Exemplo n.º 1
0
  /** Expensive! */
  private void dumpCallGraphReachablesCSV() {
    try {
      FileWriter fw =
          new FileWriter(Project.v().getOutputDir() + File.separator + "reachables-count.csv");

      fw.write("Method,Reachables");

      for (MethodOrMethodContext momc : getReachableMethodContexts()) {
        if ("<clinit>".equals(momc.method().getName())) continue;

        Set<MethodOrMethodContext> c = new HashSet<MethodOrMethodContext>();
        c.add(momc);
        Filter filter = new Filter(noStaticInits);
        // filter on static initializers, hopefully they won't show in the stats,
        // or any calls that they make...
        ReachableMethods rm = new ReachableMethods(callGraph, c.iterator(), filter);
        rm.update();

        QueueReader<MethodOrMethodContext> edges = rm.listener();
        int reachables = 0;
        while (edges.hasNext()) {
          MethodOrMethodContext reachable = edges.next();
          if ("<clinit>".equals(reachable.method().getName())) continue;
          reachables++;
        }

        fw.write(momc + "|" + reachables + "\n");
      }

      fw.close();

    } catch (IOException e) {

    }
  }
Exemplo n.º 2
0
  @Override
  protected void runInternal() {
    // don't print crap to screen!
    G.v().out = new PrintStream(NullOutputStream.NULL_OUTPUT_STREAM);
    Scene.v().loadDynamicClasses();

    setSparkPointsToAnalysis();

    // other passes can print crap now
    G.v().out = System.out;

    ptsProvider = (PAG) Scene.v().getPointsToAnalysis();

    typeManager = ptsProvider.getTypeManager();

    // cache the call graph
    callGraph = Scene.v().getCallGraph();

    createNewToAllocMap();

    /*
    for (SootMethod method : getReachableMethods()) {
        Set<MethodOrMethodContext> mcs = getMethodContexts(method);
        if (mcs.size() > 30)
            System.out.println(method + " " + mcs.size());
    }
     */

    // dumpReachablesAndAllocNodes();
    // dumpCallGraphReachablesCSV();
    // dumpOutdegreesCSV();

    if (Config.v().dumpPta) {
      dumpPTA(Project.v().getOutputDir() + File.separator + "pta.txt");
    }

    if (Config.v().dumpCallGraph) {
      // dumpCallGraph(Project.v().getOutputDir() + File.separator + "callgraph.dot");
      String fileName = String.format("callgraph%d.txt", runCount++);
      dumpTextGraph(Project.v().getOutputDir() + File.separator + fileName);
    }

    // System.out.println(SparkEvaluator.v().toString());
  }
Exemplo n.º 3
0
  public static void writeReport() {
    // make sure collapsed call graph has been run
    CollaspedCallGraph.v();

    FileWriter fw;
    try {
      String name = "";
      if ("".equals(Config.v().appName)) {
        name += "android-app";
      } else {
        name += Config.v().appName;
      }

      String additionalInfo = Config.v().additionalInfo;
      if (!"".equals(additionalInfo)) {
        additionalInfo = "_" + additionalInfo.replaceAll(" ", "_");
      }

      String fileName =
          name + "_" + getConfiguration().replaceAll(" ", "_") + additionalInfo + "_pta-report.txt";

      fw = new FileWriter(Project.v().getOutputDir() + File.separator + fileName);

      // write configuration details
      fw.write("App Name: " + name + "\n");
      fw.write("Config: " + getConfiguration() + "\n");
      fw.write("Cmdline supplied extra info: " + Config.v().additionalInfo + "\n");

      fw.write(refinementStats.toString());

      // write final run of pta
      fw.write(SparkEvaluator.v().toString());

      // write total lines of code
      fw.write("\nTotal Reachable LOC: " + getReachableLines() + "\n\n");

      // write information flow
      fw.write(infoFlowResults());

      // fw.write(finegrainedFlowResults());

      fw.close();
    } catch (IOException e) {

    }
  }
Exemplo n.º 4
0
  private String buildImportantAllocs() {
    StringBuffer sb = new StringBuffer();

    for (SootClass clz : Scene.v().getClasses()) {
      if (Project.v().isSrcClass(clz)
          ||
          /*isImportantJavaAlloc(clz) ||*/
          clz.getName().startsWith(Project.DS_GENERATED_CLASSES_PREFIX)
          || clz.getName().startsWith("droidsafe.runtime")) {
        logger.info("Adding class to important alloc list of spark: {}", clz);
        sb.append(clz + ",");
      }
    }
    String ret = sb.toString();

    ret = ret.substring(0, ret.length() - 1);

    return ret;
  }
Exemplo n.º 5
0
  private void dumpOutdegreesCSV() {
    try {
      FileWriter fw =
          new FileWriter(Project.v().getOutputDir() + File.separator + "reachables-outdegree.csv");

      fw.write("Method,Outdegree");

      for (MethodOrMethodContext momc : getReachableMethodContexts()) {
        int outdegree = 0;
        Iterator<Edge> edges = callGraph.edgesOutOf(momc);
        while (edges.hasNext()) {
          edges.next();
          outdegree++;
        }

        fw.write(momc + "|" + outdegree + "\n");
      }

      fw.close();

    } catch (IOException e) {

    }
  }
Exemplo n.º 6
0
  private void dumpReachablesAndAllocNodes() {
    try {
      FileWriter fw =
          new FileWriter(Project.v().getOutputDir() + File.separator + "spark-dump.log");

      fw.write("# Reachable Method Contexts:\n\n");

      for (MethodOrMethodContext momc : getReachableMethodContexts()) {
        fw.write(momc + "\n\n");
      }

      fw.write("\n\n# AllocNodes: \n\n");
      Iterator<AllocNode> nodes = ptsProvider.getAllocNodeNumberer().iterator();
      while (nodes.hasNext()) {
        AllocNode node = nodes.next();
        fw.write(node + "\n\n");
      }

      fw.close();

    } catch (IOException e) {

    }
  }
Exemplo n.º 7
0
  private static String infoFlowResults() {
    Hierarchy hierarchy = Scene.v().getActiveHierarchy();
    SootClass throwable = Scene.v().getSootClass("java.lang.Throwable");

    StringBuffer buf = new StringBuffer();

    // count number of flows
    // have to map it down to invoke statement because of context

    // key is invoke of sink -> sources
    Map<InvokeExpr, Set<Stmt>> invokeToSourcesMem = new HashMap<InvokeExpr, Set<Stmt>>();
    // key is invoke of sink -> sources
    Map<InvokeExpr, Set<Stmt>> invokeToSourcesRec = new HashMap<InvokeExpr, Set<Stmt>>();
    // key is invoke of sink -> sources
    Map<InvokeExpr, Set<Stmt>> invokeToSourcesArgs = new HashMap<InvokeExpr, Set<Stmt>>();
    // key is invoke of sink -> sources
    Map<InvokeExpr, Set<Stmt>> invokeToSourcesArgsPrecise = new HashMap<InvokeExpr, Set<Stmt>>();

    for (Map.Entry<Method, List<Method>> block :
        RCFGToSSL.v().getSpec().getEventBlocks().entrySet()) {
      // only count events in src classes, not in libraries
      boolean inSrc = false;
      for (IAllocNode recNode : block.getKey().getReceiverAllocNodes()) {
        if (recNode.getType() instanceof RefType) {
          SootClass clz = ((RefType) recNode.getType()).getSootClass();
          if (Project.v().isSrcClass(clz)) {
            inSrc = true;
            break;
          }
        }
      }

      if (!inSrc) continue;

      for (Method oe : block.getValue()) {
        if (oe.getSinkInfoKinds().size() > 0 && oe.getSourcesInfoKinds().size() > 0) {

          // only count sensitive sinks
          Stmt sinkInvoke = JimpleRelationships.v().getEnclosingStmt(oe.getInvokeExpr());
          if (!InfoKind.callsSensitiveSink(sinkInvoke)) continue;

          // we have a sink with connected sources
          InvokeExpr ie = oe.getInvokeExpr();

          // get args
          for (int i = 0; i < oe.getNumArgs(); i++) {

            Type formalArgType = oe.getActualArgType(i);
            // ignore method arguments that have a declared type of throwable or a subclass of
            // throwable
            if (formalArgType instanceof RefType
                && !((RefType) formalArgType).getSootClass().isInterface()
                && hierarchy.isClassSubclassOfIncluding(
                    ((RefType) formalArgType).getSootClass(), throwable)) continue;

            for (Map.Entry<InfoKind, Set<Stmt>> flows :
                oe.getArgSourceInfoUnitsConservative(i).entrySet()) {
              for (Stmt source : flows.getValue()) {
                if (InfoKind.callsSensitiveSource(source)) {
                  if (!invokeToSourcesArgs.containsKey(ie)) {
                    invokeToSourcesArgs.put(ie, new HashSet<Stmt>());
                  }
                  invokeToSourcesArgs.get(ie).add(source);
                }
              }
            }

            for (Map.Entry<InfoKind, Set<Stmt>> flows :
                oe.getArgSourceInfoUnitsPrecise(i).entrySet()) {
              for (Stmt source : flows.getValue()) {
                if (InfoKind.callsSensitiveSource(source)) {
                  if (!invokeToSourcesArgsPrecise.containsKey(ie)) {
                    invokeToSourcesArgsPrecise.put(ie, new HashSet<Stmt>());
                  }
                  invokeToSourcesArgsPrecise.get(ie).add(source);
                }
              }
            }
          }
          // get receiver
          for (Map.Entry<InfoKind, Set<Stmt>> flows : oe.getReceiverSourceInfoUnits().entrySet()) {
            // ignore all non-critical flows
            for (Stmt source : flows.getValue()) {
              if (InfoKind.callsSensitiveSource(source)) {
                if (!invokeToSourcesRec.containsKey(ie)) {
                  invokeToSourcesRec.put(ie, new HashSet<Stmt>());
                }
                invokeToSourcesRec.get(ie).add(source);
              }
            }
          }
          // get method accesses
          for (Map.Entry<InfoKind, Set<Stmt>> flows : oe.getMethodInfoUnits().entrySet()) {
            // ignore all non-critical flows
            for (Stmt source : flows.getValue()) {
              if (InfoKind.callsSensitiveSource(source)) {
                if (!invokeToSourcesMem.containsKey(ie)) {
                  invokeToSourcesMem.put(ie, new HashSet<Stmt>());
                }

                invokeToSourcesMem.get(ie).add(source);
              }
            }
          }
        }
      }
    }

    // count number of flows
    int flowsIntoSinksArgs = 0;
    int flowsIntoSinksArgsPrecise = 0;
    int flowsIntoSinksMem = 0;
    int flowsIntoSinksRec = 0;

    try {
      for (Map.Entry<InvokeExpr, Set<Stmt>> sink : invokeToSourcesArgs.entrySet()) {
        flowsIntoSinksArgs += sink.getValue().size();
      }

      for (Map.Entry<InvokeExpr, Set<Stmt>> sink : invokeToSourcesArgsPrecise.entrySet()) {
        flowsIntoSinksArgsPrecise += sink.getValue().size();
      }

      for (Map.Entry<InvokeExpr, Set<Stmt>> sink : invokeToSourcesMem.entrySet()) {
        flowsIntoSinksMem += sink.getValue().size();
      }

      for (Map.Entry<InvokeExpr, Set<Stmt>> sink : invokeToSourcesRec.entrySet()) {
        flowsIntoSinksRec += sink.getValue().size();
      }

    } catch (Exception e) {

    }

    buf.append("Info Flow Time Sec: " + infoFlowTimeSec + "\n");

    buf.append("Flows into sinks (Args): " + flowsIntoSinksArgs + "\n");
    buf.append("Flows into sinks (Args, Precise): " + flowsIntoSinksArgsPrecise + "\n");
    buf.append("Flows into sinks (Mem): " + flowsIntoSinksMem + "\n");
    buf.append("Flows into sinks (Rec): " + flowsIntoSinksRec + "\n");

    buf.append(reachableSinksSources());

    return buf.toString();
  }
  @Override
  public void tranformsInvoke(
      SootMethod containingMthd, SootMethod callee, InvokeExpr invokeExpr, Stmt stmt, Body body) {

    if (!Project.v().isSrcClass(containingMthd.getDeclaringClass())) {
      return;
    }

    if (modified.contains(stmt)) {
      return;
    }
    modified.add(stmt);

    IntentResolutionStats.v().contentProviderOps++;

    Value lvalue = null;
    if (stmt instanceof AssignStmt) {
      lvalue = ((AssignStmt) stmt).getLeftOp();
    }

    Set<SootField> targetCPFields = new LinkedHashSet<SootField>();

    boolean resolved = true;

    for (IAllocNode node : PTABridge.v().getPTSetIns(invokeExpr.getArg(0))) {
      resolved = addToTargets(node, targetCPFields, stmt);

      if (!resolved) {
        UnresolvedICC.v().addInfo(stmt, callee, "Unresolved URI for Content Provider");
        // can break here because we added all possible content provider destinations
        IntentResolutionStats.v().contentProviderOpsUnresolvedUri++;
        break;
      }
    }

    // for each field of harness that is a content provider
    for (SootField cpField : targetCPFields) {
      SootClass cpClass = ((RefType) cpField.getType()).getSootClass();
      SootMethod target = cpClass.getMethod(callee.getSubSignature());

      // create local and add to body
      Local local = Jimple.v().newLocal("_$contentprovider_local_" + localID++, cpField.getType());
      body.getLocals().add(local);

      // set field of cp to local [local = harness.contentproviderfield]
      // set local to field
      Stmt localAssign =
          Jimple.v().newAssignStmt(local, Jimple.v().newStaticFieldRef(cpField.makeRef()));
      // insert before original statement
      body.getUnits().insertBefore(localAssign, stmt);

      InvokeExpr newInvoke =
          Jimple.v().newVirtualInvokeExpr(local, target.makeRef(), invokeExpr.getArgs());

      // create statement to invoke
      Stmt toInsert = null;
      if (lvalue == null) {
        // original call not in an assign;
        toInsert = Jimple.v().newInvokeStmt(newInvoke);
      } else {
        // original call in an assign
        toInsert = Jimple.v().newAssignStmt(lvalue, newInvoke);
      }
      // insert after original statement just to have all locals assigned in a block
      body.getUnits().insertAfter(toInsert, stmt);
      logger.info(
          "Adding {} call to ContentProvider {} in method {}",
          callee.getSubSignature(),
          cpClass,
          containingMthd);

      // ignore generated calls in rcfg
      RCFG.v().ignoreInvokeForOutputEvents(toInsert);
    }

    // if resolved and in app target, then don't report
    if (resolved) {
      IntentResolutionStats.v().contentProviderOpsResolvedUri++;
      if (targetCPFields.size() > 0) {
        RCFG.v().ignoreInvokeForOutputEvents(stmt);
        IntentResolutionStats.v().contentProviderOpsInAppTotalTargets += targetCPFields.size();
      } else {
        IntentResolutionStats.v().contentProviderOpsInterAppTarget++;
      }
    }
  }