secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Request for Modifications to Soot-FlowDroid Module for Java Class Analysis #744

Closed mukyuuhate closed 1 week ago

mukyuuhate commented 3 months ago

Dear developers,

I hope this message finds you well. Firstly, I would like to express my appreciation for your excellent work on the Soot-FlowDroid module. It has been instrumental in my recent analysis tasks.

I am writing to request some modifications to enhance the functionality of the Soot-FlowDroid module for class analysis. I have successfully performed an analysis using the module, but I have encountered two specific issues that I would like to address:

  1. Request for outputting all reachable paths from source to sink: Currently, the module provides valuable information regarding data flow from source to sink points. However, I would like to have the ability to obtain a comprehensive list of all the reachable paths from the source to the sink point. This would greatly assist in understanding the flow of data and potential security risks within the analyzed code. Could you please guide me on how to modify the module to include this feature?

  2. Request for analysis support for web applications (such as JavaEE or Spring frameworks): In addition to analyzing standalone Java applications, I am particularly interested in analyzing web applications built using JavaEE or Spring frameworks. I would like to extend the capabilities of Soot-FlowDroid to handle such applications effectively. Could you provide suggestions or guidance on how to modify the module to support web application analysis, considering the unique characteristics and dependencies of such frameworks?

I highly value these modifications and greatly appreciate your guidance and assistance in this regard. I am in great need of these enhancements and eagerly look forward to your support. Thank you for considering my request.

Thank you for your attention to this matter. I appreciate your efforts in developing and maintaining such a valuable tool.

Best regards

StevenArzt commented 3 months ago

Thank you for the positive feedback on FlowDroid.

Obtaining all paths between a source and a sink is a non-trivial problem. Let's take the following code:

// Taint enters through source() in main and reaches sink() only inside foo(),
// which may call itself an unbounded number of times first.
void main() {
  String a = source();
  foo(a);
}

void foo(String a) {
  if (someCondition())   // someCondition() stands for any test; the analysis treats both branches as feasible
    sink(a);
  else
    foo("x" + a);        // recursive call: every additional unrolling is another path to the sink
}

FlowDroid does not reason about conditionals. That means we always need to assume that both cases (then and else) are possible, i.e., every conditional has two control flow successors. Under this assumption, there are infinitely many flows, because we don't know how often there is a recursive call to the foo method. If we try to output all paths, the analysis will not terminate. That's why we opted for a single arbitrary path in the first place.

Internally, the data flow is a graph. We first track the taints across the control flow graph, which gives us a taint graph. Only afterwards, we extract a single representative path from the graph. You can also work on the full taint graph if that is better for your research question. Have a look at the IAbstractionPathBuilder interface. It takes the graph (modeled via the abstraction that arrives at the sink and its transitive predecessors) and generates the path from it. In other words, at that stage, you get access to the full taint graph.

Analyzing web applications primarily requires generating a suitable dummy main method (entry point) that simulates calls to all of the REST endpoints. It is a bit more complex, because frameworks such as Spring also allow for dependency injection and implicitly instantiated objects. A naive implementation isn't too hard, but if you really want to support real-world web applications, it's a lot of effort.

We have done this effort as part of our commercial code scanner VUSC. There are free academic licenses for non-profit organizations such as universities. We provide the scanner with a development environment (extended version of Eclipse) along with some examples of how to write analysis plugins and run them inside the scanner. Internally, VUSC uses Soot and FlowDroid plus a lot of private code to deal with Java web applications, Android apps, iOS apps, and more.
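The following is an added illustration of the taint-graph argument in the reply above; it is not FlowDroid code and does not use FlowDroid's API. It models the main()/foo() example as a graph of taint abstractions with predecessor edges (the recursive call closes a cycle), extracts one representative path the way a path builder does, and shows that a naive "all paths" enumeration grows without bound. The class and method names (`Node`, `representativePath`, `countPathsUpTo`) are invented for this example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not FlowDroid code. One node per taint abstraction at a
// statement, with edges to its predecessors (the direction in which a path
// builder walks, from the abstraction at the sink back towards the source).
public class TaintGraphDemo {

    static final class Node {
        final String stmt;
        final List<Node> predecessors = new ArrayList<>();
        Node(String stmt) { this.stmt = stmt; }
        boolean isSource() { return predecessors.isEmpty(); }
        @Override public String toString() { return stmt; }
    }

    /** One representative path: breadth-first search over predecessors with a
     *  visited set. It terminates even though foo()'s recursion puts a cycle in
     *  the graph, and returns the shortest source-to-sink path, source first. */
    static List<Node> representativePath(Node atSink) {
        Map<Node, Node> cameFrom = new HashMap<>();  // predecessor -> node it was reached from
        Deque<Node> queue = new ArrayDeque<>();
        Set<Node> seen = new HashSet<>();
        queue.add(atSink);
        seen.add(atSink);
        while (!queue.isEmpty()) {
            Node cur = queue.poll();
            if (cur.isSource()) {
                List<Node> path = new ArrayList<>();
                for (Node n = cur; n != null; n = cameFrom.get(n)) path.add(n);
                return path;  // following cameFrom from the source yields source -> ... -> sink
            }
            for (Node p : cur.predecessors) {
                if (seen.add(p)) {
                    cameFrom.put(p, cur);
                    queue.add(p);
                }
            }
        }
        return Collections.emptyList();  // sink not reachable from any source
    }

    /** Naive "all paths" enumeration, cut off at a length bound so it finishes.
     *  Every unrolling of the recursive call is a distinct path, so the count
     *  keeps growing with the bound; without the bound the walk never ends. */
    static int countPathsUpTo(Node atSink, int maxLen) {
        return count(atSink, 1, maxLen);
    }

    private static int count(Node cur, int len, int maxLen) {
        if (len > maxLen) return 0;
        int total = cur.isSource() ? 1 : 0;
        for (Node p : cur.predecessors) total += count(p, len + 1, maxLen);
        return total;
    }

    /** The taint graph for the main()/foo() example, returned as the abstraction at the sink. */
    static Node buildExampleGraph() {
        Node src   = new Node("main: a = source()");
        Node call  = new Node("main: foo(a)");
        Node entry = new Node("foo: parameter a");
        Node sink  = new Node("foo: sink(a)");
        Node rec   = new Node("foo: foo(\"x\" + a)");
        call.predecessors.add(src);
        entry.predecessors.add(call);
        entry.predecessors.add(rec);   // taint also arrives through the recursive call ...
        sink.predecessors.add(entry);
        rec.predecessors.add(entry);   // ... which closes the cycle entry -> rec -> entry
        return sink;
    }

    public static void main(String[] args) {
        Node atSink = buildExampleGraph();
        System.out.println("Representative path: " + representativePath(atSink));
        for (int bound = 4; bound <= 12; bound += 2)
            System.out.println("Paths of length <= " + bound + ": " + countPathsUpTo(atSink, bound));
    }
}
```

Compile and run it with `javac TaintGraphDemo.java && java TaintGraphDemo`. The representative path contains four nodes and ignores the cycle, while the bounded count rises by one each time the bound admits another unrolling of foo, which is the non-termination the reply describes.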

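As a second added illustration of the web-application point above (not FlowDroid or VUSC code), here is a hand-written version of the "dummy main" that an entry-point generator would have to produce for a Spring-style controller. The annotations are compile-only stand-ins for Spring's `@RestController`, `@Autowired`, `@GetMapping` and `@RequestParam`, and the controller, service, `taintedRequestParameter()` and `readFile()` stubs are constructed for this example.

```java
// Added illustration, not FlowDroid or VUSC code. Stand-in annotations so the
// file compiles without Spring on the classpath; a real generator would read
// the framework's own annotations via reflection or the Soot class model.
public class DummyMainDemo {

    @interface RestController {}
    @interface Autowired {}
    @interface GetMapping { String value(); }
    @interface RequestParam { String value(); }

    // A bean the framework would create and inject ("implicitly instantiated object").
    static class UserService {
        String lookup(String id) { return "user-" + id; }
    }

    @RestController
    static class UserController {
        @Autowired UserService service;   // assigned by the framework, never in application code

        @GetMapping("/user")
        String user(@RequestParam("id") String id) {
            return service.lookup(id);
        }

        @GetMapping("/download")
        String download(@RequestParam("file") String file) {
            return readFile(file);        // sink: request-controlled data reaches a file API
        }
    }

    // Stubs for the taint source (HTTP request data) and a sink, constructed for the example.
    static String taintedRequestParameter(String name) { return "<from request: " + name + ">"; }
    static String readFile(String path) { return "<contents of " + path + ">"; }

    /** The synthetic entry point a web-aware analysis generates. Without it no
     *  code calls the handlers or assigns the injected field, so a data flow
     *  analysis finds the endpoints unreachable and reports nothing. */
    public static void dummyMain() {
        // 1. Implicit instantiation: create the bean and the controller the container would create.
        UserService service = new UserService();
        UserController controller = new UserController();
        // 2. Dependency injection: satisfy the @Autowired field explicitly so field
        //    reads in the handlers resolve to a concrete object.
        controller.service = service;
        // 3. One call per REST endpoint, with every request parameter modelled as a
        //    taint source. A generator would loop over all mapped handlers; the
        //    calls are written out here to make the shape of the method visible.
        controller.user(taintedRequestParameter("id"));
        controller.download(taintedRequestParameter("file"));
    }

    public static void main(String[] args) {
        dummyMain();
    }
}
```

The three numbered steps are exactly where the reply says the effort lies: step 1 and 2 need framework knowledge (which classes are beans, which fields and constructors are injected, which scopes and proxies apply), and step 3 needs the routing metadata to know which methods are endpoints and which parameters carry request data. A naive generator hard-codes these rules for one framework version; real-world support means keeping them correct across frameworks and configurations.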
StevenArzt commented 1 week ago

Since there has not been any further activity on this issue, I assume that the question has been answered to the satisfaction of the original author.