From cf7657f1cce612352ea309e314ab9819b074cbbc Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Wed, 28 Oct 2020 13:57:30 +0100 Subject: [PATCH 01/10] Core analysis project pom file updated, SeedFactory renamed and SingleFlowBoomerang updated. --- de.fraunhofer.iem.secucheck.analysis/pom.xml | 42 ++++++++++++++++++- ...tory.java => SingleFlowAnalysisScope.java} | 0 .../internal/SingleFlowBoomerang.java | 35 ++++++---------- 3 files changed, 53 insertions(+), 24 deletions(-) rename de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/{SingleFlowSeedFactory.java => SingleFlowAnalysisScope.java} (100%) diff --git a/de.fraunhofer.iem.secucheck.analysis/pom.xml b/de.fraunhofer.iem.secucheck.analysis/pom.xml index bd14f22..c9ee399 100644 --- a/de.fraunhofer.iem.secucheck.analysis/pom.xml +++ b/de.fraunhofer.iem.secucheck.analysis/pom.xml @@ -21,21 +21,33 @@ + + + ca.mcgill.sable soot 3.2.0 + + + org.apache.logging.log4j 2.11.0 @@ -46,6 +58,9 @@ 2.11.0 log4j-core + + + + + + + de.fraunhofer.iem + boomerangScope + 3.1.1 + + + + de.fraunhofer.iem + boomerangPDS + 3.1.1 + + @@ -85,10 +117,18 @@ false + + + + github + CodeShield-Security + https://maven.pkg.github.com/CodeShield-Security/SPDS/ + + - ../de.fraunhofer.iem.secucheck.analysis/src + maven-compiler-plugin diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowSeedFactory.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java similarity index 100% rename from de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowSeedFactory.java rename to de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java index f93b9ab..5d3a420 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java @@ -1,31 +1,20 @@ package de.fraunhofer.iem.secucheck.analysis.internal; import boomerang.Boomerang; -import boomerang.callgraph.ObservableICFG; -import boomerang.seedfactory.SeedFactory; -import soot.SootMethod; -import soot.Unit; -import wpds.impl.Weight.NoWeight; +import boomerang.scene.AnalysisScope; +import boomerang.scene.SootDataFlowScope; +import boomerang.scene.jimple.SootCallGraph; +import soot.Scene; public class SingleFlowBoomerang extends Boomerang { - private final SeedFactory seedFactory; - private final ObservableICFG icfg; + private final AnalysisScope analysisScope; + private final SootCallGraph sootCallGraph; - public SingleFlowBoomerang(SeedFactory seedFactory, - ObservableICFG icfg, TaintAnalysisOptions options){ - super(options); - this.seedFactory = seedFactory; - this.icfg = icfg; - } - - @Override - public ObservableICFG icfg() { - return this.icfg; - } - - @Override - public SeedFactory getSeedFactory() { - return this.seedFactory; - } + public SingleFlowBoomerang(AnalysisScope analysisScope, + SootCallGraph sootCallGraph, TaintAnalysisOptions options){ + super(sootCallGraph, SootDataFlowScope.make(Scene.v()), options); + this.analysisScope = analysisScope; + this.sootCallGraph = sootCallGraph; + } } From fc844d6536769c70e861963a05ee6201cbfd2534 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Wed, 28 Oct 2020 14:01:55 +0100 Subject: [PATCH 02/10] TaintAnalysisBase and internal analysis classes updated with the Boomerang 3.x.x API. --- .../analysis/SecucheckTaintAnalysisBase.java | 31 +++- .../internal/CompositeTaintFlowAnalysis.java | 9 +- .../analysis/internal/SingleFlowAnalysis.java | 169 +++++++++--------- .../internal/SingleFlowAnalysisScope.java | 150 ++++++++-------- .../internal/TaintAnalysisOptions.java | 5 - 5 files changed, 181 insertions(+), 183 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java index 6327662..5ec13c8 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java @@ -1,6 +1,8 @@ package de.fraunhofer.iem.secucheck.analysis; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.LinkedList; @@ -8,7 +10,17 @@ import java.util.Map; import java.util.concurrent.locks.ReentrantLock; -import boomerang.preanalysis.BoomerangPretransformer; +import boomerang.BackwardQuery; +import boomerang.Boomerang; +import boomerang.DefaultBoomerangOptions; +import boomerang.Query; +import boomerang.results.BackwardBoomerangResults; +import boomerang.scene.AnalysisScope; +import boomerang.scene.SootDataFlowScope; +import boomerang.scene.Statement; +import boomerang.scene.Val; +import boomerang.scene.jimple.BoomerangPretransformer; +import boomerang.scene.jimple.SootCallGraph; import de.fraunhofer.iem.secucheck.analysis.internal.CompositeTaintFlowAnalysis; import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl; import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint; @@ -32,13 +44,13 @@ import soot.util.cfgcmd.CFGToDotGraph; import soot.util.dot.DotGraph; import test.core.selfrunning.ImprecisionException; +import wpds.impl.Weight; public abstract class SecucheckTaintAnalysisBase implements SecucheckAnalysis { protected final ReentrantLock lock; protected long analysisTime; - protected BiDiInterproceduralCFG icfg; private OS os; private String appClassPath; @@ -180,6 +192,8 @@ private SecucheckTaintAnalysisResult analyze() { Transform transform = new Transform("wjtp.ifds", createAnalysisTransformer()); PackManager.v().getPack("wjtp").add(transform); PackManager.v().getPack("cg").apply(); + + BoomerangPretransformer.v().apply(); PackManager.v().getPack("wjtp").apply(); if (resultListener != null) { resultListener.reportCompleteResult(this.result); @@ -189,9 +203,9 @@ private SecucheckTaintAnalysisResult analyze() { private SceneTransformer createAnalysisTransformer() throws ImprecisionException { return new SceneTransformer() { - protected void internalTransform(String phaseName, Map options) { - BoomerangPretransformer.v().apply(); - icfg = new JimpleBasedInterproceduralCFG(true); + protected void internalTransform(String phaseName, + @SuppressWarnings("rawtypes") Map options) { + try { executeAnalysis(); } catch (Exception ex) { @@ -199,8 +213,7 @@ protected void internalTransform(String phaseName, Map options) { } } }; - } - + } private static void drawCallGraph(CallGraph callGraph){ DotGraph dot = new DotGraph("callgraph"); @@ -218,6 +231,8 @@ private static void drawCallGraph(CallGraph callGraph){ private void executeAnalysis() throws Exception { + SootCallGraph sootCallGraph = new SootCallGraph(); + // For dumping the call graph for debugging purposes. //drawCallGraph(Scene.v().getCallGraph()); @@ -225,7 +240,7 @@ private void executeAnalysis() throws Exception { if (resultListener != null && resultListener.isCancelled()) { break; } - Analysis analysis = new CompositeTaintFlowAnalysis(icfg, flowQuery, resultListener); + Analysis analysis = new CompositeTaintFlowAnalysis(sootCallGraph, flowQuery, resultListener); CompositeTaintFlowQueryResult singleResult = (CompositeTaintFlowQueryResult) analysis.run(); this.result.addResult(flowQuery, singleResult); if (resultListener != null) { diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/CompositeTaintFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/CompositeTaintFlowAnalysis.java index fe3e94a..9a96c63 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/CompositeTaintFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/CompositeTaintFlowAnalysis.java @@ -4,6 +4,7 @@ import boomerang.callgraph.ObservableICFG; import boomerang.callgraph.ObservableStaticICFG; +import boomerang.scene.jimple.SootCallGraph; import de.fraunhofer.iem.secucheck.analysis.Analysis; import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery; import de.fraunhofer.iem.secucheck.analysis.query.Method; @@ -20,14 +21,14 @@ public class CompositeTaintFlowAnalysis implements Analysis { private final CompositeTaintFlowQuery flowQuery; - private final ObservableICFG icfg; + private final SootCallGraph sootCallGraph; private final AnalysisResultListener resultListener; - public CompositeTaintFlowAnalysis(BiDiInterproceduralCFG icfg, + public CompositeTaintFlowAnalysis(SootCallGraph sootCallGraph, CompositeTaintFlowQuery flowQuery, AnalysisResultListener resultListener) throws Exception { this.flowQuery = flowQuery; - this.icfg = new ObservableStaticICFG(icfg); + this.sootCallGraph = sootCallGraph; this.resultListener = resultListener; // Resolve all methods. This is necessary if a flow participant is not part of // the user code... @@ -45,7 +46,7 @@ public AnalysisResult run() { if (this.resultListener != null && this.resultListener.isCancelled()) { break; } - Analysis analysis = new SingleFlowAnalysis(originalFlow, icfg, this.resultListener); + Analysis analysis = new SingleFlowAnalysis(originalFlow, sootCallGraph, this.resultListener); TaintFlowQueryResult retResult = (TaintFlowQueryResult) analysis.run(); if (retResult.size() == 0) { result.clear(); diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 58b9986..1cb6055 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -2,9 +2,7 @@ import java.util.ArrayList; import java.util.Collection; -import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -16,19 +14,14 @@ import boomerang.Boomerang; import boomerang.ForwardQuery; import boomerang.Query; -import boomerang.callgraph.ObservableICFG; -import boomerang.jimple.Statement; -import boomerang.jimple.Val; -import boomerang.seedfactory.SeedFactory; +import boomerang.scene.AnalysisScope; +import boomerang.scene.ControlFlowGraph.Edge; +import boomerang.scene.Val; +import boomerang.scene.jimple.SootCallGraph; import de.fraunhofer.iem.secucheck.analysis.Analysis; import de.fraunhofer.iem.secucheck.analysis.datastructures.DifferentTypedPair; -import de.fraunhofer.iem.secucheck.analysis.datastructures.Pair; import de.fraunhofer.iem.secucheck.analysis.datastructures.SameTypedPair; -import de.fraunhofer.iem.secucheck.analysis.query.InputParameter; import de.fraunhofer.iem.secucheck.analysis.query.Method; -import de.fraunhofer.iem.secucheck.analysis.query.MethodImpl; -import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter; -import de.fraunhofer.iem.secucheck.analysis.query.ReturnValue; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQueryImpl; import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResult; @@ -38,31 +31,21 @@ import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowQueryResult; import soot.Body; import soot.SootMethod; -import soot.Unit; -import soot.Value; -import soot.jimple.AssignStmt; -import soot.jimple.IdentityStmt; -import soot.jimple.InstanceInvokeExpr; import soot.jimple.JimpleBody; -import soot.jimple.ParameterRef; -import soot.jimple.Stmt; import soot.jimple.internal.JNopStmt; -import soot.tagkit.Host; -import soot.tagkit.PositionTag; -import soot.tagkit.AbstractHost; import wpds.impl.Weight.NoWeight; class SingleFlowAnalysis implements Analysis { private final TaintFlowQueryImpl singleFlow; - private final ObservableICFG icfg; + private final SootCallGraph sootCallGraph; private final AnalysisResultListener resultListener; public SingleFlowAnalysis(TaintFlowQueryImpl singleFlow, - ObservableICFG icfg, + SootCallGraph sootCallGraph, AnalysisResultListener resultListener) { this.singleFlow = singleFlow; - this.icfg = icfg; + this.sootCallGraph = sootCallGraph; this.resultListener = resultListener; } @@ -86,11 +69,11 @@ public AnalysisResult run() { analyzePlainFlow(TaintFlowQueryImpl singleFlow){ List>> - reachMap = new ArrayList>>(); + reachMap = new ArrayList<>(); - SeedFactory seedFactory = getSeedFactory(singleFlow); - Boomerang boomerang = getBoomerang(seedFactory); - Seeds seeds = computeSeeds(seedFactory); + AnalysisScope analysisScope = getAnalysisScope(singleFlow); + Boomerang boomerang = getBoomerang(analysisScope); + Seeds seeds = computeSeeds(analysisScope); if (seeds.getSources().size() != 0 && seeds.getSinks().size() != 0) { List sanitizers = getSanitizers(singleFlow); @@ -127,8 +110,7 @@ public AnalysisResult run() { newQuery2.getTo().addAll(singleFlow.getTo()); List>> - originalReachMap = - new ArrayList>>(), + originalReachMap = new ArrayList<>(), reachMap1 = analyzePlainFlow(newQuery1), reachMap2 = analyzePlainFlow(newQuery2); @@ -158,39 +140,49 @@ public AnalysisResult run() { Set sinks) { List>> reachMap = - new ArrayList>>(); + new ArrayList<>(); if (sources.size() != 0 && sinks.size() != 0) { - // Found more sinks than sources, running forward analysis - if (sources.size() <= sinks.size()) { - sources.forEach(source -> boomerang.solve(source)); - reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); - } else { - // Found less sinks than sources, running backward analysis - sinks.forEach(sink -> boomerang.solve(sink)); - reachMap = getReachingPairs(boomerang, partialFlow, sinks, sources); - } + + sources.forEach(source -> boomerang.solve(source)); + reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); + + + // TODO: Discuss this. + // Found more sinks than sources, running forward analysis +// if (sources.size() <= sinks.size()) { +// sources.forEach(source -> boomerang.solve(source)); +// reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); +// } else { +// // Found less sinks than sources, running backward analysis +// sinks.forEach(sink -> boomerang.solve(sink)); +// reachMap = getReachingPairs(boomerang, partialFlow, sinks, sources); +// } } return reachMap; } private List>> - getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set queries, - Set reachable) { + getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set queries, + Set reachable) { List>> reachMap = - new ArrayList>>(); + new ArrayList<>(); - for (Query start : queries) { - for (Query end : reachable) { + for (ForwardQuery start : queries) { + for (BackwardQuery end : reachable) { if (isValidPath(boomerang, start, end)) { - if (start instanceof ForwardQuery) { - reachMap.add(new DifferentTypedPair>( - flowQuery, getLocationDetailsPair(flowQuery, start, end))); - } else if (start instanceof BackwardQuery) { - reachMap.add(new DifferentTypedPair>( - flowQuery, getLocationDetailsPair(flowQuery, end, start))); - } + reachMap.add(new DifferentTypedPair<>( + flowQuery, getLocationDetailsPair(flowQuery, start, end))); + + // TODO: Discuss this. +// if (start instanceof ForwardQuery) { +// reachMap.add(new DifferentTypedPair<>( +// flowQuery, getLocationDetailsPair(flowQuery, start, end))); +// } else if (start instanceof BackwardQuery) { +// reachMap.add(new DifferentTypedPair<>( +// flowQuery, getLocationDetailsPair(flowQuery, end, start))); +// } } } } @@ -201,40 +193,44 @@ private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl Query start, Query end){ LocationDetails startDetails = new LocationDetails(); - SootMethod sourceMethodDefinition = Utility.findSourceMethodDefinition(flowQuery, start.stmt().getMethod(), - start.stmt().getUnit().get()); - startDetails.setSourceClassName(sourceMethodDefinition.getDeclaringClass().getName()); - startDetails.setMethodSignature(sourceMethodDefinition.getSignature()); - - AbstractHost sourceHost = (AbstractHost) start.asNode().stmt().getUnit().get(); - startDetails.setUsageLineNumber(sourceHost.getJavaSourceStartLineNumber()); - startDetails.setUsageColumnNumber(sourceHost.getJavaSourceStartColumnNumber()); - startDetails.setUsageMethodSignature(start.stmt().getMethod().getSignature()); - startDetails.setUsageClassName(start.stmt().getMethod().getDeclaringClass().getName()); + startDetails.setSourceClassName(start.cfgEdge().getMethod().getDeclaringClass().getName()); + startDetails.setMethodSignature(start.cfgEdge().getMethod().getSubSignature()); + + // TODO: Confirm that the destination is always Y. + startDetails.setUsageLineNumber(start.cfgEdge().getY().getStartLineNumber()); + startDetails.setUsageColumnNumber(start.cfgEdge().getY().getStartColumnNumber()); + + //TODO: Extend the Location details to + //contain the start and end of line and column number. + + startDetails.setUsageMethodSignature(start.cfgEdge().getY().getMethod().getSubSignature()); + startDetails.setUsageClassName(start.cfgEdge().getY().getMethod().getDeclaringClass().getName()); startDetails.setType(LocationType.Source); LocationDetails endDetails = new LocationDetails(); - SootMethod sinkMethodDefinition = Utility.findSinkMethodDefinition(flowQuery, end.stmt().getMethod(), - end.stmt().getUnit().get()); - endDetails.setSourceClassName(sinkMethodDefinition.getDeclaringClass().getName()); - endDetails.setMethodSignature(sinkMethodDefinition.getSignature()); - - AbstractHost sinkHost = (AbstractHost) end.asNode().stmt().getUnit().get(); - endDetails.setUsageLineNumber(sinkHost.getJavaSourceStartLineNumber()); - endDetails.setUsageColumnNumber(sinkHost.getJavaSourceStartColumnNumber()); - endDetails.setUsageMethodSignature(end.stmt().getMethod().getSignature()); - endDetails.setUsageClassName(end.stmt().getMethod().getDeclaringClass().getName()); + endDetails.setSourceClassName(end.cfgEdge().getMethod().getDeclaringClass().getName()); + endDetails.setMethodSignature(end.cfgEdge().getMethod().getSubSignature()); + + // TODO: Confirm that the destination is always Y. + endDetails.setUsageLineNumber(end.cfgEdge().getY().getStartLineNumber()); + endDetails.setUsageColumnNumber(end.cfgEdge().getY().getStartColumnNumber()); + + //TODO: Extend the Location details to + //contain the start and end of line and column number. + + endDetails.setUsageMethodSignature(end.cfgEdge().getY().getMethod().getSubSignature()); + endDetails.setUsageClassName(end.cfgEdge().getY().getMethod().getDeclaringClass().getName()); endDetails.setType(LocationType.Sink); return new SameTypedPair(startDetails, endDetails); } - private SeedFactory getSeedFactory(TaintFlowQuery taintFlow) { - return new SingleFlowSeedFactory(taintFlow, this.icfg); + private AnalysisScope getAnalysisScope(TaintFlowQuery taintFlow) { + return new SingleFlowAnalysisScope(taintFlow, this.sootCallGraph); } - private Boomerang getBoomerang(SeedFactory seedFactory) { - return new SingleFlowBoomerang(seedFactory, this.icfg, new TaintAnalysisOptions()); + private Boomerang getBoomerang(AnalysisScope analysisScope) { + return new SingleFlowBoomerang(analysisScope, this.sootCallGraph, new TaintAnalysisOptions()); } private List getSanitizers(TaintFlowQuery partFlow) { @@ -244,10 +240,10 @@ private List getSanitizers(TaintFlowQuery partFlow) { return sanitizers; } - private Seeds computeSeeds(SeedFactory seedFactory) { + private Seeds computeSeeds(AnalysisScope analysisScope) { Set sources = Sets.newHashSet(); Set sinks = Sets.newHashSet(); - Collection computeSeeds = seedFactory.computeSeeds(); + Collection computeSeeds = analysisScope.computeSeeds(); for (Query q : computeSeeds) { if (q instanceof BackwardQuery) { sinks.add((BackwardQuery) q); @@ -259,7 +255,7 @@ private Seeds computeSeeds(SeedFactory seedFactory) { } private Map setEmptySootBodies(List methods){ - Map oldBodies = new HashMap(); + Map oldBodies = new HashMap<>(); for (Method method : methods) { SootMethod sootMethod = Utility.getSootMethod(method); if (sootMethod != null) { @@ -281,6 +277,13 @@ private boolean isPropogatorless(TaintFlowQueryImpl singleFlow) { return singleFlow.getThrough() == null || singleFlow.getThrough().size() == 0; } + private boolean isValidPath(Boomerang boomerang, ForwardQuery start, BackwardQuery end) { + Edge edge = end.cfgEdge(); + Val value = end.var(); + Table results = boomerang.getResults(start); + return results.get(edge, value) == null ? false : true; + } + private boolean isSourceAndSinkMatching(SameTypedPair sourcePair, SameTypedPair sinkPair) { @@ -317,12 +320,4 @@ private SameTypedPair stitchSourceAndSink( new SameTypedPair<>(sourcePair.getFirst(), sinkPair.getSecond()); return stichedPair; } - - private boolean isValidPath(Boomerang boomerang, Query start, Query end) { - // Quick check: Is the "end" included in the Table at all? - Statement s = end.asNode().stmt(); - Val v = end.asNode().fact(); - Table results = boomerang.getResults(start); - return results.get(s, v) == null ? false : true; - } } \ No newline at end of file diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index bf4de8d..48d8459 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -2,7 +2,6 @@ import java.util.Collection; import java.util.Collections; -import java.util.HashMap; import java.util.HashSet; import java.util.Set; @@ -11,48 +10,44 @@ import boomerang.BackwardQuery; import boomerang.ForwardQuery; import boomerang.Query; -import boomerang.callgraph.ObservableICFG; -import boomerang.jimple.Statement; -import boomerang.jimple.Val; -import boomerang.seedfactory.SeedFactory; +import boomerang.scene.AnalysisScope; +import boomerang.scene.ControlFlowGraph.Edge; +import boomerang.scene.Statement; +import boomerang.scene.Val; +import boomerang.scene.jimple.SootCallGraph; import de.fraunhofer.iem.secucheck.analysis.query.InputParameter; import de.fraunhofer.iem.secucheck.analysis.query.Method; import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery; -import soot.SootMethod; -import soot.Unit; -import soot.Value; -import soot.jimple.AssignStmt; -import soot.jimple.IdentityStmt; -import soot.jimple.InstanceInvokeExpr; -import soot.jimple.ParameterRef; -import soot.jimple.Stmt; -import wpds.impl.Weight.NoWeight; -public class SingleFlowSeedFactory extends SeedFactory{ +public class SingleFlowAnalysisScope extends AnalysisScope { private final TaintFlowQuery taintFlow; - private final ObservableICFG icfg; + private final SootCallGraph sootCallGraph; - private final Set sourceMethods = new HashSet(); - private final Set sinkMethods = new HashSet(); + private final Set sourceMethods = new HashSet<>(); + private final Set sinkMethods = new HashSet<>(); - public SingleFlowSeedFactory(TaintFlowQuery taintFlow, ObservableICFG icfg) { + public SingleFlowAnalysisScope(TaintFlowQuery taintFlow, SootCallGraph sootCallGraph) { + super(sootCallGraph); this.taintFlow = taintFlow; - this.icfg = icfg; + this.sootCallGraph = sootCallGraph; } @Override - protected Collection generate(SootMethod method, Stmt u) { + protected Collection generate(Edge cfgEdge) { + + boomerang.scene.Method method = cfgEdge.getMethod(); + Statement statement = cfgEdge.getTarget(); + Set out = Sets.newHashSet(); - Collection sourceVariables = generateSourceVariables(this.taintFlow, method, u); - sourceVariables.forEach(v -> - out.add(new ForwardQuery(new Statement(u, method), new Val(v, method))) ); + // Inconsistency between instantiations of Forward and Backward queries. + Collection sourceVariables = generateSourceVariables(this.taintFlow, method, statement); + sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, v))); - Collection sinkVariables = generatedSinkVariables(this.taintFlow, method, u); - sinkVariables.forEach(v -> - out.add(new BackwardQuery(new Statement(u, method), new Val(v, method)))); + Collection sinkVariables = generatedSinkVariables(this.taintFlow, method, statement); + sinkVariables.forEach(v -> out.add(BackwardQuery.make(cfgEdge, v))); // Find source method for (Method flowMethod : this.taintFlow.getFrom()) { @@ -70,67 +65,66 @@ protected Collection generate(SootMethod method, Stmt u) { return out; } - @Override - public ObservableICFG icfg() { return this.icfg; } - - private Collection generateSourceVariables(TaintFlowQuery partialFlow, - SootMethod method, Stmt actualStatement) { - - for (Object object : partialFlow.getFrom()) { - Method sourceMethod = (Method) object; + private Collection generateSourceVariables(TaintFlowQuery partialFlow, + boomerang.scene.Method method, Statement statement) { + for (Method sourceMethod : partialFlow.getFrom()) { String sourceSootSignature = "<" + sourceMethod.getSignature() + ">"; - Collection out = Sets.newHashSet(); - - if (method.getSignature().equals(sourceSootSignature) && - actualStatement instanceof IdentityStmt) { + Collection out = Sets.newHashSet(); + + // method.getSignature(); + if (method.getSubSignature().equals(sourceSootSignature) && + statement.isIdentityStmt()) { + +// IdentityStmt identity = (IdentityStmt) statement; +// Value right = identity.getRightOp(); +// +// if (right instanceof ParameterRef) { +// ParameterRef parameterRef = (ParameterRef) right; +// if (sourceMethod.getOutputParameters() != null) { +// for (OutputParameter output : sourceMethod.getOutputParameters()) { +// int parameterIndex = output.getNumber(); +// if (parameterRef.getIndex() == parameterIndex +// && method.getParameterCount() >= parameterIndex) { +// out.add(identity.getLeftOp()); +// } +// } +// } +// +// } - IdentityStmt identity = (IdentityStmt) actualStatement; - Value right = identity.getRightOp(); - if (right instanceof ParameterRef) { - - ParameterRef parameterRef = (ParameterRef) right; - if (sourceMethod.getOutputParameters() != null) { - for (OutputParameter output : sourceMethod.getOutputParameters()) { - int parameterIndex = output.getNumber(); - if (parameterRef.getIndex() == parameterIndex - && method.getParameterCount() >= parameterIndex) { - out.add(identity.getLeftOp()); - } + if (sourceMethod.getOutputParameters() != null) { + for (OutputParameter output : sourceMethod.getOutputParameters()) { + int parameterIndex = output.getNumber(); + if (statement.getRightOp().isParameterLocal(parameterIndex)){ + out.add(statement.getLeftOp()); } } - } return out; - } else if (actualStatement.containsInvokeExpr() - && actualStatement.toString().contains(sourceSootSignature)) { - + } else if (statement.containsInvokeExpr() + && statement.toString().contains(sourceSootSignature)) { // taint the return value - if (sourceMethod.getReturnValue() != null && actualStatement instanceof AssignStmt) { - out.add(((AssignStmt) actualStatement).getLeftOp()); + if (sourceMethod.getReturnValue() != null && statement.isAssign()) { + out.add(statement.getLeftOp()); } - if (sourceMethod.getOutputParameters() != null) { for (OutputParameter output : sourceMethod.getOutputParameters()) { int parameterIndex = output.getNumber(); - if (actualStatement.getInvokeExpr().getArgCount() >= parameterIndex) { - out.add(actualStatement.getInvokeExpr().getArg(parameterIndex)); + if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) { + out.add(statement.getInvokeExpr().getArg(parameterIndex)); } } } - // taint this object - if (sourceMethod.isOutputThis() && actualStatement.getInvokeExpr() instanceof InstanceInvokeExpr) { - InstanceInvokeExpr instanceInvoke = (InstanceInvokeExpr) actualStatement.getInvokeExpr(); - out.add(instanceInvoke.getBase()); + if (sourceMethod.isOutputThis() && statement.getInvokeExpr().isInstanceInvokeExpr()) { + out.add(statement.getInvokeExpr().getBase()); } return out; } } - - // if (this.flow.getSource().getValueSource() != null) // a single value source // { // // TODO:handle this @@ -138,30 +132,28 @@ private Collection generateSourceVariables(TaintFlowQuery partialFlow, return Collections.emptySet(); } - private Collection generatedSinkVariables(TaintFlowQuery partialFlow, - SootMethod method, Stmt actualStatement) { - for (Object object : partialFlow.getTo()) { - Method sourceMethod = (Method) object; + private Collection generatedSinkVariables(TaintFlowQuery partialFlow, + boomerang.scene.Method method, Statement statement) { + for (Method sourceMethod : partialFlow.getTo()) { String sourceSootSignature = "<" + sourceMethod.getSignature() + ">"; - Collection out = Sets.newHashSet(); + Collection out = Sets.newHashSet(); - if (actualStatement.containsInvokeExpr() - && actualStatement.toString().contains(sourceSootSignature)) { + if (statement.containsInvokeExpr() && statement.toString() + .contains(sourceSootSignature)) { // taint the return value if (sourceMethod.getInputParameters() != null) { for (InputParameter input : sourceMethod.getInputParameters()) { int parameterIndex = input.getNumber(); - if (actualStatement.getInvokeExpr().getArgCount() >= parameterIndex) { - out.add(actualStatement.getInvokeExpr().getArg(parameterIndex)); + if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) { + out.add(statement.getInvokeExpr().getArg(parameterIndex)); } } } - + // taint this object - if (sourceMethod.isInputThis() && actualStatement.getInvokeExpr() instanceof InstanceInvokeExpr) { - InstanceInvokeExpr instanceInvoke = (InstanceInvokeExpr) actualStatement.getInvokeExpr(); - out.add(instanceInvoke.getBase()); + if (sourceMethod.isInputThis() && statement.getInvokeExpr().isInstanceInvokeExpr()) { + out.add(statement.getInvokeExpr().getBase()); } return out; diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java index e9ba7ae..a4afd5e 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java @@ -8,9 +8,4 @@ class TaintAnalysisOptions extends DefaultBoomerangOptions { public boolean trackStrings() { return true; } - - @Override - public boolean arrayFlows() { - return true; - } } From fc9a291563dfba4818d80c13f65bf95dee48d04e Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sat, 31 Oct 2020 13:02:33 +0100 Subject: [PATCH 03/10] Some issues in analysis scope and options are fixed. --- .../internal/SingleFlowAnalysisScope.java | 131 ++++++++++-------- .../internal/TaintAnalysisOptions.java | 5 + 2 files changed, 80 insertions(+), 56 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index 48d8459..c415c3f 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -10,11 +10,13 @@ import boomerang.BackwardQuery; import boomerang.ForwardQuery; import boomerang.Query; +import boomerang.scene.AllocVal; import boomerang.scene.AnalysisScope; import boomerang.scene.ControlFlowGraph.Edge; import boomerang.scene.Statement; import boomerang.scene.Val; import boomerang.scene.jimple.SootCallGraph; +import de.fraunhofer.iem.secucheck.analysis.datastructures.SameTypedPair; import de.fraunhofer.iem.secucheck.analysis.query.InputParameter; import de.fraunhofer.iem.secucheck.analysis.query.Method; import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter; @@ -36,89 +38,92 @@ public SingleFlowAnalysisScope(TaintFlowQuery taintFlow, SootCallGraph sootCallG @Override protected Collection generate(Edge cfgEdge) { + Set out = Sets.newHashSet(); - boomerang.scene.Method method = cfgEdge.getMethod(); + // The target statement for the current edge. Statement statement = cfgEdge.getTarget(); - Set out = Sets.newHashSet(); - // Inconsistency between instantiations of Forward and Backward queries. - Collection sourceVariables = generateSourceVariables(this.taintFlow, method, statement); - sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, v))); + Collection> sourceVariables = + generateSourceVariables(this.taintFlow, statement); + + // AllocVal + sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, + new AllocVal(v.getFirst(), statement, v.getSecond())))); - Collection sinkVariables = generatedSinkVariables(this.taintFlow, method, statement); + Collection sinkVariables = generatedSinkVariables(this.taintFlow, statement); + + // AllocVal sinkVariables.forEach(v -> out.add(BackwardQuery.make(cfgEdge, v))); - // Find source method + // Find source methods. for (Method flowMethod : this.taintFlow.getFrom()) { - if (method.toString().equals("<" + flowMethod.getSignature() + ">")) { - sourceMethods.add(method); + if (ToStringEquals(statement.getMethod(), + WrapInAngularBrackets(flowMethod.getSignature()))) { + sourceMethods.add(statement.getMethod()); } } - // Find target method + // Find target methods. for (Method flowMethod : this.taintFlow.getTo()) { - if (method.toString().equals("<" + flowMethod.getSignature() + ">")) { - sinkMethods.add(method); + if (ToStringEquals(statement.getMethod(), + WrapInAngularBrackets(flowMethod.getSignature()))) { + sinkMethods.add(statement.getMethod()); } } + return out; } - private Collection generateSourceVariables(TaintFlowQuery partialFlow, - boomerang.scene.Method method, Statement statement) { + private Collection> generateSourceVariables(TaintFlowQuery partialFlow, + Statement statement) { + for (Method sourceMethod : partialFlow.getFrom()) { - String sourceSootSignature = "<" + sourceMethod.getSignature() + ">"; - Collection out = Sets.newHashSet(); - // method.getSignature(); - if (method.getSubSignature().equals(sourceSootSignature) && + String sourceSootSignature = WrapInAngularBrackets(sourceMethod.getSignature()); + Collection> out = Sets.newHashSet(); + + if (ToStringEquals(statement.getMethod(), sourceSootSignature) && statement.isIdentityStmt()) { - -// IdentityStmt identity = (IdentityStmt) statement; -// Value right = identity.getRightOp(); -// -// if (right instanceof ParameterRef) { -// ParameterRef parameterRef = (ParameterRef) right; -// if (sourceMethod.getOutputParameters() != null) { -// for (OutputParameter output : sourceMethod.getOutputParameters()) { -// int parameterIndex = output.getNumber(); -// if (parameterRef.getIndex() == parameterIndex -// && method.getParameterCount() >= parameterIndex) { -// out.add(identity.getLeftOp()); -// } -// } -// } -// -// } if (sourceMethod.getOutputParameters() != null) { for (OutputParameter output : sourceMethod.getOutputParameters()) { int parameterIndex = output.getNumber(); - if (statement.getRightOp().isParameterLocal(parameterIndex)){ - out.add(statement.getLeftOp()); + if (statement.getRightOp().isParameterLocal(parameterIndex)){ + out.add(new SameTypedPair(statement.getLeftOp(), + statement.getRightOp())); } } } + return out; } else if (statement.containsInvokeExpr() - && statement.toString().contains(sourceSootSignature)) { - // taint the return value + && ToStringEquals(statement.getInvokeExpr().getMethod(), + sourceSootSignature)) { + + // Taint the return value if (sourceMethod.getReturnValue() != null && statement.isAssign()) { - out.add(statement.getLeftOp()); - } + out.add(new SameTypedPair(statement.getLeftOp(), + statement.getRightOp())); + } + if (sourceMethod.getOutputParameters() != null) { for (OutputParameter output : sourceMethod.getOutputParameters()) { int parameterIndex = output.getNumber(); if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) { - out.add(statement.getInvokeExpr().getArg(parameterIndex)); + out.add(new SameTypedPair( + statement.getInvokeExpr().getArg(parameterIndex), + statement.getInvokeExpr().getArg(parameterIndex))); } } } - // taint this object - if (sourceMethod.isOutputThis() && statement.getInvokeExpr().isInstanceInvokeExpr()) { - out.add(statement.getInvokeExpr().getBase()); + + // Taint this object + if (sourceMethod.isOutputThis() && + statement.getInvokeExpr().isInstanceInvokeExpr()) { + out.add(new SameTypedPair(statement.getInvokeExpr().getBase(), + statement.getInvokeExpr().getBase())); } return out; @@ -133,17 +138,20 @@ private Collection generateSourceVariables(TaintFlowQuery partialFlow, } private Collection generatedSinkVariables(TaintFlowQuery partialFlow, - boomerang.scene.Method method, Statement statement) { - for (Method sourceMethod : partialFlow.getTo()) { - String sourceSootSignature = "<" + sourceMethod.getSignature() + ">"; + Statement statement) { + + for (Method sinkMethod : partialFlow.getTo()) { + + String sinkSootSignature = WrapInAngularBrackets(sinkMethod.getSignature()); Collection out = Sets.newHashSet(); - - if (statement.containsInvokeExpr() && statement.toString() - .contains(sourceSootSignature)) { + + if (statement.containsInvokeExpr() && + ToStringEquals(statement.getInvokeExpr().getMethod(), + sinkSootSignature)) { - // taint the return value - if (sourceMethod.getInputParameters() != null) { - for (InputParameter input : sourceMethod.getInputParameters()) { + // Taint the return value. + if (sinkMethod.getInputParameters() != null) { + for (InputParameter input : sinkMethod.getInputParameters()) { int parameterIndex = input.getNumber(); if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) { out.add(statement.getInvokeExpr().getArg(parameterIndex)); @@ -151,8 +159,9 @@ private Collection generatedSinkVariables(TaintFlowQuery partialFlow, } } - // taint this object - if (sourceMethod.isInputThis() && statement.getInvokeExpr().isInstanceInvokeExpr()) { + // Taint this object. + if (sinkMethod.isInputThis() && + statement.getInvokeExpr().isInstanceInvokeExpr()) { out.add(statement.getInvokeExpr().getBase()); } @@ -160,7 +169,17 @@ private Collection generatedSinkVariables(TaintFlowQuery partialFlow, } } + // TODO: re-check the sink structure!! return Collections.emptySet(); } + + private static String WrapInAngularBrackets(String value) { + return "<" + value + ">"; + } + + private static boolean ToStringEquals(Object object1, Object object2) { + return object1.toString().equals(object2.toString()); + } + } diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java index a4afd5e..91b1c03 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/TaintAnalysisOptions.java @@ -8,4 +8,9 @@ class TaintAnalysisOptions extends DefaultBoomerangOptions { public boolean trackStrings() { return true; } + + @Override + public boolean allowMultipleQueries() { + return true; + } } From 5f336c406c69b7fd3debb891d47d86e2c0f8188e Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sun, 1 Nov 2020 16:12:24 +0100 Subject: [PATCH 04/10] Analysis result location details now has start and end points. --- .../analysis/internal/SingleFlowAnalysis.java | 60 ++++++++++--------- .../internal/SingleFlowAnalysisScope.java | 5 -- .../analysis/result/LocationDetails.java | 19 +++--- 3 files changed, 45 insertions(+), 39 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 1cb6055..806b426 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -145,19 +145,18 @@ public AnalysisResult run() { if (sources.size() != 0 && sinks.size() != 0) { sources.forEach(source -> boomerang.solve(source)); - reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); - - - // TODO: Discuss this. - // Found more sinks than sources, running forward analysis -// if (sources.size() <= sinks.size()) { -// sources.forEach(source -> boomerang.solve(source)); -// reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); -// } else { -// // Found less sinks than sources, running backward analysis -// sinks.forEach(sink -> boomerang.solve(sink)); -// reachMap = getReachingPairs(boomerang, partialFlow, sinks, sources); -// } + reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); + + //TODO: Discuss this. +// // Found more sinks than sources, running forward analysis +// if (sources.size() <= sinks.size()) { +// sources.forEach(source -> boomerang.solve(source)); +// reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); +// } else { +// // Found less sinks than sources, running backward analysis +// sinks.forEach(sink -> boomerang.solve(sink)); +// reachMap = getReachingPairs(boomerang, partialFlow, sinks, sources); +// } } return reachMap; } @@ -197,11 +196,10 @@ private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl startDetails.setMethodSignature(start.cfgEdge().getMethod().getSubSignature()); // TODO: Confirm that the destination is always Y. - startDetails.setUsageLineNumber(start.cfgEdge().getY().getStartLineNumber()); - startDetails.setUsageColumnNumber(start.cfgEdge().getY().getStartColumnNumber()); - - //TODO: Extend the Location details to - //contain the start and end of line and column number. + startDetails.setUsageStartLineNumber(start.cfgEdge().getY().getStartLineNumber()); + startDetails.setUsageEndLineNumber(start.cfgEdge().getY().getEndLineNumber()); + startDetails.setUsageStartColumnNumber(start.cfgEdge().getY().getStartColumnNumber()); + startDetails.setUsageEndColumnNumber(start.cfgEdge().getY().getEndColumnNumber()); startDetails.setUsageMethodSignature(start.cfgEdge().getY().getMethod().getSubSignature()); startDetails.setUsageClassName(start.cfgEdge().getY().getMethod().getDeclaringClass().getName()); @@ -212,17 +210,17 @@ private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl endDetails.setMethodSignature(end.cfgEdge().getMethod().getSubSignature()); // TODO: Confirm that the destination is always Y. - endDetails.setUsageLineNumber(end.cfgEdge().getY().getStartLineNumber()); - endDetails.setUsageColumnNumber(end.cfgEdge().getY().getStartColumnNumber()); - - //TODO: Extend the Location details to - //contain the start and end of line and column number. + endDetails.setUsageStartLineNumber(end.cfgEdge().getY().getStartLineNumber()); + endDetails.setUsageEndLineNumber(end.cfgEdge().getY().getEndLineNumber()); + endDetails.setUsageStartColumnNumber(end.cfgEdge().getY().getStartColumnNumber()); + endDetails.setUsageEndColumnNumber(end.cfgEdge().getY().getEndColumnNumber()); endDetails.setUsageMethodSignature(end.cfgEdge().getY().getMethod().getSubSignature()); endDetails.setUsageClassName(end.cfgEdge().getY().getMethod().getDeclaringClass().getName()); endDetails.setType(LocationType.Sink); return new SameTypedPair(startDetails, endDetails); + } private AnalysisScope getAnalysisScope(TaintFlowQuery taintFlow) { @@ -303,12 +301,20 @@ private boolean isSourceAndSinkMatching(SameTypedPair sourcePai sinkPair.getFirst().getMethodSignature())) return false; - if (sourcePair.getSecond().getUsageLineNumber() != - sinkPair.getFirst().getUsageLineNumber()) + if (sourcePair.getSecond().getUsageStartLineNumber() != + sinkPair.getFirst().getUsageStartLineNumber()) + return false; + + if (sourcePair.getSecond().getUsageEndLineNumber() != + sinkPair.getFirst().getUsageEndLineNumber()) + return false; + + if (sourcePair.getSecond().getUsageStartColumnNumber() != + sinkPair.getFirst().getUsageStartColumnNumber()) return false; - if (sourcePair.getSecond().getUsageColumnNumber() != - sinkPair.getFirst().getUsageColumnNumber()) + if (sourcePair.getSecond().getUsageEndColumnNumber() != + sinkPair.getFirst().getUsageEndColumnNumber()) return false; return true; diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index c415c3f..7cf0bfa 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -25,7 +25,6 @@ public class SingleFlowAnalysisScope extends AnalysisScope { private final TaintFlowQuery taintFlow; - private final SootCallGraph sootCallGraph; private final Set sourceMethods = new HashSet<>(); private final Set sinkMethods = new HashSet<>(); @@ -33,7 +32,6 @@ public class SingleFlowAnalysisScope extends AnalysisScope { public SingleFlowAnalysisScope(TaintFlowQuery taintFlow, SootCallGraph sootCallGraph) { super(sootCallGraph); this.taintFlow = taintFlow; - this.sootCallGraph = sootCallGraph; } @Override @@ -43,17 +41,14 @@ protected Collection generate(Edge cfgEdge) { // The target statement for the current edge. Statement statement = cfgEdge.getTarget(); - // Inconsistency between instantiations of Forward and Backward queries. Collection> sourceVariables = generateSourceVariables(this.taintFlow, statement); - // AllocVal sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, new AllocVal(v.getFirst(), statement, v.getSecond())))); Collection sinkVariables = generatedSinkVariables(this.taintFlow, statement); - // AllocVal sinkVariables.forEach(v -> out.add(BackwardQuery.make(cfgEdge, v))); // Find source methods. diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/result/LocationDetails.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/result/LocationDetails.java index 0e9702f..5bd359a 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/result/LocationDetails.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/result/LocationDetails.java @@ -8,8 +8,10 @@ public class LocationDetails { private String methodSignature; private String usageMethodSignature; - private int usageLineNumber; - private int usageColNumber; + private int usageStartLineNumber; + private int usageEndLineNumber; + private int usageStartColNumber; + private int usageEndColNumber; private LocationType type; @@ -23,9 +25,10 @@ public LocationDetails() { } public LocationType getType() { return type; } - public int getUsageLineNumber() { return usageLineNumber; } - public int getUsageColumnNumber() { return usageColNumber; } - + public int getUsageStartLineNumber() { return usageStartLineNumber; } + public int getUsageEndLineNumber() { return usageEndLineNumber; } + public int getUsageStartColumnNumber() { return usageStartColNumber; } + public int getUsageEndColumnNumber() { return usageEndColNumber; } public void setSourceClassName(String sourceClassName) { this.sourceClassName = sourceClassName; } public void setUsageClassName(String usageClassName) { this.usageClassName = usageClassName; } @@ -35,6 +38,8 @@ public LocationDetails() { } public void setType(LocationType type) { this.type = type; } - public void setUsageLineNumber(int usageLineNumber) { this.usageLineNumber = usageLineNumber; } - public void setUsageColumnNumber(int usageColNumber) { this.usageColNumber = usageColNumber; } + public void setUsageStartLineNumber(int usageStartLineNumber) { this.usageStartLineNumber = usageStartLineNumber; } + public void setUsageEndLineNumber(int usageEndLineNumber) { this.usageEndLineNumber = usageEndLineNumber; } + public void setUsageStartColumnNumber(int usageStartColNumber) { this.usageStartColNumber = usageStartColNumber; } + public void setUsageEndColumnNumber(int usageEndColNumber) { this.usageEndColNumber = usageEndColNumber; } } \ No newline at end of file From 05b632aaa8a7576247145adddc765e9a6f6cbe62 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Fri, 6 Nov 2020 01:38:28 +0100 Subject: [PATCH 05/10] BackwardQuery execution based analysis partial change. --- .../analysis/internal/SingleFlowAnalysis.java | 84 +++++++++++++------ 1 file changed, 59 insertions(+), 25 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 806b426..d8bad58 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -14,10 +14,13 @@ import boomerang.Boomerang; import boomerang.ForwardQuery; import boomerang.Query; +import boomerang.results.BackwardBoomerangResults; +import boomerang.results.AbstractBoomerangResults.Context; import boomerang.scene.AnalysisScope; import boomerang.scene.ControlFlowGraph.Edge; import boomerang.scene.Val; import boomerang.scene.jimple.SootCallGraph; +import boomerang.util.AccessPath; import de.fraunhofer.iem.secucheck.analysis.Analysis; import de.fraunhofer.iem.secucheck.analysis.datastructures.DifferentTypedPair; import de.fraunhofer.iem.secucheck.analysis.datastructures.SameTypedPair; @@ -33,6 +36,7 @@ import soot.SootMethod; import soot.jimple.JimpleBody; import soot.jimple.internal.JNopStmt; +import wpds.impl.Weight; import wpds.impl.Weight.NoWeight; class SingleFlowAnalysis implements Analysis { @@ -136,7 +140,7 @@ public AnalysisResult run() { private List>> analyzeInternal(Boomerang boomerang, - TaintFlowQueryImpl partialFlow, Set sources, + TaintFlowQueryImpl flowQuery, Set sources, Set sinks) { List>> reachMap = @@ -144,8 +148,11 @@ public AnalysisResult run() { if (sources.size() != 0 && sinks.size() != 0) { - sources.forEach(source -> boomerang.solve(source)); - reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); + List>> backwardResults = new ArrayList<>(); + sinks.forEach(sink -> backwardResults.add( + new DifferentTypedPair<>(sink, boomerang.solve(sink)))); + reachMap = getReachingPairs(boomerang, flowQuery, sources, backwardResults); //TODO: Discuss this. // // Found more sinks than sources, running forward analysis @@ -162,30 +169,64 @@ public AnalysisResult run() { } private List>> - getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set queries, - Set reachable) { + getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set sources, + List>> sinkResults) { List>> reachMap = new ArrayList<>(); - for (ForwardQuery start : queries) { - for (BackwardQuery end : reachable) { - if (isValidPath(boomerang, start, end)) { + for (DifferentTypedPair> sinkResult : sinkResults) { + + for (ForwardQuery source : sources) { + + if (hasSourceAliased(sinkResult.getSecond(), source)) { reachMap.add(new DifferentTypedPair<>( - flowQuery, getLocationDetailsPair(flowQuery, start, end))); - - // TODO: Discuss this. -// if (start instanceof ForwardQuery) { -// reachMap.add(new DifferentTypedPair<>( -// flowQuery, getLocationDetailsPair(flowQuery, start, end))); -// } else if (start instanceof BackwardQuery) { -// reachMap.add(new DifferentTypedPair<>( -// flowQuery, getLocationDetailsPair(flowQuery, end, start))); -// } + flowQuery, getLocationDetailsPair(flowQuery, source, sinkResult.getFirst()))); } } } + return reachMap; + +// for (ForwardQuery start : queries) { +// for (BackwardQuery end : reachable) { +// if (isValidPath(boomerang, start, end)) { +// reachMap.add(new DifferentTypedPair<>( +// flowQuery, getLocationDetailsPair(flowQuery, start, end))); +// +// // TODO: Discuss this. +//// if (start instanceof ForwardQuery) { +//// reachMap.add(new DifferentTypedPair<>( +//// flowQuery, getLocationDetailsPair(flowQuery, start, end))); +//// } else if (start instanceof BackwardQuery) { +//// reachMap.add(new DifferentTypedPair<>( +//// flowQuery, getLocationDetailsPair(flowQuery, end, start))); +//// } +// } +// } +// } +// return reachMap; + } + + private boolean hasSourceAliased(BackwardBoomerangResults sinkResult, + ForwardQuery source) { + + Map allocationSites = sinkResult.getAllocationSites(); + Set alaises = sinkResult.getAllAliases(); + + +// Edge edge = end.cfgEdge(); +// Val value = end.var(); +// Table results = boomerang.getResults(start); + return 1==1; + } + + private boolean isValidPath(Boomerang boomerang, ForwardQuery start, BackwardQuery end) { + Edge edge = end.cfgEdge(); + Val value = end.var(); + Table results = boomerang.getResults(start); + return results.get(edge, value) == null ? false : true; } private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl flowQuery, @@ -275,13 +316,6 @@ private boolean isPropogatorless(TaintFlowQueryImpl singleFlow) { return singleFlow.getThrough() == null || singleFlow.getThrough().size() == 0; } - private boolean isValidPath(Boomerang boomerang, ForwardQuery start, BackwardQuery end) { - Edge edge = end.cfgEdge(); - Val value = end.var(); - Table results = boomerang.getResults(start); - return results.get(edge, value) == null ? false : true; - } - private boolean isSourceAndSinkMatching(SameTypedPair sourcePair, SameTypedPair sinkPair) { From 07e872c8e48761253743e26119651be21f321ea5 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sat, 14 Nov 2020 14:34:33 +0100 Subject: [PATCH 06/10] Usage of WeightedForwardQuery instead of BackwardQuery. --- .../.attach_pid66076 | 0 .../analysis/internal/SingleFlowAnalysis.java | 33 +++++++++---------- .../internal/SingleFlowAnalysisScope.java | 7 ++-- .../internal/SingleFlowBoomerang.java | 2 +- 4 files changed, 21 insertions(+), 21 deletions(-) create mode 100644 de.fraunhofer.iem.secucheck.analysis.releng/.attach_pid66076 diff --git a/de.fraunhofer.iem.secucheck.analysis.releng/.attach_pid66076 b/de.fraunhofer.iem.secucheck.analysis.releng/.attach_pid66076 new file mode 100644 index 0000000..e69de29 diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index d8bad58..2e53348 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -15,6 +15,7 @@ import boomerang.ForwardQuery; import boomerang.Query; import boomerang.results.BackwardBoomerangResults; +import boomerang.results.ForwardBoomerangResults; import boomerang.results.AbstractBoomerangResults.Context; import boomerang.scene.AnalysisScope; import boomerang.scene.ControlFlowGraph.Edge; @@ -148,11 +149,9 @@ public AnalysisResult run() { if (sources.size() != 0 && sinks.size() != 0) { - List>> backwardResults = new ArrayList<>(); - sinks.forEach(sink -> backwardResults.add( - new DifferentTypedPair<>(sink, boomerang.solve(sink)))); - reachMap = getReachingPairs(boomerang, flowQuery, sources, backwardResults); + List> forwardResults = new ArrayList<>(); + sources.forEach(source -> forwardResults.add(boomerang.solve(source))); + reachMap = getReachingPairs(boomerang, flowQuery, sinks, forwardResults); //TODO: Discuss this. // // Found more sinks than sources, running forward analysis @@ -169,20 +168,17 @@ public AnalysisResult run() { } private List>> - getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set sources, - List>> sinkResults) { + getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set sinks, + List> sourceResults) { List>> reachMap = new ArrayList<>(); - for (DifferentTypedPair> sinkResult : sinkResults) { - - for (ForwardQuery source : sources) { - - if (hasSourceAliased(sinkResult.getSecond(), source)) { + for (ForwardBoomerangResults sourceResult : sourceResults) { + for (BackwardQuery sink : sinks) { + if (hasSourceAliased(sourceResult, sink)) { reachMap.add(new DifferentTypedPair<>( - flowQuery, getLocationDetailsPair(flowQuery, source, sinkResult.getFirst()))); + flowQuery, getLocationDetailsPair(flowQuery, null, sink))); } } } @@ -209,12 +205,13 @@ public AnalysisResult run() { // return reachMap; } - private boolean hasSourceAliased(BackwardBoomerangResults sinkResult, - ForwardQuery source) { + private boolean hasSourceAliased(ForwardBoomerangResults sourceResult, + BackwardQuery sink) { - Map allocationSites = sinkResult.getAllocationSites(); - Set alaises = sinkResult.getAllAliases(); + Table table = sourceResult.asStatementValWeightTable(); +// Map allocationSites = sinkResult.getAllocationSites(); +// Set alaises = sinkResult.getAllAliases(); // Edge edge = end.cfgEdge(); // Val value = end.var(); diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index 7cf0bfa..6e36394 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -10,6 +10,7 @@ import boomerang.BackwardQuery; import boomerang.ForwardQuery; import boomerang.Query; +import boomerang.WeightedForwardQuery; import boomerang.scene.AllocVal; import boomerang.scene.AnalysisScope; import boomerang.scene.ControlFlowGraph.Edge; @@ -21,6 +22,8 @@ import de.fraunhofer.iem.secucheck.analysis.query.Method; import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery; +import wpds.impl.Weight; +import wpds.impl.Weight; public class SingleFlowAnalysisScope extends AnalysisScope { @@ -44,8 +47,8 @@ protected Collection generate(Edge cfgEdge) { Collection> sourceVariables = generateSourceVariables(this.taintFlow, statement); - sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, - new AllocVal(v.getFirst(), statement, v.getSecond())))); + sourceVariables.forEach(v -> out.add( + new WeightedForwardQuery(cfgEdge, v.getFirst(), Weight.NO_WEIGHT_ONE))); Collection sinkVariables = generatedSinkVariables(this.taintFlow, statement); diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java index 5d3a420..d0e3a93 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowBoomerang.java @@ -16,5 +16,5 @@ public SingleFlowBoomerang(AnalysisScope analysisScope, super(sootCallGraph, SootDataFlowScope.make(Scene.v()), options); this.analysisScope = analysisScope; this.sootCallGraph = sootCallGraph; - } + } } From a2553c75521342bac31c8e8bcc45d1100193e0e0 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sat, 14 Nov 2020 18:04:48 +0100 Subject: [PATCH 07/10] Wieghtless ForwardQuery is used for analysis, AllocVal issues in AnalysisScope fixed and some commented code is removed. --- de.fraunhofer.iem.secucheck.analysis/pom.xml | 1 + .../analysis/internal/SingleFlowAnalysis.java | 101 ++++++++---------- .../internal/SingleFlowAnalysisScope.java | 60 +++++++---- 3 files changed, 82 insertions(+), 80 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/pom.xml b/de.fraunhofer.iem.secucheck.analysis/pom.xml index c9ee399..401d3da 100644 --- a/de.fraunhofer.iem.secucheck.analysis/pom.xml +++ b/de.fraunhofer.iem.secucheck.analysis/pom.xml @@ -53,6 +53,7 @@ 2.11.0 log4j-api + org.apache.logging.log4j 2.11.0 diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 2e53348..2628ef8 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -5,6 +5,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Map.Entry; import java.util.Set; import com.google.common.collect.Sets; @@ -56,6 +57,7 @@ public SingleFlowAnalysis(TaintFlowQueryImpl singleFlow, @Override public AnalysisResult run() { + TaintFlowQueryResult result = new TaintFlowQueryResult(); List>> reachMap; @@ -66,7 +68,6 @@ public AnalysisResult run() { reachMap = analyzePropogatorFlow(singleFlow); } - result.addQueryResultPairs(reachMap); return result; } @@ -81,8 +82,10 @@ public AnalysisResult run() { Seeds seeds = computeSeeds(analysisScope); if (seeds.getSources().size() != 0 && seeds.getSinks().size() != 0) { + List sanitizers = getSanitizers(singleFlow); Map oldMethodBodies = new HashMap(); + try { oldMethodBodies = setEmptySootBodies(sanitizers); reachMap = analyzeInternal(boomerang, singleFlow, seeds.getSources(), @@ -92,6 +95,7 @@ public AnalysisResult run() { entry.getKey().setActiveBody(entry.getValue())); } } + return reachMap; } @@ -106,12 +110,16 @@ public AnalysisResult run() { newQuery2 = new TaintFlowQueryImpl(); newQuery1.getFrom().addAll(singleFlow.getFrom()); + if (singleFlow.getNotThrough() != null) newQuery1.getNotThrough().addAll(singleFlow.getNotThrough()); + newQuery1.getTo().addAll(singleFlow.getThrough()); newQuery2.getFrom().addAll(singleFlow.getThrough()); + if (singleFlow.getNotThrough() != null) newQuery2.getNotThrough().addAll(singleFlow.getNotThrough()); + newQuery2.getTo().addAll(singleFlow.getTo()); List>> @@ -122,8 +130,10 @@ public AnalysisResult run() { if (reachMap1.size() != 0 && reachMap2.size() != 0) { for (DifferentTypedPair> sourcePair : reachMap1) { + for (DifferentTypedPair> sinkPair : reachMap2) { + if (isSourceAndSinkMatching(sourcePair.getSecond(), sinkPair.getSecond())) { SameTypedPair stichedPair = stitchSourceAndSink(sourcePair.getSecond(), sinkPair.getSecond()); @@ -133,6 +143,7 @@ public AnalysisResult run() { (singleFlow, stichedPair)); } } + } } @@ -140,92 +151,58 @@ public AnalysisResult run() { } private List>> - analyzeInternal(Boomerang boomerang, - TaintFlowQueryImpl flowQuery, Set sources, + analyzeInternal(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set sources, Set sinks) { List>> reachMap = new ArrayList<>(); if (sources.size() != 0 && sinks.size() != 0) { - - List> forwardResults = new ArrayList<>(); - sources.forEach(source -> forwardResults.add(boomerang.solve(source))); + + Map> forwardResults = new HashMap<>(); + sources.forEach(source -> forwardResults.put(source, boomerang.solve(source))); reachMap = getReachingPairs(boomerang, flowQuery, sinks, forwardResults); - //TODO: Discuss this. -// // Found more sinks than sources, running forward analysis -// if (sources.size() <= sinks.size()) { -// sources.forEach(source -> boomerang.solve(source)); -// reachMap = getReachingPairs(boomerang, partialFlow, sources, sinks); -// } else { -// // Found less sinks than sources, running backward analysis -// sinks.forEach(sink -> boomerang.solve(sink)); -// reachMap = getReachingPairs(boomerang, partialFlow, sinks, sources); -// } - } + } + return reachMap; } private List>> getReachingPairs(Boomerang boomerang, TaintFlowQueryImpl flowQuery, Set sinks, - List> sourceResults) { + Map> sourceResults) { List>> reachMap = new ArrayList<>(); - for (ForwardBoomerangResults sourceResult : sourceResults) { + for (Entry> sourceEntry + : sourceResults.entrySet()) { + for (BackwardQuery sink : sinks) { - if (hasSourceAliased(sourceResult, sink)) { + + if (isValidPath(sourceEntry.getValue(), sink)) { reachMap.add(new DifferentTypedPair<>( - flowQuery, getLocationDetailsPair(flowQuery, null, sink))); + flowQuery, getLocationDetailsPair(flowQuery, sourceEntry.getKey(), sink))); } + } } return reachMap; - -// for (ForwardQuery start : queries) { -// for (BackwardQuery end : reachable) { -// if (isValidPath(boomerang, start, end)) { -// reachMap.add(new DifferentTypedPair<>( -// flowQuery, getLocationDetailsPair(flowQuery, start, end))); -// -// // TODO: Discuss this. -//// if (start instanceof ForwardQuery) { -//// reachMap.add(new DifferentTypedPair<>( -//// flowQuery, getLocationDetailsPair(flowQuery, start, end))); -//// } else if (start instanceof BackwardQuery) { -//// reachMap.add(new DifferentTypedPair<>( -//// flowQuery, getLocationDetailsPair(flowQuery, end, start))); -//// } -// } -// } -// } -// return reachMap; } - private boolean hasSourceAliased(ForwardBoomerangResults sourceResult, + private boolean isValidPath(ForwardBoomerangResults sourceResult, BackwardQuery sink) { Table table = sourceResult.asStatementValWeightTable(); -// Map allocationSites = sinkResult.getAllocationSites(); -// Set alaises = sinkResult.getAllAliases(); + Edge sinkEdge = sink.cfgEdge(); + Val sinValue = sink.var(); + + return table.contains(sinkEdge, sinValue); -// Edge edge = end.cfgEdge(); -// Val value = end.var(); -// Table results = boomerang.getResults(start); - return 1==1; - } - - private boolean isValidPath(Boomerang boomerang, ForwardQuery start, BackwardQuery end) { - Edge edge = end.cfgEdge(); - Val value = end.var(); - Table results = boomerang.getResults(start); - return results.get(edge, value) == null ? false : true; } - + private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl flowQuery, Query start, Query end){ @@ -270,16 +247,21 @@ private Boomerang getBoomerang(AnalysisScope analysisScope) { } private List getSanitizers(TaintFlowQuery partFlow) { + List sanitizers = new ArrayList(); + if (partFlow.getNotThrough() != null) partFlow.getNotThrough().forEach(y -> sanitizers.add((Method)y)); + return sanitizers; } private Seeds computeSeeds(AnalysisScope analysisScope) { + Set sources = Sets.newHashSet(); Set sinks = Sets.newHashSet(); Collection computeSeeds = analysisScope.computeSeeds(); + for (Query q : computeSeeds) { if (q instanceof BackwardQuery) { sinks.add((BackwardQuery) q); @@ -287,11 +269,13 @@ private Seeds computeSeeds(AnalysisScope analysisScope) { sources.add((ForwardQuery) q); } } + return new Seeds(sources, sinks); } private Map setEmptySootBodies(List methods){ Map oldBodies = new HashMap<>(); + for (Method method : methods) { SootMethod sootMethod = Utility.getSootMethod(method); if (sootMethod != null) { @@ -305,7 +289,8 @@ private Map setEmptySootBodies(List methods){ replacementBody.insertIdentityStmts(); sootMethod.setActiveBody(replacementBody); } - } + } + return oldBodies; } @@ -353,8 +338,6 @@ private boolean isSourceAndSinkMatching(SameTypedPair sourcePai private SameTypedPair stitchSourceAndSink( SameTypedPair sourcePair, SameTypedPair sinkPair) { - SameTypedPair stichedPair = - new SameTypedPair<>(sourcePair.getFirst(), sinkPair.getSecond()); - return stichedPair; + return new SameTypedPair<>(sourcePair.getFirst(), sinkPair.getSecond()); } } \ No newline at end of file diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index 6e36394..8f2dc8c 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -16,12 +16,17 @@ import boomerang.scene.ControlFlowGraph.Edge; import boomerang.scene.Statement; import boomerang.scene.Val; +import boomerang.scene.jimple.JimpleStatement; +import boomerang.scene.jimple.JimpleVal; import boomerang.scene.jimple.SootCallGraph; import de.fraunhofer.iem.secucheck.analysis.datastructures.SameTypedPair; import de.fraunhofer.iem.secucheck.analysis.query.InputParameter; import de.fraunhofer.iem.secucheck.analysis.query.Method; import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery; +import soot.jimple.IdentityStmt; +import soot.jimple.ParameterRef; +import soot.jimple.internal.JIdentityStmt; import wpds.impl.Weight; import wpds.impl.Weight; @@ -44,11 +49,10 @@ protected Collection generate(Edge cfgEdge) { // The target statement for the current edge. Statement statement = cfgEdge.getTarget(); - Collection> sourceVariables = + Collection sourceVariables = generateSourceVariables(this.taintFlow, statement); - sourceVariables.forEach(v -> out.add( - new WeightedForwardQuery(cfgEdge, v.getFirst(), Weight.NO_WEIGHT_ONE))); + sourceVariables.forEach(v -> out.add(new ForwardQuery(cfgEdge, v ))); Collection sinkVariables = generatedSinkVariables(this.taintFlow, statement); @@ -73,27 +77,45 @@ protected Collection generate(Edge cfgEdge) { return out; } - private Collection> generateSourceVariables(TaintFlowQuery partialFlow, + private Collection generateSourceVariables(TaintFlowQuery partialFlow, Statement statement) { for (Method sourceMethod : partialFlow.getFrom()) { String sourceSootSignature = WrapInAngularBrackets(sourceMethod.getSignature()); - Collection> out = Sets.newHashSet(); + Collection out = Sets.newHashSet(); if (ToStringEquals(statement.getMethod(), sourceSootSignature) && - statement.isIdentityStmt()) { - - if (sourceMethod.getOutputParameters() != null) { - for (OutputParameter output : sourceMethod.getOutputParameters()) { - int parameterIndex = output.getNumber(); - if (statement.getRightOp().isParameterLocal(parameterIndex)){ - out.add(new SameTypedPair(statement.getLeftOp(), - statement.getRightOp())); + statement.isIdentityStmt()) { + + // Left and Right Op() methods don't work for JimpleIdentityStmt. + if (statement instanceof JimpleStatement) { + + JimpleStatement jimpleStament = (JimpleStatement) statement; + IdentityStmt identityStmt = (IdentityStmt)jimpleStament.getDelegate(); + + if (identityStmt.getRightOp() instanceof ParameterRef) { + ParameterRef parameterRef = (ParameterRef) identityStmt.getRightOp(); + + if (sourceMethod.getOutputParameters() != null) { + for (OutputParameter output : sourceMethod.getOutputParameters()) { + + int parameterIndex = output.getNumber(); + if (statement.getMethod().getParameterLocals().size() >= parameterIndex + && parameterRef.getIndex() == parameterIndex) { + + out.add(new AllocVal( + new JimpleVal(identityStmt.getLeftOp(), statement.getMethod()), + statement, + new JimpleVal(identityStmt.getRightOp(), statement.getMethod()) + )); + + } + } } } } - + return out; } else if (statement.containsInvokeExpr() @@ -102,17 +124,14 @@ && ToStringEquals(statement.getInvokeExpr().getMethod(), // Taint the return value if (sourceMethod.getReturnValue() != null && statement.isAssign()) { - out.add(new SameTypedPair(statement.getLeftOp(), - statement.getRightOp())); + out.add(new AllocVal(statement.getLeftOp(), statement, statement.getRightOp())); } if (sourceMethod.getOutputParameters() != null) { for (OutputParameter output : sourceMethod.getOutputParameters()) { int parameterIndex = output.getNumber(); if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) { - out.add(new SameTypedPair( - statement.getInvokeExpr().getArg(parameterIndex), - statement.getInvokeExpr().getArg(parameterIndex))); + out.add(statement.getInvokeExpr().getArg(parameterIndex)); } } } @@ -120,8 +139,7 @@ && ToStringEquals(statement.getInvokeExpr().getMethod(), // Taint this object if (sourceMethod.isOutputThis() && statement.getInvokeExpr().isInstanceInvokeExpr()) { - out.add(new SameTypedPair(statement.getInvokeExpr().getBase(), - statement.getInvokeExpr().getBase())); + out.add(statement.getInvokeExpr().getBase()); } return out; From f57c805a2bf4648877b649581892c2903dc98a20 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sun, 15 Nov 2020 12:10:53 +0100 Subject: [PATCH 08/10] Results return and some minor issues fixed. --- .../de/fraunhofer/iem/secucheck/analysis/sample/Main.java | 6 +++--- .../secucheck/analysis/SecucheckTaintAnalysisBase.java | 8 +++++++- .../secucheck/analysis/internal/SingleFlowAnalysis.java | 5 +++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java b/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java index f38a07f..da42884 100644 --- a/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java +++ b/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java @@ -143,9 +143,9 @@ private static void runDemoSet3(SecucheckAnalysis secucheckAnalysis, getTaintFlowQuery4())); runAnalysisQuery(secucheckAnalysis, compositeOfFirst, 1, null); - runAnalysisQuery(secucheckAnalysis, compositeOfFirstTwo, 2, null); - runAnalysisQuery(secucheckAnalysis, compositeOfFirstThree, 3, null); - runAnalysisQuery(secucheckAnalysis, compositeOfAll, 4, null); + runAnalysisQuery(secucheckAnalysis, compositeOfFirstTwo, 12, null); + runAnalysisQuery(secucheckAnalysis, compositeOfFirstThree, 13, null); + runAnalysisQuery(secucheckAnalysis, compositeOfAll, 14, null); } private static void runAnalysisQuery(SecucheckAnalysis secucheckAnalysis, diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java index 5ec13c8..5492f2f 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java @@ -237,12 +237,18 @@ private void executeAnalysis() throws Exception { //drawCallGraph(Scene.v().getCallGraph()); for (CompositeTaintFlowQueryImpl flowQuery : this.flowQueries) { + if (resultListener != null && resultListener.isCancelled()) { break; } + Analysis analysis = new CompositeTaintFlowAnalysis(sootCallGraph, flowQuery, resultListener); CompositeTaintFlowQueryResult singleResult = (CompositeTaintFlowQueryResult) analysis.run(); - this.result.addResult(flowQuery, singleResult); + + if (singleResult.size() != 0) { + this.result.addResult(flowQuery, singleResult); + } + if (resultListener != null) { resultListener.reportCompositeFlowResult((CompositeTaintFlowQueryResult) singleResult); } diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 2628ef8..3f8ba10 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -68,6 +68,7 @@ public AnalysisResult run() { reachMap = analyzePropogatorFlow(singleFlow); } + result.addQueryResultPairs(reachMap); return result; } @@ -197,9 +198,9 @@ private boolean isValidPath(ForwardBoomerangResults sourceResul Table table = sourceResult.asStatementValWeightTable(); Edge sinkEdge = sink.cfgEdge(); - Val sinValue = sink.var(); + Val sinkValue = sink.var(); - return table.contains(sinkEdge, sinValue); + return table.contains(sinkEdge, sinkValue); } From 58c32d95fb0fae6717db14968456545facdcbff0 Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Sun, 15 Nov 2020 13:03:16 +0100 Subject: [PATCH 09/10] Reporting location fix to source methods with tainted parameters. --- .../analysis/internal/SingleFlowAnalysis.java | 29 ++++++++++++++----- .../internal/SingleFlowAnalysisScope.java | 2 +- .../secucheck/analysis/internal/Utility.java | 22 +++++++++----- 3 files changed, 37 insertions(+), 16 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java index 3f8ba10..6758d7a 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java @@ -21,6 +21,7 @@ import boomerang.scene.AnalysisScope; import boomerang.scene.ControlFlowGraph.Edge; import boomerang.scene.Val; +import boomerang.scene.jimple.JimpleStatement; import boomerang.scene.jimple.SootCallGraph; import boomerang.util.AccessPath; import de.fraunhofer.iem.secucheck.analysis.Analysis; @@ -36,7 +37,9 @@ import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowQueryResult; import soot.Body; import soot.SootMethod; +import soot.jimple.IdentityStmt; import soot.jimple.JimpleBody; +import soot.jimple.ParameterRef; import soot.jimple.internal.JNopStmt; import wpds.impl.Weight; import wpds.impl.Weight.NoWeight; @@ -211,11 +214,24 @@ private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl startDetails.setSourceClassName(start.cfgEdge().getMethod().getDeclaringClass().getName()); startDetails.setMethodSignature(start.cfgEdge().getMethod().getSubSignature()); - // TODO: Confirm that the destination is always Y. - startDetails.setUsageStartLineNumber(start.cfgEdge().getY().getStartLineNumber()); - startDetails.setUsageEndLineNumber(start.cfgEdge().getY().getEndLineNumber()); - startDetails.setUsageStartColumnNumber(start.cfgEdge().getY().getStartColumnNumber()); - startDetails.setUsageEndColumnNumber(start.cfgEdge().getY().getEndColumnNumber()); + // When parameter is tainted. + // Left and Right Op() methods don't work for IdentityStmt inside JimpleStatement. + if (start.cfgEdge().getY().isIdentityStmt() && start.cfgEdge().getY() instanceof JimpleStatement) { + JimpleStatement jimpleStament = (JimpleStatement) start.cfgEdge().getY(); + IdentityStmt identityStmt = (IdentityStmt)jimpleStament.getDelegate(); + if (identityStmt.getRightOp() instanceof ParameterRef) { + SootMethod sootMethod = Utility.getSootMethod(start.cfgEdge().getY().getMethod()); + startDetails.setUsageStartLineNumber(sootMethod.getJavaSourceStartLineNumber()); + startDetails.setUsageEndLineNumber(-1); + startDetails.setUsageStartColumnNumber(sootMethod.getJavaSourceStartColumnNumber()); + startDetails.setUsageEndColumnNumber(-1); + } + } else { + startDetails.setUsageStartLineNumber(start.cfgEdge().getY().getStartLineNumber()); + startDetails.setUsageEndLineNumber(start.cfgEdge().getY().getEndLineNumber()); + startDetails.setUsageStartColumnNumber(start.cfgEdge().getY().getStartColumnNumber()); + startDetails.setUsageEndColumnNumber(start.cfgEdge().getY().getEndColumnNumber()); + } startDetails.setUsageMethodSignature(start.cfgEdge().getY().getMethod().getSubSignature()); startDetails.setUsageClassName(start.cfgEdge().getY().getMethod().getDeclaringClass().getName()); @@ -224,8 +240,7 @@ private SameTypedPair getLocationDetailsPair(TaintFlowQueryImpl LocationDetails endDetails = new LocationDetails(); endDetails.setSourceClassName(end.cfgEdge().getMethod().getDeclaringClass().getName()); endDetails.setMethodSignature(end.cfgEdge().getMethod().getSubSignature()); - - // TODO: Confirm that the destination is always Y. + endDetails.setUsageStartLineNumber(end.cfgEdge().getY().getStartLineNumber()); endDetails.setUsageEndLineNumber(end.cfgEdge().getY().getEndLineNumber()); endDetails.setUsageStartColumnNumber(end.cfgEdge().getY().getStartColumnNumber()); diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index 8f2dc8c..e342c5a 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -88,7 +88,7 @@ private Collection generateSourceVariables(TaintFlowQuery partialFlow, if (ToStringEquals(statement.getMethod(), sourceSootSignature) && statement.isIdentityStmt()) { - // Left and Right Op() methods don't work for JimpleIdentityStmt. + // Left and Right Op() methods don't work for IdentityStmt inside JimpleStatement. if (statement instanceof JimpleStatement) { JimpleStatement jimpleStament = (JimpleStatement) statement; diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/Utility.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/Utility.java index 1691801..c04454b 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/Utility.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/Utility.java @@ -4,9 +4,9 @@ import java.util.ArrayList; import java.util.List; +import boomerang.scene.WrappedClass; import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery; import de.fraunhofer.iem.secucheck.analysis.query.Method; -import de.fraunhofer.iem.secucheck.analysis.query.MethodImpl; import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery; import soot.Scene; import soot.SootClass; @@ -15,16 +15,16 @@ class Utility { - static List getMethods(CompositeTaintFlowQuery flowQuery) { - List methods = new ArrayList(); + static List getMethods(CompositeTaintFlowQuery flowQuery) { + List methods = new ArrayList<>(); for (TaintFlowQuery singleFlow: flowQuery.getTaintFlowQueries()) { methods.addAll(getMethods(singleFlow)); } return methods; } - static List getMethods(TaintFlowQuery flowQuery) { - List methods = new ArrayList(); + static List getMethods(TaintFlowQuery flowQuery) { + List methods = new ArrayList<>(); flowQuery.getFrom().forEach(y -> methods.add((Method)y)); flowQuery.getTo().forEach(y -> methods.add((Method)y)); @@ -37,7 +37,13 @@ static List getMethods(TaintFlowQuery flowQuery) { return methods; } - static SootMethod getSootMethod(Method method) { + static SootMethod getSootMethod(boomerang.scene.Method method) { + WrappedClass wrappedClass = method.getDeclaringClass(); + SootClass clazz = (SootClass) wrappedClass.getDelegate(); + return clazz.getMethod(method.getSubSignature()); + } + + static SootMethod getSootMethod(de.fraunhofer.iem.secucheck.analysis.query.Method method) { String[] signatures = method.getSignature().split(":"); SootClass sootClass = Scene.v().forceResolve(signatures[0], SootClass.BODIES); if (sootClass != null && signatures.length >= 2) { @@ -48,7 +54,7 @@ static SootMethod getSootMethod(Method method) { static SootMethod findSourceMethodDefinition(TaintFlowQuery partialFlow, SootMethod method, Stmt actualStatement) { - for (Method sourceMethod : partialFlow.getFrom()) { + for (de.fraunhofer.iem.secucheck.analysis.query.Method sourceMethod : partialFlow.getFrom()) { String sourceSootSignature = "<" + sourceMethod.getSignature() + ">"; if (method.getSignature().equals(sourceSootSignature)) { return method; @@ -62,7 +68,7 @@ static SootMethod findSourceMethodDefinition(TaintFlowQuery partialFlow, static SootMethod findSinkMethodDefinition(TaintFlowQuery partialFlow, SootMethod method, Stmt actualStatement) { - for (Method sinkMethod : partialFlow.getTo()) { + for (de.fraunhofer.iem.secucheck.analysis.query.Method sinkMethod : partialFlow.getTo()) { String sinkSootSignature = "<" + sinkMethod.getSignature() + ">"; if (actualStatement.containsInvokeExpr() && actualStatement.toString().contains(sinkSootSignature)) { From 6c12d2af542ae6621a253091c2e92ce552544afd Mon Sep 17 00:00:00 2001 From: Abdul Rehman Date: Mon, 16 Nov 2020 12:00:03 +0100 Subject: [PATCH 10/10] Anaylsis Scope is now explicitly asking for method signature from invoke expressions. --- .../internal/SingleFlowAnalysisScope.java | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java index e342c5a..ce9094f 100644 --- a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java +++ b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java @@ -60,16 +60,16 @@ protected Collection generate(Edge cfgEdge) { // Find source methods. for (Method flowMethod : this.taintFlow.getFrom()) { - if (ToStringEquals(statement.getMethod(), - WrapInAngularBrackets(flowMethod.getSignature()))) { + if (toStringEquals(statement.getMethod(), + wrapInAngularBrackets(flowMethod.getSignature()))) { sourceMethods.add(statement.getMethod()); } } // Find target methods. for (Method flowMethod : this.taintFlow.getTo()) { - if (ToStringEquals(statement.getMethod(), - WrapInAngularBrackets(flowMethod.getSignature()))) { + if (toStringEquals(statement.getMethod(), + wrapInAngularBrackets(flowMethod.getSignature()))) { sinkMethods.add(statement.getMethod()); } } @@ -82,10 +82,10 @@ private Collection generateSourceVariables(TaintFlowQuery partialFlow, for (Method sourceMethod : partialFlow.getFrom()) { - String sourceSootSignature = WrapInAngularBrackets(sourceMethod.getSignature()); + String sourceSootSignature = wrapInAngularBrackets(sourceMethod.getSignature()); Collection out = Sets.newHashSet(); - if (ToStringEquals(statement.getMethod(), sourceSootSignature) && + if (toStringEquals(statement.getMethod(), sourceSootSignature) && statement.isIdentityStmt()) { // Left and Right Op() methods don't work for IdentityStmt inside JimpleStatement. @@ -119,7 +119,7 @@ private Collection generateSourceVariables(TaintFlowQuery partialFlow, return out; } else if (statement.containsInvokeExpr() - && ToStringEquals(statement.getInvokeExpr().getMethod(), + && toStringEquals(statement.getInvokeExpr().getMethod().getSignature(), sourceSootSignature)) { // Taint the return value @@ -158,11 +158,11 @@ private Collection generatedSinkVariables(TaintFlowQuery partialFlow, for (Method sinkMethod : partialFlow.getTo()) { - String sinkSootSignature = WrapInAngularBrackets(sinkMethod.getSignature()); + String sinkSootSignature = wrapInAngularBrackets(sinkMethod.getSignature()); Collection out = Sets.newHashSet(); if (statement.containsInvokeExpr() && - ToStringEquals(statement.getInvokeExpr().getMethod(), + toStringEquals(statement.getInvokeExpr().getMethod().getSignature(), sinkSootSignature)) { // Taint the return value. @@ -190,11 +190,11 @@ private Collection generatedSinkVariables(TaintFlowQuery partialFlow, return Collections.emptySet(); } - private static String WrapInAngularBrackets(String value) { + private static String wrapInAngularBrackets(String value) { return "<" + value + ">"; } - private static boolean ToStringEquals(Object object1, Object object2) { + private static boolean toStringEquals(Object object1, Object object2) { return object1.toString().equals(object2.toString()); }