secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

FlowDroid with EPICC #601

Open NicolasFNino opened 1 year ago

NicolasFNino commented 1 year ago

Hello,

I was wondering whether the tool mentioned in the paper, the integration of FlowDroid with EPICC, has been published yet, or whether this is no longer planned.

Thank you in advance,

StevenArzt commented 1 year ago

We have integrated FlowDroid and ICCTA, i.e., FlowDroid can analyze inter-component communication. However, FlowDroid needs a model of these ICC links as an input, which can be generated by EPICC or other tools. Since EPICC is built on a different technology stack, we have not integrated it.

The commercial code scanner VUSC that we develop at Fraunhofer SIT (which is built on top of Soot and FlowDroid) uses static value analysis to build the ICC models on demand. This is just another way to feed FlowDroid with the required models, which we found to scale better and to be more precise than ICCTA. The value analysis is proprietary code, so we can't use that for OSS FlowDroid.

If we want a good solution for OSS FlowDroid, I'd rather suggest implementing a simple value analysis or something with fewer dependencies and less running time than EPICC.