We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I think I've found a case where Boomerang misses some dataflow (3.1.2).
The reproducer below is based on FlowDroid Listing 2 (PLDI '14), but uses a static setter/getter instead of direct field writes.
boomerangPDS/src/main/java/boomerang/example/BoomerangExampleTarget1.java
public class BoomerangExampleTarget1 { public static void main(String... args) { Data p = new Data(); taintIt(customSource(), p); } private static String customSource() { return "I'm tainted"; } private static void customSink(String sunk) { System.out.println(sunk); } private static void taintIt(String in, Data out) { Data x = out; Data.setter(x, in); customSink(Data.getter(out)); } static class Data { private String f; static void setter(Data self, String value) { self.f = value; } static String getter(Data self) { return self.f; } } }
If I change Data.setter(x, in); to Data.setter(out, in);, then I get a path from the source to the sink.
Data.setter(x, in);
Data.setter(out, in);
boomerangPDS/src/main/java/boomerang/example/ExampleMain1.java: createAnalysisTransformer()
createAnalysisTransformer()
private static Transformer createAnalysisTransformer() { return new SceneTransformer() { protected void internalTransform( String phaseName, @SuppressWarnings("rawtypes") Map options) { SootCallGraph sootCallGraph = new SootCallGraph(); AnalysisScope scope = new AnalysisScope(sootCallGraph) { @Override protected Collection<? extends Query> generate(Edge cfgEdge) { Statement statement = cfgEdge.getStart(); if (statement.toString().contains("customSource") && statement.containsInvokeExpr()) { Val arg = statement.getLeftOp(); return Collections.singleton(new ForwardQuery(cfgEdge, new AllocVal(arg, statement, arg))); } return Collections.emptySet(); } }; Boomerang solver = new Boomerang( sootCallGraph, SootDataFlowScope.make(Scene.v()), new DefaultBoomerangOptions() { @Override public int analysisTimeoutMS() { return 10000; } }); Collection<Query> seeds = scope.computeSeeds(); for (Query query : seeds) { System.out.println("Solving query: " + query); ForwardBoomerangResults<Weight.NoWeight> res = solver.solve((ForwardQuery) query); if (res.isTimedout()) { throw new RuntimeException("Timed out"); } res.asStatementValWeightTable().cellSet().forEach(cell -> { if (cell.getRowKey().getStart().containsInvokeExpr() && cell.getRowKey().getStart().getInvokeExpr().getMethod().getName().contains("customSink") && cell.getRowKey().getStart().uses(cell.getColumnKey())) { System.out.println("SOURCE: " + query.cfgEdge().getStart().toString()); System.out.println("SINK: " + cell.getRowKey().getStart().toString()); } }); } } }; }
The text was updated successfully, but these errors were encountered:
No branches or pull requests
I think I've found a case where Boomerang misses some dataflow (3.1.2).
The reproducer below is based on FlowDroid Listing 2 (PLDI '14), but uses a static setter/getter instead of direct field writes.
boomerangPDS/src/main/java/boomerang/example/BoomerangExampleTarget1.java
If I change
Data.setter(x, in);toData.setter(out, in);, then I get a path from the source to the sink.boomerangPDS/src/main/java/boomerang/example/ExampleMain1.java:
createAnalysisTransformer()The text was updated successfully, but these errors were encountered: