secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Some class resolution errors. Misconfiguration or Bugs? #508

Closed jimmy66688 closed 1 year ago

jimmy66688 commented 1 year ago

Hi @StevenArzt, I am performing a static taint analysis on Cassandra and I am suffering from a problem with classes not being resolved correctly:

I set entrypoint as <org.apache.cassandra.service.CassandraDaemon: void main(java.lang.String[])> and the log shows: Cannot generate constructor for class: org.apache.cassandra.service.CassandraDaemon.

I have debugged the whole class resolution, and I know from the debug window that the class resolution is not correct and there is a lot of information missing.

The following information is obtained by SootClass toReturn = SootResolver.v().resolveClass(className, desiredLevel) in the method public SootClass tryLoadClass(String className, int desiredLevel), which belongs to the class soot.Scene.

toReturn = {SootClass@1801} "org.apache.cassandra.service.CassandraDaemon"
 name = "org.apache.cassandra.service.CassandraDaemon"
 shortName = "CassandraDaemon"
 fixedShortName = null
 packageName = "org.apache.cassandra.service"
 fixedPackageName = null
 modifiers = 0
 fields = null
 subSigToMethods = null
 methodList = null
 interfaces = null
 isInScene = true
 superClass = null
 outerClass = null
 isPhantom = true
 moduleName = null
 moduleInformation = null
 refType = {RefType@1806} "org.apache.cassandra.service.CassandraDaemon"
 resolvingLevel = 3
 number = 1
 line = 0
 col = 0
 mTagList = {ArrayList@1807}  size = 1

It is obvious that the methods in the class cannot be empty.

Similarly, I tried to resolve another class: org.apache.cassandra.transport.messages.StartupMessage and got correct results:

toReturn = {SootClass@1876} "org.apache.cassandra.transport.messages.StartupMessage"
 name = "org.apache.cassandra.transport.messages.StartupMessage"
 shortName = "StartupMessage"
 fixedShortName = null
 packageName = "org.apache.cassandra.transport.messages"
 fixedPackageName = null
 modifiers = 1
 fields = {HashChain@1881}  size = 8
 subSigToMethods = {SmallNumberedMap@1882} 
 methodList = {Collections$SynchronizedRandomAccessList@1883}  size = 6
 interfaces = null
 isInScene = true
 superClass = {SootClass@1884} "org.apache.cassandra.transport.Message$Request"
 outerClass = null
 isPhantom = false
 moduleName = null
 moduleInformation = null
 refType = {RefType@1885} "org.apache.cassandra.transport.messages.StartupMessage"
 resolvingLevel = 3
 number = 1
 line = 0
 col = 0
 mTagList = {ArrayList@1886}  size = 10

I'm confused about this situation and what caused it.

Version Information: FlowDroid 2.10, Soot 4.3.0, Cassandra 4.0.5

jimmy66688 commented 1 year ago

I noticed that in the method boolean loadClassFile(InputStream is) of class soot.coffi.ClassFile, after d = new DataInputStream(f);, all the data in d is assigned to 0.

jimmy66688 commented 1 year ago

The log shows: soot.coffi.Util - org.apache.cassandra.service.CassandraDaemon is a phantom class! But why is this class a phantom class? The class does exist intact in the application's jar package, apache-cassandra-4.0.5.jar.

StevenArzt commented 1 year ago

Soot shouldn't use Coffi, which is highly outdated, but ASM. How do you run FlowDroid? I guess that org.apache.* ends up on the exclusion list, which is the default behavior for the Android analyzer, but not for the pure Java engine.

jimmy66688 commented 1 year ago

> Soot shouldn't use Coffi, which is highly outdated, but ASM. How do you run FlowDroid? I guess that org.apache.* ends up on the exclusion list, which is the default behavior for the Android analyzer, but not for the pure Java engine.

It was indeed caused by Coffi. I checked my configuration based on your reply and found Options.v().set_coffi(true); when I fixed it, the analysis proceeded normally. Thank you Steven.
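A pre-flight check for the two causes discussed in this thread (the Coffi front end producing phantom classes, and an exclude pattern silently covering the application package), written as an added example against the Soot 4.3.0 API; it is not code from the thread or from FlowDroid, and the jar path is a placeholder you must replace:

```java
import java.util.Collections;

import soot.G;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.options.Options;

/** Resolves the entry class through Soot's ASM front end and reports why it is unusable before FlowDroid runs. */
public class EntryClassCheck {

    // Constructed placeholders: point APP_JAR at the real jar on your machine.
    static final String APP_JAR = "/path/to/apache-cassandra-4.0.5.jar";
    static final String ENTRY_CLASS = "org.apache.cassandra.service.CassandraDaemon";
    static final String ENTRY_SUBSIG = "void main(java.lang.String[])";

    public static void configureSoot(String appJar) {
        G.reset();                                    // fresh Soot state between runs
        Options.v().set_coffi(false);                 // ASM front end; Coffi is the setting that broke the thread's run
        Options.v().set_prepend_classpath(true);      // JDK classes go in front of the Soot classpath
        Options.v().set_process_dir(Collections.singletonList(appJar));
        Options.v().set_allow_phantom_refs(true);     // missing third-party libs become phantoms instead of aborting
        Options.v().set_whole_program(true);
        Options.v().set_no_bodies_for_excluded(true); // excluded classes get no bodies, which is what we must detect
        Scene.v().loadNecessaryClasses();
    }

    /** Returns "ok" when the entry method can be handed to FlowDroid, otherwise a short diagnosis. */
    public static String checkEntryClass(String className, String subSig) {
        SootClass sc = Scene.v().getSootClass(className);
        if (sc.isPhantom()) {
            return "phantom: class not found in process-dir/classpath or read by the wrong front end (Options.v().coffi() = "
                    + Options.v().coffi() + ")";
        }
        if (Scene.v().isExcluded(sc)) {
            return "excluded: " + className + " matches an exclude pattern, so no method bodies will be loaded";
        }
        if (sc.resolvingLevel() < SootClass.SIGNATURES || !sc.declaresMethod(subSig)) {
            return "unresolved: no method " + subSig + " in " + className;
        }
        SootMethod entry = sc.getMethod(subSig);
        if (!entry.isConcrete()) {
            return "entry method has no body";
        }
        Scene.v().setEntryPoints(Collections.singletonList(entry));
        return "ok";
    }

    public static void main(String[] args) {
        configureSoot(APP_JAR);
        System.out.println(checkEntryClass(ENTRY_CLASS, ENTRY_SUBSIG));
    }
}
```

Run it with the Soot jar and a JDK on the classpath; a "phantom" or "excluded" result points at the configuration rather than at FlowDroid's entry-point generation.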