soot.jimple.toolkits.ide.icfg.BiDiInterproceduralCFG Java Examples
The following examples show how to use
soot.jimple.toolkits.ide.icfg.BiDiInterproceduralCFG.
Example #1
Source File: AndroidSourceSinkManager.java From JAADAS with GNU General Public License v3.0 | 6 votes |
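/**
 * Finds the last string constant assigned to the given local by searching
 * upwards (towards the predecessors) from the given statement.
 *
 * <p>Every statement is visited at most once. Without that bookkeeping a
 * loop in the control flow graph makes the backward search revisit the same
 * statements until the stack overflows. The resource ID search in
 * {@code findLastResIDAssignment} tracks visited statements the same way.
 *
 * @param stmt
 *            The statement from which to look backwards
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors
 * @return The last string constant assigned to the given variable, or null
 *         if the search finds none
 */
private String findLastStringAssignment(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg) {
    // Fully qualified so this block does not depend on the file's import list
    return findLastStringAssignment(stmt, local, cfg, new java.util.HashSet<Stmt>());
}

/**
 * Backward search behind {@code findLastStringAssignment(Stmt, Local, BiDiInterproceduralCFG)}.
 *
 * @param stmt
 *            The statement to inspect next
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors
 * @param doneSet
 *            The statements that were already inspected; updated in place
 * @return The string constant found, or null if this branch yields none
 */
private String findLastStringAssignment(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg,
        java.util.Set<Stmt> doneSet) {
    // Already seen on another path (or on a loop back edge): nothing new here
    if (!doneSet.add(stmt))
        return null;

    if (stmt instanceof AssignStmt) {
        AssignStmt assign = (AssignStmt) stmt;
        if (assign.getLeftOp() == local) {
            // ok, now find the new value from the right side
            if (assign.getRightOp() instanceof StringConstant)
                return ((StringConstant) assign.getRightOp()).value;
            // NOTE(review): an assignment whose right side is not a string
            // constant does not end the search, so an older constant that
            // this statement overwrites can still be returned. Callers that
            // rely on the value for source matching should treat it as a
            // best-effort guess.
        }
    }

    // Continue the search upwards
    for (Unit pred : cfg.getPredsOf(stmt)) {
        if (!(pred instanceof Stmt))
            continue;
        String lastAssignment = findLastStringAssignment((Stmt) pred, local, cfg, doneSet);
        if (lastAssignment != null)
            return lastAssignment;
    }
    return null;
}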
Example #2
Source File: PolicyEnforcementPoint.java From DroidForce with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Tells whether the source recorded in {@code si} is a call to a method
 * that the configured source list classifies as inter-app communication,
 * such as "Intent.getExtras()".
 *
 * <p>The callee is matched against the source list by sub-signature only.
 * NOTE(review): a sub-signature does not include the declaring class, so a
 * method with the same name and parameters in an unrelated class matches as
 * well; confirm that this over-approximation is intended.
 *
 * @param si
 *            the source to inspect
 * @param cfg
 *            the interprocedural control flow graph; not read by this method
 * @return true if the source is an invocation whose callee matches an
 *         inter-app communication source, false otherwise
 */
private boolean isInterComponentSourceNoCallback(ResultSourceInfo si, BiDiInterproceduralCFG<Unit, SootMethod> cfg) {
    if (si.getSource().containsInvokeExpr()) {
        final SootMethod callee = si.getSource().getInvokeExpr().getMethod();
        for (SourceSinkDefinition definition : sources) {
            // Every definition is cast to AndroidMethod; any other kind
            // fails here with a ClassCastException.
            final AndroidMethod candidate = (AndroidMethod) definition.getMethod();
            final boolean isIccSource = candidate.getCategory() == CATEGORY.INTER_APP_COMMUNICATION
                    && candidate.getSubSignature().equals(callee.getSubSignature());
            if (isIccSource) {
                log.info("source is: "+ candidate);
                return true;
            }
        }
    }
    return false;
}
Example #3
Source File: PolicyEnforcementPoint.java From DroidForce with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Tells whether the source recorded in {@code si} is a parameter of a
 * method that the entry point creator lists as a callback of its declaring
 * class.
 *
 * @param si
 *            the source to inspect
 * @param cfg
 *            the interprocedural control flow graph, used to find the method
 *            that contains the source statement
 * @return true if the source is a parameter and the enclosing method's
 *         signature is registered as a callback for its declaring class,
 *         false otherwise
 */
private boolean isInterComponentSourceCallback(ResultSourceInfo si, BiDiInterproceduralCFG<Unit, SootMethod> cfg) {
    if (!isSourceInfoParameter(si)) {
        return false;
    }

    final SootMethod enclosing = cfg.getMethodOf(si.getSource());
    // The class must have registered callbacks, and this method must be one of them
    return entryPointCreator.getCallbackFunctions().containsKey(enclosing.getDeclaringClass())
            && entryPointCreator.getCallbackFunctions().get(enclosing.getDeclaringClass())
                    .contains(enclosing.getSignature());
}
Example #4
Source File: AndroidSourceSinkManager.java From JAADAS with GNU General Public License v3.0 | 4 votes |
/**
 * Checks whether the given call site indicates a UI source, e.g. a password
 * input.
 *
 * <p>Only calls whose signature equals {@code Activity_FindViewById} or
 * {@code View_FindViewById} are considered. Every case in which the control
 * ID cannot be resolved is reported on stderr and answered with false, so a
 * sensitive control whose ID this method cannot determine statically is not
 * treated as a source.
 *
 * @param sCallSite
 *            The call site that may potentially read data from a sensitive
 *            UI control
 * @param cfg
 *            The control flow graph. It is cast to
 *            {@code BiDiInterproceduralCFG} when the control ID is held in
 *            a local, so it has to be bidirectional in that case.
 * @return True if the given call site reads data from a UI source, false
 *         otherwise
 */
private boolean isUISource(Stmt sCallSite, InterproceduralCFG<Unit, SootMethod> cfg) {
    // Layout matching is switched off, or there is no call to look at
    if (this.layoutMatching == LayoutMatchingMode.NoMatch || !sCallSite.containsInvokeExpr()) {
        return false;
    }

    // Only the well-known findViewById methods are of interest
    final InvokeExpr ie = sCallSite.getInvokeExpr();
    final String signature = methodToSignature.getUnchecked(ie.getMethod());
    if (!signature.equals(Activity_FindViewById) && !signature.equals(View_FindViewById)) {
        return false;
    }

    // Run constant propagation on the enclosing method, once per method
    final SootMethod uiMethod = cfg.getMethodOf(sCallSite);
    if (analyzedLayoutMethods.add(uiMethod)) {
        ConstantPropagatorAndFolder.v().transform(uiMethod.getActiveBody());
    }

    // When all controls match, the specific control does not matter
    if (this.layoutMatching == LayoutMatchingMode.MatchAll) {
        return true;
    }

    // Without a layout control list no more specific check is possible
    if (this.layoutControls == null) {
        return false;
    }

    if (ie.getArgCount() != 1) {
        System.err.println("Framework method call with unexpected number of arguments");
        return false;
    }

    // Resolve the control ID: either a constant, or a local whose last
    // assignment is searched for backwards from the call site
    final int id;
    if (ie.getArg(0) instanceof IntConstant) {
        id = ((IntConstant) ie.getArg(0)).value;
    } else if (ie.getArg(0) instanceof Local) {
        Integer idVal = findLastResIDAssignment(
                sCallSite,
                (Local) ie.getArg(0),
                (BiDiInterproceduralCFG<Unit, SootMethod>) cfg,
                new HashSet<Stmt>(cfg.getMethodOf(sCallSite).getActiveBody().getUnits().size()));
        if (idVal == null) {
            System.err.println("Could not find assignment to local "
                    + ((Local) ie.getArg(0)).getName()
                    + " in method "
                    + cfg.getMethodOf(sCallSite).getSignature());
            return false;
        }
        id = idVal.intValue();
    } else {
        System.err.println("Framework method call with unexpected parameter type: "
                + ie.toString()
                + ", first parameter is of type "
                + ie.getArg(0).getClass());
        return false;
    }

    LayoutControl control = this.layoutControls.get(id);
    if (control == null) {
        System.err.println("Layout control with ID " + id + " not found");
        return false;
    }

    // Any mode other than MatchSensitiveOnly ends up as "not a source" here
    return this.layoutMatching == LayoutMatchingMode.MatchSensitiveOnly && control.isSensitive();
}
Example #5
Source File: AndroidSourceSinkManager.java From JAADAS with GNU General Public License v3.0 | 4 votes |
/**
 * Finds the last assignment to the given local representing a resource ID
 * by searching upwards from the given statement.
 *
 * <p>Three kinds of right-hand side are understood: an integer constant, a
 * field carrying an {@code IntegerConstantValueTag}, and a call to
 * {@code getIdentifier} on {@code android.content.res.Resources}. Any other
 * assignment to the local is skipped and the search continues with the
 * predecessors.
 *
 * @param stmt
 *            The statement from which to look backwards
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors
 * @param doneSet
 *            The statements that were already inspected; updated in place
 *            so that no statement is searched twice
 * @return The last value assigned to the given variable, or null if it
 *         cannot be determined
 */
private Integer findLastResIDAssignment(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg,
        Set<Stmt> doneSet) {
    // A statement that is already in doneSet has been searched before
    if (!doneSet.add(stmt)) {
        return null;
    }

    // Only an assignment to the local we are tracking can yield a value
    if (stmt instanceof AssignStmt && ((AssignStmt) stmt).getLeftOp() == local) {
        final AssignStmt definition = (AssignStmt) stmt;

        if (definition.getRightOp() instanceof IntConstant) {
            return ((IntConstant) definition.getRightOp()).value;
        }

        if (definition.getRightOp() instanceof FieldRef) {
            final SootField field = ((FieldRef) definition.getRightOp()).getField();
            for (Tag tag : field.getTags()) {
                if (!(tag instanceof IntegerConstantValueTag)) {
                    // Reported for every tag that is not an integer constant
                    System.err.println("Constant " + field + " was of unexpected type");
                    continue;
                }
                return ((IntegerConstantValueTag) tag).getIntValue();
            }
        } else if (definition.getRightOp() instanceof InvokeExpr) {
            final InvokeExpr inv = (InvokeExpr) definition.getRightOp();
            // The callee is recognised by method name and declaring class name
            final boolean isGetIdentifier = inv.getMethod().getName().equals("getIdentifier")
                    && inv.getMethod().getDeclaringClass().getName().equals("android.content.res.Resources")
                    && this.resourcePackages != null;
            if (isGetIdentifier) {
                if (inv.getArgCount() != 3) {
                    System.err.println("Invalid parameter count for call to getIdentifier");
                    return null;
                }

                // Arguments 0 and 1 are only read when they are string
                // constants. NOTE(review): anything else leaves them as the
                // empty string and the lookup below still runs.
                final String resName = inv.getArg(0) instanceof StringConstant
                        ? ((StringConstant) inv.getArg(0)).value
                        : "";
                final String resID = inv.getArg(1) instanceof StringConstant
                        ? ((StringConstant) inv.getArg(1)).value
                        : "";

                // The package name may also sit in a local. In that case
                // findLastStringAssignment can return null, which is passed
                // on to findResource unchanged.
                final String packageName;
                if (inv.getArg(2) instanceof StringConstant) {
                    packageName = ((StringConstant) inv.getArg(2)).value;
                } else if (inv.getArg(2) instanceof Local) {
                    packageName = findLastStringAssignment(stmt, (Local) inv.getArg(2), cfg);
                } else {
                    System.err.println("Unknown parameter type in call to getIdentifier");
                    return null;
                }

                // Find the resource
                ARSCFileParser.AbstractResource res = findResource(resName, resID, packageName);
                if (res != null) {
                    return res.getResourceID();
                }
            }
        }
    }

    // Continue the search upwards
    for (Unit pred : cfg.getPredsOf(stmt)) {
        if (pred instanceof Stmt) {
            final Integer found = findLastResIDAssignment((Stmt) pred, local, cfg, doneSet);
            if (found != null) {
                return found;
            }
        }
    }
    return null;
}
Example #6
Source File: BackwardsInfoflowProblem.java From JAADAS with GNU General Public License v3.0 | 4 votes |
/**
 * Creates the problem by handing both arguments to the superclass
 * constructor.
 *
 * @param icfg
 *            the bidirectional interprocedural control flow graph
 * @param sourceSinkManager
 *            the source/sink manager, passed on unchanged
 */
public BackwardsInfoflowProblem(
        BiDiInterproceduralCFG<Unit, SootMethod> icfg,
        ISourceSinkManager sourceSinkManager) {
    super(icfg, sourceSinkManager);
}
Example #7
Source File: AbstractInfoflowProblem.java From JAADAS with GNU General Public License v3.0 | 4 votes |
/**
 * Creates the problem on the given control flow graph and stores the
 * source/sink manager. Neither argument is checked for null here.
 *
 * @param icfg
 *            the bidirectional interprocedural control flow graph, handed
 *            to the superclass constructor
 * @param sourceSinkManager
 *            the source/sink manager kept in the {@code sourceSinkManager}
 *            field
 */
public AbstractInfoflowProblem(
        BiDiInterproceduralCFG<Unit, SootMethod> icfg,
        ISourceSinkManager sourceSinkManager) {
    super(icfg);
    this.sourceSinkManager = sourceSinkManager;
}
Example #8
Source File: InfoflowCFG.java From JAADAS with GNU General Public License v3.0 | 4 votes |
/**
 * Wraps the given control flow graph. The reference is stored as-is and is
 * not checked for null.
 *
 * @param delegate
 *            the control flow graph kept in the {@code delegate} field
 */
public InfoflowCFG(
        BiDiInterproceduralCFG<Unit, SootMethod> delegate) {
    this.delegate = delegate;
}
Example #9
Source File: WeightedBoomerang.java From SPDS with Eclipse Public License 2.0 | 4 votes |
/**
 * Does nothing: the body is still the generated stub, so none of the
 * arguments is read.
 *
 * @param icfg
 *            the bidirectional interprocedural control flow graph
 * @param baseSolver
 *            unused
 * @param flowSolver
 *            unused
 * @param fieldReadPOI
 *            unused
 * @param succ
 *            unused
 */
public void createPOI(
        BiDiInterproceduralCFG<Unit, SootMethod> icfg,
        AbstractBoomerangSolver<W> baseSolver,
        AbstractBoomerangSolver<W> flowSolver,
        WeightedBoomerang<W>.FieldReadPOI fieldReadPOI,
        Statement succ) {
    // TODO Auto-generated method stub
}
Example #10
Source File: PolicyEnforcementPoint.java From DroidForce with GNU Lesser General Public License v2.1 | 4 votes |
/**
 * Builds the Jimple statements that collect the data categories of the
 * given sources in a fresh {@code java.util.HashSet} and pass that set,
 * together with the sink's Intent, to the instrumentation helper method
 * {@code addTaintInformationToIntent}.
 *
 * <p>The statements are only returned; inserting them into the body is left
 * to the caller. A fresh local is requested for the method body through
 * {@code generateFreshLocal}.
 *
 * @param cfg
 *            the interprocedural control flow graph, used to find the method
 *            that contains {@code unit}
 * @param unit
 *            the statement that contains the sink call
 * @param sinkExpr
 *            the sink invocation
 * @param sourceInfo
 *            the sources whose data categories are attached
 * @return the generated statements, or an empty list if the invoked method
 *         is not an inter-component sink
 * @throws RuntimeException
 *             if the method containing {@code unit} has no active body
 */
private List<Unit> instrumentIntentAddings(BiDiInterproceduralCFG<Unit, SootMethod> cfg,
        Unit unit, InvokeExpr sinkExpr, Set<ResultSourceInfo> sourceInfo) {
    if (!isMethodInterComponentSink(sinkExpr.getMethod())) {
        return Collections.emptyList();
    }

    final SootMethod method = cfg.getMethodOf(unit);
    if (!method.hasActiveBody()) {
        throw new RuntimeException("No body found!");
    }
    final Body body = method.retrieveActiveBody();

    final Set<String> sourceCategories = getDataIdList(sourceInfo);
    final String hashSetType = "java.util.HashSet";
    final List<Unit> generated = new ArrayList<Unit>();

    // Allocate the HashSet in a fresh local
    final Local hashSetLocal = generateFreshLocal(body, RefType.v(hashSetType));
    generated.add(Jimple.v().newAssignStmt(hashSetLocal, Jimple.v().newNewExpr(RefType.v(hashSetType))));

    // Call its no-argument constructor
    generated.add(Jimple.v().newInvokeStmt(
            Jimple.v().newSpecialInvokeExpr(hashSetLocal,
                    Scene.v().getMethod("<java.util.HashSet: void <init>()>").makeRef())));

    // One Set.add call per source category
    for (String category : sourceCategories) {
        generated.add(Jimple.v().newInvokeStmt(
                Jimple.v().newInterfaceInvokeExpr(hashSetLocal,
                        Scene.v().getMethod("<java.util.Set: boolean add(java.lang.Object)>").makeRef(),
                        StringConstant.v(category))));
    }

    // The first argument of the sink call is taken to be the Intent.
    // NOTE(review): the argument count and type are not checked here;
    // confirm that isMethodInterComponentSink only accepts such methods.
    final Value intent = sinkExpr.getArg(0);

    // Type/value pairs, in the order they are handed to createJimpleStaticInvokeExpr
    final List<Object> helperArgs = new ArrayList<Object>();
    helperArgs.add(RefType.v("android.content.Intent"));
    helperArgs.add(intent);
    helperArgs.add(RefType.v(hashSetType));
    helperArgs.add(hashSetLocal);

    final StaticInvokeExpr helperCall = Instrumentation.createJimpleStaticInvokeExpr(
            Settings.INSTRUMENTATION_HELPER_JAVA, "addTaintInformationToIntent", helperArgs);
    generated.add(Jimple.v().newInvokeStmt(helperCall));

    return generated;
}
Example #11
Source File: TaintPropagationHandler.java From JAADAS with GNU General Public License v3.0 | 3 votes |
/**
 * Handler function that is invoked when a new taint is generated in the data
 * flow engine
 * @param stmt The statement over which the taint is propagated
 * @param d1 The abstraction at the beginning of the current method
 * @param incoming The original abstraction from which the outgoing ones
 * were computed
 * @param outgoing The set of taints being propagated
 * @param cfg The interprocedural control flow graph containing the current
 * method
 * @param type The type of data flow edge being processed
 * @return The new abstractions to be propagated on. If you do not want to
 * change the normal propagation behavior, just return the value of the
 * "outgoing" parameter as-is.
 */
public Set<Abstraction> notifyFlowOut(Unit stmt, Abstraction d1, Abstraction incoming, Set<Abstraction> outgoing, BiDiInterproceduralCFG<Unit, SootMethod> cfg, FlowFunctionType type);
Example #12
Source File: TaintPropagationHandler.java From JAADAS with GNU General Public License v3.0 | 2 votes |
/**
 * Handler function that is invoked when a taint is propagated in the data
 * flow engine
 * @param stmt The statement over which the taint is propagated
 * @param taint The taint being propagated
 * @param cfg The interprocedural control flow graph containing the current
 * method
 * @param type The type of data flow edge being processed
 */
public void notifyFlowIn (Unit stmt, Abstraction taint, BiDiInterproceduralCFG<Unit, SootMethod> cfg, FlowFunctionType type);