secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Is there a way to discard a taint abstraction rather than truncating the access path? #532

Closed RichardHoOoOo closed 1 year ago

RichardHoOoOo commented 1 year ago

Suppose in the following example, the incoming taint is b.f0.f1.f2.f3.f4

a.f = b;

When the access path length limit is set to 5, the outgoing taint will be a.f.f0.f1.f2.f3, which may result in FPs. I know totally discarding a.f.f0.f1.f2.f3 may lead to FNs, but I hope FlowDroid can provide this option. May I ask whether this option is available in FlowDroid right now?

StevenArzt commented 1 year ago

So you are suggesting to drop APs instead of cutting them? FlowDroid doesn't have that option yet, but you can implement it. It would be interesting to see how the FP / FN rate changes when dropping instead of cutting. Keep me posted if you have any insights on this.

RichardHoOoOo commented 1 year ago

Yes, I am suggesting to simply remove a.f.f0.f1.f2.f3 from the outgoings set. Thanks for your reply, I guess I can do this by hooking a taint propagation handler.
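
The cut-versus-drop trade-off discussed in this thread, as an added example that is not part of the issue and not FlowDroid's code: a simplified Python model of access paths that computes the outgoing taint of `a.f = b` at limit 5 under both policies and checks which reads would be reported. The helper names, the sibling field `g`, and the rule that a taint covers every path at or below it are assumptions of this model.

```python
from typing import NamedTuple, Optional, Tuple

class AccessPath(NamedTuple):
    base: str
    fields: Tuple[str, ...]
    cut_off: bool = False  # True when fields were truncated at the length limit

    def __str__(self) -> str:
        return ".".join((self.base, *self.fields)) + (".*" if self.cut_off else "")

def parse(text: str) -> AccessPath:
    base, *fields = text.split(".")
    return AccessPath(base, tuple(fields))

def assign_to_field(lhs: str, incoming: AccessPath, limit: int,
                    drop: bool = False) -> Optional[AccessPath]:
    """Outgoing taint for `lhs = incoming.base`, where lhs looks like "a.f"."""
    target = parse(lhs)
    fields = target.fields + incoming.fields
    if len(fields) <= limit:
        return AccessPath(target.base, fields, incoming.cut_off)
    if drop:
        return None  # discard the abstraction entirely (the option asked for)
    return AccessPath(target.base, fields[:limit], True)  # cut to the limit

def covers(taint: Optional[AccessPath], read: str) -> bool:
    """Simplified model: a taint covers every path at or below it."""
    if taint is None:
        return False
    r = parse(read)
    return r.base == taint.base and r.fields[:len(taint.fields)] == taint.fields

def compare(limit: int = 5) -> dict:
    incoming = parse("b.f0.f1.f2.f3.f4")      # incoming taint from the thread
    reads = {"real": "a.f.f0.f1.f2.f3.f4",    # actually tainted after a.f = b
             "sibling": "a.f.f0.f1.f2.f3.g"}  # constructed field, never tainted
    result = {}
    for mode, out in (("exact", assign_to_field("a.f", incoming, limit=99)),
                      ("cut", assign_to_field("a.f", incoming, limit)),
                      ("drop", assign_to_field("a.f", incoming, limit, drop=True))):
        result[mode] = (str(out) if out else None,
                        {name: covers(out, path) for name, path in reads.items()})
    return result

if __name__ == "__main__":
    for mode, (path, hits) in compare().items():
        print(f"{mode:5} outgoing={path} reports={hits}")
```

In this model, cutting reports the sibling read as well (an FP), while dropping misses the real read (an FN).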