<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Steven,</p>
<p>Thank you for your reply.</p>
<p><br>
</p>
<p>I thought about doing what you suggest. However, I also need to
have a relation between the local assigned from method1 and the
base object used to call method2. So ideally, assuming that
method1 and method2 have the same source, I also need to be sure that
the assigned value from method1 is the same one I use to call
method2 from. <br>
</p>
<p>In a post-processing phase, would it be enough to do something
like: <br>
</p>
<p><b>if</b> method1 has the same source as method2; <b>then</b> <br>
stm1.getLeftOp().equals(stm2.getBase())</p>
<p>?</p>
<p><br>
</p>
<p>Bests,</p>
<p>Claudio<br>
</p>
<br>
<div class="moz-cite-prefix">On 09/02/18 16:30, Arzt, Steven wrote:<br>
</div>
<blockquote type="cite"
cite="mid:72554BC2B275D5419CAE35494C16CEF5520A4F7A@exch2010c.sit.fraunhofer.de">
<pre wrap="">Hi Claudio,
FlowDroid does not propagate the sources along with the individual taints for scalability reasons. If one method is called multiple times with different sources, the method would have to be analyzed once per source, if we would propagate the source as part of the taint. That's a waste of time, because the behavior of the method doesn't change depending on the source. Therefore, we only propagate source-agnostic taints through the program. Each taint knows its predecessor(s). After the taint propagation is done, FlowDroid takes the list of taint abstractions that have reached a sink, and scans this tree backwards (i.e., the links from a given abstraction to its predecessor) to find the corresponding source. Consequently, you can't easily ask for the source during taint propagation.
What you can do is the following: You can define method1() and method2() as sources and run the taint propagation as usual. After the results are available, you can check whether the sources are identical for the two methods. In that case, you would have a standard taint propagation problem with a post-processing and would circumvent the problem of not having access to sources _during_ propagation.
Best regards,
Steven
-----Original Message-----
From: Soot-list [<a class="moz-txt-link-freetext" href="mailto:soot-list-bounces@cs.mcgill.ca">mailto:soot-list-bounces@cs.mcgill.ca</a>] On Behalf Of claudio
Sent: Friday, February 9, 2018 5:21 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:soot-list@cs.mcgill.ca">soot-list@cs.mcgill.ca</a>
Subject: Re: [Soot-list] [Flowdroid taint propagation]
of course it was y = method1(...);
Claudio
On 09/02/18 16:19, claudio wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Dear all,
I am currently using Flowdroid to analyze Android apps. However, I need
to detect particular situations. For example consider this method
sequence:
x = method1(....);
y.method2(...);
now assume that method 1 is called with tainted value from a known
source.
If method2 is called as well with tainted value, then I want to check
whether the taint as input in method2 comes from the same source as
the one that is tainting its base object y.
Is there a way to achieve it? I was looking for some sort of taint Map
where all the taints are stored, but I couldn't find it.
Thanks,
Claudio
_______________________________________________
Soot-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Soot-list@CS.McGill.CA">Soot-list@CS.McGill.CA</a>
<a class="moz-txt-link-freetext" href="https://mailman.CS.McGill.CA/mailman/listinfo/soot-list">https://mailman.CS.McGill.CA/mailman/listinfo/soot-list</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Soot-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Soot-list@CS.McGill.CA">Soot-list@CS.McGill.CA</a>
<a class="moz-txt-link-freetext" href="https://mailman.CS.McGill.CA/mailman/listinfo/soot-list">https://mailman.CS.McGill.CA/mailman/listinfo/soot-list</a>
</pre>
</blockquote>
<br>
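<p>The backward scan over predecessor links and the same-source post-processing check discussed in this thread, as an added example that is not part of the original messages and is not FlowDroid code. It is a simplified Python model: the <code>Abstraction</code> class, its fields, and the sample statements are constructed for illustration and do not mirror FlowDroid's API.</p>

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True, eq=False)
class Abstraction:
    """Source-agnostic taint (hypothetical model): knows what is tainted, not why."""
    access_path: str                              # tainted local, e.g. "y"
    stmt: str                                     # statement where the taint holds
    predecessors: Tuple["Abstraction", ...] = ()  # taints this one was derived from
    source_stmt: Optional[str] = None             # set only where a source created it

def resolve_sources(abstraction):
    """Walk predecessor links backwards and collect every source statement reached."""
    sources, seen, stack = set(), set(), [abstraction]
    while stack:
        cur = stack.pop()
        if id(cur) in seen:          # shared predecessors are visited once
            continue
        seen.add(id(cur))
        if cur.source_stmt is not None:
            sources.add(cur.source_stmt)
        stack.extend(cur.predecessors)
    return sources

def same_source(base_taint, arg_taint):
    """Post-processing check: do base object and argument share at least one source?"""
    return bool(resolve_sources(base_taint) & resolve_sources(arg_taint))

# Constructed sample graph (not output of a real analysis run).
SRC_ID = Abstraction("id", "id = getDeviceId()", source_stmt="id = getDeviceId()")
SRC_LOC = Abstraction("loc", "loc = getLastKnownLocation()",
                      source_stmt="loc = getLastKnownLocation()")
Y = Abstraction("y", "y = method1(id)", (SRC_ID,))            # base object of method2
ARG_SAME = Abstraction("a", "a = id + suffix", (SRC_ID,))      # derived from same source
ARG_OTHER = Abstraction("b", "b = loc.toString()", (SRC_LOC,)) # derived from another source
ARG_MERGED = Abstraction("c", "c = cond ? a : b", (ARG_SAME, ARG_OTHER))

def run_checks():
    """Evaluate y.method2(arg) for each constructed argument taint."""
    return {name: same_source(Y, arg) for name, arg in
            [("same", ARG_SAME), ("other", ARG_OTHER), ("merged", ARG_MERGED)]}

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"y.method2({name}): shares a source with y -> {ok}")
```

<p>An abstraction that merges several paths resolves to more than one source, so the check compares source sets by intersection rather than by equality.</p>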
</body>
</html>