/**
 * Re-submits cached paths whose abstraction now reports a different number
 * of neighbors than the path has recorded.
 *
 * <p>For every (abstraction, path) pair in {@code pathCache}, the pair is
 * treated as stale when the abstraction's neighbor collection is non-null and
 * its size differs from the counter stored on the path. The counter is then
 * set to the current size, and one {@code AbstractionAtSink} is queued per
 * neighbor, reusing the definition and statement stored on the path.
 *
 * <p>The staleness test compares sizes only, and all current neighbors of a
 * stale pair are queued, not just those added since the last run.
 */
@Override
public void runIncrementalPathCompuation() {
    final Set<AbstractionAtSink> pending = new HashSet<>();

    for (Abstraction cached : pathCache.keySet()) {
        for (SourceContextAndPath path : pathCache.get(cached)) {
            // Skip pairs with no neighbor collection or an unchanged neighbor count.
            if (cached.getNeighbors() == null
                    || cached.getNeighbors().size() == path.getNeighborCounter()) {
                continue;
            }

            // Record the new count first, then queue every neighbor for this path.
            path.setNeighborCounter(cached.getNeighbors().size());
            for (Abstraction neighbor : cached.getNeighbors()) {
                pending.add(new AbstractionAtSink(path.getDefinition(), neighbor, path.getStmt()));
            }
        }
    }

    if (pending.isEmpty()) {
        return;
    }
    this.computeTaintPaths(pending);
}
/**
 * Runs an incremental path computation over the entries of {@code pathCache}.
 *
 * <p>A cached path is reprocessed when its abstraction has a non-null
 * neighbor collection whose size no longer matches the neighbor counter kept
 * on the path. For such a path the counter is updated and every neighbor is
 * wrapped in an {@code AbstractionAtSink} built from the path's definition and
 * statement. If at least one such element was collected, the whole set is
 * handed to {@code computeTaintPaths}.
 */
@Override
public void runIncrementalPathCompuation() {
    Set<AbstractionAtSink> toRecompute = new HashSet<>();

    for (Abstraction key : pathCache.keySet()) {
        for (SourceContextAndPath entry : pathCache.get(key)) {
            final boolean neighborCountChanged = key.getNeighbors() != null
                    && key.getNeighbors().size() != entry.getNeighborCounter();

            if (neighborCountChanged) {
                // This path has neighbors that still need to be processed.
                entry.setNeighborCounter(key.getNeighbors().size());
                for (Abstraction neighbor : key.getNeighbors()) {
                    toRecompute.add(
                            new AbstractionAtSink(entry.getDefinition(), neighbor, entry.getStmt()));
                }
            }
        }
    }

    if (!toRecompute.isEmpty()) {
        this.computeTaintPaths(toRecompute);
    }
}
// Pair the neighbor abstraction with the sink definition and sink statement
// taken from abs, so the neighbor is processed against the same sink.
AbstractionAtSink neighborAtSink = new AbstractionAtSink(abs.getSinkDefinition(), neighbor, abs.getSinkStmt());
// Obtain the path task for the neighbor; the enclosing code that consumes
// `task` is not part of this excerpt.
task = getTaintPathTask(neighborAtSink);
// Reset the path builder before starting a new computation.
pathBuilder.reset();
// Compute taint paths for the single abstraction `a` at its current statement.
// The sink definition argument is null here, so anything that later reads the
// definition of this AbstractionAtSink has to tolerate null
// (NOTE(review): confirm the consumers do).
pathBuilder.computeTaintPaths(
        Collections.singleton(new AbstractionAtSink(null, a, a.getCurrentStmt())));
/**
 * Checks whether the given taint abstraction triggers a sink at the given
 * statement and records a new result if it does.
 *
 * <p>{@code retVal} is split into its base values with
 * {@code BaseSelector.selectBaseList}. A base value is tested against the sink
 * only when the abstraction has an access path, a source/sink manager is
 * available, the abstraction is active, and the base value may alias the plain
 * value of the access path. When {@code addResult} returns {@code false} for a
 * matching sink, the {@code killState} field is set to {@code true}.
 *
 * @param d1     The context abstraction (not read by this method)
 * @param source The abstraction that has reached the given statement
 * @param stmt   The statement that was reached
 * @param retVal The value to check
 */
private void checkForSink(Abstraction d1, Abstraction source, Stmt stmt, final Value retVal) {
    // The incoming value may be a complex expression, so each simple value
    // contained in it is examined separately.
    for (Value base : BaseSelector.selectBaseList(retVal, false)) {
        final AccessPath taintedPath = source.getAccessPath();
        final ISourceSinkManager sinkOracle = getManager().getSourceSinkManager();

        // Preconditions, evaluated in the same order as a single short-circuit chain.
        if (taintedPath == null || sinkOracle == null || !source.isAbstractionActive()) {
            continue;
        }
        if (!getAliasing().mayAlias(base, taintedPath.getPlainValue())) {
            continue;
        }

        SinkInfo sinkInfo = sinkOracle.getSinkInfo(stmt, getManager(), source.getAccessPath());
        if (sinkInfo == null) {
            continue;
        }

        boolean accepted = getResults()
                .addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt));
        if (!accepted) {
            killState = true;
        }
    }
}
/**
 * Reports a leak when an active, non-static-field taint reaches a sink at a
 * call-to-return edge.
 *
 * <p>The sink lookup is performed only when the statement has no invoke
 * expression or the taint is visible inside the callee, and only when a
 * source/sink manager is configured. {@code d1} and {@code killSource} are
 * not read by this method.
 *
 * @param d1         The context abstraction
 * @param source     The abstraction that has reached the statement
 * @param stmt       The statement that was reached
 * @param killSource Unused by this rule
 * @param killAll    If non-null, its value is OR-ed with the rule's
 *                   {@code killState} field
 * @return always {@code null}
 */
@Override
public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstraction source, Stmt stmt,
        ByReferenceBoolean killSource, ByReferenceBoolean killAll) {
    // Leaks are reported for active taints only, not for alias queries, and the
    // taint must be visible inside the callee when there is one.
    if (source.isAbstractionActive()
            && !source.getAccessPath().isStaticFieldRef()
            && (!stmt.containsInvokeExpr() || isTaintVisibleInCallee(stmt, source))
            && getManager().getSourceSinkManager() != null) {
        // Ask the source/sink manager whether this statement is a sink for the taint.
        SinkInfo sinkDescriptor = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(),
                source.getAccessPath());

        if (sinkDescriptor != null) {
            // If the same taint was already seen at the same sink, there is no
            // need to propagate it any further.
            boolean accepted = getResults()
                    .addResult(new AbstractionAtSink(sinkDescriptor.getDefinition(), source, stmt));
            if (!accepted) {
                killState = true;
            }
        }
    }

    // Once in the kill state, the analysis is told to stop.
    if (killAll != null) {
        killAll.value |= killState;
    }

    return null;
}
/**
 * Checks whether a return statement is treated as a sink for the incoming
 * taint and records a result if so.
 *
 * <p>Only {@code ReturnStmt} instances are examined. The taint qualifies when
 * its access path is a local or taints sub-fields, the abstraction is active,
 * a source/sink manager is configured, and the access path's plain value may
 * alias the returned operand. {@code callerD1s}, {@code retSite} and
 * {@code callSite} are not read by this method.
 *
 * @param callerD1s The caller-side context abstractions
 * @param source    The abstraction that has reached the statement
 * @param stmt      The statement that was reached
 * @param retSite   The return site
 * @param callSite  The call site
 * @param killAll   If non-null, its value is OR-ed with the rule's
 *                  {@code killState} field
 * @return always {@code null}
 */
@Override
public Collection<Abstraction> propagateReturnFlow(Collection<Abstraction> callerD1s, Abstraction source,
        Stmt stmt, Stmt retSite, Stmt callSite, ByReferenceBoolean killAll) {
    if (stmt instanceof ReturnStmt) {
        final ReturnStmt ret = (ReturnStmt) stmt;

        // The access path must be a plain local or one that taints its sub-fields.
        boolean pathQualifies = source.getAccessPath().isLocal()
                || source.getAccessPath().getTaintSubFields();

        if (pathQualifies && source.isAbstractionActive()) {
            if (getManager().getSourceSinkManager() != null
                    && getAliasing().mayAlias(source.getAccessPath().getPlainValue(), ret.getOp())) {
                SinkInfo sinkDescriptor = getManager().getSourceSinkManager().getSinkInfo(ret, getManager(),
                        source.getAccessPath());

                if (sinkDescriptor != null) {
                    boolean accepted = getResults()
                            .addResult(new AbstractionAtSink(sinkDescriptor.getDefinition(), source, ret));
                    if (!accepted) {
                        killState = true;
                    }
                }
            }
        }
    }

    // Once in the kill state, the analysis is told to stop.
    if (killAll != null) {
        killAll.value |= killState;
    }

    return null;
}
SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), null); if (sinkInfo != null) getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt)); } else { SootMethod curMethod = getManager().getICFG().getMethodOf(stmt); SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), null); if (sinkInfo != null) getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt));
resultAbs = new AbstractionAtSink(resultAbs.getSinkDefinition(), abs, resultAbs.getSinkStmt()); Abstraction newAbs = this.results.putIfAbsentElseGet(resultAbs, resultAbs.getAbstraction()); if (newAbs != resultAbs.getAbstraction())