secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

How do XML base and param sources work? #640

Open CalixBarrus opened 10 months ago

CalixBarrus commented 10 months ago

Hello, I am working on using the XML source/sink format to incorporate runtime intermediate flow information into FlowDroid's analysis. I don't understand very well exactly how base and param tags labelled as a source cause taint to show up, especially in cases I'm working on where the method being labelled is in client code accessible to FlowDroid.

Pseudo-code example to illustrate my question:

public class MainClass {
    public static void main(String[] args) {
        String str = "safe";
        foo(str);
        sink(str);
    }
    static void foo(String input) {
        sink(input);
    }
    // Placeholder sink so the example compiles; stands in for a real sink method.
    static void sink(String s) { }
}

Say the method foo, argument 0 is marked as a source for all access paths

<method signature="&lt;com.example.test.MainClass: void foo(java.lang.String)&gt;">
    <param index="0" type="java.lang.String">
        <accessPath isSource="true" isSink="false" />
    </param>
</method>

Would this result in 1 or 2 leaks? Would foo's argument be unconditionally tainted at the top of the function call, or would there just be a summary edge added for the caller? I have similar questions about tainting a base object or fields on a base object in a similar manner; would a field become tainted at the top of a tainted function call? Or after the call has returned?

On a similar note, is there any published work or other resource that includes a description of the features offered by the new(ish) XML source/sink files? For example, an explanation of how the additionalFlowConditions work?

timll commented 10 months ago

Would this result in 1 or 2 leaks? Would foo's argument be unconditionally tainted at the top of the function call, or would there just be a summary edge added for the caller? I have similar questions about tainting a base object or fields on a base object in a similar manner; would a field become tainted at the top of a tainted function call? or after the call has returned?

By default, FlowDroid does not propagate the flow into sources and sinks. The taint is introduced in the caller (regardless of the flows in the source/sink). You can disable this behavior with config.setInspectSources(true) and config.setInspectSinks(true).

On a similar note, is there any published work or other resource that includes a description of the features offered by the new(ish) XML source/sink files? For example, an explanation of how the additionalFlowConditions work?

additionalFlowConditions are very much WIP and aren't really usable now, there will be documentation when things are ready.
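To see the effect of the two setters concretely, here is an added driver sketch that is not part of the issue or of the FlowDroid project: it loads an XML source/sink file like the one in the question and runs FlowDroid's plain-Java (non-Android) entry point once with the default configuration and once with inspectSources/inspectSinks enabled, printing the number of reported leaks for each. The paths and the XML-parser-to-manager wiring are assumptions to check against your FlowDroid version.

```java
import java.io.IOException;

import soot.jimple.infoflow.Infoflow;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.android.data.parsers.XMLSourceSinkParser;
import soot.jimple.infoflow.sourcesSinks.manager.DefaultSourceSinkManager;

public class InspectSourcesDemo {
    // Constructed paths (assumptions): compiled MainClass, a JDK classpath, and
    // the XML file holding the <method signature="..."> definition from above.
    static final String APP_PATH = "target/classes";
    static final String LIB_PATH = System.getProperty("java.home") + "/lib/rt.jar";
    static final String ENTRY = "<com.example.test.MainClass: void main(java.lang.String[])>";
    static final String SS_XML = "sources_sinks.xml";

    static InfoflowResults run(boolean inspect) throws IOException {
        Infoflow infoflow = new Infoflow();
        InfoflowConfiguration cfg = infoflow.getConfig();
        // Default (false): the taint for a param/base source is introduced in the
        // caller and the flow is not propagated into the source/sink method itself.
        // With true, FlowDroid also follows the flow inside foo's body.
        cfg.setInspectSources(inspect);
        cfg.setInspectSinks(inspect);
        // Assumed wiring: XML parser acts as the definition provider for the manager.
        XMLSourceSinkParser parser = XMLSourceSinkParser.fromFile(SS_XML);
        DefaultSourceSinkManager ssm = new DefaultSourceSinkManager(parser);
        infoflow.computeInfoflow(APP_PATH, LIB_PATH, ENTRY, ssm);
        return infoflow.getResults();
    }

    public static void main(String[] args) throws IOException {
        for (boolean inspect : new boolean[] { false, true }) {
            InfoflowResults res = run(inspect);
            System.out.println("inspectSources/inspectSinks=" + inspect
                    + " -> reported leaks: " + (res == null ? 0 : res.size()));
        }
    }
}
```

Comparing the two leak counts on the MainClass example answers the "1 or 2 leaks" question empirically for the FlowDroid version you have on the classpath.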