Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filtering sources by parameter values #668

Open
tgkokk opened this issue Nov 1, 2023 · 1 comment
Open

Filtering sources by parameter values #668

tgkokk opened this issue Nov 1, 2023 · 1 comment

Comments

@tgkokk
Copy link

tgkokk commented Nov 1, 2023

Hello,

I'm trying to add some kind of parameter filtering to the source definitions. To explain:

Given a Jimple statement such as:

r1 = staticinvoke <android.net.Uri: android.net.Uri parse(java.lang.String)>("content://com.android.calendar");

I would like to mark the RHS as a source (tainting r1, etc), only if the argument provided to android.net.Uri.parse is content://com.android.calendar. (I am aware that may not quite be the intended usage of the tool)

Having looked around the code, issues etc. I think I need to use StatementSourceSinkDefinition (AFAICT there's no way to do it out-of-the-box with PermissionMethodParser or XMLSourceSinkParser) but I am a bit confused as to:

  • The stmt parameter - that would be a StaticInvokeExpr, correct? I can create one using Jimple.v().newStaticInvokeExpr.
  • The local parameter - I don't necessary want to limit myself to a specific local (e.g. r1), as I would run it on multiple apps and the local name would not be the same (also I'm not quite sure how I would know the local without analyzing the code myself) - although it's entirely possible I've misunderstood the parameter's purpose.
  • How I would go about using it - AFAICT I would need to create a new ISourceSinkDefinitionProvider and return a StatementSourceSinkDefinition inside its getSources() - would that be enough? I would use that in conjunction with PermissionMethodParser.

Thanks for your help.
@StevenArzt
Copy link
Member

Your request is perfectly fine and FlowDroid can handle this. There are two approaches.

a) Implement your own ISourceSinkManager. For every reachable statement in the program, this class is queried whether the statement is a source, a sink, neither or both. You can then check whether it's a call to the method you want, check the parameter, and then return the correct indication. If you want the normal behavior for all other methods, just pass the query on to a normal AndroidSourceSinkManager if the statement doesn't need special-casing.

b) Implement a StatementSourceSinkDefinition and pass that to the existing ´´SourceSinkManager. The concept is a bit different here. The other definitions refer to APIs, e.g., match all calls to a method with a given signature. The StatementSourceSinkDefinition, on the other hand, reference a concrete statement in the Jimple code. That's your misunderstanding. You need to loop over the Jimple IR and creates instances of StatementSourceSinkDefinitionfor every statement that you want to consider as a source. In the constructor, you pass the respective statement and the local you want to track at that statement. You don't have oneStatementSourceSinkDefinition`` globally, but one per statement in the Jimple IR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tgkokk @StevenArzt