soot.jimple.infoflow.results.ResultSourceInfo Java Examples

The following examples show how to use soot.jimple.infoflow.results.ResultSourceInfo.
Example #1
Source File: SMTPreparationPhase.java    From FuzzDroid with Apache License 2.0
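/**
 * Finds the first data flow whose path reaches the given sink with the given local.
 *
 * <p>A flow matches when its path contains {@code sinkStmt} at a position whose access
 * path has {@code sinkLokal} as plain value, or when the path contains an assignment
 * whose left-hand side is {@code sinkLokal}. All comparisons are by object identity.
 * A path entry equal to {@code sinkStmt} is never additionally tested as an assignment.
 *
 * @param sinkStmt the sink statement to look for on each path
 * @param sinkLokal the local that has to carry the tracked data
 * @param allDataFlows candidate flows, searched in iteration order
 * @return the first matching flow, or {@code null} when no flow matches
 */
private ResultSourceInfo findDataFlowPathForSink(Stmt sinkStmt, Local sinkLokal, List<ResultSourceInfo> allDataFlows) {
	for (ResultSourceInfo candidate : allDataFlows) {
		Stmt[] path = candidate.getPath();
		AccessPath[] pathAccessPaths = candidate.getPathAccessPaths();

		// getPath() can be null when a flow was reported without path information;
		// such a flow cannot be matched, so skip it instead of failing with an NPE.
		if (path == null)
			continue;

		for (int i = 0; i < path.length; i++) {
			Stmt current = path[i];
			if (current == sinkStmt) {
				// The access-path array is indexed in parallel to the statement array;
				// guard against it being absent or shorter than the path.
				boolean hasAccessPath = pathAccessPaths != null
						&& i < pathAccessPaths.length
						&& pathAccessPaths[i] != null;
				if (hasAccessPath && pathAccessPaths[i].getPlainValue() == sinkLokal)
					return candidate;
			}
			else if (current instanceof AssignStmt) {
				Value leftOp = ((AssignStmt) current).getLeftOp();
				if (leftOp == sinkLokal)
					return candidate;
			}
		}
	}
	return null;
}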
 
Example #2
Source File: Test.java    From JAADAS with GNU General Public License v3.0
/**
 * Prints every reported taint flow: each sink, then each source that reaches it
 * together with the signature of the method containing the source, and the
 * propagation path when one is present and non-empty.
 *
 * @param cfg control-flow graph used to look up the method containing a source
 * @param results analysis results; {@code null} is reported as "No results found."
 */
@Override
public void onResultsAvailable(
		IInfoflowCFG cfg, InfoflowResults results) {
	// Nothing to dump when the analysis handed over no result object
	if (results == null) {
		print("No results found.");
		return;
	}

	for (ResultSinkInfo sink : results.getResults().keySet()) {
		print("Found a flow to sink " + sink + ", from the following sources:");
		for (ResultSourceInfo source : results.getResults().get(sink)) {
			print("\t- " + source.getSource() + " (in "
					+ cfg.getMethodOf(source.getSource()).getSignature()  + ")");

			// The path is optional: print it only when it exists and has entries
			boolean hasPath = source.getPath() != null && !source.getPath().isEmpty();
			if (hasPath) {
				print("\t\ton Path " + source.getPath());
			}
		}
	}
}
 
Example #3
Source File: FlowDroidLauncher.java    From soot-infoflow-android-iccta with GNU Lesser General Public License v2.1
/**
 * Stores the CFG and the results in the static fields of {@code Test} and prints
 * every reported taint flow: each sink, each source reaching it with the signature
 * of the method containing the source, and the path array when one is present.
 *
 * @param cfg control-flow graph used to look up the method containing a source
 * @param results analysis results; {@code null} is reported as "No results found."
 */
@Override
public void onResultsAvailable(
		IInfoflowCFG cfg, InfoflowResults results) {
	// Nothing to keep or dump when the analysis handed over no result object
	if (results == null) {
		print("No results found.");
		return;
	}

	// Keep both objects reachable for code that runs after the callback
	Test.cfg = cfg;
	Test.results = results;

	for (ResultSinkInfo sink : results.getResults().keySet()) {
		print("Found a flow to sink " + sink + ", from the following sources:");
		for (ResultSourceInfo source : results.getResults().get(sink)) {
			print("\t- " + source.getSource() + " (in "
					+ cfg.getMethodOf(source.getSource()).getSignature()  + ")");

			// The path is optional; an empty array is still printed (as "[]")
			boolean hasPath = source.getPath() != null;
			if (hasPath) {
				print("\t\ton Path " + Arrays.toString(source.getPath()));
			}
		}
	}
}
 
Example #4
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Collects the data categories of all given FlowDroid sources.
 *
 * <p>For a source that contains an invoke expression, the category of every configured
 * source definition with the same method signature is added; if no definition matches,
 * that source contributes nothing. A source that is a method parameter contributes
 * {@code unknownCategory}.
 *
 * @param sourcesInfo the sources whose categories are wanted
 * @return the collected category names; empty when nothing was added
 * @throws RuntimeException if a source is neither an invocation nor a parameter
 */
private Set<String> getDataIdList(Set<ResultSourceInfo> sourcesInfo){
	Set<String> categories = new HashSet<String>();

	for (ResultSourceInfo sourceInfo : sourcesInfo) {
		if (!sourceInfo.getSource().containsInvokeExpr()) {
			// Not a call: only parameter sources are understood here
			if (!isSourceInfoParameter(sourceInfo)) {
				throw new RuntimeException("Currently not supported");
			}
			categories.add(unknownCategory);
			continue;
		}

		InvokeExpr invoke = sourceInfo.getSource().getInvokeExpr();
		for (SourceSinkDefinition definition : sources) {
			// Every configured definition is expected to wrap an AndroidMethod
			AndroidMethod configured = (AndroidMethod) definition.getMethod();
			boolean sameMethod = configured.getSignature().equals(invoke.getMethod().getSignature());
			if (sameMethod) {
				categories.add(configured.getCategory().toString());
			}
		}
	}

	return categories;
}
 
Example #5
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Returns the data category of a single FlowDroid source.
 *
 * <p>For a source containing an invoke expression this is the category of the first
 * configured source definition with the same method signature. For a parameter source
 * it is {@code unknownCategory}.
 *
 * @param sourceInfo the source to classify
 * @return the category name, or {@code null} when the source is an invocation that
 *         matches no configured definition; callers have to handle that case
 *         explicitly rather than reading it as "no category applies"
 * @throws RuntimeException if the source is neither an invocation nor a parameter
 */
private String getSourceCategory(ResultSourceInfo sourceInfo){
	if (!sourceInfo.getSource().containsInvokeExpr()) {
		// Not a call: only parameter sources are understood here
		if (isSourceInfoParameter(sourceInfo)) {
			return unknownCategory;
		}
		throw new RuntimeException("Currently not supported");
	}

	InvokeExpr invoke = sourceInfo.getSource().getInvokeExpr();
	for (SourceSinkDefinition definition : sources) {
		// Every configured definition is expected to wrap an AndroidMethod
		AndroidMethod configured = (AndroidMethod) definition.getMethod();
		boolean sameMethod = configured.getSignature().equals(invoke.getMethod().getSignature());
		if (sameMethod) {
			return configured.getCategory().toString();
		}
	}

	// Invocation that is not among the configured sources
	return null;
}
 
Example #6
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Tells whether the source {@code si} is a call to an inter-component communication
 * source method such as "Intent.getExtras()".
 *
 * <p>The called method is compared by sub-signature only (name, parameter and return
 * types) against the configured sources of category
 * {@code CATEGORY.INTER_APP_COMMUNICATION}; the declaring class is not compared, so a
 * method of another class with the same sub-signature also matches. A match is logged
 * at info level.
 *
 * @param si the source to inspect
 * @param cfg not used by this method
 * @return {@code true} if the source calls a matching method; {@code false} otherwise,
 *         including when the source contains no invoke expression
 */
private boolean isInterComponentSourceNoCallback(ResultSourceInfo si, BiDiInterproceduralCFG<Unit, SootMethod> cfg){
	if (!si.getSource().containsInvokeExpr()) {
		return false;
	}

	SootMethod invoked = si.getSource().getInvokeExpr().getMethod();

	for (SourceSinkDefinition definition : sources) {
		// Every configured definition is expected to wrap an AndroidMethod
		AndroidMethod configured = (AndroidMethod) definition.getMethod();
		boolean isIccSource = configured.getCategory() == CATEGORY.INTER_APP_COMMUNICATION;
		if (isIccSource && configured.getSubSignature().equals(invoked.getSubSignature())) {
			log.info("source is: "+ configured);
			return true;
		}
	}

	return false;
}
 
Example #7
Source File: UtilSMT.java    From FuzzDroid with Apache License 2.0
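/**
 * Returns a copy of the given flows without those whose path is subsumed by the path
 * of another flow.
 *
 * <p>A flow is subsumed when every statement of its path also occurs in the path of a
 * different flow (containment is set-like; order and multiplicity are ignored). When
 * two flows subsume each other because their paths hold the same statements, exactly
 * one of them is kept, so that the flow is not lost from the result altogether. Flows
 * without a path are kept unchanged and never subsume another flow.
 *
 * @param allDataFlows the flows to reduce; not modified
 * @return a new set holding the flows that are not subsumed by a retained flow
 */
public static Set<ResultSourceInfo> removeDuplicatedFlows(Set<ResultSourceInfo> allDataFlows) {
	Set<ResultSourceInfo> remaining = new HashSet<ResultSourceInfo>(allDataFlows);

	for (ResultSourceInfo candidate : allDataFlows) {
		Stmt[] candidatePath = candidate.getPath();
		// getPath() can be null when no path was recorded; nothing to compare then
		if (candidatePath == null)
			continue;

		for (ResultSourceInfo other : allDataFlows) {
			Stmt[] otherPath = other.getPath();
			// Skip flows without a path and the candidate's own path array
			if (otherPath == null || otherPath == candidatePath)
				continue;

			// Drop the candidate only while the subsuming flow is itself still retained.
			// Without this check two flows with the same statements remove each other
			// and the flow silently disappears from the analysis input.
			if (remaining.contains(other)
					&& Arrays.asList(otherPath).containsAll(Arrays.asList(candidatePath))) {
				remaining.remove(candidate);
				break;
			}
		}
	}

	return remaining;
}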
 
Example #8
Source File: SMTPreparationPhase.java    From FuzzDroid with Apache License 2.0
/**
 * Prepares the data flows of {@code results} for the SMT converter.
 *
 * <p>Before doing so it switches off path-agnostic results through the static
 * {@code InfoflowConfiguration} setter; the setting is not restored afterwards.
 *
 * @return the flows produced by {@code prepareDataFlowsDependingOnControlFlow}
 */
public Set<ResultSourceInfo> prepareDataFlowPathsForSMTConverter() {
	// The flows are stored in a set. A ResultSourceInfo by itself stands for a source,
	// not for a whole data flow; with path-agnostic results switched off its equals
	// method also considers the path, so flows from one source stay distinct elements.
	InfoflowConfiguration.setPathAgnosticResults(false);

	// The preparation takes the control flow into account
	Set<ResultSourceInfo> preparedFlows =
			prepareDataFlowsDependingOnControlFlow(results, FrameworkOptions.mergeDataFlows);
	return preparedFlows;
}
 
Example #9
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Tells whether the source {@code si} is a parameter of a registered callback method.
 *
 * <p>The source has to be a parameter source, and the method containing it has to be
 * listed, by signature, among the callback functions that {@code entryPointCreator}
 * records for the method's declaring class.
 *
 * @param si the source to inspect
 * @param cfg control-flow graph used to find the method containing the source
 * @return {@code true} if the source is a parameter of a known callback method
 */
private boolean isInterComponentSourceCallback(ResultSourceInfo si,
		BiDiInterproceduralCFG<Unit, SootMethod> cfg){
	if (!isSourceInfoParameter(si)) {
		return false;
	}

	SootMethod enclosing = cfg.getMethodOf(si.getSource());

	// No callbacks registered for the declaring class at all
	if (!entryPointCreator.getCallbackFunctions().containsKey(enclosing.getDeclaringClass())) {
		return false;
	}

	return entryPointCreator.getCallbackFunctions().get(enclosing.getDeclaringClass()).contains(enclosing.getSignature());
}
 
Example #10
Source File: SMTPreparationPhase.java    From FuzzDroid with Apache License 2.0
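/**
 * Builds a new flow from {@code originalPath} with the statements of
 * {@code pathToMerge} that it does not yet contain inserted in front of
 * {@code statementToEnrich}.
 *
 * <p>The statements to insert are determined against the unmodified original path and
 * keep their relative order, each together with its access path. When there is nothing
 * to insert, the result simply repeats the original path.
 *
 * @param statementToEnrich statement of the original path before which the additional
 *        statements are placed
 * @param originalPath flow that receives the additional statements; not modified
 * @param pathToMerge flow whose missing statements are inserted; not modified
 * @return a new {@code ResultSourceInfo} whose source statement and access path are the
 *         first entries of the merged path
 * @throws IndexOutOfBoundsException if there are statements to insert but
 *         {@code statementToEnrich} is not on the original path, or if a path is empty
 */
private static ResultSourceInfo mergeDataFlowsIntoSingleDataFlow(Stmt statementToEnrich, ResultSourceInfo originalPath, ResultSourceInfo pathToMerge) {
	List<Stmt> pathStmts = new ArrayList<Stmt>(Arrays.asList(originalPath.getPath()));
	List<AccessPath> accessPaths = new ArrayList<AccessPath>(Arrays.asList(originalPath.getPathAccessPaths()));

	Stmt[] mergeStmts = pathToMerge.getPath();
	AccessPath[] mergeAccessPaths = pathToMerge.getPathAccessPaths();

	// First pass: collect what is missing, compared against the unmodified original
	// path, so that a statement occurring twice in pathToMerge is also inserted twice.
	List<Pair<Stmt,AccessPath>> dataToMerge = new ArrayList<Pair<Stmt,AccessPath>>();
	for (int position = 0; position < mergeStmts.length; position++) {
		if (!pathStmts.contains(mergeStmts[position])) {
			dataToMerge.add(new Pair<Stmt,AccessPath>(mergeStmts[position], mergeAccessPaths[position]));
		}
	}

	if (!dataToMerge.isEmpty()) {
		int index = pathStmts.indexOf(statementToEnrich);
		// Inserting at index -1 would fail inside ArrayList with a message that says
		// nothing about the cause; fail with the same exception type but a clear reason.
		if (index < 0)
			throw new IndexOutOfBoundsException(
					"statementToEnrich is not part of the original path; cannot place merged statements");

		// Second pass: insert the collected pairs in order, keeping both lists parallel
		for (Pair<Stmt,AccessPath> pair : dataToMerge) {
			pathStmts.add(index, pair.getFirst());
			accessPaths.add(index, pair.getSecond());
			++index;
		}
	}

	return new ResultSourceInfo(accessPaths.get(0), pathStmts.get(0), null, pathStmts, accessPaths);
}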
 
Example #11
Source File: SmartConstantDataExtractorFuzzyAnalysis.java    From FuzzDroid with Apache License 2.0
/**
 * Converts one data flow into SMT programs, runs the Z3-str2 script on them and records
 * the extracted values as fuzzing seeds for the flow's source statement.
 *
 * <p>The path and the access paths are printed to standard output, as are the generated
 * program and every extracted value. The SMT programs are stored in
 * {@code dataFlowsToSMTPrograms}, the converter's dynamic value infos are merged into
 * {@code dynamicValueInfos}, and the values end up in {@code constantBasedValuesToFuzz}
 * under the code-position ID of the source statement.
 *
 * @param dataFlow the flow to convert; its path and access paths are read by index
 * @param cfg control-flow graph handed to the converter
 * @param preparedDataFlowsForSMT not read by this method
 * @param splitInfos handed to the converter unchanged
 * @throws RuntimeException if no file exists at {@code FrameworkOptions.Z3SCRIPT_LOCATION}
 */
private void standardDataFlowToSMTConvertion(ResultSourceInfo dataFlow, IInfoflowCFG cfg, Set<ResultSourceInfo> preparedDataFlowsForSMT, Table<Stmt, Integer, Set<String>> splitInfos) {
	SMTConverter converter = new SMTConverter(sources);
	// Trace the flow: one line per statement, followed by its access path
	for(int i = 0; i < dataFlow.getPath().length; i++) {				
		System.out.println("\t" + dataFlow.getPath()[i]);
		System.out.println("\t\t" + dataFlow.getPathAccessPaths()[i]);
	}
	
	converter.convertJimpleToSMT(dataFlow.getPath(),
			dataFlow.getPathAccessPaths(), targetUnits, cfg, splitInfos);
	
	// Remember the generated programs under a key built from the path
	dataFlowsToSMTPrograms.put(new DataFlowObject(dataFlow.getPath()), converter.getSmtPrograms());

	// Merge the dynamic value information gathered during the conversion
	dynamicValueInfos.putAll(converter.getDynamicValueInfos());
	
	converter.printProgramToCmdLine();
	
	// NOTE(review): only the existence of the script is checked before it is handed to
	// the executor; the configured location should point to a trusted file - confirm
	File z3str2Script = new File(FrameworkOptions.Z3SCRIPT_LOCATION);
	if(!z3str2Script.exists())
		throw new RuntimeException("There is no z3-script available");
	SMTExecutor smtExecutor = new SMTExecutor(converter.getSmtPrograms(), z3str2Script);
	Set<File> smtFiles = smtExecutor.createSMTFile();
	
	Set<Object> values = new HashSet<Object>();
	for(File smtFile : smtFiles) {
		String loggingPointValue = smtExecutor.executeZ3str2ScriptAndExtractLoggingPointValue(smtFile);
		if(loggingPointValue != null) {					
			// The fix-up may return null, hence the repeated null checks below
			loggingPointValue = fixSMTSolverIntegerOutput(loggingPointValue, dataFlow.getPath()[0]);					
			
			// In some cases the SMT solver returns hex-escaped UTF-8 values; those are
			// additionally handed to the project's own converter
			if(loggingPointValue != null && loggingPointValue.contains("\\x")) 
				addAdditionalUnicodeValue(loggingPointValue, values);
			if(loggingPointValue != null)
				values.add(loggingPointValue);
			// Printed even when the fix-up returned null
			System.out.println(String.format("Extracted loggingpoint-value: %s", loggingPointValue));
		}
	}
	
	System.out.println("####################################");
	
	// Add the values to the fuzzing seeds of the source statement's code position
	Stmt stmt = dataFlow.getSource();
	CodePosition position = codePositionManager.getCodePositionForUnit(stmt);
	if(constantBasedValuesToFuzz.containsKey(position.getID()))
		constantBasedValuesToFuzz.get(position.getID()).addAll(values);
	else
		constantBasedValuesToFuzz.put(position.getID(), values);
}
 
Example #12
Source File: SmartConstantDataExtractorFuzzyAnalysis.java    From FuzzDroid with Apache License 2.0
/**
 * Handles a data flow that starts at a split-API call: converts the flow without its
 * first statement into SMT programs, runs the Z3-str2 script on them and records the
 * extracted values in {@code splitInfos} under the split statement and the constant
 * array index.
 *
 * <p>Nothing is converted unless the reduced flow uses a constant array index. The
 * path, the generated program and every extracted value (including {@code null}) are
 * printed to standard output.
 *
 * @param dataFlow the flow to convert; its first path entry is the split statement
 * @param cfg control-flow graph handed to the converter
 * @param preparedDataFlowsForSMT not read by this method
 * @param splitInfos receives the extracted values per split statement and array index
 * @throws RuntimeException if no file exists at {@code FrameworkOptions.Z3SCRIPT_LOCATION}
 */
private void splitAPI_DataFlowtoSMTConvertion(ResultSourceInfo dataFlow, IInfoflowCFG cfg, Set<ResultSourceInfo> preparedDataFlowsForSMT, Table<Stmt, Integer, Set<String>> splitInfos) {			
	SMTConverter converter = new SMTConverter(sources);
	// Trace the flow: one line per statement, followed by its access path
	for(int i = 0; i < dataFlow.getPath().length; i++) {				
		System.out.println("\t" + dataFlow.getPath()[i]);
		System.out.println("\t\t" + dataFlow.getPathAccessPaths()[i]);
	}
	
	// Drop the first statement (the split-API call) from the path.
	// An empty path would make n negative and the array allocation fail.
	int n = dataFlow.getPath().length-1;
	Stmt[] reducedDataFlow = new Stmt[n];
	System.arraycopy(dataFlow.getPath(), 1, reducedDataFlow, 0, n);
				
	// Currently only possible if there is a constant index for the array
	if(hasConstantIndexAtArrayForSplitDataFlow(reducedDataFlow)) {
		String valueOfInterest = getValueOfInterestForSplitDataflow(reducedDataFlow);
		
		// NOTE(review): the statements are shifted by one but the access-path array is
		// passed in full, so entry i of one no longer lines up with entry i of the
		// other - confirm that the converter expects this
		converter.convertJimpleToSMT(reducedDataFlow,
				dataFlow.getPathAccessPaths(), targetUnits, cfg, null);
					
		converter.printProgramToCmdLine();
		
		// NOTE(review): only the existence of the script is checked before it is handed
		// to the executor; the configured location should point to a trusted file - confirm
		File z3str2Script = new File(FrameworkOptions.Z3SCRIPT_LOCATION);
		if(!z3str2Script.exists())
			throw new RuntimeException("There is no z3-script available");
		SMTExecutor smtExecutor = new SMTExecutor(converter.getSmtPrograms(), z3str2Script);
		Set<File> smtFiles = smtExecutor.createSMTFile();
		
		for(File smtFile : smtFiles) {
			String loggingPointValue = smtExecutor.executeZ3str2ScriptAndExtractValue(smtFile, valueOfInterest);
			if(loggingPointValue != null) {
				Stmt splitStmt = dataFlow.getPath()[0];
				int index = getConstantArrayIndexForSplitDataFlow(reducedDataFlow);
				
				// Append to the value set of this (statement, index) cell, creating it on first use
				if(splitInfos.contains(splitStmt, index))
					splitInfos.get(splitStmt, index).add(loggingPointValue);
				else {
					Set<String> values = new HashSet<String>();
					values.add(loggingPointValue);
					splitInfos.put(splitStmt, index, values);
				}
			}
			// Printed for every SMT file, also when no value was extracted
			System.out.println(loggingPointValue);
		}
		
		System.out.println("####################################");
	}			
}
 
Example #13
Source File: StringToPrimitiveTypeExtractorDataflowHandler.java    From FuzzDroid with Apache License 2.0
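/**
 * Records, for every source that flows into a string-to-primitive parse method, a small
 * fixed set of strings that the parse method accepts.
 *
 * <p>The values depend only on the sink's method signature: "true"/"false" for
 * {@code Boolean.parseBoolean}, "0"/"42" for the integral parse methods (with and
 * without radix), "0"/"42.0" for {@code Double.parseDouble} and "0"/"20.75f" for
 * {@code Float.parseFloat}. For any other sink an empty set is recorded. The set is
 * stored in {@code valuesToFuzz} under the code-position ID of each source; all sources
 * of one sink share the same set object.
 *
 * @param cfg not used by this method
 * @param results analysis results; nothing is recorded when this is {@code null}
 */
@Override
public void onResultsAvailable(IInfoflowCFG cfg, InfoflowResults results) {
	// The analysis hands over null when it has nothing to report
	if (results == null)
		return;

	for (ResultSinkInfo sinkInfo : results.getResults().keySet()) {
		Stmt sink = sinkInfo.getSink();
		InvokeExpr sinkExpr = sink.getInvokeExpr();
		SootMethod sinkMethod = sinkExpr.getMethod();

		Set<Object> values = new HashSet<Object>();

		// Soot prints parameter lists without a space after the comma, and the JDK
		// method is Integer.parseInt (there is no parseInteger); labels written any
		// other way can never equal a signature returned by getSignature().
		switch (sinkMethod.getSignature()) {
			case "<java.lang.Boolean: boolean parseBoolean(java.lang.String)>":
				values.add("true");
				values.add("false");
				break;

			// two fixed sample values for all integral types
			case "<java.lang.Byte: byte parseByte(java.lang.String)>":
			case "<java.lang.Byte: byte parseByte(java.lang.String,int)>":
			case "<java.lang.Short: short parseShort(java.lang.String)>":
			case "<java.lang.Short: short parseShort(java.lang.String,int)>":
			case "<java.lang.Integer: int parseInt(java.lang.String)>":
			case "<java.lang.Integer: int parseInt(java.lang.String,int)>":
			case "<java.lang.Long: long parseLong(java.lang.String)>":
			case "<java.lang.Long: long parseLong(java.lang.String,int)>":
				values.add("0");
				values.add("42");
				break;

			// two fixed sample values
			case "<java.lang.Double: double parseDouble(java.lang.String)>":
				values.add("0");
				values.add("42.0");
				break;

			// two fixed sample values; parseFloat accepts the trailing type suffix
			case "<java.lang.Float: float parseFloat(java.lang.String)>":
				values.add("0");
				values.add("20.75f");
				break;

			default:
				// unknown sink: the sources still get an (empty) entry below
				break;
		}

		// Register the values for every source that reaches this sink
		Set<ResultSourceInfo> sourceInfos = results.getResults().get(sinkInfo);
		for (ResultSourceInfo sourceInfo : sourceInfos) {
			Stmt source = sourceInfo.getSource();
			int sourceID = codePositionManager.getCodePositionForUnit(source).getID();
			valuesToFuzz.put(sourceID, values);
		}
	}
}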
 
Example #14
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Runs the bytecode instrumentation once FlowDroid has delivered its results.
 *
 * <p>The method logs the analysis duration and restarts the timer, keeps the results in
 * {@code this.results}, lists them at debug level, and then instruments the app in a
 * fixed order: PEP initialisation code, the WaitPDP activity, the package-name constant
 * of the instrumentation helper class, and finally the access-control checks. Jimple
 * bodies are dumped afterwards when the settings ask for it.
 *
 * @param cfg control-flow graph handed to the access-control instrumentation
 * @param results analysis results; dereferenced when debug logging is enabled
 */
@Override
public void onResultsAvailable(IInfoflowCFG cfg, InfoflowResults results) {
	log.info("FlowDroid has finished. Duration: " + (System.currentTimeMillis() - Main.startTime) +" ms.");
	// Restart the timer for the phase that follows
	Main.startTime = System.currentTimeMillis();
	Settings.instance.setDummyMainToLibraryClass();
	this.results = results;
	
	// List every sink with the sources that reach it, debug level only
	if (log.isDebugEnabled()) {
		log.debug("");
		log.debug("InfoFlow Results");
		MultiMap<ResultSinkInfo, ResultSourceInfo> r = results.getResults();
		for (ResultSinkInfo k : r.keySet()) {
			log.debug("ResultSinkInfo: "+ k);

			for (ResultSourceInfo rsi: r.get(k)) {
				log.debug("  source: "+ rsi);
			}
		}
		log.debug("");
	}


	log.info("Starting bytecode instrumentation.");
	
	log.info("Adding code to initialize PEPs.");
	Util.initializePePInAllPossibleClasses(Settings.instance.getApkPath());
	
	// Building the code has to be done here (not in the Main class), otherwise Jimple
	// validation will fail
	log.info("Build code for new 'WaitPDPActivity"); // building the code has to be done here (not in the Main class, otherwise Jimple validation will fail
	String mainActivityClass = UpdateManifestAndCodeForWaitPDP.getMainActivityName(Settings.instance.getApkPath());
	String packageName = UpdateManifestAndCodeForWaitPDP.getApplicationPackageName(Settings.instance.getApkPath());
	UpdateManifestAndCodeForWaitPDP.updateWaitPDPActivity(packageName, mainActivityClass);
	
	// Write the app's package name into the "applicationPackageName" field of the
	// instrumentation helper class
	SootClass sc = Scene.v().getSootClass(Settings.INSTRUMENTATION_HELPER_JAVA);
	SootField sf1 = sc.getFieldByName("applicationPackageName");
	Util.changeConstantStringInField(sf1, packageName);
	
	log.info("Adding Policy Enforcement Points (PEPs).");
	doAccessControlChecks(cfg);
	
	log.info("Instrumentation is done.");
	
	// Optional dump of the instrumented Jimple bodies
	if (Settings.mustOutputJimple()) {
		log.info("-------- Dumping Jimple bodies.");
		Main.dumpJimple();
		log.info("--------");
	}
}
 
Example #15
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Generates the Jimple statements that attach the data categories of the given sources
 * to the Intent passed to an inter-component sink.
 *
 * <p>The generated code creates a {@code java.util.HashSet}, adds every category as a
 * string constant and calls {@code addTaintInformationToIntent} on the instrumentation
 * helper class with the sink's first argument (the Intent) and the set. The statements
 * are only returned; inserting them is left to the caller.
 *
 * @param cfg control-flow graph used to find the method containing {@code unit}
 * @param unit the statement that contains the sink call
 * @param sinkExpr the sink invocation; its first argument is taken as the Intent
 * @param sourceInfo the sources whose categories are attached
 * @return the generated statements in execution order, or an empty list when the
 *         invoked method is not an inter-component sink
 * @throws RuntimeException if the method containing {@code unit} has no active body
 */
private List<Unit> instrumentIntentAddings(BiDiInterproceduralCFG<Unit, SootMethod> cfg,
		Unit unit, InvokeExpr sinkExpr, Set<ResultSourceInfo> sourceInfo){
	if (!isMethodInterComponentSink(sinkExpr.getMethod())) {
		return Collections.emptyList();
	}

	SootMethod enclosingMethod = cfg.getMethodOf(unit);
	if (!enclosingMethod.hasActiveBody()) {
		throw new RuntimeException("No body found!");
	}
	Body enclosingBody = enclosingMethod.retrieveActiveBody();

	Set<String> categories = getDataIdList(sourceInfo);

	final String setTypeName = "java.util.HashSet";
	List<Unit> instrumentation = new ArrayList<Unit>();

	// <fresh local> = new java.util.HashSet
	Local categorySet = generateFreshLocal(enclosingBody, RefType.v(setTypeName));
	NewExpr allocation = Jimple.v().newNewExpr(RefType.v(setTypeName));
	instrumentation.add(Jimple.v().newAssignStmt(categorySet, allocation));

	// call the no-argument constructor on the new object
	SpecialInvokeExpr initCall = Jimple.v().newSpecialInvokeExpr(categorySet, Scene.v().getMethod("<java.util.HashSet: void <init>()>").makeRef());
	instrumentation.add(Jimple.v().newInvokeStmt(initCall));

	// one Set.add(...) call per category
	for (String category : categories) {
		InterfaceInvokeExpr addCategory = Jimple.v().newInterfaceInvokeExpr(categorySet, Scene.v().getMethod("<java.util.Set: boolean add(java.lang.Object)>").makeRef(), StringConstant.v(category));
		instrumentation.add(Jimple.v().newInvokeStmt(addCategory));
	}

	// helper call: arguments are given as alternating (type, value) entries
	Value intent = sinkExpr.getArg(0);
	List<Object> helperArgs = new ArrayList<Object>();
	helperArgs.add(RefType.v("android.content.Intent"));
	helperArgs.add(intent);
	helperArgs.add(RefType.v(setTypeName));
	helperArgs.add(categorySet);
	StaticInvokeExpr helperCall = Instrumentation.createJimpleStaticInvokeExpr(
			Settings.INSTRUMENTATION_HELPER_JAVA,
			"addTaintInformationToIntent",
			helperArgs);
	instrumentation.add(Jimple.v().newInvokeStmt(helperCall));

	return instrumentation;
}
 
Example #16
Source File: PolicyEnforcementPoint.java    From DroidForce with GNU Lesser General Public License v2.1
/**
 * Tells whether the source statement is an identity statement whose right-hand side is
 * a parameter reference, i.e. whether the source is a method parameter.
 *
 * @param sInfo the source to inspect
 * @return {@code true} if the source statement binds a method parameter
 */
private boolean isSourceInfoParameter(ResultSourceInfo sInfo) {
	if (!(sInfo.getSource() instanceof IdentityStmt)) {
		return false;
	}
	IdentityStmt identity = (IdentityStmt) sInfo.getSource();
	return identity.getRightOp() instanceof ParameterRef;
}