secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1
1.07k stars 301 forks source link

Java code analysis #595

Closed OlesiaSub closed 1 year ago

OlesiaSub commented 1 year ago

I am looking for a taint analysis tool that would work on Java code (not Android). In the description of your tool it is stated that FlowDroid can analyse Java code. But I've read the instruction and I was confused by the fact that it is mandatory to set some Android-specific parameters to execute the tool. Couldn't find any examples/instructions for launching FlowDroid on non-Android sources. I was wondering, how can I launch FlowDroid on Java code and is there is an API for that? I'd also like to use FlowDroid as a library, could you please point out where I can find any examples of how to do it?

t1mlange commented 1 year ago

The command line tool only supports Android. You can invoke FlowDroid on Java code only using code, for an example you can take a look at how the unit tests work in https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow/test/soot/jimple/infoflow/test/junit/JUnitTests.java.

OlesiaSub commented 1 year ago

@timll thanks a lot! I also have one more question, when I launch the tool I want to be able to see the whole execution trace. For example,

        public void multipleExitTest1() {
        String tainted = TelephonyManager.getDeviceId();
        String data = "";
        try {
            data = doGetData(tainted);
        }
        catch (Exception ex) {
            data = tainted;
        }
        ConnectionManager cm = new ConnectionManager();
        cm.publish(data);
    }

here I would like to see the trace, containing data about all the instructions located between the source and the sink. Propagation path in the infoflow is usually null when I run the tests, even if it exists I (expectedly) can't see all the instructions, only the ones, where the data is propagated. Is there an opportunity to see the whole execution path? And if so, could you please tell me where can I look for it?

t1mlange commented 1 year ago

Use config.getPathConfiguration().setPathReconstructionMode(mode) to set the path reconstruction either to FAST or PRECISE to get a non-null path.

In the IFDS solver, we construct abstraction chains (each data flow fact has predecessors) that we later use in the path builder to reconstruct the path. By default, we do not reconstruct the path in between, as this enables us to shorten these chains at each return (i.e. we only keep the result of the callee) in the solver. With FAST, we only shorten if the result of the callee is the same as the incoming fact at the call site. With PRECISE, there is no shortening at all of these chains.

Note that it is not possible to get the all statements on the path from the source to sink but only those which influenced the taint (e.g. in your example, regardless of the path reconstruction mode, data = ""; will never be on the reconstructed path). See also the discussion in #576.

OlesiaSub commented 1 year ago

@timll understood, thanks a lot for your answer :)