FlowDroid fails to propagate taint when involving type casting #470
InfoflowConfiguration is:

```java
import soot.jimple.infoflow.InfoflowConfiguration;

protected static InfoflowConfiguration globalConf;

public static void initEnv() {
    // reset soot env
    soot.G.reset();
    System.gc();
    // init configuration
    // config information flow
    globalConf = new InfoflowConfiguration();
    // more precise call graph algorithm
    globalConf.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);
    globalConf.setImplicitFlowMode(InfoflowConfiguration.ImplicitFlowMode.AllImplicitFlows);
    // globalConf.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.PropagateConstants);
    globalConf.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
    globalConf.getAccessPathConfiguration().setAccessPathLength(20);
    globalConf.getSolverConfiguration().setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
    globalConf.setMaxThreadNum(-1);
    globalConf.setInspectSources(false);
    globalConf.setInspectSinks(false);
    globalConf.setAliasingAlgorithm(InfoflowConfiguration.AliasingAlgorithm.FlowSensitive);
    globalConf.setFlowSensitiveAliasing(true);
    globalConf.setStopAfterFirstFlow(false);
    globalConf.setStaticFieldTrackingMode(InfoflowConfiguration.StaticFieldTrackingMode.ContextFlowSensitive);
    // do not track exception
    globalConf.setEnableExceptionTracking(false);
    globalConf.setOneSourceAtATime(true);
    globalConf.getPathConfiguration().setPathReconstructionMode(InfoflowConfiguration.PathReconstructionMode.Precise);
    globalConf.getSolverConfiguration().setMaxJoinPointAbstractions(-1);
    LOGGER.info("information flow config done.");
}
```
How did you specify your sources and sinks? Did you just place the map-get into The paper would have benefited from asking here... Concerning your configuration: Why do you enable "one source at a time"? There are only very few use cases for this option. Access Path length 20 is quite a lot and is very unlikely to scale on real-world applications.
Thanks for your concern, I am a freshman. I use a class
So, the question is: Why can SPARK not propagate taint in this case?
RTA performs an over-approximation. This may lead to additional leaks. However, it is not a proper solution in most cases. Your second post seems to relate to another test application. There is no call to For proper handling of library classes such as Your approach of duplicating the source/sink manager is technically possible, but unnecessarily complex. You can use FlowDroid's built-in mechanisms such as the XML-based specification language.
Sorry, I did not describe my case clearly. I instrument a sink
Sorry, I am a freshman who is learning FlowDroid, and I wanna know why you say "In your case, you want to taint the base object"?
You need to taint the base object
You have a special case, and the more expressive XML format for sources and sinks can be used to model such cases.
I am considering: Is the real problem in the handling of library classes?
May I ask how you define the stmt
I instrument a customized sink method before the if statement. You can think about
@jimmy66688 @zhouyuhao1018 how do you instrument a customised sink before if statements? Can you please explain a bit? Thanks.
Considering this running example:
the source method signature is
"<java.util.Map: java.lang.Object get(java.lang.Object)>"
the sink we focus on is every if statement, so I instrument a dummy sink void sink(Object o) before every if statement, so that I can track if
the log shows that
[main] WARN No results found.
So, the question I wanna know is: What causes this? I found a paper, Analyzing Android Taint Analysis Tools: FlowDroid, Amandroid, and DroidSafe, that described this problem, but without any solution.