/**
 * Builds the return-flow function for a call site: a fact that is a parameter local of the
 * callee is mapped back to the argument value(s) passed for that parameter at the call site.
 *
 * @param callSite     the call statement in the caller (must be a {@code Stmt} with an invoke expression)
 * @param calleeMethod the method being returned from; its active body supplies the parameter locals
 * @param exitStmt     the exit statement of the callee (unused here)
 * @param returnSite   the statement after the call in the caller (unused here)
 * @return a flow function mapping callee parameter locals to caller argument values
 */
@Override
public FlowFunction<Value> getReturnFlowFunction(final Unit callSite, SootMethod calleeMethod,
        final Unit exitStmt, Unit returnSite) {
    // Arguments at the call site, positionally aligned with the callee's parameter locals
    final List<Value> callArgs = ((Stmt) callSite).getInvokeExpr().getArgs();
    final int paramCount = calleeMethod.getParameterCount();
    final List<Local> paramLocals = new ArrayList<Local>(paramCount);
    for (int idx = 0; idx < paramCount; idx++) {
        paramLocals.add(calleeMethod.getActiveBody().getParameterLocal(idx));
    }
    return new FlowFunction<Value>() {
        @Override
        public Set<Value> computeTargets(Value source) {
            // Every parameter position is checked (structural equivTo), so a fact that
            // matches several parameters yields the argument of each of them.
            Set<Value> mappedArgs = new HashSet<Value>();
            int idx = 0;
            for (Local param : paramLocals) {
                if (param.equivTo(source)) {
                    mappedArgs.add(callArgs.get(idx));
                }
                idx++;
            }
            return mappedArgs;
        }
    };
}
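/**
 * Builds the call-flow function for a call edge: a fact whose value is passed as an argument at
 * the call site is mapped to the corresponding parameter local(s) of the callee, keeping the
 * fact's type component.
 * <p>
 * Previously the argument was located with {@code indexOf}, which stops at the first match; when
 * the same value is passed for more than one parameter only the first parameter received the fact
 * and the others were silently dropped (an under-approximation of the propagated facts). Every
 * argument position is now checked.
 *
 * @param src  the call statement in the caller (must be a {@code Stmt} with an invoke expression)
 * @param dest the callee; its active body supplies the parameter locals
 * @return a flow function mapping caller argument facts to callee parameter facts
 */
public FlowFunction<Pair<Value, Type>> getCallFlowFunction(final Unit src, final SootMethod dest) {
    final List<Value> callArgs = ((Stmt) src).getInvokeExpr().getArgs();
    final List<Local> paramLocals = new ArrayList<Local>(dest.getParameterCount());
    for (int i = 0; i < dest.getParameterCount(); i++) {
        paramLocals.add(dest.getActiveBody().getParameterLocal(i));
    }
    return new FlowFunction<Pair<Value, Type>>() {
        @Override
        public Set<Pair<Value, Type>> computeTargets(Pair<Value, Type> source) {
            // Static initializers and "void run()" are excluded from argument mapping,
            // exactly as before.
            if (dest.getName().equals("<clinit>") || dest.getSubSignature().equals("void run()")) {
                return Collections.emptySet();
            }
            Value value = source.getO1();
            Set<Pair<Value, Type>> targets = new HashSet<Pair<Value, Type>>();
            // Same equality as List.indexOf (value.equals(arg)), but applied to all positions
            for (int i = 0; i < callArgs.size(); i++) {
                if (value.equals(callArgs.get(i))) {
                    targets.add(new Pair<Value, Type>(paramLocals.get(i), source.getO2()));
                }
            }
            return targets;
        }
    };
}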
/**
 * Builds the call-flow function for a call edge: a tainted local that is passed as an argument
 * is mapped to every callee parameter local it is passed for.
 *
 * @param src  the call statement in the caller (must be a {@code Stmt} with an invoke expression)
 * @param dest the callee; its active body supplies the parameter locals
 * @return a flow function mapping caller argument locals to callee parameter locals
 */
@Override
public FlowFunction<Local> getCallFlowFunction(Unit src, final SootMethod dest) {
    final List<Value> callArgs = ((Stmt) src).getInvokeExpr().getArgs();
    final int paramCount = dest.getParameterCount();
    final List<Local> paramLocals = new ArrayList<Local>(paramCount);
    for (int p = 0; p < paramCount; p++) {
        paramLocals.add(dest.getActiveBody().getParameterLocal(p));
    }
    return new FlowFunction<Local>() {
        @Override
        public Set<Local> computeTargets(Local source) {
            // Implicit calls to a parameterless static initializer carry no arguments:
            // no fact can enter through them.
            boolean isStaticInit = dest.getName().equals(SootMethod.staticInitializerName)
                    && dest.getParameterCount() == 0;
            if (isStaticInit) {
                return Collections.emptySet();
            }
            // Structural match (equivTo) of the fact against each argument position
            Set<Local> taintedParams = new HashSet<Local>();
            int pos = 0;
            for (Value arg : callArgs) {
                if (arg.equivTo(source)) {
                    taintedParams.add(paramLocals.get(pos));
                }
                pos++;
            }
            return taintedParams;
        }
    };
}
if (sm.getActiveBody().getParameterLocal(i) == l) {
paramLocals.add(dest.getActiveBody().getParameterLocal(i));
/**
 * Looks up the parameter index that the given access path refers to.
 *
 * @param sm    The method whose parameter locals are checked
 * @param curAP The access path
 * @return The index of the parameter whose local is the plain value of the access path, or -1
 *         if the access path is a static field reference or does not refer to a parameter
 */
private int getParameterIndex(SootMethod sm, AccessPath curAP) {
    // A static field reference is never rooted in a parameter
    if (curAP.isStaticFieldRef()) {
        return -1;
    }
    int paramCount = sm.getParameterCount();
    // Identity comparison: the parameter local is the very same object as the access path base
    for (int idx = 0; idx < paramCount; idx++) {
        if (sm.getActiveBody().getParameterLocal(idx) == curAP.getPlainValue()) {
            return idx;
        }
    }
    return -1;
}
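/**
 * Computes the parameter locals used in the given method, one entry per use box that refers to a
 * parameter local (a parameter used several times therefore appears several times), followed by
 * the "this" local for instance methods.
 * <p>
 * The parameter locals are collected once up front; the original looked them up from the active
 * body again for every use box of every unit.
 *
 * @param method the method to inspect
 * @return the parameter uses and, for instance methods, the "this" local; empty for methods
 *         that are not concrete or have no active body
 * @throws Exception declared by the overridden loader interface; not thrown here
 */
@Override
public Local[] load(SootMethod method) throws Exception {
    // No body means no uses to collect
    if (!method.isConcrete() || !method.hasActiveBody())
        return new Local[0];
    // Snapshot of the parameter locals, read from the body exactly once
    List<Local> paramLocals = new ArrayList<Local>(method.getParameterCount());
    for (int i = 0; i < method.getParameterCount(); i++)
        paramLocals.add(method.getActiveBody().getParameterLocal(i));
    List<Local> lcs = new ArrayList<Local>(method.getParameterCount() + (method.isStatic() ? 0 : 1));
    for (Unit u : method.getActiveBody().getUnits()) {
        for (ValueBox vb : u.getUseBoxes()) {
            // Identity comparison: a use refers to a parameter iff it is the same Local object
            for (Local p : paramLocals) {
                if (p == vb.getValue()) {
                    lcs.add(p);
                    break; // at most one entry per use box
                }
            }
        }
    }
    // Add the "this" local
    if (!method.isStatic())
        lcs.add(method.getActiveBody().getThisLocal());
    return lcs.toArray(new Local[lcs.size()]);
}
});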
/**
 * Appends a statement to {@code body} that stores its second parameter (index 1) into the
 * {@code fldWhat} field of the message object held in {@code messageLocal}.
 *
 * @param body         the body to append to; must have at least two parameter locals
 * @param messageLocal the local holding the message instance whose field is written
 */
@Override
public void injectCode(Body body, Local messageLocal) {
    Jimple jimple = Jimple.v();
    // message.<fldWhat> = parameter 1
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldWhat.makeRef()),
            body.getParameterLocal(1)));
}
/**
 * Appends statements to {@code body} that store its parameters at index 1 and 2 into the
 * {@code fldWhat} and {@code fldObj} fields of the message object held in {@code messageLocal},
 * in that order.
 *
 * @param body         the body to append to; must have at least three parameter locals
 * @param messageLocal the local holding the message instance whose fields are written
 */
@Override
public void injectCode(Body body, Local messageLocal) {
    Jimple jimple = Jimple.v();
    // message.<fldWhat> = parameter 1
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldWhat.makeRef()),
            body.getParameterLocal(1)));
    // message.<fldObj> = parameter 2
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldObj.makeRef()),
            body.getParameterLocal(2)));
}
/**
 * Appends statements to {@code body} that store its parameters at index 1, 2 and 3 into the
 * {@code fldWhat}, {@code fldArg1} and {@code fldArg2} fields of the message object held in
 * {@code messageLocal}, in that order.
 *
 * @param body         the body to append to; must have at least four parameter locals
 * @param messageLocal the local holding the message instance whose fields are written
 */
@Override
public void injectCode(Body body, Local messageLocal) {
    Jimple jimple = Jimple.v();
    // message.<fldWhat> = parameter 1
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldWhat.makeRef()),
            body.getParameterLocal(1)));
    // message.<fldArg1> = parameter 2
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldArg1.makeRef()),
            body.getParameterLocal(2)));
    // message.<fldArg2> = parameter 3
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldArg2.makeRef()),
            body.getParameterLocal(3)));
}
/**
 * Appends statements to {@code body} that store its parameters at index 1, 2, 3 and 4 into the
 * {@code fldWhat}, {@code fldArg1}, {@code fldArg2} and {@code fldObj} fields of the message
 * object held in {@code messageLocal}, in that order.
 *
 * @param body         the body to append to; must have at least five parameter locals
 * @param messageLocal the local holding the message instance whose fields are written
 */
@Override
public void injectCode(Body body, Local messageLocal) {
    Jimple jimple = Jimple.v();
    // message.<fldWhat> = parameter 1
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldWhat.makeRef()),
            body.getParameterLocal(1)));
    // message.<fldArg1> = parameter 2
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldArg1.makeRef()),
            body.getParameterLocal(2)));
    // message.<fldArg2> = parameter 3
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldArg2.makeRef()),
            body.getParameterLocal(3)));
    // message.<fldObj> = parameter 4
    body.getUnits().add(jimple.newAssignStmt(
            jimple.newInstanceFieldRef(messageLocal, fldObj.makeRef()),
            body.getParameterLocal(4)));
}
/**
 * Computes the data-flow value at the entry of a called method from the value at the call site:
 * each argument is bound to the corresponding parameter local, and for instance calls the
 * receiver is bound to the callee's "this" local.
 *
 * @param context      the inter-procedural context (unused here)
 * @param calledMethod the callee; its active body supplies the parameter and "this" locals
 * @param unit         the call statement (must be a {@code Stmt} with an invoke expression)
 * @param inValue      the value before the call in the caller
 * @return the entry value of the callee
 */
@Override
public Map<Local, Constant> callEntryFlowFunction(Context<SootMethod, Unit, Map<Local, Constant>> context,
        SootMethod calledMethod, Unit unit, Map<Local, Constant> inValue) {
    // Start from the top value (the original annotates this as the empty map)
    Map<Local, Constant> entryValue = topValue();
    InvokeExpr invoke = ((Stmt) unit).getInvokeExpr();
    int argCount = invoke.getArgCount();
    // Positional binding: argument i at the call site flows into parameter local i of the callee
    for (int idx = 0; idx < argCount; idx++) {
        assign(calledMethod.getActiveBody().getParameterLocal(idx), invoke.getArg(idx), inValue, entryValue);
    }
    // Instance calls additionally bind the receiver to the callee's "this" local
    if (invoke instanceof InstanceInvokeExpr) {
        InstanceInvokeExpr instanceInvoke = (InstanceInvokeExpr) invoke;
        assign(calledMethod.getActiveBody().getThisLocal(), instanceInvoke.getBase(), inValue, entryValue);
    }
    return entryValue;
}
/**
 * Computes the sign-analysis value at the entry of a called method from the value at the call
 * site: each argument is bound to the corresponding parameter local, and for instance calls the
 * receiver is bound to the callee's "this" local.
 *
 * @param context      the inter-procedural context (unused here)
 * @param calledMethod the callee; its active body supplies the parameter and "this" locals
 * @param unit         the call statement (must be a {@code Stmt} with an invoke expression)
 * @param inValue      the value before the call in the caller
 * @return the entry value of the callee
 */
@Override
public Map<Local, SignAnalysis.Sign> callEntryFlowFunction(
        Context<SootMethod, Unit, Map<Local, SignAnalysis.Sign>> context, SootMethod calledMethod,
        Unit unit, Map<Local, SignAnalysis.Sign> inValue) {
    // Start from the top value (the original annotates this as the empty map)
    Map<Local, SignAnalysis.Sign> entryValue = topValue();
    InvokeExpr invoke = ((Stmt) unit).getInvokeExpr();
    int argCount = invoke.getArgCount();
    // Positional binding: argument i at the call site flows into parameter local i of the callee
    for (int idx = 0; idx < argCount; idx++) {
        assign(calledMethod.getActiveBody().getParameterLocal(idx), invoke.getArg(idx), inValue, entryValue);
    }
    // Instance calls additionally bind the receiver to the callee's "this" local
    if (invoke instanceof InstanceInvokeExpr) {
        InstanceInvokeExpr instanceInvoke = (InstanceInvokeExpr) invoke;
        assign(calledMethod.getActiveBody().getThisLocal(), instanceInvoke.getBase(), inValue, entryValue);
    }
    return entryValue;
}
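/**
 * Converts a taint into an access path that is valid inside a given method. This models that a
 * taint is propagated into the method and from there on in normal IFDS.
 * <p>
 * The unsupported-taint check now runs before any field/type conversion (the original converted
 * first and rejected afterwards), the two identical factory calls are merged, and the failures
 * are raised as {@link IllegalArgumentException} (a {@code RuntimeException}, so existing
 * catch clauses still apply).
 *
 * @param t  The taint to convert
 * @param sm The method in which the access path shall be created
 * @return The access path derived from the given taint and method
 * @throws IllegalArgumentException if the taint is a return value (cannot be propagated into a
 *                                  method) or is neither a parameter, field nor gap base object
 */
private AccessPath createAccessPathInMethod(Taint t, SootMethod sm) {
    // A return value cannot be propagated into a method; reject before doing any work
    if (t.isReturn())
        throw new IllegalArgumentException("Unsupported taint type");

    // Convert the taints to Soot objects
    SootField[] fields = safeGetFields(t.getAccessPath());
    Type[] types = safeGetTypes(t.getAccessPathTypes(), fields);
    Type baseType = TypeUtils.getTypeFromString(t.getBaseType());

    // The local inside sm that the access path is rooted at
    Local base;
    if (t.isParameter())
        base = sm.getActiveBody().getParameterLocal(t.getParameterIndex());
    else if (t.isField() || t.isGapBaseObject())
        base = sm.getActiveBody().getThisLocal();
    else
        throw new IllegalArgumentException("Failed to convert taint " + t);

    return manager.getAccessPathFactory().createAccessPath(base, fields, baseType, types, true, false, true,
            ArrayTaintType.ContentsAndLength);
}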
if (isConstant[i] && propagatedParameters.add(new Pair<>(sm, i))) { Local paramLocal = sm.getActiveBody().getParameterLocal(i); Unit point = getFirstNonIdentityStmt(sm); Unit assignConst = Jimple.v().newAssignStmt(paramLocal, values[i]);
/**
 * Returns a points-to graph with the locals of main initialised to
 * <tt>null</tt>, except the command-line arguments which are
 * initialised to an array of strings.
 *
 * @param entryPoint the entry method; only the scene's main method is supported for now
 *                   (checked with {@code assert}, i.e. only when assertions are enabled)
 * @return the points-to graph at the entry of main
 */
@Override
public PointsToGraph boundaryValue(SootMethod entryPoint) {
    SootMethod mainMethod = Scene.v().getMainMethod();
    // For now we only support entry to the main method
    assert entryPoint == mainMethod;

    PointsToGraph entryValue = new PointsToGraph();

    // Every reference-typed local of main starts out pointing to null
    for (Local local : mainMethod.getActiveBody().getLocals()) {
        if (local.getType() instanceof RefLikeType) {
            entryValue.assign(local, null);
        }
    }

    // The args parameter (index 0) points to a fresh, empty String array whose
    // element field is the string constant
    Local argsLocal = mainMethod.getActiveBody().getParameterLocal(0);
    NewArrayExpr argsExpr = new JNewArrayExpr(Scene.v().getRefType("java.lang.String"), IntConstant.v(0));
    entryValue.assignNew(argsLocal, argsExpr);
    entryValue.setFieldConstant(argsLocal, PointsToGraph.ARRAY_FIELD, PointsToGraph.STRING_CONST);

    return entryValue;
}
if (parameterTaintMethods.contains(currentMethod)) targetAP = manager.getAccessPathFactory().createAccessPath(currentMethod.getActiveBody() .getParameterLocal(pref.getIndex()), true);
|| apAtReturn.getBaseType() instanceof ArrayType) for (int i = 0; i < m.getParameterCount(); i++) { Local p = m.getActiveBody().getParameterLocal(i); if (apAtReturn.getPlainValue() == p) { FlowSink sink = sourceSinkFactory.createParameterSink(i, apAtReturn);
if (parameterTaintMethods != null && parameterTaintMethods.contains(currentMethod)) targetAP = manager.getAccessPathFactory() .createAccessPath(currentMethod.getActiveBody().getParameterLocal(pref.getIndex()), true);
for (int i = 0; i < callSite.getInvokeExpr().getArgCount(); i++) { if (callSite.getInvokeExpr().getArg(i) == curAP.getPlainValue()) { Local paramLocal = callee.getActiveBody().getParameterLocal(i); return manager.getAccessPathFactory().copyWithNewValue(curAP, paramLocal); SootMethod curMethod = manager.getICFG().getMethodOf(stmt); for (int i = 0; i < callSite.getInvokeExpr().getArgCount(); i++) { Local paramLocal = curMethod.getActiveBody().getParameterLocal(i); if (paramLocal == curAP.getPlainValue()) { return manager.getAccessPathFactory().copyWithNewValue(curAP, callSite.getInvokeExpr().getArg(i),