pascal-lab / Tai-e

An easy-to-learn/use static analysis framework for Java
https://tai-e.pascal-lab.net/docs/index.html
GNU Lesser General Public License v3.0

Have any suggestion for back taint propagation in param var #99

Open hillwangsec opened 3 months ago

hillwangsec commented 3 months ago

Description

Hi,

I saw the test cases in resources, including TaintParam and CSBackPropagation, but did not find a case for back taint propagation.

One case I tested is shown below:

    import java.util.ArrayList;

    // The class name is assumed; the original snippet showed only the two methods.
    // SourceSink is the source/sink stub class from the Tai-e taint test resources.
    public class BackPropagationCase {

        public static void main(String[] args) {
            String taint = SourceSink.source();
            ArrayList<String> aa = new ArrayList<String>();
            interfunc(taint, aa);          // aa is passed as a parameter and mutated in the callee
            for (String elem : aa) {
                SourceSink.sink(elem);     // expected to be reported as a taint flow
            }
        }

        private static void interfunc(String s1, ArrayList<String> target) {
            target.add(s1);                // taint flows into the object the parameter points to
        }
    }

I also configured the rules:

    - { method: "<java.util.ArrayList: boolean add(java.lang.Object)>", from: 0, to: base }
    - { method: "<java.util.ArrayList: java.util.Iterator iterator()>", from: base, to: result }
    - { method: "<java.util.Iterator: java.lang.Object next()>", from: base, to: result, type: "java.lang.String" }

In pta-results.txt, I found that the second param is tainted in the method interfunc, but at the call site (interfunc(taint, aa);) the var aa is not tainted.

Do you have any suggestions on how to resolve this? Thanks.
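To make the observation above concrete, here is an added toy model (not Tai-e's code, and not from the issue author) of the two ways the `target.add(s1)` call can be handled. Object names, field names and the method names `run_issue_program`, `call_add` and `call_iterate` are all assumptions of this example. In "transfer" mode the rule `from: 0, to: base` adds a taint object to the points-to set of the callee's *variable* `target`, which never flows back to `aa` in the caller because points-to information only flows from argument to parameter. In "whole-program" mode `ArrayList.add` is treated as a store into a field of the receiver object; since `aa` and `target` point to the same abstract object, the later iteration in `main` loads the tainted element and the sink is reported, even though neither `aa` nor `target` is itself tainted.

```python
"""Toy pointer+taint model contrasting a taint-transfer rule on a parameter
with whole-program analysis of the container method (constructed example)."""
from collections import defaultdict


class Obj:
    """An abstract heap object: an allocation site with fields and a taint flag."""

    def __init__(self, site, tainted=False):
        self.site = site
        self.tainted = tainted
        self.fields = defaultdict(set)  # field name -> set of Obj

    def __repr__(self):
        return f"{self.site}{'*' if self.tainted else ''}"


class Analysis:
    """Context-insensitive, flow-insensitive points-to sets keyed by 'method.var'."""

    def __init__(self, whole_program):
        self.whole_program = whole_program
        self.pts = defaultdict(set)  # variable -> set of Obj
        self.leaks = []

    def source(self, var):
        # SourceSink.source() returns a fresh tainted String object.
        self.pts[var].add(Obj("source()", tainted=True))

    def new(self, var, site):
        self.pts[var].add(Obj(site))

    def assign(self, dst, src):
        # Also used for parameter passing: argument objects flow INTO the parameter.
        self.pts[dst] |= self.pts[src]

    def call_add(self, base, arg):
        if self.whole_program:
            # ArrayList.add is analyzed: the element is stored into the receiver object.
            for o in self.pts[base]:
                o.fields["elementData"] |= self.pts[arg]
        else:
            # only-app: the transfer rule {from: 0, to: base} fires instead and adds a
            # taint object to the base VARIABLE (the callee's parameter), not to the
            # ArrayList object that the caller's variable also points to.
            if any(o.tainted for o in self.pts[arg]):
                self.pts[base].add(Obj("taint(ArrayList)", tainted=True))

    def call_iterate(self, result, base):
        # iterator() + next(), collapsed into one step for brevity.
        if self.whole_program:
            for o in self.pts[base]:
                self.pts[result] |= o.fields["elementData"]
        elif any(o.tainted for o in self.pts[base]):
            # transfer rule {from: base, to: result, type: java.lang.String}
            self.pts[result].add(Obj("taint(String)", tainted=True))

    def sink(self, var):
        if any(o.tainted for o in self.pts[var]):
            self.leaks.append(var)


def var_tainted(a, var):
    return any(o.tainted for o in a.pts[var])


def run_issue_program(whole_program):
    """Replays the program from the issue and reports what each strategy sees."""
    a = Analysis(whole_program)
    a.source("main.taint")                      # String taint = SourceSink.source();
    a.new("main.aa", "new ArrayList")           # ArrayList<String> aa = new ArrayList<>();
    a.assign("interfunc.s1", "main.taint")      # interfunc(taint, aa): arg -> param
    a.assign("interfunc.target", "main.aa")
    a.call_add("interfunc.target", "interfunc.s1")  # target.add(s1);
    a.call_iterate("main.elem", "main.aa")      # for (String elem : aa)
    a.sink("main.elem")                         # SourceSink.sink(elem);
    return {
        "target_tainted": var_tainted(a, "interfunc.target"),
        "aa_tainted": var_tainted(a, "main.aa"),
        "leak_found": bool(a.leaks),
    }


if __name__ == "__main__":
    print("transfer rule, only-app  :", run_issue_program(whole_program=False))
    print("whole-program analysis   :", run_issue_program(whole_program=True))
```

Run stand-alone, the first mode reproduces exactly what the issue reports: `target` is tainted inside `interfunc`, `aa` is not, and the sink is missed. The second mode finds the leak without any transfer rule, which is the reasoning behind the maintainer's advice to analyze the library methods instead of modeling them.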

zhangt2333 commented 3 months ago

Set the pointer analysis option only-app to false to process ArrayList-related methods.

hillwangsec commented 1 month ago

Thanks a lot.

If I switch the only-app flag, the analysis time increases a lot. I temporarily resolved it through taint object propagation: when taint propagates to a method param (of set/list/map... type), I translate it into a PARAMETER_PASSING source. Maybe it does not make sense.

zhangt2333 commented 1 month ago

When only-app=true, the analysis is not sound and cannot benefit from the various plugins of Tai-e.

In your case, this problem can be naturally resolved through a sound/complete whole-program analysis without needing Taint Transfer (another form of code modeling); otherwise, I am worried that the modeling will be endless.