<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Denis,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m not totally sure about the state of Paddle in Soot. Somehow, it never made it as the new default callgraph builder though it was originally intended to be a more modern replacement. I guess there were just not enough cases of false positives due to context-insensitivity to make people go that extra mile and enable and configure Paddle. Honestly, I have never used Paddle ^^<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Denis Bogdanas [mailto:denis.bogdanas@gmail.com] <br><b>Sent:</b> Friday, 4 
March 2016 23:59<br><b>To:</b> Steven Arzt<br><b>Cc:</b> soot-list@cs.mcgill.ca<br><b>Subject:</b> Re: [Soot-list] FlowDroid: call graph doesn't look context sensitive<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Hi Steven,<br>Makes sense now.<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>What was the reason you didn't use Paddle in FlowDroid? Was it scalability?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 4 March 2016 at 01:41, Steven Arzt <<a href="mailto:Steven.Arzt@cased.de" target="_blank">Steven.Arzt@cased.de</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Denis,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Now I understand your question. This was actually my mistake. If you only take FlowDroid to construct the dummy main method which is then fed into Soot for generating the callgraph for your app, it will, by default, use SPARK, which is context-insensitive. There is only one node for Thread.run() and this has outgoing edges to whatever any instance of Thread can call in its run() methods. That’s by design. You can also try to use Soot’s Paddle instead of SPARK to have a context-sensitive callgraph, but that’s not supported by default. If you are willing to implement and test it, feel free to share your code changes with the community. 
There is already a switch for using different callgraph algorithms in FlowDroid (CHA, RTA, VTA, full-blown SPARK), an option for Paddle would fit in there quite nicely.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Now for the source of the misunderstanding. FlowDroid propagates the types of tainted objects during taint propagation. If you call a method on a tainted object, it will filter all edges from the callgraph that do not match the type information in the taint abstraction. If you, for instance, store tainted data in your anonymous Runnable instance and then access it from sensitive(), FlowDroid will be able to distinguish the two different anonymous Runnable classes due to the type information propagated along with the taint. 
That’s something we built on top of the context-insensitive callgraph to improve precision.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Steven</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Denis Bogdanas [mailto:<a href="mailto:denis.bogdanas@gmail.com" target="_blank">denis.bogdanas@gmail.com</a>] <br><b>Sent:</b> Friday, 4 March 2016 00:15<br><b>To:</b> Steven Arzt<br><b>Cc:</b> <a href="mailto:soot-list@cs.mcgill.ca" target="_blank">soot-list@cs.mcgill.ca</a><br><b>Subject:</b> Re: [Soot-list] FlowDroid: call graph doesn't look context sensitive</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Also please notice the format: those are all SootMethod. 
Shouldn't they be MethodContext?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 3 March 2016 at 15:13, Denis Bogdanas <<a href="mailto:denis.bogdanas@gmail.com" target="_blank">denis.bogdanas@gmail.com</a>> wrote:<o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi Steven,<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Default settings produce the same result. From my logs:<br><br>From <edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)><br> to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()><br>--------------------------------------------<br><edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void threadWithSensitive()><br><java.lang.Thread: void run()><br><edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()><br><br>From <edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)><br> to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()><br>--------------------------------------------<br><edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void emptyThread()><br><java.lang.Thread: void run()><br><edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)><br><edu.oregonstate.ex.flowdroidtest.TestActivity: void 
sensitive()><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Paths are produced by navigating the call graph upwards until a callback is reached. FlowDroid and soot on my machine are 2 weeks old.<o:p></o:p></p></div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 3 March 2016 at 14:28, Steven Arzt <<a href="mailto:Steven.Arzt@cased.de" target="_blank">Steven.Arzt@cased.de</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Denis,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You don’t actually need an implementation of java.* in your Android platform JAR file, because FlowDroid provides explicit models for threads. If you use FlowDroid’s default models, your callgraph should be able to distinguish the two calls, i.e., there should not be a path from emptyThread() to sensitive(). 
You have two different instances of the Thread class, two different implementations (and thus also instances thereof) of Runnable, and I don’t see any good reason for FlowDroid to combine the two paths.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Steven</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:soot-list-bounces@CS.McGill.CA" target="_blank">soot-list-bounces@CS.McGill.CA</a> [mailto:<a href="mailto:soot-list-bounces@CS.McGill.CA" target="_blank">soot-list-bounces@CS.McGill.CA</a>] <b>On behalf of </b>Denis Bogdanas<br><b>Sent:</b> Thursday, 3 March 2016 23:04<br><b>To:</b> <a href="mailto:soot-list@CS.McGill.CA" target="_blank">soot-list@CS.McGill.CA</a><br><b>Subject:</b> [Soot-list] FlowDroid: call graph doesn't look context sensitive</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Suppose we have 2 threads called from 2 UI callbacks. 
One of them calls method sensitive(), another one is empty. In the call graph, both events will have a path to sensitive(), as if the two Thread instances were modeled as one:<o:p></o:p></p></div><div><pre style='background:white'><b><span style='font-size:9.5pt;color:navy'>protected void </span></b><span style='font-size:9.5pt;color:black'>onCreate(Bundle savedInstanceState) {</span><i><span style='font-size:9.5pt;color:gray'><br> </span></i><span style='font-size:9.5pt;color:black'>threadWithSensitive();<br>}<br><br></span><span style='font-size:9.5pt;color:olive'>@Override<br></span><b><span style='font-size:9.5pt;color:navy'>public boolean </span></b><span style='font-size:9.5pt;color:black'>onOptionsItemSelected(MenuItem item) {</span><i><span style='font-size:9.5pt;color:gray'><br> </span></i><span style='font-size:9.5pt;color:black'>emptyThread();<br> </span><b><span style='font-size:9.5pt;color:navy'>return false</span></b><span style='font-size:9.5pt;color:black'>;<br>}</span><o:p></o:p></pre><pre style='background:white'><b><span style='font-size:9.5pt;color:navy'>private void </span></b><span style='font-size:9.5pt;color:black'>threadWithSensitive() {<br> </span><b><span style='font-size:9.5pt;color:navy'>new </span></b><span style='font-size:9.5pt;color:black'>Thread(</span><b><span style='font-size:9.5pt;color:navy'>new </span></b><span style='font-size:9.5pt;color:black'>Runnable() {</span><span style='font-size:9.5pt;color:olive'><br> </span><b><span style='font-size:9.5pt;color:navy'>public void </span></b><span style='font-size:9.5pt;color:black'>run() {<br> sensitive();<br> }<br> }).start();<br>}<br><br></span><b><span style='font-size:9.5pt;color:navy'>private void </span></b><span style='font-size:9.5pt;color:black'>emptyThread() {<br> </span><b><span style='font-size:9.5pt;color:navy'>new </span></b><span style='font-size:9.5pt;color:black'>Thread(</span><b><span style='font-size:9.5pt;color:navy'>new </span></b><span 
style='font-size:9.5pt;color:black'>Runnable() {</span><span style='font-size:9.5pt;color:olive'><br> </span><b><span style='font-size:9.5pt;color:navy'>public void </span></b><span style='font-size:9.5pt;color:black'>run() { }<br> }).start();<br>}</span><o:p></o:p></pre><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Shouldn't only onCreate() lead to sensitive() ?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My setup: a crafted android.jar that has stubs for android classes but full implementation for java.* and javax.* packages.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>I also noticed that class <span style='background:#E4E4FF'>MethodContext</span> which is supposed to model a method in its context, is never instantiated, regardless of what call graph algorithm I use.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>What am I missing?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>thanks,<o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-- <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Denis<o:p></o:p></p></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br clear=all><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>-- </span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>Denis</span><o:p></o:p></p></div></div></div></div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br clear=all><br>-- <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Denis<o:p></o:p></p></div></div></div></div></div></div></div></div><p class=MsoNormal><br><br clear=all><br>-- <o:p></o:p></p><div><div><p class=MsoNormal>Denis<o:p></o:p></p></div></div></div></div></body></html>
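The effect discussed in this thread, as an added example that is not part of the original messages and is not Soot or FlowDroid code: a plain-JDK toy model of the posted snippet in which a context-insensitive graph with a single Thread.run() node lets both callbacks reach sensitive(), and a receiver-type filter at that node removes the path from onOptionsItemSelected(). The graph encoding, the ALLOCATES table and the placeholder name EmptyRunnable are assumptions made for the illustration; FlowDroid's own filtering applies to tainted objects during taint propagation.

```java
import java.util.*;

// Added illustration: a toy call graph, not Soot or FlowDroid code (needs Java 9+).
public class ThreadRunMerge {
    // Context-insensitive graph: one node per method, caller -> callees.
    static final Map<String, List<String>> CG = new LinkedHashMap<>();

    // Concrete Runnable type created in each method; stands in for the type
    // information that travels with a propagated object. "EmptyRunnable" is a
    // placeholder: the empty anonymous class is not named in the posted log.
    static final Map<String, String> ALLOCATES = Map.of(
            "threadWithSensitive", "TestActivity$3",
            "emptyThread", "EmptyRunnable");

    static void edge(String from, String to) {
        CG.computeIfAbsent(from, k -> new ArrayList<>()).add(to);
    }

    static {
        edge("onCreate", "threadWithSensitive");
        edge("onOptionsItemSelected", "emptyThread");
        edge("threadWithSensitive", "Thread.run");
        edge("emptyThread", "Thread.run");
        // The single Thread.run() node fans out to every Runnable.run().
        edge("Thread.run", "TestActivity$3.run");
        edge("Thread.run", "EmptyRunnable.run");
        edge("TestActivity$3.run", "access$000");
        edge("access$000", "sensitive");
    }

    static boolean reaches(String from, String target, boolean typeFilter) {
        return walk(from, target, null, typeFilter, new HashSet<>());
    }

    private static boolean walk(String m, String target, String type,
                                boolean typeFilter, Set<String> seen) {
        if (m.equals(target)) return true;
        if (!seen.add(m + "|" + type)) return false;
        type = ALLOCATES.getOrDefault(m, type);
        for (String callee : CG.getOrDefault(m, List.of())) {
            // At the dispatch in Thread.run(), drop edges whose declaring
            // class does not match the known receiver type.
            boolean mismatch = m.equals("Thread.run") && type != null
                    && !callee.startsWith(type + ".");
            if (typeFilter && mismatch) continue;
            if (walk(callee, target, type, typeFilter, seen)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        for (String cb : List.of("onCreate", "onOptionsItemSelected"))
            System.out.printf("%s -> sensitive(): plain=%b, type-filtered=%b%n", cb,
                    reaches(cb, "sensitive", false), reaches(cb, "sensitive", true));
    }
}
```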