Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Have any suggestion for back taint propagation in param var #99

Closed
hillwangsec opened this issue Apr 7, 2024 · 3 comments
Closed

Have any suggestion for back taint propagation in param var #99

hillwangsec opened this issue Apr 7, 2024 · 3 comments

Comments

@hillwangsec
Copy link

Description

Hi,

I saw the test cases in resources, including TaintParam, CSBackPropagation, but not found case for back taint propagation.

One case I test shown below:

    public static void main(String[] args) {
        String taint = SourceSink.source();
        ArrayList<String> aa = new ArrayList<String>();
        interfunc(taint, aa);
        for (String elem : aa) {
            SourceSink.sink(elem);
        }
    }

    private static void interfunc(String s1, ArrayList target) {
        target.add(s1);
    }

Also configured the rules:

  - { method: "<java.util.ArrayList: boolean add(java.lang.Object)>", from: 0, to: base }
 - { method: "<java.util.ArrayList: java.util.Iterator iterator()>", from: base, to: result }
 - { method: "<java.util.Iterator: java.lang.Object next()>", from: base, to: result, type: "java.lang.String" }

In pta-results.txt, I found the second param has tainted in the method interfunc,
but the caller point (interfunc(taint, aa);), the var aa is not tainted now.

Here have any propose suggestion to resolve. Thanks.

@zhangt2333
Copy link
Member

Set the pointer analysis option only-app to false to process ArrayList related methods.

@hillwangsec
Copy link
Author

thanks a lot.

if active the only-app flag, the analysis time is increased more.
I just temp resolve it through taint Obj propagation when taint propagate to method param (set/list/map.. type) and translate it to the PARAMETER_PASSING source.
maybe it's not make sense.

@zhangt2333
Copy link
Member

zhangt2333 commented May 21, 2024

When only-app=true, the analysis is not sound, and unable to benifit from various plugins of Tai-e.

In your case, this problem can be naturally resolved through a sound/complete whole program analysis without the need for using Taint Transfer (another form of code modeling); Otherwise, I am worried that the modeling will be endless.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants