secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Is it possible to get the "call stack" information when taint is propagated in a method that has a context #514

Closed RichardHoOoOo closed 2 years ago

RichardHoOoOo commented 2 years ago

Hi @StevenArzt, I am wondering whether it is possible to get the "call stack" information through the callback of a TaintPropagationHandler when taint is propagated in a method that has a context. The following is a simple example, and in my situation, I set the data-flow direction as Backwards.

void f0() {
   ...
   f1(o);
   sink(o.v);
}

void f1(O o) {
   o.v = ...;
}

So the taint is backward propagated from sink(o.v). When it meets f1(o), a forward alias analysis will go into f1(). Then when it finds o.v = ..., a backward propagation will again start from that line.

I hope to know the call stack when taint is backward propagated in f1(), which should be

f1() // top
f0() // bottom

Is it possible to get this information through the callbacks in a TaintPropagationHandler? Thanks in advance!

StevenArzt commented 2 years ago

For our context-sensitive analysis, we use a value-based analysis, not a call strings approach. Therefore, the analysis knows the incoming taint abstraction at the entry point of the method (at the beginning for forward analysis or at the end for the backward analysis). There is no notion of a call stack, because two contexts with equal incoming abstractions are equal even if they have different call stacks. IFDS therefore re-uses the same method summary. With this concept, it makes no sense to store the call stack, as an analysis must not rely on it.

Once a method has been analyzed, the outgoing taint abstraction is propagated into all callers that called the method with an equivalent incoming taint abstraction. Once again, the call stack is irrelevant. It only matters whether the context is the same from the view of the callee.

FlowDroid has the option to provide propagation paths. This is a best-effort approach due to the concepts described above. We call the path a "witness", because it is one possible path that allows the analyst to check the correctness of the leak. It does not mean that there are no other equivalent paths.
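The summary reuse described in this answer, as an added Python example that is not FlowDroid's code: it assumes a constructed toy IR and a forward (not backward) direction, and shows f1 reached through two different call stacks with the same incoming abstraction, so its body is analysed once and the summary key never contains a stack, which is why a handler callback cannot be given one.

```python
from collections import defaultdict
# Constructed toy IR: each method is a list of statements over local names.
#   ("assign", dst, src)    dst is tainted afterwards iff src is tainted
#   ("call", callee, args)  args bind by position to params p0, p1, ...; taint on
#                           a param flows back to the argument (reference semantics)
#   ("sink", var)           report a leak if var is tainted
PROGRAM = {
    "f0": [("call", "f1", ["o"]), ("sink", "o")],  # reaches f1 via stack f0 -> f1
    "g0": [("call", "h", ["x"]), ("sink", "x")],
    "h":  [("call", "f1", ["p0"])],                 # reaches f1 via stack g0 -> h -> f1
    "f1": [("assign", "p0", "src")],                # "src" is the taint source
}

class SummaryAnalysis:
    """Value-based context sensitivity (simplified IFDS): a callee is analysed
    once per distinct incoming abstraction, never once per call stack."""
    def __init__(self, program):
        self.program = program
        self.summaries = {}              # (method, incoming) -> tainted params at exit
        self.walks = defaultdict(int)    # how often each method body was analysed
        self.leaks = []                  # (method, var) where taint reached a sink
        self.stacks = defaultdict(set)   # illustration only: call stacks per context key
    def analyse(self, method, incoming, stack=()):
        key = (method, incoming)         # the context is the abstraction, not the stack
        self.stacks[key].add(stack + (method,))
        if key in self.summaries:        # equal incoming abstraction: reuse the summary
            return self.summaries[key]
        self.walks[method] += 1
        tainted = set(incoming) | {"src"}   # "src" is tainted on entry to every method
        for stmt in self.program[method]:
            if stmt[0] == "assign":
                _, dst, src = stmt
                if src in tainted: tainted.add(dst)
                else: tainted.discard(dst)
            elif stmt[0] == "call":
                _, callee, args = stmt
                params = [f"p{i}" for i in range(len(args))]
                inc = frozenset(p for p, a in zip(params, args) if a in tainted)
                out = self.analyse(callee, inc, stack + (method,))  # toy IR has no recursion
                tainted |= {a for p, a in zip(params, args) if p in out}
            elif stmt[0] == "sink" and stmt[1] in tainted:
                self.leaks.append((method, stmt[1]))
        self.summaries[key] = frozenset(v for v in tainted if v.startswith("p"))
        return self.summaries[key]

def run():
    """Analyse both entry points; f1's body is walked once despite two distinct stacks."""
    a = SummaryAnalysis(PROGRAM)
    for entry in ("f0", "g0"):
        a.analyse(entry, frozenset())
    return a
```

After `run()`, `a.stacks[("f1", frozenset())]` holds both stacks while `a.walks["f1"]` is 1: the second caller hit the cached summary, so no per-stack information was ever produced for a handler to report.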

RichardHoOoOo commented 2 years ago

Hi @StevenArzt, thanks for your answer, I am taking your advice.