secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Java code analysis #595

Closed OlesiaSub closed 1 year ago

OlesiaSub commented 1 year ago

I am looking for a taint analysis tool that would work on Java code (not Android). In the description of your tool it is stated that FlowDroid can analyse Java code. But I've read the instructions and I was confused by the fact that it is mandatory to set some Android-specific parameters to execute the tool. I couldn't find any examples/instructions for launching FlowDroid on non-Android sources. I was wondering, how can I launch FlowDroid on Java code, and is there an API for that? I'd also like to use FlowDroid as a library; could you please point out where I can find any examples of how to do it?

timll commented 1 year ago

The command line tool only supports Android. You can invoke FlowDroid on Java code only using code. For an example, you can take a look at how the unit tests work in https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow/test/soot/jimple/infoflow/test/junit/JUnitTests.java.

OlesiaSub commented 1 year ago

@timll thanks a lot! I also have one more question, when I launch the tool I want to be able to see the whole execution trace. For example,

    public void multipleExitTest1() {
        String tainted = TelephonyManager.getDeviceId();
        String data = "";
        try {
            data = doGetData(tainted);
        }
        catch (Exception ex) {
            data = tainted;
        }
        ConnectionManager cm = new ConnectionManager();
        cm.publish(data);
    }

Here I would like to see the trace containing data about all the instructions located between the source and the sink. The propagation path in the infoflow is usually null when I run the tests; even if it exists, I (expectedly) can't see all the instructions, only the ones where the data is propagated. Is there an opportunity to see the whole execution path? And if so, could you please tell me where I can look for it?

timll commented 1 year ago

Use config.getPathConfiguration().setPathReconstructionMode(mode) to set the path reconstruction either to FAST or PRECISE to get a non-null path.

In the IFDS solver, we construct abstraction chains (each data flow fact has predecessors) that we later use in the path builder to reconstruct the path. By default, we do not reconstruct the path in between, as this enables us to shorten these chains at each return (i.e. we only keep the result of the callee) in the solver. With FAST, we only shorten if the result of the callee is the same as the incoming fact at the call site. With PRECISE, there is no shortening at all of these chains.

Note that it is not possible to get all the statements on the path from the source to the sink, but only those which influenced the taint (e.g. in your example, regardless of the path reconstruction mode, data = ""; will never be on the reconstructed path). See also the discussion in #576.
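As an added illustration of the two answers above (not code from this thread or from the FlowDroid project), the sketch below runs the analysis on plain Java classes through the library API and prints the reconstructed path for each leak. The class name JavaTaintDemo, the com.example.* method signatures and the two command-line paths are hypothetical; the calls follow the soot-infoflow API as it is used in the linked JUnit tests, and constructor signatures may differ between FlowDroid versions.

```java
import java.util.Collections;
import java.util.List;

import soot.jimple.Stmt;
import soot.jimple.infoflow.IInfoflow;
import soot.jimple.infoflow.Infoflow;
import soot.jimple.infoflow.InfoflowConfiguration.PathReconstructionMode;
import soot.jimple.infoflow.results.DataFlowResult;
import soot.jimple.infoflow.results.InfoflowResults;

public class JavaTaintDemo {
    public static void main(String[] args) {
        // Assumed inputs: args[0] = directory or JAR with the compiled classes to
        // analyse, args[1] = library classpath (for example the JDK runtime classes).
        String appPath = args[0];
        String libPath = args[1];

        // Hypothetical Soot-style signatures; replace with the real ones of your code.
        List<String> entryPoints = Collections.singletonList(
                "<com.example.Demo: void multipleExitTest1()>");
        List<String> sources = Collections.singletonList(
                "<com.example.TelephonyManager: java.lang.String getDeviceId()>");
        List<String> sinks = Collections.singletonList(
                "<com.example.ConnectionManager: void publish(java.lang.String)>");

        IInfoflow infoflow = new Infoflow();
        // Without this, paths are not reconstructed and getPath() returns null.
        infoflow.getConfig().getPathConfiguration()
                .setPathReconstructionMode(PathReconstructionMode.Precise);
        infoflow.computeInfoflow(appPath, libPath, entryPoints, sources, sinks);

        InfoflowResults results = infoflow.getResults();
        if (results == null || results.isEmpty()) {
            System.out.println("No source-to-sink flows found");
            return;
        }
        for (DataFlowResult flow : results.getResultSet()) {
            System.out.println("source: " + flow.getSource().getStmt());
            System.out.println("sink:   " + flow.getSink().getStmt());
            Stmt[] path = flow.getSource().getPath();
            if (path == null) {
                System.out.println("  (no path reconstructed)");
                continue;
            }
            // Only statements that propagated the taint appear here.
            for (Stmt stmt : path)
                System.out.println("  via " + stmt);
        }
    }
}
```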

OlesiaSub commented 1 year ago

@timll understood, thanks a lot for your answer :)