search

secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1
1.02k stars 292 forks source link

(Question) about path between sources and sinks. #729

Open Alireza-Ardalani opened 2 months ago

Alireza-Ardalani commented 2 months ago

I use the following configuration, using FlowDroid as library =>

    SetupApplication setupApplication = new SetupApplication(jarString, apkFile);
    InfoflowConfiguration config = setupApplication.getConfig();
    config.setAliasingAlgorithm(FlowSensitive);
    config.setCodeEliminationMode(NoCodeElimination);
    config.getSolverConfiguration().setDataFlowSolver(InfoflowConfiguration.DataFlowSolver.ContextFlowSensitive);
    config.getSolverConfiguration().setSparsePropagationStrategy(InfoflowConfiguration.SparsePropagationStrategy.Precise);
    config.setDataFlowDirection(InfoflowConfiguration.DataFlowDirection.Backwards);
    config.setImplicitFlowMode(AllImplicitFlows);
    config.getPathConfiguration().setPathReconstructionMode(Precise);
    config.getPathConfiguration().setPathBuildingAlgorithm(ContextSensitive);
    config.setMemoryThreshold(1.0d);
    config.getPathConfiguration().setPathReconstructionTimeout(1000);
    config.setDataFlowTimeout(1000);
    config.getPathConfiguration().setMaxPathLength(100);
    config.setLogSourcesAndSinks(true);
    config.getAccessPathConfiguration().setAccessPathLength(10);
    config.getAccessPathConfiguration().setUseRecursiveAccessPaths(false);
    config.getAccessPathConfiguration().setUseThisChainReduction(false);

I need a precise path between source and sink without any elimination, therefore according to my search I think this is the precise configuration ( If I miss something, I would so thankful for mentioning it)

I change the default source and sink in sourceAndSink.txt, therefore FlowDroid found some result in my test cases.

Q1) when I look at some flow, I cannot trace the source to sink, according to the provided path by FlowDroid. For example =>

1) <com.lionmobi.netmaster.activity.SaveResultActivity: void changeFirewallAdEnable()> --> $r2 = virtualinvoke $r1.<android.widget.LinearLayout: android.view.View findViewById(int)>(2131427749)

2) <com.lionmobi.netmaster.activity.SaveResultActivity: void changeFirewallAdEnable()> --> if $r2 == null goto return

3) <android.os.Handler: boolean postDelayed(java.lang.Runnable,long)> --> this := @this: android.os.Handler 4) <com.baidu.location.a.i$b: void run()> --> r0 := @this: com.baidu.location.a.i$b 5) <com.baidu.location.a.i: void a(com.baidu.location.a.i,android.os.Message)> --> $r0 := @parameter0: com.baidu.location.a.i 6) <com.baidu.location.a.i: void g(android.os.Message)> --> r0 := @this: com.baidu.location.a.i 7) <com.baidu.location.a.a: com.baidu.location.a.a a()> --> $r0 =

So in this path, I cannot find any relation between 2 and 3.

Did I miss something?

Q2) For resolving the problem I searched during the issues and find "TaintWrapper" which I did not used in my code, So it could be cause of some problem?

If yes, my previous results are not reliable without "TaintWrapper" ?

Q3) If I should use "TaintWrapper", should I add new method signature to it? because I started to define new sinks from thirdParty library and just add them to new sink file.

Thank you for your time and consideration.