@Override public String toString() { return (isAbstractionActive() ? "" : "_") + accessPath.toString() + " | " + (activationUnit == null ? "" : activationUnit.toString()) + ">>"; }
public Abstraction getActiveCopy() { if (this.isAbstractionActive()) return this; Abstraction a = clone(); a.sourceContext = null; a.activationUnit = null; return a; }
/** * Handles a taint that leaves a method at an exit node * * @param stmt * The statement at which the taint leaves the method * @param abs * The taint abstraction that leaves the method * @param cfg * The control flow graph */ protected void handleReturnFlow(Stmt stmt, Abstraction abs, IInfoflowCFG cfg) { // Check whether we must register the abstraction for post-processing // We ignore inactive abstractions if (!abs.isAbstractionActive()) return; // We record all results during the taint propagation. At this point in // time, we cannot yet decide whether a gap that references the respective // base local will later be created. addResult(abs, stmt); }
public Abstraction deriveConditionalAbstractionEnter(UnitContainer postdom, Stmt conditionalUnit) { assert this.isAbstractionActive(); if (postdominators != null && postdominators.contains(postdom)) return this; Abstraction abs = deriveNewAbstractionMutable(AccessPath.getEmptyAccessPath(), conditionalUnit); if (abs == null) return null; if (abs.postdominators == null) abs.postdominators = Collections.singletonList(postdom); else abs.postdominators.add(0, postdom); return abs; }
public Abstraction deriveInactiveAbstraction(Stmt activationUnit) { if (!flowSensitiveAliasing) { assert this.isAbstractionActive(); return this; } // If this abstraction is already inactive, we keep it if (!this.isAbstractionActive()) return this; Abstraction a = deriveNewAbstractionMutable(accessPath, null); if (a == null) return null; a.postdominators = null; a.activationUnit = activationUnit; a.dependsOnCutAP |= a.getAccessPath().isCutOffApproximation(); return a; }
public Abstraction deriveConditionalAbstractionCall(Unit conditionalCallSite) { assert this.isAbstractionActive(); assert conditionalCallSite != null; Abstraction abs = deriveNewAbstractionMutable(AccessPath.getEmptyAccessPath(), (Stmt) conditionalCallSite); if (abs == null) return null; // Postdominators are only kept intraprocedurally in order to not // mess up the summary functions with caller-side information abs.postdominators = null; return abs; }
protected Abstraction deriveNewAbstractionMutable(AccessPath p, Stmt currentStmt) { // An abstraction needs an access path if (p == null) return null; if (this.accessPath.equals(p) && this.currentStmt == currentStmt) { Abstraction abs = clone(); abs.currentStmt = currentStmt; return abs; } Abstraction abs = new Abstraction(p, this); abs.predecessor = this; abs.currentStmt = currentStmt; abs.propagationPathLength = propagationPathLength + 1; if (!abs.getAccessPath().isEmpty()) abs.postdominators = null; if (!abs.isAbstractionActive()) abs.dependsOnCutAP = abs.dependsOnCutAP || p.isCutOffApproximation(); abs.sourceContext = null; return abs; }
protected boolean registerActivationCallSite(Unit callSite, SootMethod callee, Abstraction activationAbs) { if (!manager.getConfig().getFlowSensitiveAliasing()) return false; Unit activationUnit = activationAbs.getActivationUnit(); if (activationUnit == null) return false; Set<Unit> callSites = activationUnitsToCallSites.putIfAbsentElseGet(activationUnit, new ConcurrentHashSet<Unit>()); if (callSites.contains(callSite)) return false; if (!activationAbs.isAbstractionActive()) if (!callee.getActiveBody().getUnits().contains(activationUnit)) { boolean found = false; for (Unit au : callSites) if (callee.getActiveBody().getUnits().contains(au)) { found = true; break; } if (!found) return false; } return callSites.add(callSite); }
if (!taintedPath.isAbstractionActive()) return Collections.singleton(taintedPath);
if (!abs.isAbstractionActive()) return false;
if (source.isAbstractionActive()) { if(call.getInvokeExpr().getMethod().getSignature().equals(SIG_ARRAYCOPY)) { if(params[0].equals(source.getAccessPath().getPlainValue())) {
if (source.isAbstractionActive()) { if(call.getInvokeExpr().getMethod().getSignature().equals(SIG_ARRAYCOPY)) { if(params[0].equals(source.getAccessPath().getPlainValue())) {
if (!source.isAbstractionActive()) return null;
/** * Checks whether the given taint abstraction at the given satement triggers a * sink. If so, a new result is recorded * * @param d1 The context abstraction * @param source The abstraction that has reached the given statement * @param stmt The statement that was reached * @param retVal The value to check */ private void checkForSink(Abstraction d1, Abstraction source, Stmt stmt, final Value retVal) { // The incoming value may be a complex expression. We have to look at // every simple value contained within it. for (Value val : BaseSelector.selectBaseList(retVal, false)) { final AccessPath ap = source.getAccessPath(); final ISourceSinkManager sourceSinkManager = getManager().getSourceSinkManager(); if (ap != null && sourceSinkManager != null && source.isAbstractionActive() && getAliasing().mayAlias(val, ap.getPlainValue())) { SinkInfo sinkInfo = sourceSinkManager.getSinkInfo(stmt, getManager(), source.getAccessPath()); if (sinkInfo != null && !getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt))) killState = true; } } }
@Override public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstraction source, Stmt stmt, ByReferenceBoolean killSource, ByReferenceBoolean killAll) { // We only report leaks for active taints, not for alias queries if (source.isAbstractionActive() && !source.getAccessPath().isStaticFieldRef()) { // Is the taint even visible inside the callee? if (!stmt.containsInvokeExpr() || isTaintVisibleInCallee(stmt, source)) { // Is this a sink? if (getManager().getSourceSinkManager() != null) { // Get the sink descriptor SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), source.getAccessPath()); // If we have already seen the same taint at the same sink, there is no need to // propagate this taint any further. if (sinkInfo != null && !getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt))) { killState = true; } } } } // If we are in the kill state, we stop the analysis if (killAll != null) killAll.value |= killState; return null; }
@Override public Collection<Abstraction> propagateReturnFlow(Collection<Abstraction> callerD1s, Abstraction source, Stmt stmt, Stmt retSite, Stmt callSite, ByReferenceBoolean killAll) { // Check whether this return is treated as a sink if (stmt instanceof ReturnStmt) { final ReturnStmt returnStmt = (ReturnStmt) stmt; boolean matches = source.getAccessPath().isLocal() || source.getAccessPath().getTaintSubFields(); if (matches && source.isAbstractionActive() && getManager().getSourceSinkManager() != null && getAliasing().mayAlias(source.getAccessPath().getPlainValue(), returnStmt.getOp())) { SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(returnStmt, getManager(), source.getAccessPath()); if (sinkInfo != null && !getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, returnStmt))) killState = true; } } // If we are in the kill state, we stop the analysis if (killAll != null) killAll.value |= killState; return null; }
if (!source.isAbstractionActive() && source.getCurrentStmt() == stmt) return null; if (source.getPredecessor() != null && !source.getPredecessor().isAbstractionActive() && source.isAbstractionActive() && source.getPredecessor().getActivationUnit() == stmt && source.getAccessPath().equals(source.getPredecessor().getAccessPath())) return null; InstanceFieldRef leftRef = (InstanceFieldRef) assignStmt.getLeftOp(); boolean baseAliases; if (source.isAbstractionActive()) baseAliases = getAliasing().mustAlias((Local) leftRef.getBase(), source.getAccessPath().getPlainValue(), assignStmt);
boolean aliasOverwritten = !addLeftValue && !newSource.isAbstractionActive() && Aliasing.baseMatchesStrict(rightValue, newSource) && rightValue.getType() instanceof RefType && !newSource.dependsOnCutAP(); if (!newSource.isAbstractionActive() && (assignStmt.getLeftOp().getType() instanceof PrimType || (TypeUtils.isStringType(assignStmt.getLeftOp().getType()) && !newSource.getAccessPath().getCanHaveImmutableAliases())))
AccessPath newAP = mapAccessPathIntoCallee(scap.curAP, stmt, callSite, callee, !abs.isAbstractionActive()); if (newAP != null) { scap.curAP = newAP; scap.validate(); return scap; } else if (abs.isAbstractionActive()) return null;
if (source.isAbstractionActive()) { if (source.getAccessPath().isEmpty() || source.getTopPostdominator() != null) { SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), null);