secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Aliasing with casts test is failing in soot-infoflow #584

Open Jclavo opened 1 year ago

Jclavo commented 1 year ago

Hi @StevenArzt, I am exploring soot-infoflow's tests. I managed to run 104 of them but got 32 failures, so I started to explore each folder.

For the aliasing folder (FlowDroid/soot-infoflow/securiBench/securibench/micro) the result was:

[OK]   Aliasing1
[OK]   Aliasing2
[FAIL] Aliasing3
[FAIL] Aliasing4
[FAIL] Aliasing5
[OK]   Aliasing6

So let's focus on test Aliasing4 (which uses a cast):

package securibench.micro.aliasing;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import securibench.micro.BasicTestCase;
import securibench.micro.MicroTestCase;

public class Aliasing4 extends BasicTestCase implements MicroTestCase {
    private static final String FIELD_NAME = "name";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter(FIELD_NAME);   // source: untrusted request parameter
        Object o1 = name;                             // direct alias of the tainted String
        Object o2 = name.concat("abc");               // derived from the tainted String via a library call
        Object o3 = "anc";                            // constant, never tainted

        PrintWriter writer = resp.getWriter();
        writer.println(o1);                           /* BAD */
        writer.println(o2);                           /* BAD */
        writer.println(o3);                           /* OK */
    }

    public String getDescription() {
        return "simple aliasing with casts";
    }

    public int getVulnerabilityCount() {
        return 1;
    }
}

It only flags writer.println(o1); as bad, but not writer.println(o2);

UPDATE

While exploring the basic folder, I found some similar errors, and my first conclusion is that every time a TAINTED variable is passed through an operation like:

// concat
String name = req.getParameter(FIELD_NAME);
String s1 = name.concat("abc");
writer.println(s1);

// toString
String name = req.getParameter(FIELD_NAME);
String s1 = name.toString();
writer.println(s1);

// toLowerCase
String name = req.getParameter(FIELD_NAME);
String s1 = name.toLowerCase();
writer.println(s1);

the resulting variable loses its TAINTED status.

Do you have any idea what could be happening?

CONFIG

I am using the latest FlowDroid dependency:

<dependency>
    <groupId>de.fraunhofer.sit.sse.flowdroid</groupId>
    <artifactId>soot-infoflow</artifactId>
    <version>2.10.0</version>
</dependency>

timll commented 1 year ago

If you lose taints over library calls, it might be due to the class containing the called method being phantom (i.e., Soot found references to the class but could not find its bytecode and thus cannot resolve the method body). Either configure Soot to find the bytecode of the library or, preferably, use a taint wrapper that has a summary for the methods.
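As an added example that is not part of this thread and not FlowDroid's own test code, here is what the second suggestion looks like when wired up for the Aliasing4 case: a minimal EasyTaintWrapper summary file covering exactly the three String methods from the report (concat, toString, toLowerCase), loaded into an Infoflow run whose source is HttpServletRequest.getParameter and whose sink is PrintWriter.println. The class name Aliasing4WithWrapper, the package securibench.micro.aliasing for the test case, the paths under target/test-classes and lib/, and the use of a JDK 8 rt.jar as library path are all assumptions; adjust them to your checkout.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import soot.jimple.infoflow.Infoflow;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.taintWrappers.EasyTaintWrapper;

/**
 * Runs FlowDroid over SecuriBench Micro's Aliasing4 with a minimal taint wrapper,
 * so that taints survive String.concat/toString/toLowerCase even when Soot has no
 * body for java.lang.String (phantom class). Example code, not from the project.
 */
public class Aliasing4WithWrapper {

    // EasyTaintWrapper file format: one Soot method signature per line. A listed
    // method propagates taint from a tainted receiver or argument to its return
    // value. Lines starting with '%' are comments; a '-' prefix marks a method
    // that removes taint instead. This file is constructed for the example.
    static final List<String> WRAPPER_LINES = Arrays.asList(
            "% summaries for the three methods named in the issue",
            "<java.lang.String: java.lang.String concat(java.lang.String)>",
            "<java.lang.String: java.lang.String toString()>",
            "<java.lang.String: java.lang.String toLowerCase()>");

    // Source and sink used by the SecuriBench Micro servlets (Soot signatures).
    static final String SOURCE =
            "<javax.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>";
    static final String SINK =
            "<java.io.PrintWriter: void println(java.lang.Object)>";

    // Entry point: Aliasing4.doGet. The package is assumed from the securiBench layout.
    static final String ENTRY =
            "<securibench.micro.aliasing.Aliasing4: void doGet("
            + "javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>";

    /** Writes the wrapper file, runs the analysis and returns FlowDroid's results. */
    static InfoflowResults runAnalysis(String appPath, String libPath) throws Exception {
        Path wrapperFile = Files.createTempFile("easy-taint-wrapper", ".txt");
        Files.write(wrapperFile, WRAPPER_LINES, StandardCharsets.UTF_8);

        Infoflow infoflow = new Infoflow();
        // The wrapper's summaries stand in for library bodies Soot cannot see.
        infoflow.setTaintWrapper(new EasyTaintWrapper(wrapperFile.toString()));

        infoflow.computeInfoflow(appPath, libPath,
                Collections.singletonList(ENTRY),
                Collections.singletonList(SOURCE),
                Collections.singletonList(SINK));
        return infoflow.getResults();
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: compiled SecuriBench Micro classes plus the Servlet API jar on
        // the analysis classpath, and a JDK 8 rt.jar as library path. Pointing libPath
        // at the real JDK classes is the first suggestion from the reply above.
        String appPath = "target/test-classes" + File.pathSeparator
                + "lib/javax.servlet-api-3.1.0.jar";
        String libPath = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "rt.jar";

        InfoflowResults results = runAnalysis(appPath, libPath);
        // With concat summarized, both println(o1) and println(o2) should be reported;
        // o3 is a constant and never becomes tainted.
        System.out.println("source->sink connections: " + results.numConnections());
        System.out.println("getParameter reaches println: "
                + results.isPathBetweenMethods(SINK, SOURCE));
    }
}
```

The wrapper file is the important part: without an entry for concat, FlowDroid sees `name.concat("abc")` as a call into a class with no body and has no rule saying the return value depends on the receiver, which is exactly the symptom described above. FlowDroid ships a much larger default list for its own JUnit tests (EasyTaintWrapperSource.txt), and the summary-based SummaryTaintWrapper is the more precise option for real analyses; the three-line file here is only meant to make the mechanism visible.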