Open dyd1024 opened 2 years ago
"Seed" is the term used by the Boomerang solver, and it means that some of the sources that you provide as fluentTQL specification were matched in the code being analyzed. From there the tracking of the data-flow information starts. If a sink is reached from that seed, it will be reported according to the fluentTQL specification.
What is the relationship between "entrypoint" and "seed", they don't seem to be in one-to-one correspondence.
And as far as I know, Boomerang is built on top of the IFDS framework, did I make a mistake?
The entry point is used for the callgraph construction algorithms.
Boomerang is not based on IFDS! It is an implementation of the SPDS framework (synchronized pushdown systems), which mainly computes alias and data-flow information from the given seed. Then in SecuCheck, we process this and use it as a taint analysis.
I am confused... https://www.bodden.de/pubs/sna+16boomerang.pdf
The idea is that IFDS and SPDS are equivalent in terms of what they can compute.
The paper you reference is the initial version of Boomerang, and the idea was only to compute alias information. Later, in his dissertation (https://www.bodden.de/pubs/phdSpaeth.pdf), Johannes Späth reimplemented Boomerang to use the SPDS framework and not IFDS. Hope this helps.
Thank you very much, your answer helps me a lot!
When I run SecuCheck, the console outputs the following: and I want to know what "seeds" means. I can't find any explanation in the paper https://ieeexplore.ieee.org/document/9610678, can you help me? Thanks a lot.