<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Katie,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The source context is only non-null for those abstractions that are generated directly at the sources. For all abstractions that are propagated through the program, the source context is null. Instead, those derived abstractions have a predecessor and a (possibly null) set of neighbors. The idea is that you get a graph of taint abstractions. Only the root needs to know the source to which it belongs. From all other abstractions, you can walk up the tree to find the respective root(s) and get the sources from there.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The concept is as follows. If a variable “a” is tainted at some statement “a = b + c”, the predecessor is the taint on “b” or “c” that existed before and that lead to “a” being tainted. In case both “b” and “c” were tainted before, we have one of them as predecessor and the taint on “a” has a neighbor with the other one as a predecessor. Essentially, neighbors capture non-unique predecessor relationships.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> soot-list-bounces@CS.McGill.CA [mailto:soot-list-bounces@CS.McGill.CA] <b>Im Auftrag von </b>kaunder<br><b>Gesendet:</b> Donnerstag, 5. November 2015 00:33<br><b>An:</b> soot-list@CS.McGill.CA<br><b>Betreff:</b> [Soot-list] FlowDroid - null SourceContext when Abstraction is instantiated with the copy constructor<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hello all,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am working on using FlowDroid to track how many statements each taint propagates across before eventually reaching a sink. To this end, I have implemented a TaintPropagationHandler and am using the notifyFlowOut function to capture and examine each Abstraction object generated during FlowDroid's analysis. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In the output of the notifyFlowOut handler function, I have noticed that whenever the incoming Abstraction is not the zero Abstraction, the outgoing Abstraction will have a null SourceContext.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In addition, it appears that this case is consistent with the Abstraction copy constructor being using to instantiate a new Abstraction object (I added a couple of lines to the Abstraction constructors in order to identify which constructor was used to instantiate a given Abstraction object).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm curious about why SourceContext is null in these cases. Is there a way to recover SourceContext for these Abstractions?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>An example of my handler function output:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Case where outgoing source context is not null - Incoming Abstraction is the zero Abstraction<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>***Incoming Abstraction Data***<o:p></o:p></p></div><div><p class=MsoNormal>Soot statement: $r1 := @parameter1: android.view.KeyEvent<o:p></o:p></p></div><div><p class=MsoNormal>Incoming Source Context: null<o:p></o:p></p></div><div><p class=MsoNormal>Incoming Abstraction Hash: 1217330535 <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>***Outgoing Abstraction Set Data***<o:p></o:p></p></div><div><p class=MsoNormal>Outgoing set 0:<o:p></o:p></p></div><div><p class=MsoNormal>Outgoing Abstraction Source Context: $r1(android.view.KeyEvent) * <+length> in $r1 := @parameter1: android.view.KeyEvent <o:p></o:p></p></div><div><p class=MsoNormal>Outgoing Abstraction Hash: -285378327 <o:p></o:p></p></div></div><div><p class=MsoNormal>Constructor: public<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>Case where outgoing source context is null - Incoming Abstraction is not the zero Abstraction<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>***Incoming Abstraction Data***<o:p></o:p></p></div><div><div><p class=MsoNormal>Soot statement: $r1 = virtualinvoke $r1.<android.os.Bundle: android.os.Bundle getBundle(java.lang.String)>($r5)<o:p></o:p></p></div></div><div><p class=MsoNormal>Incoming Source Context: $r1(android.os.Bundle) * <+length> in $r1 := @parameter0: android.os.Bundle<o:p></o:p></p></div><div><p class=MsoNormal>Incoming Abstraction Hash: -437298944 <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>***Outgoing Abstraction Set Data***<o:p></o:p></p></div><div><p class=MsoNormal>Outgoing set 0:<o:p></o:p></p></div><div><p class=MsoNormal>Outgoing Abstraction Source Context: null <o:p></o:p></p></div><div><p class=MsoNormal>Outgoing Abstraction Hash: 2043788688 <o:p></o:p></p></div></div><div><p class=MsoNormal>Constructor: copy<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thank you for your time! Please let me know if I can provide any additional clarification about my implementation.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Best Regards,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Katie Underwood<o:p></o:p></p></div></div></div></body></html>