soot.jimple.toolkits.ide.icfg.BiDiInterproceduralCFG Java Examples

The following examples show how to use soot.jimple.toolkits.ide.icfg.BiDiInterproceduralCFG.
Example #1
Source File:    From JAADAS with GNU General Public License v3.0
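/**
 * Finds the last assignment to the given String local by searching upwards
 * from the given statement.
 *
 * <p>Only assignments whose right-hand side is a {@code StringConstant} are
 * resolved. The search follows every predecessor edge of the control flow
 * graph and returns the first constant it encounters.
 *
 * @param stmt
 *            The statement from which to look backwards
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors of a
 *            statement
 * @return The last constant value assigned to the given variable, or null
 *         if no constant assignment is reachable
 */
private String findLastStringAssignment(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg) {
	// Fully qualified names are used so this block does not depend on the
	// enclosing file's import list.
	return findLastStringAssignmentFrom(stmt, local, cfg, new java.util.HashSet<Stmt>());
}

/**
 * Worker for {@code findLastStringAssignment} that remembers which
 * statements were already inspected.
 *
 * @param stmt
 *            The statement currently being inspected
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors
 * @param doneSet
 *            Statements already visited during this search
 * @return The constant found, or null if this statement was already visited
 *         or no constant assignment is reachable from it
 */
private String findLastStringAssignmentFrom(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg,
		java.util.Set<Stmt> doneSet) {
	// A statement inside a loop is its own transitive predecessor. Without
	// this guard the upward search never terminates on such a graph and
	// ends in a StackOverflowError.
	if (!doneSet.add(stmt))
		return null;

	if (stmt instanceof AssignStmt) {
		AssignStmt assign = (AssignStmt) stmt;
		if (assign.getLeftOp() == local) {
			// ok, now find the new value from the right side
			if (assign.getRightOp() instanceof StringConstant)
				return ((StringConstant) assign.getRightOp()).value;
			// NOTE(review): a non-constant assignment to the local does not
			// end the search, so an older constant further up may be
			// reported even though it was overwritten. Callers that base a
			// source/sink decision on the result should treat it as a best
			// guess.
		}
	}

	// Continue the search upwards
	for (Unit pred : cfg.getPredsOf(stmt)) {
		if (!(pred instanceof Stmt))
			continue;
		String lastAssignment = findLastStringAssignmentFrom((Stmt) pred, local, cfg, doneSet);
		if (lastAssignment != null)
			return lastAssignment;
	}
	return null;
}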
Example #2
Source File:    From DroidForce with GNU Lesser General Public License v2.1
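/**
 * Returns true if the method corresponding to the source 'si' is an
 * Inter Component Communication source method such as "Intent.getExtras()".
 * @param si the source to check
 * @param cfg the interprocedural control flow graph
 * @return true if 'si' is such a source method, false otherwise
 */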
// Compares the method invoked at the source statement of 'si' against the
// configured source definitions in 'sources'.
// NOTE(review): this listing is incomplete. Closing braces and at least two
// conditions are missing, so the code below is not valid Java as printed.
private boolean isInterComponentSourceNoCallback(ResultSourceInfo si, BiDiInterproceduralCFG<Unit, SootMethod> cfg){
		// NOTE(review): the condition guarding this early return is missing from the listing.
		return false;
	// Method invoked by the source statement.
	InvokeExpr invExpr = si.getSource().getInvokeExpr();
	SootMethod sm = invExpr.getMethod();
	for(SourceSinkDefinition meth : sources){
		// Unchecked cast: a definition whose method is not an AndroidMethod
		// raises a ClassCastException here.
		AndroidMethod am = (AndroidMethod) meth.getMethod();
			// The match is on the sub-signature only (return type, name and
			// parameter types), so the declaring class is not compared and
			// same-shaped methods of unrelated classes also match.
			// NOTE(review): the indentation suggests an enclosing condition
			// was lost above this line, and the call that consumed the
			// "source is: " string (presumably a log call) is truncated.
			if(am.getSubSignature().equals(sm.getSubSignature())) {"source is: "+ am);
				return true;
	return false;
Example #3
Source File:    From DroidForce with GNU Lesser General Public License v2.1
// NOTE(review): most of this method's body is missing from the listing. Only
// the lookup of the method that contains the source statement and the two
// return statements survive, so the condition that selects 'return true'
// cannot be documented from here.
private boolean isInterComponentSourceCallback(ResultSourceInfo si,
		BiDiInterproceduralCFG<Unit, SootMethod> cfg){
		// Method in which the source statement of 'si' is located.
		SootMethod sm = cfg.getMethodOf(si.getSource());
				return true;
	return false;
Example #4
Source File:    From JAADAS with GNU General Public License v3.0
/**
 * Checks whether the given call site indicates a UI source, e.g. a password
 * input
 * @param sCallSite
 *            The call site that may potentially read data from a sensitive
 *            UI control
 * @param cfg
 *            The bidirectional control flow graph
 * @return True if the given call site reads data from a UI source, false
 *         otherwise
 */
// Decides whether a findViewById call site is a UI source, based on the
// configured layout matching mode and on the control that the resource ID
// argument resolves to.
// NOTE(review): several closing braces are missing from this listing, so the
// code is not valid Java as printed. The comments mark the affected places.
// Every failure path returns false, which means the call site is then NOT
// treated as a source. A resource ID that cannot be resolved silently drops
// a potentially sensitive input field from the analysis, and the only trace
// is a message on stderr.
private boolean isUISource(Stmt sCallSite, InterproceduralCFG<Unit, SootMethod> cfg) {
	// If we match input controls, we need to check whether this is a call
	// to one of the well-known resource handling functions in Android
	if (this.layoutMatching != LayoutMatchingMode.NoMatch && sCallSite.containsInvokeExpr()) {
		InvokeExpr ie = sCallSite.getInvokeExpr();
		final String signature = methodToSignature.getUnchecked(ie.getMethod());
		if (signature.equals(Activity_FindViewById)
				|| signature.equals(View_FindViewById)) {
			// Perform a constant propagation inside this method exactly
			// once
			SootMethod uiMethod = cfg.getMethodOf(sCallSite);
			// Set.add returns true only the first time a method is seen.
			// NOTE(review): the statement guarded by this 'if' is missing
			// from the listing. As printed, the MatchAll check below would
			// become its body.
			if (analyzedLayoutMethods.add(uiMethod))

			// If we match all controls, we don't care about the specific
			// control we're dealing with
			if (this.layoutMatching == LayoutMatchingMode.MatchAll)
				return true;
			// If we don't have a layout control list, we cannot perform any
			// more specific checks
			if (this.layoutControls == null)
				return false;

			// If we match specific controls, we need to get the ID of
			// control and look up the respective data object
			if (ie.getArgCount() != 1) {
				System.err.println("Framework method call with unexpected " + "number of arguments");
				return false;
			// NOTE(review): the closing brace of the argument count check is missing here.
			int id = 0;
			if (ie.getArg(0) instanceof IntConstant)
				id = ((IntConstant) ie.getArg(0)).value;
			else if (ie.getArg(0) instanceof Local) {
				// The parameter is declared as InterproceduralCFG but is
				// downcast here, so a caller passing any other
				// implementation gets a ClassCastException. The visited set
				// is pre-sized with the number of units in the method body.
				Integer idVal = findLastResIDAssignment(sCallSite, (Local) ie.getArg(0), (BiDiInterproceduralCFG<Unit, SootMethod>) cfg, new HashSet<Stmt>(cfg.getMethodOf(sCallSite).getActiveBody().getUnits().size()));
				if (idVal == null) {
					System.err.println("Could not find assignment to local "
								+ ((Local) ie.getArg(0)).getName()
								+ " in method "
								+ cfg.getMethodOf(sCallSite).getSignature());
					return false;
				} else
					id = idVal.intValue();
			} else {
				System.err.println("Framework method call with unexpected " + "parameter type: " + ie.toString() + ", " + "first parameter is of type " + ie.getArg(0).getClass());
				return false;
			// NOTE(review): the closing brace of the else branch is missing here.

			LayoutControl control = this.layoutControls.get(id);
			if (control == null) {
				System.err.println("Layout control with ID " + id + " not found");
				return false;
			// NOTE(review): the closing brace of the null check is missing here.
			// Only a control flagged as sensitive counts as a source in
			// MatchSensitiveOnly mode.
			if (this.layoutMatching == LayoutMatchingMode.MatchSensitiveOnly && control.isSensitive())
				return true;
	return false;
Example #5
Source File:    From JAADAS with GNU General Public License v3.0
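/**
 * Finds the last assignment to the given local representing a resource ID
 * by searching upwards from the given statement.
 *
 * <p>Three kinds of right-hand side are resolved: an integer constant, a
 * field carrying an {@code IntegerConstantValueTag}, and a call to
 * {@code android.content.res.Resources.getIdentifier} whose arguments can
 * be resolved to strings. Anything else is skipped and the search continues
 * with the predecessors of the statement.
 *
 * <p>The block structure (closing braces, the {@code else} of the tag loop
 * and the {@code continue} in the predecessor loop) was restored from the
 * indentation of the listing.
 *
 * @param stmt
 *            The statement from which to look backwards
 * @param local
 *            The variable for which to look for assignments
 * @param cfg
 *            The control flow graph that supplies the predecessors of a
 *            statement
 * @param doneSet
 *            Statements already visited; keeps the search from running
 *            forever on cyclic control flow
 * @return The last value assigned to the given variable, or null if the
 *         statement was already visited or no value could be resolved
 */
private Integer findLastResIDAssignment(Stmt stmt, Local local, BiDiInterproceduralCFG<Unit, SootMethod> cfg, Set<Stmt> doneSet) {
	if (!doneSet.add(stmt))
		return null;

	// If this is an assign statement, we need to check whether it changes
	// the variable we're looking for
	if (stmt instanceof AssignStmt) {
		AssignStmt assign = (AssignStmt) stmt;
		if (assign.getLeftOp() == local) {
			// ok, now find the new value from the right side
			if (assign.getRightOp() instanceof IntConstant) {
				return ((IntConstant) assign.getRightOp()).value;
			} else if (assign.getRightOp() instanceof FieldRef) {
				SootField field = ((FieldRef) assign.getRightOp()).getField();
				for (Tag tag : field.getTags()) {
					if (tag instanceof IntegerConstantValueTag)
						return ((IntegerConstantValueTag) tag).getIntValue();
					else
						System.err.println("Constant " + field + " was of unexpected type");
				}
			} else if (assign.getRightOp() instanceof InvokeExpr) {
				InvokeExpr inv = (InvokeExpr) assign.getRightOp();
				if (inv.getMethod().getName().equals("getIdentifier") && inv.getMethod().getDeclaringClass().getName().equals("android.content.res.Resources") && this.resourcePackages != null) {
					// The right side of the assignment is a call into the
					// well-known Android API method for resource handling
					if (inv.getArgCount() != 3) {
						System.err.println("Invalid parameter count for call to getIdentifier");
						return null;
					}

					// Find the parameter values. Argument 1 of getIdentifier
					// is the resource type (defType in the Android API),
					// despite the name of the local that holds it here.
					String resName = "";
					String resID = "";
					String packageName = "";

					// In the trivial case, these values are constants.
					// NOTE(review): a non-constant name or type is left as
					// the empty string; only the package name is traced
					// back through the control flow graph.
					if (inv.getArg(0) instanceof StringConstant)
						resName = ((StringConstant) inv.getArg(0)).value;
					if (inv.getArg(1) instanceof StringConstant)
						resID = ((StringConstant) inv.getArg(1)).value;
					if (inv.getArg(2) instanceof StringConstant)
						packageName = ((StringConstant) inv.getArg(2)).value;
					else if (inv.getArg(2) instanceof Local)
						// NOTE(review): may yield null when no constant is
						// found; confirm that findResource accepts a null
						// package name.
						packageName = findLastStringAssignment(stmt, (Local) inv.getArg(2), cfg);
					else {
						System.err.println("Unknown parameter type in call to getIdentifier");
						return null;
					}

					// Find the resource
					ARSCFileParser.AbstractResource res = findResource(resName, resID, packageName);
					if (res != null)
						return res.getResourceID();
				}
			}
		}
	}

	// Continue the search upwards
	for (Unit pred : cfg.getPredsOf(stmt)) {
		if (!(pred instanceof Stmt))
			continue;
		Integer lastAssignment = findLastResIDAssignment((Stmt) pred, local, cfg, doneSet);
		if (lastAssignment != null)
			return lastAssignment;
	}
	return null;
}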
Example #6
Source File:    From JAADAS with GNU General Public License v3.0
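/**
 * Constructs the problem by handing both arguments to the superclass
 * constructor.
 *
 * @param icfg
 *            The bidirectional interprocedural control flow graph
 * @param sourceSinkManager
 *            The source/sink manager
 */
public BackwardsInfoflowProblem(BiDiInterproceduralCFG<Unit, SootMethod> icfg,
		ISourceSinkManager sourceSinkManager) {
	super(icfg, sourceSinkManager);
}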
Example #7
Source File:    From JAADAS with GNU General Public License v3.0
// Stores the given source/sink manager in the sourceSinkManager field.
// NOTE(review): 'icfg' is not used in the visible lines and the closing brace
// is missing; presumably a superclass constructor call that consumes 'icfg'
// was lost from this listing. Confirm against the project.
public AbstractInfoflowProblem(BiDiInterproceduralCFG<Unit, SootMethod> icfg,
		ISourceSinkManager sourceSinkManager) {
	this.sourceSinkManager = sourceSinkManager;
Example #8
Source File:    From JAADAS with GNU General Public License v3.0
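/**
 * Wraps the given control flow graph.
 *
 * @param delegate
 *            The bidirectional interprocedural control flow graph that is
 *            stored in the {@code delegate} field
 */
public InfoflowCFG(BiDiInterproceduralCFG<Unit, SootMethod> delegate) {
	this.delegate = delegate;
}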
Example #9
Source File:    From SPDS with Eclipse Public License 2.0
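/**
 * Does nothing: the body in this listing holds only the IDE-generated
 * placeholder comment.
 *
 * @param icfg
 *            The bidirectional interprocedural control flow graph
 * @param baseSolver
 *            The solver passed as base solver
 * @param flowSolver
 *            The solver passed as flow solver
 * @param fieldReadPOI
 *            The field read point of indirection
 * @param succ
 *            The successor statement
 */
public void createPOI(BiDiInterproceduralCFG<Unit, SootMethod> icfg, AbstractBoomerangSolver<W> baseSolver,
        AbstractBoomerangSolver<W> flowSolver, WeightedBoomerang<W>.FieldReadPOI fieldReadPOI, Statement succ) {
    // TODO Auto-generated method stub
}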
Example #10
Source File:    From DroidForce with GNU Lesser General Public License v2.1
// Builds Jimple statements that create a java.util.HashSet, fill it with the
// data categories derived from 'sourceInfo', and pass it together with the
// Intent argument of the sink call to a static helper.
// NOTE(review): this listing is incomplete. Braces, at least one enclosing
// condition, the try/catch or check around the body lookup and the
// statements that append to 'generated' are missing, so the code is not
// valid Java as printed.
private List<Unit> instrumentIntentAddings(BiDiInterproceduralCFG<Unit, SootMethod> cfg,
		Unit unit, InvokeExpr sinkExpr, Set<ResultSourceInfo> sourceInfo){
		// Method that contains the statement being instrumented.
		SootMethod method = cfg.getMethodOf(unit);
		Body body = null;
			body = method.retrieveActiveBody();
			// NOTE(review): as printed this throw is unconditional; its guard is missing from the listing.
			throw new RuntimeException("No body found!");
		Set<String> sourceCategories = getDataIdList(sourceInfo);
		final String hashSetType = "java.util.HashSet";
		List<Unit> generated = new ArrayList<Unit>();
		//HashSet initialization
		Local hashSetLocal = generateFreshLocal(body, RefType.v(hashSetType));
		NewExpr newExpr = Jimple.v().newNewExpr(RefType.v(hashSetType));
		AssignStmt assignStmt = Jimple.v().newAssignStmt(hashSetLocal, newExpr);
		//constructor call
		SpecialInvokeExpr constructorCall = Jimple.v().newSpecialInvokeExpr(hashSetLocal, Scene.v().getMethod("<java.util.HashSet: void <init>()>").makeRef());
		InvokeStmt constructorCallStmt = Jimple.v().newInvokeStmt(constructorCall);
		//add categories to HashSet
		for(String cat : sourceCategories){
			// One Set.add call per category, with the category as a string constant.
			InterfaceInvokeExpr addCall = Jimple.v().newInterfaceInvokeExpr(hashSetLocal, Scene.v().getMethod("<java.util.Set: boolean add(java.lang.Object)>").makeRef(), StringConstant.v(cat));
			InvokeStmt addCallStmt = Jimple.v().newInvokeStmt(addCall);
		//get Intent
		// Assumes the Intent is the first argument of the sink call. TODO confirm against the callers.
		Value intent = sinkExpr.getArg(0);
		List<Object> args = new ArrayList<Object>();
		// NOTE(review): the argument list of this call is truncated in the listing.
		StaticInvokeExpr sie = Instrumentation.createJimpleStaticInvokeExpr(
		InvokeStmt invStmt = Jimple.v().newInvokeStmt(sie);
		return generated;
	// Fallback for the case whose condition is missing from the listing.
	return Collections.emptyList();
Example #11
Source File:    From JAADAS with GNU General Public License v3.0
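/**
 * Handler function that is invoked when a new taint is generated in the data
 * flow engine
 * @param stmt The statement over which the taint is propagated
 * @param d1 The abstraction at the beginning of the current method
 * @param incoming The original abstraction from which the outgoing ones
 * were computed
 * @param outgoing The set of taints being propagated
 * @param cfg The interprocedural control flow graph containing the current
 * method
 * @param type The type of data flow edge being processed
 * @return The new abstractions to be propagated on. If you do not want to
 * change the normal propagation behavior, just return the value of the
 * {@code outgoing} parameter as-is.
 */
public Set<Abstraction> notifyFlowOut(Unit stmt,
		Abstraction d1,
		Abstraction incoming,
		Set<Abstraction> outgoing,
		BiDiInterproceduralCFG<Unit, SootMethod> cfg,
		FlowFunctionType type);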
Example #12
Source File:    From JAADAS with GNU General Public License v3.0
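/**
 * Handler function that is invoked when a taint is propagated in the data
 * flow engine
 * @param stmt The statement over which the taint is propagated
 * @param taint The taint being propagated
 * @param cfg The interprocedural control flow graph containing the current
 * method
 * @param type The type of data flow edge being processed
 */
public void notifyFlowIn(Unit stmt,
		Abstraction taint,
		BiDiInterproceduralCFG<Unit, SootMethod> cfg,
		FlowFunctionType type);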