secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Keep all statements that use the taint abstraction in the path #576

Closed NicolasFNino closed 1 year ago

NicolasFNino commented 1 year ago

Hello,

If I want to keep all the statements in the paths that use the taint object, could you please point me in the direction of where I could achieve this?

Example:

String var = source("a");
var.append("b");
sink(var);

The second line would not show in the results.

I reckon it is not related to the MemoryManager since in the default implementation it is null.

Thank you for your kind help as always!

timll commented 1 year ago

Set the path reconstruction mode to fast. For example, with config.getPathConfiguration().setPathReconstructionMode(InfoflowConfiguration.PathReconstructionMode.Fast) at the right place.
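As an added illustration of the setting timll mentions (this is example code written for this note, not code from the FlowDroid project or from the thread), the snippet below drives an Android analysis with SetupApplication, switches path reconstruction to Fast, and prints the reconstructed statement path for every source-to-sink flow. The FlowDroid class and method names (SetupApplication, InfoflowResults, ResultSinkInfo, ResultSourceInfo.getPath()) are assumed from the FlowDroid 2.x API; the three command-line arguments (platforms directory, APK, sources-and-sinks file) are placeholders you supply.

```java
import java.util.Set;

import soot.jimple.Stmt;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.results.ResultSinkInfo;
import soot.jimple.infoflow.results.ResultSourceInfo;

/**
 * Runs FlowDroid on an APK with Fast path reconstruction and dumps
 * the statements on each source-to-sink path.
 * Assumed FlowDroid 2.x API; adjust package names if your version differs.
 */
public class PathReconstructionExample {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: <android-platforms-dir> <app.apk> <SourcesAndSinks.txt>");
            System.exit(2);
        }
        String platformsDir = args[0];   // ASSUMPTION: <sdk>/platforms
        String apkPath      = args[1];   // ASSUMPTION: APK under analysis
        String sourceSinks  = args[2];   // ASSUMPTION: FlowDroid source/sink definition file

        SetupApplication app = new SetupApplication(platformsDir, apkPath);

        // This is the setting from the answer above: without it (NoPaths),
        // results carry only the source and sink statements.
        InfoflowConfiguration config = app.getConfig();
        config.getPathConfiguration().setPathReconstructionMode(
                InfoflowConfiguration.PathReconstructionMode.Fast);

        InfoflowResults results = app.runInfoflow(sourceSinks);
        if (results == null || results.getResults() == null || results.getResults().isEmpty()) {
            System.out.println("No source-to-sink flows found.");
            return;
        }

        // Each sink maps to the sources that reach it; each source carries
        // the propagation path the solver recorded.
        for (ResultSinkInfo sink : results.getResults().keySet()) {
            Set<ResultSourceInfo> sources = results.getResults().get(sink);
            for (ResultSourceInfo source : sources) {
                System.out.println("Sink:   " + sink.getStmt());
                System.out.println("Source: " + source.getStmt());
                Stmt[] path = source.getPath();
                if (path == null) {
                    System.out.println("  (no path reconstructed; check the path configuration)");
                    continue;
                }
                for (int i = 0; i < path.length; i++) {
                    System.out.println("  [" + i + "] " + path[i]);
                }
            }
        }
    }
}
```

Note that the printed path lists only statements at which the solver created or changed a taint abstraction; a statement such as var1.append("b") that neither kills nor extends the taint on var1 will still be absent even in Fast mode.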

NicolasFNino commented 1 year ago

Is that not the same as using -cp in the command line options? I think I might have misled you with my example: I do get a path not only formed by sources and sinks, but some methods do not show up in there. Please consider the following example:

1. StringBuilder var1 = source("a");
2. var1.append("b");
3. String var2 = toString(var1);
4. sink(var2);

In this case line 2 does not show in the path, but line 3 does. The difference I see is that line 3 uses the tainted object as a parameter while line 2 does not, but it does change its value without overwriting it and killing the taint.

Thanks a lot!

StevenArzt commented 1 year ago

The taint is not changed in line 2. Variable var1 was tainted before line 2, and it is tainted thereafter. There isn't even a second source that influences the taint on var1, because you only append a constant. Therefore, from a data flow perspective, line 2 is useless. You could remove it from the code and still get the same flow. That's why FlowDroid doesn't process it.

In fact, FlowDroid skips that line right away, because no API model applies to this method without any taint on the parameter.

NicolasFNino commented 1 year ago

Thank you very much for your response. Would you please point me to where I could find/modify this behavior so that FlowDroid does not skip these lines? Any help is much appreciated.

StevenArzt commented 1 year ago

FlowDroid has the general concept of not deriving new taint abstractions unless necessary. Creating one abstraction per line and context regardless of whether the taint was changed might significantly increase the memory consumption of the analysis. Therefore, the entire implementation follows the concept of skipping statements as soon as it becomes clear that the taint won't change. That means there is no single line of code that says "skip", but rather many of them.

For your concrete example, you may look into the SummaryTaintWrapper and its getTaintsForMethod method. Still, even if you create useless taints there, the optimizations in the IFDS solver may still throw away such abstractions. That is not to discourage you, but there will be challenges.

In general, I wonder whether you actually need a data flow solver or rather a backward slicer.

NicolasFNino commented 1 year ago

That makes sense. Thanks again for the help.

By any chance, do you know of a simple slicer for Android apps?