<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Wei, Hi Yu,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Wei’s explanation of why there are no call edges in the callgraph is correct. The taint wrapper however does not add any edges to the callgraph. Instead, it tells the taint propagation algorithm how to continue when it encounters a call site for which there are no callees. In other words, the callgraph does not contain these edges in FlowDroid either. FlowDroid however checks if such a situation happens and then consults the taint wrapper which is able to answer questions such as “if a.b.c is tainted on a call to c.foo(a), what will be tainted afterwards?” Therefore, taint wrappers are not oblivious to the type of analysis you are conducting. If you are doing taint analysis, feel free to use the taint wrapper infrastructure from FlowDroid – otherwise, you can take the concept and create your own wrapper semantics.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Technically, we map the taint wrappers against InvokeExpr.getMethod() if there are no call edges.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:13.5pt;font-family:"Courier New";color:black'>M.Sc. M.Sc. Steven Arzt</span><span lang=EN-US style='font-size:11.0pt;font-family:"Helvetica","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'>Secure Software Engineering Group (SSE)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'>European Center for Security and Privacy by Design (EC SPRIDE) <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black'>Rheinstraße 75<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black'>D-64293 Darmstadt<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black'>Phone: +49 61 51 869-336<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black'>Fax: +49 61 51 16-72118<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'>eMail: </span><span style='font-size:10.0pt;font-family:"Courier New";color:black'><a href="mailto:steven.arzt@ec-spride.de"><span lang=EN-US>steven.arzt@ec-spride.de</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black'>Web: <a href="http://sse.ec-spride.de/">http://sse.ec-spride.de</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> soot-list-bounces@CS.McGill.CA [mailto:soot-list-bounces@CS.McGill.CA] <b>Im Auftrag von </b>Yu Feng<br><b>Gesendet:</b> Montag, 9. Februar 2015 20:11<br><b>An:</b> Wei Yang<br><b>Cc:</b> soot-list@CS.McGill.CA<br><b>Betreff:</b> Re: [Soot-list] Missing call edges(For Spark, not CHA) while invoking Android APIs in FlowDroid<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hi Wei,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Good to hear from you again and thanks for the suggestion!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Actually even if I add those signatures to EasyTaintWrapperConversion.txt(in both infoflow and infoflow-android), the edge is still missing in the call graph generated by Spark. Any idea?<o:p></o:p></p></div><div><div><p class=MsoNormal><android.content.Context: java.lang.Object getSystemService(java.lang.String)><o:p></o:p></p></div><div><p class=MsoNormal><android.content.ContextWrapper: java.lang.Object getSystemService(java.lang.String)><o:p></o:p></p></div><div><p class=MsoNormal><android.app.Activity: java.lang.Object getSystemService(java.lang.String)><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Best,<o:p></o:p></p></div><div><p class=MsoNormal>Yu<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Feb 9, 2015 at 12:27 PM, Wei Yang <<a href="mailto:davidyoung8906@gmail.com" target="_blank">davidyoung8906@gmail.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal>Hi! Yu,<o:p></o:p></p></div><div><p class=MsoNormal> I met the same issue before. I think it is because in "<span style='font-size:9.5pt'> $r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object getSystemService(java.lang.String)>($r2);</span>", <span style='font-size:9.5pt'>getSystemService is a factory method belonging to Android SDK, so</span> Spark cannot know where "r3" is constructed and the actual type of it. <o:p></o:p></p></div><div><p class=MsoNormal> One solution is to add a entry in the taint wrapper where flowdroid will perform a lookup when it encounters a library method.<o:p></o:p></p></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><p class=MsoNormal>Best wishes,<o:p></o:p></p><div><p class=MsoNormal>David <o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>2015-02-09 12:04 GMT-06:00 Yu Feng <<a href="mailto:fengyu8299@gmail.com" target="_blank">fengyu8299@gmail.com</a>>:<o:p></o:p></p><div><div><div><div><p class=MsoNormal><span style='font-size:9.5pt'>Hi,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>I have a quick question regarding FlowDroid:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>Suppose 'foo' is reachable from the "dummyMain" in FlowDroid,<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:9.5pt'>foo() { <o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:9.5pt'> $r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object getSystemService(java.lang.String)>($r2);<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'> $r1 = $r3;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'> $r4 = (android.telephony.TelephonyManager) $r1;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'> $r5 = virtualinvoke $r4.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>();<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>}<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>If I build the call graph for this code snippet, it should have at least two edges:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>1. foo -> getSystemService<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>2. foo-> getDeviceId<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>For CHA it looks correct, but for Spark, the second edge is missing because the points-to set of $r3 is empty. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>I thought most of the Android APIs(like getSystemService) are handled properly in FlowDroid and why it still returns an empty set regarding this case.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>What should I do if I need to get a sound call graph(based on Spark, not CHA) from FlowDroid?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>Thanks so much,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>Yu <o:p></o:p></span></p></div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'>_______________________________________________<br>Soot-list mailing list<br><a href="mailto:Soot-list@CS.McGill.CA" target="_blank">Soot-list@CS.McGill.CA</a><br><a href="https://mailman.CS.McGill.CA/mailman/listinfo/soot-list" target="_blank">https://mailman.CS.McGill.CA/mailman/listinfo/soot-list</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Soot-list mailing list<br><a href="mailto:Soot-list@CS.McGill.CA">Soot-list@CS.McGill.CA</a><br><a href="https://mailman.CS.McGill.CA/mailman/listinfo/soot-list" target="_blank">https://mailman.CS.McGill.CA/mailman/listinfo/soot-list</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>--Yu<o:p></o:p></p></div></div></div></body></html>