public AccessPath createAccessPath(Value val, SootField[] appendingFields, Type valType, Type[] appendingFieldTypes, boolean taintSubFields, boolean cutFirstField, boolean reduceBases, ArrayTaintType arrayTaintType) { return createAccessPath(val, appendingFields, valType, appendingFieldTypes, taintSubFields, cutFirstField, reduceBases, arrayTaintType, false); }
/** * value val gets new base, fields are preserved. * * @param original The original access path * @param val The new base value * @return This access path with the base replaced by the value given in the val * parameter */ public AccessPath copyWithNewValue(AccessPath original, Value val, Type newType, boolean cutFirstField) { return copyWithNewValue(original, val, newType, cutFirstField, true); }
/** * Initializes the data flow manager with which propagation rules can interact * with the data flow engine * * @param sourcesSinks The source/sink definitions * @param iCfg The interprocedural control flow graph * @param globalTaintManager The manager object for storing and processing * global taints * @return The data flow manager */ protected InfoflowManager initializeInfoflowManager(final ISourceSinkManager sourcesSinks, IInfoflowCFG iCfg, GlobalTaintManager globalTaintManager) { return new InfoflowManager(config, null, iCfg, sourcesSinks, taintWrapper, hierarchy, new AccessPathFactory(config), globalTaintManager); }
newAbs = source.deriveNewAbstraction(manager.getAccessPathFactory().createAccessPath(leftValue, BooleanType.v(), true, ArrayTaintType.ContentsAndLength), assignStmt); } else if (source.getAccessPath().isEmpty()) newAbs = source.deriveNewAbstraction( manager.getAccessPathFactory().createAccessPath(leftValue, true), assignStmt, true); else { AccessPath ap = manager.getAccessPathFactory().copyWithNewValue(source.getAccessPath(), leftValue, targetType, cutFirstField, true, arrayTaintType); newAbs = source.deriveNewAbstraction(ap, assignStmt);
return manager.getAccessPathFactory().createAccessPath(base, new SootField[] { field }, true); } else { final Collection<BasePair> bases = manager.getAccessPathFactory().getBaseForType(base.getType()); if (bases != null) { for (BasePair xbase : bases) { curAP.getFieldCount()); return manager.getAccessPathFactory().createAccessPath(curAP.getPlainValue(), cutFields, curAP.getBaseType(), cutFieldTypes, curAP.getTaintSubFields(), false, false, curAP.getArrayTaintType());
@Override public void computeAliasTaints(Abstraction d1, Stmt src, Value targetValue, Set<Abstraction> taintSet, SootMethod method, Abstraction newAbs) { // Use global aliasing Value baseValue = ((InstanceFieldRef) targetValue).getBase(); Set<AccessPath> aliases = methodToAliases.getUnchecked(method).get (manager.getAccessPathFactory().createAccessPath(baseValue, true)); if (aliases != null) for (AccessPath ap : aliases) { AccessPath newAP = manager.getAccessPathFactory().merge(ap, newAbs.getAccessPath()); Abstraction aliasAbs = newAbs.deriveNewAbstraction(newAP, null); if (taintSet.add(aliasAbs)) // We have found a new alias. This new base object may however yet // again alias with something, so we need to check again if (ap.isInstanceFieldRef()) { InstanceFieldRef aliasBaseVal = Jimple.v().newInstanceFieldRef (ap.getPlainValue(), ap.getFirstField().makeRef()); computeAliasTaints(d1, src, aliasBaseVal, taintSet, method, aliasAbs); } } }
AccessPath newAP = manager.getAccessPathFactory().appendFields (newAbs.getAccessPath(), appendFieldsA, appendTypesA, taintSubFields); Abstraction absCallee = newAbs.deriveNewAbstraction(newAP, stmt); && (appendFields != null && appendFields.size() > 0)) { Abstraction aliasAbsLeft = newAbs.deriveNewAbstraction( manager.getAccessPathFactory().createAccessPath(assign.getLeftOp(), appendFieldsA, taintSubFields), stmt); if (beforeActUnit) if (isAliasedAtStmt(ptsTaint, assign.getLeftOp())) { Abstraction aliasAbsRight = newAbs.deriveNewAbstraction( manager.getAccessPathFactory().createAccessPath(assign.getRightOp(), appendFieldsA, taintSubFields), stmt); if (beforeActUnit)
/** * Merges the two given access paths , i.e., adds the fields of ap2 to ap1. * * @param ap1 The access path to which to append the fields * @param ap2 The access path whose fields to append to ap1 * @return The new access path */ public AccessPath merge(AccessPath ap1, AccessPath ap2) { return appendFields(ap1, ap2.getFields(), ap2.getFieldTypes(), ap2.getTaintSubFields()); }
System.arraycopy(fields, ei, base, 0, base.length); System.arraycopy(fieldTypes, ei, baseTypes, 0, base.length); registerBase(eiType, base, baseTypes);
AccessPath ap = getManager().getAccessPathFactory().createAccessPath(leftVal, null, IntType.v(), (Type[]) null, true, false, true, ArrayTaintType.ContentsAndLength); newAbs = source.deriveNewAbstraction(ap, assignStmt); AccessPath ap = getManager().getAccessPathFactory().copyWithNewValue(source.getAccessPath(), leftVal, targetType, false, true, arrayTaintType); newAbs = source.deriveNewAbstraction(ap, assignStmt); AccessPath ap = getManager().getAccessPathFactory().copyWithNewValue(source.getAccessPath(), leftVal, null, false, true, arrayTaintType); newAbs = source.deriveNewAbstraction(ap, assignStmt); if (getAliasing().mayAlias(source.getAccessPath().getPlainValue(), newArrayExpr.getSize())) { AccessPath ap = getManager().getAccessPathFactory().copyWithNewValue(source.getAccessPath(), leftVal, null, false, true, ArrayTaintType.Length); newAbs = source.deriveNewAbstraction(ap, assignStmt);
? manager.getAccessPathFactory().getBaseForType(taintedAP.getFirstFieldType()) : manager.getAccessPathFactory().getBaseForType(taintedAP.getBaseType()); fieldIdx + base.getTypes().length, taintedAP.getFieldCount() - fieldIdx); return manager.getAccessPathFactory().createAccessPath(taintedAP.getPlainValue(), cutFields, taintedAP.getBaseType(), cutFieldTypes, taintedAP.getTaintSubFields(), false, false, taintedAP.getArrayTaintType());
public AccessPath createAccessPath(Value val, boolean taintSubFields) { return createAccessPath(val, (SootField[]) null, null, (Type[]) null, taintSubFields, false, true, ArrayTaintType.ContentsAndLength); }
AccessPath newAP = null; if (newBase.getType() instanceof PrimType || curAP.getBaseType() instanceof PrimType) newAP = manager.getAccessPathFactory().createAccessPath(newBase, true); else newAP = manager.getAccessPathFactory().copyWithNewValue(scap.curAP, newBase); if (newAP != null) { scap.curAP = newAP; newAP = manager.getAccessPathFactory().createAccessPath(rop, false); else newAP = manager.getAccessPathFactory().copyWithNewValue(scap.curAP, rop, null, false); if (newAP != null) { scap.curAP = newAP; AccessPath matchedAP = matchAccessPath(scap.curAP, ifref.getBase(), ifref.getField()); if (matchedAP != null) { AccessPath newAP = manager.getAccessPathFactory().copyWithNewValue(matchedAP, assignStmt.getRightOp(), matchedAP.getFirstFieldType(), true); if (newAP != null) { scap.curAP = manager.getAccessPathFactory().copyWithNewValue(scap.curAP, lop, null, false); matched = true; } else if (assignStmt.getRightOp() instanceof InstanceFieldRef) { AccessPath matchedAP = matchAccessPath(scap.curAP, ifref.getBase(), ifref.getField()); if (matchedAP != null) { scap.curAP = manager.getAccessPathFactory().copyWithNewValue(matchedAP, assignStmt.getLeftOp(), matchedAP.getFirstFieldType(), true); matched = true;
/** * Copies the given access path with a new base value, but retains the base type * * @param original The original access path * @param val The new value * @return The new access path with the exchanged value */ public AccessPath copyWithNewValue(AccessPath original, Value val) { return copyWithNewValue(original, val, original.getBaseType(), false); }
/** * Runs all code optimizers * * @param sourcesSinks The SourceSinkManager */ private void eliminateDeadCode(ISourceSinkManager sourcesSinks) { InfoflowManager dceManager = new InfoflowManager(config, null, icfgFactory.buildBiDirICFG(config.getCallgraphAlgorithm(), config.getEnableExceptionTracking()), null, null, null, new AccessPathFactory(config), null); // We need to exclude the dummy main method and all other artificial methods // that the entry point creator may have generated as well Set<SootMethod> excludedMethods = new HashSet<>(); if (additionalEntryPointMethods != null) excludedMethods.addAll(additionalEntryPointMethods); excludedMethods.addAll(Scene.v().getEntryPoints()); ICodeOptimizer dce = new DeadCodeEliminator(); dce.initialize(config); dce.run(dceManager, excludedMethods, sourcesSinks, taintWrapper); }
public AccessPath createAccessPath(Value val, SootField[] appendingFields, boolean taintSubFields) { return createAccessPath(val, appendingFields, null, null, taintSubFields, false, true, ArrayTaintType.ContentsAndLength); }
/** * value val gets new base, fields are preserved. * * @param original The original access path * @param val The new base value * @param reduceBases True if circular types shall be reduced to bases * @return This access path with the base replaced by the value given in the val * parameter */ public AccessPath copyWithNewValue(AccessPath original, Value val, Type newType, boolean cutFirstField, boolean reduceBases) { return copyWithNewValue(original, val, newType, cutFirstField, reduceBases, original.getArrayTaintType()); }
public AccessPath createAccessPath(Value val, Type valType, boolean taintSubFields, ArrayTaintType arrayTaintType) { return createAccessPath(val, null, valType, null, taintSubFields, false, true, arrayTaintType); }
if(params[0].equals(source.getAccessPath().getPlainValue())) { if (manager.getTypeUtils().checkCast(source.getAccessPath(), params[2].getType())) { AccessPath ap = manager.getAccessPathFactory().copyWithNewValue(source.getAccessPath(), params[2], source.getAccessPath().getBaseType(), false); Abstraction abs = source.deriveNewAbstraction(ap, call); if(params[1].equals(source.getAccessPath().getPlainValue())) { if (manager.getTypeUtils().checkCast(source.getAccessPath(), params[1].getType())) { AccessPath ap = manager.getAccessPathFactory().copyWithNewValue(source.getAccessPath(), params[1], source.getAccessPath().getBaseType(), false, true, ArrayTaintType.Length); Abstraction abs = source.deriveNewAbstraction(ap, call);
/** * Gets whether two values may potentially point to the same runtime object * * @param val1 The first value * @param val2 The second value * @return True if the two values may potentially point to the same runtime * object, otherwise false */ public boolean mayAlias(Value val1, Value val2) { // What cannot be represented in an access path cannot alias if (!AccessPath.canContainValue(val1) || !AccessPath.canContainValue(val2)) return false; // Constants can never alias if (val1 instanceof Constant || val2 instanceof Constant) return false; // If the two values are equal, they alias by definition if (val1 == val2) return true; // If we have an interactive aliasing algorithm, we check that as well if (aliasingStrategy.isInteractive()) return aliasingStrategy.mayAlias(manager.getAccessPathFactory().createAccessPath(val1, false), manager.getAccessPathFactory().createAccessPath(val2, false)); return false; }