<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 2.0cm 2.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:394159396;
mso-list-type:hybrid;
mso-list-template-ids:-875762556 -1 68157443 68157445 68157441 68157443 68157445 68157441 68157443 68157445;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:53.55pt;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:89.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:125.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:161.55pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:197.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:233.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:269.55pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:305.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:341.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:879171603;
mso-list-type:hybrid;
mso-list-template-ids:-1477035510 -1 68157443 68157445 68157441 68157443 68157445 68157441 68157443 68157445;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:53.55pt;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:89.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:125.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:161.55pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:197.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:233.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:269.55pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:305.55pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:341.55pt;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=IT link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi Steven,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thank you for your reply.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>I followed your guidelines and tried different approaches. So far the best one seems to be to create a dummy main, using SequantialEntryPointCreator class from soot-infoflow repository.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Though some issues arise and I think some may interest you:<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:17.55pt;mso-list:l0 level1 lfo2'><span lang=EN-US>Using the soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG class to generate the ICFG a NullPointerException is raised, while everything works using </span>soot.jimple.toolkits.ide.icfg.OnTheFlyJimpleBasedICFG. I don’t know if it is my fault, but I thought it may intereset you in case it is a bug (I can send you the stack trace if you want)<span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:17.55pt;mso-list:l0 level1 lfo2'><span lang=EN-US>While executing the Heros solver a RuntimeException arises saying there is no body present for a native method (ie. <java.lang.System: void arraycopy(java.lang.Object,int,java.lang.Object,int,int)>). I can’t get around this issue and have no idea why I get it (heros should ignore native methods, right?)<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>For my analysis I’ll try to use soot-infoflow, it seems there are a lot of useful methods already implemented (thanks!).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thank you very much for your answer again.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Darius<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>Da: </b><a href="mailto:steven.arzt@sit.fraunhofer.de">Arzt, Steven</a><br><b>Inviato: </b>lunedì 20 novembre 2017 12:04<br><b>A: </b><a href="mailto:d.sas@campus.unimib.it">Darius</a>; <a href="mailto:soot-list@cs.mcgill.ca">soot-list@CS.McGill.CA</a><br><b>Oggetto: </b>AW: [Soot-list] Inter-procedural info-flow analysis for Javalibraries</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=DE style='color:#1F497D;mso-fareast-language:EN-US'>Hi Darius,<o:p></o:p></span></p><p class=MsoNormal><span lang=DE style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'>For performing anm IFDS analysis, you need a callgraph. Traditionally, callgraphs are built iteratively from a set of entry points. Since you did not specify any entry points, there is nowhere to start for SPARK, Soot’s callgraph generator, and consequently, you do not have a callgraph. Without one, there is no interprocedural control flow graph (ICFG). IFDS, however, propagates data flow abstractions over an ICFG. To cut a long story short, you need to get a callgraph.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'>You have several options how to proceed here. One is to over-approximate the callgraph by treating all public methods as entry points for a CHA callgraph. That is the easiest option, but as imprecise as it can be. If you nevertheless want to go down that (dark) road, look up Soot’s “all-reachables” CG option. A better alternative is to create a dummy main method as an entry point that calls the various library method in an order that makes sense for your library. With that concept, you can model API restrictions such as “foo() is always called before bar()”. Look at FlowDroid’s various entry point creators such as the SequentialEntryPointCreator class for that option. The third option is to use SPARK’s library mode, which has a quite particular semantics. Have a look at “Library mode” in the Soot command-line documentation [1].<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'> Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D;mso-fareast-language:EN-US'>[1] https://soot-build.cs.uni-paderborn.de/public/origin/develop/soot/soot-develop/options/soot_options.htm<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>Von:</span></b><span lang=EN-US> Soot-list [mailto:soot-list-bounces@cs.mcgill.ca] <b>Im Auftrag von </b>D</span><span lang=DE>arius<br><b>Gesendet:</b> Montag, 20. November 2017 11:03<br><b>An:</b> soot-list@CS.McGill.CA<br><b>Betreff:</b> [Soot-list] Inter-procedural info-flow analysis for Java libraries<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Hello,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>My name is Darius and I’m currently working on my M.Sc. thesis.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>I need to perform inter-procedural info-flow analysis for a given Java library and I hope you can help me getting on the right track.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>For my analysis I need to compute inter-procedural info-flow analysis for a given method of the given library, to see how the data from the method’s parameters flows in the library. Specifically I need to see which sensible sinks it reaches.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>So far I’ve tried using HEROS in combination with Soot, specifically using the following code:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> </span><span lang=EN-US style='font-family:Consolas'>SootMethod sm = [the starting point of my analysis]</span><span style='font-family:Consolas'><o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:53.55pt'><span style='font-family:Consolas'>IFDSTabulationProblem<Unit, ?, SootMethod, InterproceduralCFG<Unit,SootMethod>> lif = lif = new IFDSLocalInfoFlow(new OnTheFlyJimpleBasedICFG(sm));<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:53.55pt'><span style='font-family:Consolas'>JimpleIFDSSolver<?, InterproceduralCFG<Unit, SootMethod>> solver = new JimpleIFDSSolver(lif);<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:53.55pt'><span style='font-family:Consolas'> solver.solve();<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:53.55pt'><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US>But it throws this exception:<br></span><span lang=EN-US style='font-family:Consolas'> Exception in thread "main" java.lang.RuntimeException: There is no main class set!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>from the IFDSLocalInfoFlow.initialSeeds() methods.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Even if I overload the initialSeeds() method to return the initial seeds I want it gives me the same Exception (no main class set).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>So my questions are:<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoNormal style='margin-left:17.55pt;mso-list:l1 level1 lfo1'><span lang=EN-US>Since I want to analyze libraries, is there a way to avoid Soot asking for main class/method?<o:p></o:p></span></li><li class=MsoNormal style='margin-left:17.55pt;mso-list:l1 level1 lfo1'><span lang=EN-US>Is my approach the correct approach?<o:p></o:p></span></li><li class=MsoNormal style='margin-left:17.55pt;mso-list:l1 level1 lfo1'><span lang=EN-US>Is there a better way to do this?<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thank you for your time.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Darius<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:53.55pt'><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:53.55pt'><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>