secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Confusion about backward alias analysis. #458

Open zhouyuhao1018 opened 2 years ago

zhouyuhao1018 commented 2 years ago

Dear, I have confusion about backward alias analysis, and there is a false negative caused by this. The following is the case. The local $r2 in line 12 is a source based on StatementSourceSinkDefinition, and the void setNumber(int) in line 17 is a sink based on MethodSourceSinkDefinition.

Obviously, the source taint $r2 is an alias of MainActivity.num, and there is a leak in line 17.

I tried to debug this by implementing an instance of TaintPropagationHandler and printing the backward analysis step by step. The backward alias analysis stops after analyzing line 9. However, the local $i0 is not tainted (i.e., $i0 is not an alias), nor is the one in line 08. So the leak caused by lines 16-17 is missed.

```
public void onClick(android.view.View)
    {
        com.example.viewmedeltest.MainActivity$1 r0;
        android.view.View $r1;
        java.lang.String $r2;
        com.example.viewmedeltest.MainActivity r3;
        int $i0;
        android.widget.TextView $r4;
        com.example.viewmedeltest.MyViewModel $r5;

01        r0 := @this: com.example.viewmedeltest.MainActivity$1;
02        $r1 := @parameter0: android.view.View;
03        r3 = r0.<com.example.viewmedeltest.MainActivity$1: com.example.viewmedeltest.MainActivity this$0>;
04        $i0 = r3.<com.example.viewmedeltest.MainActivity: int num>;
05        $i0 = $i0 + 1;
06        r3.<com.example.viewmedeltest.MainActivity: int num> = $i0;
07        r3 = r0.<com.example.viewmedeltest.MainActivity$1: com.example.viewmedeltest.MainActivity this$0>;
08        $i0 = r3.<com.example.viewmedeltest.MainActivity: int num>;
09        $r2 = staticinvoke <java.lang.String: java.lang.String valueOf(int)>($i0);
10        r3 = r0.<com.example.viewmedeltest.MainActivity$1: com.example.viewmedeltest.MainActivity this$0>;
11        $r4 = r3.<com.example.viewmedeltest.MainActivity: android.widget.TextView textView>;
12        virtualinvoke $r4.<android.widget.TextView: void setText(java.lang.CharSequence)>($r2);
13        r3 = r0.<com.example.viewmedeltest.MainActivity$1: com.example.viewmedeltest.MainActivity this$0>;
14        $r5 = r3.<com.example.viewmedeltest.MainActivity: com.example.viewmedeltest.MyViewModel myViewModel>;
15        r3 = r0.<com.example.viewmedeltest.MainActivity$1: com.example.viewmedeltest.MainActivity this$0>;
16        $i0 = r3.<com.example.viewmedeltest.MainActivity: int num>;
17        virtualinvoke $r5.<com.example.viewmedeltest.MyViewModel: void setNumber(int)>($i0);
18        return;
    }
```

What can I do to avoid this? Or maybe my understanding of alias analysis is wrong? I really hope for your suggestions.

zhouyuhao1018 commented 2 years ago

@StevenArzt, sorry to bother you. I think that maybe I know the reason. I found that there is no implementation of the function public Set<Abstraction> getAliasesForMethod() in the taintWrappers class. Does this lead to the backward alias analysis missing the $i0 (in line 09) that is an alias of $r2 (in line 12)? PS: I use the EasyTaintWrapper and the alias algorithm is FlowSensitive.
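The reporter describes tracing the backward alias analysis with a TaintPropagationHandler. The following is an added illustration of that debugging approach, not code from the issue or from the FlowDroid project: a handler that logs every abstraction entering and leaving the alias (backward) solver, so one can check whether an alias for `$i0` or `r3.num` is ever produced after the `valueOf` call in line 09. The class and method names of the FlowDroid API used here (`TaintPropagationHandler`, `notifyFlowIn`/`notifyFlowOut`, `Abstraction.getAccessPath()`, `InfoflowConfiguration.setAliasingAlgorithm`, `setBackwardsPropagationHandler`) are written from memory of the public API and should be checked against the FlowDroid version in use; `MyApkAnalysis`, `AliasTraceHandler` and the file paths are hypothetical names chosen for this example.

```java
import java.util.Set;

import soot.Unit;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.InfoflowManager;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.handlers.TaintPropagationHandler;

/**
 * Hypothetical debugging aid (not part of FlowDroid): prints each alias-search
 * step so a missing alias such as $i0 in line 09 of the reported method can be
 * located in the trace instead of guessed from the final result.
 */
public class AliasTraceHandler implements TaintPropagationHandler {

    // Called before a flow function is applied to a taint abstraction.
    @Override
    public void notifyFlowIn(Unit stmt, Abstraction taint,
                             InfoflowManager manager, FlowFunctionType type) {
        System.out.printf("[alias-in ] %-14s %s  @  %s%n",
                type, taint.getAccessPath(), stmt);
    }

    // Called after the flow function has produced the outgoing abstractions.
    // Returning the set unchanged keeps the analysis result identical; only
    // the trace is added. An empty outgoing set at a statement is exactly the
    // point where the alias search stops, which is what the report observed
    // after line 09.
    @Override
    public Set<Abstraction> notifyFlowOut(Unit stmt, Abstraction d1,
                                          Abstraction incoming,
                                          Set<Abstraction> outgoing,
                                          InfoflowManager manager,
                                          FlowFunctionType type) {
        if (outgoing.isEmpty()) {
            System.out.printf("[alias-stop] %-14s %s  @  %s%n",
                    type, incoming.getAccessPath(), stmt);
        }
        for (Abstraction out : outgoing) {
            System.out.printf("[alias-out] %-14s %s -> %s  @  %s%n",
                    type, incoming.getAccessPath(), out.getAccessPath(), stmt);
        }
        return outgoing;
    }
}

/** Hypothetical driver wiring the handler into an Android analysis run. */
class MyApkAnalysis {
    public static void main(String[] args) throws Exception {
        // Paths are placeholders; replace with the real SDK platforms dir and APK.
        SetupApplication app = new SetupApplication(
                "/path/to/android-platforms", "/path/to/app.apk");

        // Same configuration the reporter mentions: flow-sensitive aliasing.
        InfoflowConfiguration config = app.getConfig();
        config.setAliasingAlgorithm(
                InfoflowConfiguration.AliasingAlgorithm.FlowSensitive);

        // Attach the trace to the backward (alias) solver only; the forward
        // taint solver keeps its default handler so the log stays readable.
        app.setBackwardsPropagationHandler(new AliasTraceHandler());

        // Placeholder path to the SourcesAndSinks definition file.
        app.runInfoflow("/path/to/SourcesAndSinks.txt");
    }
}
```

Reading the trace, the expected sequence for the reported method is an `[alias-in]` for `$r2` at line 09, followed by `[alias-out]` entries that carry the taint back to `$i0` and then to `r3.<MainActivity: int num>`; an `[alias-stop]` line at the `valueOf` call instead confirms that the alias search ended there, which is the observable symptom of the false negative on line 17.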