How do XML base and param sources work? #640

Open
CalixBarrus opened this issue Aug 31, 2023 · 1 comment
CalixBarrus commented Aug 31, 2023

Hello,
I am working on using the XML source sink format to incorporate runtime intermediate flow information into FlowDroid's analysis.
I don't understand very well exactly how base and param tags labelled as a source cause taint to show up, especially in cases I'm working on where the method being labelled is in client code accessible to FlowDroid.

Pseudocode example to illustrate my question:

void main() {
    String str = "safe";
    foo(str);
    sink(str);
}
void foo(String input) {
    sink(input);
}

Say the method foo, argument 0 is marked as a source for all access paths:

<method signature="&lt;com.example.test.MainClass: void foo(java.lang.String)&gt;">
	<param index="0" type="java.lang.String">
		<accessPath isSource="true" isSink="false" />
	</param>
</method>

Would this result in 1 or 2 leaks? Would foo's argument be unconditionally tainted at the top of the function call, or would there just be a summary edge added for the caller?
I have similar questions about tainting a base object or fields on a base object in a similar manner; would a field become tainted at the top of a tainted function call, or after the call has returned?

On a similar note, is there any published work or other resource that includes a description of the features offered by the new(ish) XML source/sink files? For example, an explanation of how the additionalFlowConditions work?

Contributor

t1mlange commented Sep 2, 2023

> Would this result in 1 or 2 leaks? Would foo's argument be unconditionally tainted at the top of the function call, or would there just be a summary edge added for the caller? I have similar questions about tainting a base object or fields on a base object in a similar manner; would a field become tainted at the top of a tainted function call, or after the call has returned?

By default, FlowDroid does not propagate the flow into sources and sinks. The taint is introduced in the caller (regardless of the flows in the source/sink). You can disable this behavior with config.setInspectSources(true) and config.setInspectSinks(true).

> On a similar note, is there any published work or other resource that includes a description of the features offered by the new(ish) XML source/sink files? For example, an explanation of how the additionalFlowConditions work?

additionalFlowConditions are very much WIP and aren't really usable now; there will be documentation when things are ready.
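One way to observe the difference described in the reply above is to run the same analysis twice, once with the defaults and once with `setInspectSources(true)` / `setInspectSinks(true)`, and compare the reported flows. This is an added example, not code from the thread or from the FlowDroid project; it assumes the code under test is packaged as an Android app analysed through `SetupApplication`, and all three paths and the class name `InspectSourcesComparison` are placeholders.

```java
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.DataFlowResult;
import soot.jimple.infoflow.results.InfoflowResults;

public class InspectSourcesComparison {
    // Placeholder paths (assumptions): point these at your own SDK, app and file.
    static final String ANDROID_PLATFORMS = "/path/to/android-sdk/platforms";
    static final String APK = "/path/to/app.apk";
    // XML source/sink file containing the <method> entry for foo(String)
    // from the question, plus a definition for the sink method.
    static final String SOURCES_SINKS_XML = "/path/to/SourcesAndSinks.xml";

    // Runs one analysis. inspect=false matches the default behaviour:
    // flows are not propagated into source and sink methods.
    static InfoflowResults run(boolean inspect) throws Exception {
        SetupApplication app = new SetupApplication(ANDROID_PLATFORMS, APK);
        app.getConfig().setInspectSources(inspect);
        app.getConfig().setInspectSinks(inspect);
        return app.runInfoflow(SOURCES_SINKS_XML);
    }

    // Prints every source-to-sink pair so the two runs can be compared.
    static void report(String label, InfoflowResults results) {
        if (results == null || results.isEmpty()) {
            System.out.println(label + ": no leaks reported");
            return;
        }
        System.out.println(label + ": " + results.size() + " sink(s) reached");
        for (DataFlowResult r : results.getResultSet()) {
            System.out.println("  " + r.getSource() + " -> " + r.getSink());
        }
    }

    public static void main(String[] args) throws Exception {
        report("default (sources/sinks not inspected)", run(false));
        report("inspectSources + inspectSinks", run(true));
    }
}
```

The statements printed for each sink show whether a leak is reported at the `sink(str)` call in the caller, at `sink(input)` inside `foo`, or both.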
