brazdil / dexter


Taint interface methods are too coarse #12

Closed brazdil closed 11 years ago

brazdil commented 11 years ago

The Taint interface currently supports only two methods - get() and set(int taint). These are used to combine the taint of all values reachable through the corresponding object reference, for example during external method calls. However, there are situations when using these methods would be too conservative. An example could be this:

// Point is an external (uninstrumented) Android class with two public int fields, x and y
class MyPoint extends Point {
  public int z; // instrumented field, tracked by its own taint t_z
}

// Placeholder bodies so the sketch compiles (not part of the original sketch):
// the first stands for a method returning a tainted value, the second an untainted one
int sensitiveInteger() { return 0; }
int normalInteger() { return 0; }

void fn() {
  Point p = new MyPoint();   // creates a TaintInternal (which wraps a TaintExternal for the Point part)
  p.x = sensitiveInteger();  // calls Taint.set on the whole object
  p.y = normalInteger();
  int y = p.y;               // calls Taint.get, taints y
  int z = ((MyPoint) p).z;   // retrieves t_z, which now contains the taint as well
}

The expected behaviour of the example is that it taints the whole Point object, i.e. both x and y will become tainted. This is the case because TaintInternal stores a TaintExternal for the external part of itself and taints it in Taint.set. However, it taints z as well, which is not necessary.

By adding extra methods getExternal and setExternal to the Taint interface, this could be avoided.
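A stand-alone model of the two behaviours the issue contrasts, added here as an illustration and not dexter's own code. It assumes a bitmask taint encoding, a single taint bit standing in for the value of sensitiveInteger(), and the class and method names (TaintExternal, TaintInternal, getExternal, setExternal) exactly as sketched in the issue; the field bookkeeping inside TaintInternal is this example's own simplification.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: coarse get()/set() over everything reachable from an object
// versus the proposed getExternal()/setExternal() that touch only the external part.
public class TaintSplitDemo {
    static final int CLEAN = 0;
    static final int SENSITIVE = 1; // assumed taint bit carried by sensitiveInteger()

    // The two methods the issue describes plus the two it proposes.
    interface Taint {
        int get();                   // union of taint over everything reachable
        void set(int taint);         // taint everything reachable
        int getExternal();           // only the external (uninstrumented) part
        void setExternal(int taint); // taint only the external part
    }

    // Taint of an external object: one value for all its fields, because the
    // instrumentation cannot see inside it.
    static class TaintExternal implements Taint {
        private int taint = CLEAN;
        public int get() { return taint; }
        public void set(int t) { taint |= t; }
        public int getExternal() { return taint; }
        public void setExternal(int t) { taint |= t; }
    }

    // Taint of an instrumented object that extends an external class: a
    // TaintExternal for the inherited part, one taint per instrumented field.
    static class TaintInternal implements Taint {
        private final TaintExternal external = new TaintExternal();
        private final Map<String, Integer> fields = new HashMap<>();

        TaintInternal(String... instrumentedFields) {
            for (String f : instrumentedFields) fields.put(f, CLEAN);
        }

        int getField(String name) { return fields.get(name); }

        // Coarse: merge the external part and every instrumented field.
        public int get() {
            int t = external.get();
            for (int v : fields.values()) t |= v;
            return t;
        }
        public void set(int t) {
            external.set(t);
            for (Map.Entry<String, Integer> e : fields.entrySet()) e.setValue(e.getValue() | t);
        }
        // Fine-grained: only the external part is involved.
        public int getExternal() { return external.get(); }
        public void setExternal(int t) { external.set(t); }
    }

    // The issue's fn(): the write to p.x and the read of p.y go through either the
    // coarse methods (current behaviour) or the external-only ones (proposal).
    // Returns { taint of y, taint of z }.
    static int[] run(boolean externalOnly) {
        TaintInternal p = new TaintInternal("z");          // Point p = new MyPoint();
        if (externalOnly) p.setExternal(SENSITIVE);        // p.x = sensitiveInteger();
        else p.set(SENSITIVE);
        // p.y = normalInteger(): a clean value adds nothing
        int taintY = externalOnly ? p.getExternal() : p.get(); // int y = p.y;
        int taintZ = p.getField("z");                      // int z = ((MyPoint) p).z;
        return new int[] { taintY, taintZ };
    }

    public static void main(String[] args) {
        int[] coarse = run(false);
        int[] fine = run(true);
        System.out.println("set()/get():                 taint(y)=" + coarse[0] + " taint(z)=" + coarse[1]);
        System.out.println("setExternal()/getExternal(): taint(y)=" + fine[0] + " taint(z)=" + fine[1]);
    }
}
```

Under the coarse path both y and z end up with the SENSITIVE bit; under the external-only path y is still tainted, as the issue expects, while z stays clean.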

brazdil commented 11 years ago

Fixed in 983eaa1