn
Author

I've asked José Pablo Cambronero to check that on his side and he confirmed the issue and added the examples to the phosphor-examples repository (he was using the instrumentation API though, not the automatic instrumentation). This is his latest commit.

Below I quote his reply to me.

I've gone ahead and tried this out using the explicit Phosphor API, rather than the automated approach (to isolate any potential issues there). And I see the same behavior with the taint info dropping (at least partially in the case of object tags and fully in the case of int tags). The examples are for object tags (testExample6) and for integer tags (testExample7).

I'm not entirely sure why this is. I looked at the bytecode for the object example (testExample5) in a non-pre-instrumented JAR, and I see the call to Integer.toString clearly instrumented.


Similarly with a pre-instrumented JAR (albeit a slightly different signature), but in both cases the actual dependencies are dropped on the String object that came from the tainted int.

Something similar happens with int tags (resulting in 0 for the String).

@jon-bell
Collaborator

Yes... I am working on a patch to force tags to be propagated in this scenario.

If you refer back to the end of section 4.4 and figure 4 in the paper, you should see a very brief discussion that hints at what's going on: the same sort of thing happens when you convert an int to an Integer. There is no direct data flow relationship between the input and output, but given that it is part of a standard API, you would imagine that we would just patch around it. I will get that patch in soon but am just coming back from 2 weeks of honeymoon so have been a little busy (and apologize for delays in the past few weeks) :)
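A regression check for the two conversions discussed in this thread (int to String via Integer.toString, and int to Integer), added here as an example and not code from this issue or from the Phosphor repository. It assumes Phosphor's explicit API as I know it: MultiTainter.taintedInt(int, label) to label a primitive and MultiTainter.getTaint(Object) returning null when an object carries no tag; the class name and the label string are made up, and the class must be instrumented and run on an obj-instrumented JRE with -multiTaint, as in the report above.

```java
import edu.columbia.cs.psl.phosphor.runtime.MultiTainter;

// Hypothetical class name; not part of Phosphor or of this issue's examples.
public class WrapperPropagationCheck {

    // Stand-in for the issue's getData(): label the value explicitly with
    // the explicit API instead of relying on the -taintSources list.
    // "getData" is a made-up label.
    static int getData() {
        return MultiTainter.taintedInt(111, "getData");
    }

    // The case reported in this issue: does the tag reach the String?
    static boolean survivesToString() {
        int record = getData();
        String line = Integer.toString(record);
        return MultiTainter.getTaint(line) != null;
    }

    // The related case from the paper: does the tag reach the boxed Integer?
    static boolean survivesBoxing() {
        int record = getData();
        Integer boxed = Integer.valueOf(record);
        return MultiTainter.getTaint(boxed) != null;
    }

    public static void main(String[] args) {
        // The report above observes the toString case coming out untagged;
        // once the wrapper propagation patch is in, both should be true.
        System.out.println("tag survives Integer.toString: " + survivesToString());
        System.out.println("tag survives Integer.valueOf:  " + survivesBoxing());
    }
}
```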

@zavalyshyn
Author

Great. Thanks Jon.
No worries about the delays, especially during and after the honeymoon. Congrats, by the way.

jon-bell added a commit that referenced this issue Aug 12, 2016
…or all primitive wrappers, with tests, and for all 3 configuration modes
@jon-bell
Collaborator

This should be tidied up now in 9c997f5.
