All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.scandroid.flow.functions.IFDSTaintFlowFunctionProvider Maven / Gradle / Ivy

There is a newer version: 1.6.8
Show newest version
/*
 * This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html.
 *
 * This file is a derivative of code released under the terms listed below.
 *
 */
/*
 *
 * Copyright (c) 2009-2012,
 *
 *  Adam Fuchs          
 *  Avik Chaudhuri      
 *  Steve Suh           
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * 3. The names of the contributors may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 *
 */

package org.scandroid.flow.functions;

import com.ibm.wala.classLoader.IClass;
import com.ibm.wala.classLoader.IField;
import com.ibm.wala.classLoader.IMethod;
import com.ibm.wala.dataflow.IFDS.IFlowFunction;
import com.ibm.wala.dataflow.IFDS.IFlowFunctionMap;
import com.ibm.wala.dataflow.IFDS.ISupergraph;
import com.ibm.wala.dataflow.IFDS.IUnaryFlowFunction;
import com.ibm.wala.ipa.callgraph.CGNode;
import com.ibm.wala.ipa.callgraph.propagation.InstanceKey;
import com.ibm.wala.ipa.callgraph.propagation.LocalPointerKey;
import com.ibm.wala.ipa.callgraph.propagation.PointerAnalysis;
import com.ibm.wala.ipa.callgraph.propagation.PointerKey;
import com.ibm.wala.ipa.callgraph.propagation.StaticFieldKey;
import com.ibm.wala.ipa.cfg.BasicBlockInContext;
import com.ibm.wala.ipa.cha.IClassHierarchy;
import com.ibm.wala.ssa.ISSABasicBlock;
import com.ibm.wala.ssa.SSAArrayLoadInstruction;
import com.ibm.wala.ssa.SSAArrayStoreInstruction;
import com.ibm.wala.ssa.SSAGetInstruction;
import com.ibm.wala.ssa.SSAInstruction;
import com.ibm.wala.ssa.SSAInvokeInstruction;
import com.ibm.wala.ssa.SSAPutInstruction;
import com.ibm.wala.ssa.SSAReturnInstruction;
import com.ibm.wala.types.FieldReference;
import com.ibm.wala.types.MethodReference;
import com.ibm.wala.types.TypeReference;
import com.ibm.wala.util.collections.HashMapFactory;
import com.ibm.wala.util.collections.HashSetFactory;
import com.ibm.wala.util.intset.BitVectorIntSet;
import com.ibm.wala.util.intset.IntSet;
import com.ibm.wala.util.intset.MutableIntSet;
import com.ibm.wala.util.intset.MutableSparseIntSet;
import com.ibm.wala.util.intset.OrdinalSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.scandroid.domain.CodeElement;
import org.scandroid.domain.DomainElement;
import org.scandroid.domain.FieldElement;
import org.scandroid.domain.IFDSTaintDomain;
import org.scandroid.domain.InstanceKeyElement;
import org.scandroid.domain.LocalElement;
import org.scandroid.domain.ReturnElement;
import org.scandroid.flow.types.FlowType;

/** @deprecated Replaced by TaintTransferFunctions. */
@Deprecated
public class IFDSTaintFlowFunctionProvider
    implements IFlowFunctionMap> {

  private final IFDSTaintDomain domain;
  private final ISupergraph, CGNode> graph;
  private final PointerAnalysis pa;

  public IFDSTaintFlowFunctionProvider(
      IFDSTaintDomain domain,
      ISupergraph, CGNode> graph,
      PointerAnalysis pa) {
    this.domain = domain;
    this.graph = graph;
    this.pa = pa;
  }

  // instruction has a valid def set
  private static boolean inFlow(SSAInstruction instruction) {
    return (instruction instanceof SSAArrayLoadInstruction)
        || (instruction instanceof SSAGetInstruction);
  }

  // instruction's def is getUse(0)
  private static boolean outFlow(SSAInstruction instruction) {
    return (instruction instanceof SSAArrayStoreInstruction)
        || (instruction instanceof SSAPutInstruction)
        || (instruction instanceof SSAInvokeInstruction);
  }

  // instruction is a return instruction
  private static boolean returnFlow(SSAInstruction instruction) {
    return (instruction instanceof SSAReturnInstruction);
  }

  private static class UseDefSetPair {
    public Set uses = HashSetFactory.make();
    public Set defs = HashSetFactory.make();
  }

  private class DefUse implements IUnaryFlowFunction {

    private final List useToDefList = new ArrayList<>();

    private final BasicBlockInContext bb;

    public DefUse(final BasicBlockInContext inBlock) {

      this.bb = inBlock;

      for (SSAInstruction instruction : bb) {
        handleInstruction(instruction);
      }
    }

    private void handleInstruction(SSAInstruction instruction) {
      //			System.out.println("handle instruction: "+instruction);

      UseDefSetPair p = new UseDefSetPair();
      boolean thisToResult = false;
      if (instruction instanceof SSAInvokeInstruction) {
        thisToResult = handleInvokeInstruction(instruction, p);
      }
      if (thisToResult) {
        useToDefList.add(p);
        p = new UseDefSetPair();
      }

      IClassHierarchy ch = bb.getNode().getClassHierarchy();

      if (inFlow(instruction)) {
        handleInflowInstruction(instruction, p, ch);
      } else if (outFlow(instruction)) {
        handleOutflowInstruction(instruction, p, ch);
      } else if (returnFlow(instruction)) {
        handleReturnFlowInstruction(instruction, p);
      } else {
        for (int i = 0; i < instruction.getNumberOfUses(); i++) {
          p.uses.addAll(CodeElement.valueElements(instruction.getUse(i)));
        }
        for (int j = 0; j < instruction.getNumberOfDefs(); j++) {
          p.defs.addAll(CodeElement.valueElements(instruction.getDef(j)));
        }
      }

      useToDefList.add(p);
    }

    private void handleReturnFlowInstruction(SSAInstruction instruction, UseDefSetPair p) {
      SSAReturnInstruction retInst = (SSAReturnInstruction) instruction;
      if (retInst.getNumberOfUses() > 0) {
        /* TODO: why not add instance keys, too? */
        for (int i = 0; i < instruction.getNumberOfUses(); i++) {
          // p.uses.add(new LocalElement(instruction.getUse(i)));
          p.uses.addAll(CodeElement.valueElements(instruction.getUse(i)));
        }
        p.defs.add(new ReturnElement());
      }
    }

    private boolean handleInvokeInstruction(SSAInstruction instruction, UseDefSetPair p) {
      boolean thisToResult;
      SSAInvokeInstruction invInst = (SSAInvokeInstruction) instruction;
      if (!invInst.isSpecial() && !invInst.isStatic() && instruction.getNumberOfDefs() > 0) {
        // System.out.println("adding receiver flow in "+this+" for "+invInst);
        // System.out.println("\tadding local element "+invInst.getReceiver());
        // getReceiver() == getUse(0) == param[0] == this
        p.uses.addAll(CodeElement.valueElements(invInst.getReceiver()));
        for (int i = 0; i < invInst.getNumberOfDefs(); i++) {
          // System.out.println("\tadding def local element "+invInst.getDef(i));
          // return valuenumber of invoke instruction
          p.defs.addAll(CodeElement.valueElements(invInst.getDef(i)));
        }
      }
      thisToResult = true;
      return thisToResult;
    }

    private void handleInflowInstruction(
        SSAInstruction instruction, UseDefSetPair p, IClassHierarchy ch) {
      if (instruction instanceof SSAGetInstruction) {
        handleInflowGetInstruction(instruction, p, ch);
      } else if (instruction instanceof SSAArrayLoadInstruction) {
        handleInflowArrayLoadInstruction(instruction, p);
      }
    }

    private void handleOutflowInstruction(
        SSAInstruction instruction, UseDefSetPair p, IClassHierarchy ch) {
      if (instruction instanceof SSAPutInstruction) {
        handleOutflowPutInstruction(instruction, p, ch);
      } else if (instruction instanceof SSAArrayStoreInstruction) {
        handleOutflowArrayStoreInstruction(instruction, p);
      } else if (instruction instanceof SSAInvokeInstruction) {

        handleOutflowInvokeInstruction(instruction, p);
      }
    }

    private void handleOutflowInvokeInstruction(SSAInstruction instruction, UseDefSetPair p) {
      MethodReference targetMethod =
          ((SSAInvokeInstruction) instruction).getCallSite().getDeclaredTarget();
      if (methodExcluded(targetMethod)) {
        // TODO make all parameters flow into all other
        // parameters, which could happen in the static case as well.
        if (!((SSAInvokeInstruction) instruction).isStatic()) {
          // These loops cause all parameters flow into the
          // 'this' param (due to instruction.getUse(0))
          for (int i = 1; i < instruction.getNumberOfUses(); i++) {
            p.uses.addAll(CodeElement.valueElements(instruction.getUse(i)));
          }

          if (instruction.getNumberOfUses() > 0) {
            p.defs.addAll(CodeElement.valueElements(instruction.getUse(0)));
          }
        }
      }
    }

    private void handleOutflowArrayStoreInstruction(SSAInstruction instruction, UseDefSetPair p) {
      p.uses.addAll(CodeElement.valueElements(instruction.getUse(2)));
      p.defs.addAll(CodeElement.valueElements(instruction.getUse(0)));
    }

    private void handleOutflowPutInstruction(
        SSAInstruction instruction, UseDefSetPair p, IClassHierarchy ch) {
      SSAPutInstruction pi = (SSAPutInstruction) instruction;
      PointerKey pk;
      Set elements = HashSetFactory.make();
      if (pi.isStatic()) {
        p.uses.addAll(CodeElement.valueElements(instruction.getUse(0)));
        FieldReference declaredField = pi.getDeclaredField();
        IField staticField = getStaticIField(ch, declaredField);
        if (staticField == null) {
          pk = null;
        } else {
          pk = new StaticFieldKey(staticField);
        }
      } else {
        p.uses.addAll(CodeElement.valueElements(instruction.getUse(1)));

        // this value number seems to be the object referenced in this instruction (?)
        int valueNumber = instruction.getUse(0);
        pk = new LocalPointerKey(bb.getNode(), valueNumber);

        // MyLogger.log(LogLevel.DEBUG, " instruction: "+instruction);

        // add the object that holds the field that was modified
        // to the list of things tainted by this flow:
        p.defs.addAll(CodeElement.valueElements(valueNumber));
      }
      // now add the field keys to the defs list so that they
      // are also tainted:
      if (pk != null) {
        OrdinalSet m = pa.getPointsToSet(pk);
        if (m != null) {
          for (InstanceKey instanceKey : m) {
            elements.add(new FieldElement(instanceKey, pi.getDeclaredField()));
            elements.add(new InstanceKeyElement(instanceKey));
          }
        }
        p.defs.addAll(elements);
      }
    }

    private void handleInflowArrayLoadInstruction(SSAInstruction instruction, UseDefSetPair p) {
      p.uses.addAll(CodeElement.valueElements(instruction.getUse(0)));
      p.defs.addAll(CodeElement.valueElements(instruction.getDef()));
    }

    private void handleInflowGetInstruction(
        SSAInstruction instruction, UseDefSetPair p, IClassHierarchy ch) {
      SSAGetInstruction gi = (SSAGetInstruction) instruction;

      PointerKey pk;
      FieldReference declaredField = gi.getDeclaredField();
      if (gi.isStatic()) {
        IField staticField = getStaticIField(ch, declaredField);

        if (staticField == null) {
          pk = null;
        } else {
          pk = new StaticFieldKey(staticField);
        }
      } else {
        int valueNumber = instruction.getUse(0);
        pk = new LocalPointerKey(bb.getNode(), valueNumber);
      }

      if (pk != null) {
        Set elements = HashSetFactory.make();
        OrdinalSet m = pa.getPointsToSet(pk);
        if (m != null) {
          for (InstanceKey instanceKey : m) {
            elements.add(new FieldElement(instanceKey, declaredField));
            elements.add(new InstanceKeyElement(instanceKey));
          }
        }
        p.uses.addAll(elements);
        // getinstruction only has 1 def
        p.defs.add(new LocalElement(instruction.getDef(0)));
      }
    }

    /**
     * Determines if the provide method is in the exclusions by checking the supergraph.
     *
     * @return True if the method can not be found in the supergraph.
     */
    private boolean methodExcluded(MethodReference method) {
      Collection iMethods = pa.getClassHierarchy().getPossibleTargets(method);
      return 0 == iMethods.size();
    }

    private IField getStaticIField(IClassHierarchy ch, FieldReference declaredField) {
      TypeReference staticTypeRef = declaredField.getDeclaringClass();

      IClass staticClass = ch.lookupClass(staticTypeRef);

      // referring to a static field which we don't have loaded in the class hierarchy
      // possibly ignored in the exclusions file or just not included in the scope
      if (staticClass == null) return null;

      IField staticField = staticClass.getField(declaredField.getName());
      return staticField;
    }

    private void addTargets(CodeElement d1, MutableIntSet set, FlowType taintType) {
      // System.out.println(this.toString()+".addTargets("+d1+"...)");
      for (UseDefSetPair p : useToDefList) {
        if (p.uses.contains(d1)) {
          // System.out.println("\t\tfound pair that uses "+d1);
          for (CodeElement i : p.defs) {
            // System.out.println("\t\tadding outflow "+i);
            set.add(domain.getMappedIndex(new DomainElement(i, taintType)));
          }
        }
      }
    }

    @Override
    @SuppressWarnings("unchecked")
    public IntSet getTargets(int d1) {
      // System.out.println(this.toString()+".getTargets("+d1+") "+bb);
      // BitVectorIntSet set = new BitVectorIntSet();
      MutableSparseIntSet set = MutableSparseIntSet.makeEmpty();
      set.add(d1);
      DomainElement de = domain.getMappedObject(d1);
      if (de != null) {
        addTargets(de.codeElement, set, de.taintSource);
      }
      return set;
    }
  }

  @Override
  public IUnaryFlowFunction getCallFlowFunction(
      BasicBlockInContext src, BasicBlockInContext dest, BasicBlockInContext ret) {
    assert graph.isCall(src);

    final SSAInvokeInstruction instruction = (SSAInvokeInstruction) src.getLastInstruction();

    //		String signature = dest.getMethod().getSignature();
    //		if ( dest.getMethod().isWalaSynthetic() ) {
    //			System.out.println("Synthetic: "+signature);
    //		} else {
    //			System.err.println(signature);
    //		}

    //		if ( LoaderUtils.fromLoader(src.getNode(), ClassLoaderReference.Application)
    //		  && LoaderUtils.fromLoader(dest.getNode(), ClassLoaderReference.Primordial)) {
    //			System.out.println("Call to system: "+signature);
    //		}

    //		if (! dest.getMethod().isWalaSynthetic()
    //		    && LoaderUtils.fromLoader(dest.getNode(), ClassLoaderReference.Primordial)) {
    //
    //            MyLogger.log(DEBUG,"Primordial and No Summary! (getCallFlowFunction) - " +
    // dest.getMethod().getReference());
    //		}

    final Map parameterMap = HashMapFactory.make();
    for (int i = 0; i < instruction.getNumberOfPositionalParameters(); i++) {
      Set elements = CodeElement.valueElements(instruction.getUse(i));
      for (CodeElement e : elements) {
        parameterMap.put(e, new LocalElement(i + 1));
      }
    }

    return d1 -> {
      BitVectorIntSet set = new BitVectorIntSet();
      if (d1 == 0 || !(domain.getMappedObject(d1).codeElement instanceof LocalElement)) {
        set.add(d1);
      }
      DomainElement de = domain.getMappedObject(d1);
      if (de != null && parameterMap.containsKey(de.codeElement))
        set.add(
            domain.getMappedIndex(
                new DomainElement(parameterMap.get(de.codeElement), de.taintSource)));
      return set;
    };
  }

  @Override
  public IUnaryFlowFunction getCallNoneToReturnFlowFunction(
      BasicBlockInContext src, BasicBlockInContext dest) {
    // I Believe this method is called only if there are no callees of src in the supergraph
    // if supergraph included all primordials, this method can still be called if it calls a
    // method that wasn't included in the scope

    // Assertions.UNREACHABLE();
    // TODO: Look up summary for this method, or warn if it doesn't exist.
    assert (src.getNode().equals(dest.getNode()));

    //		final SSAInvokeInstruction instruction = (SSAInvokeInstruction) src.getLastInstruction();

    //		System.out.println("call to return(no callee) method inside call graph: " +
    // src.getNode()+"--" + instruction.getDeclaredTarget());
    // System.out.println("call to system: " + instruction.getDeclaredTarget());
    return new DefUse(dest);
  }

  @Override
  public IUnaryFlowFunction getCallToReturnFlowFunction(
      BasicBlockInContext src, BasicBlockInContext dest) {
    assert (src.getNode().equals(dest.getNode()));
    // final SSAInvokeInstruction instruction = (SSAInvokeInstruction) src.getLastInstruction();
    // System.out.println("call to return method inside call graph: " +
    // instruction.getDeclaredTarget());

    return new DefUse(dest);
  }

  @Override
  public IUnaryFlowFunction getNormalFlowFunction(
      BasicBlockInContext src, BasicBlockInContext dest) {
    assert (src.getNode().equals(dest.getNode()));
    // System.out.println("getNormalFlowFuntion");
    // System.out.println("\tSrc " + src.getLastInstruction());
    // System.out.println("\tDest " + dest.getLastInstruction());
    return new DefUse(dest);
  }

  public class ReturnDefUse extends DefUse {
    CodeElement callSet;
    Set receivers = new HashSet<>();

    public ReturnDefUse(BasicBlockInContext dest, BasicBlockInContext call) {
      super(dest);

      // TODO: look into exception handling through getDef(1)
      if (call.getLastInstruction() instanceof SSAInvokeInstruction) {
        SSAInvokeInstruction invInst = (SSAInvokeInstruction) call.getLastInstruction();
        if (!invInst.isSpecial()) { // && !invInst.isStatic()) {
          //					for (int i = 0; i < invInst.getNumberOfReturnValues(); i++) {
          //
          //					}
          if (invInst.hasDef()) {
            callSet = new LocalElement(invInst.getReturnValue(0));

            if (!invInst.isStatic()) {
              // used to be invInst.getReceiver(), but I believe that was incorrect.
              receivers.addAll(CodeElement.valueElements(invInst.getReceiver()));
              // receivers.addAll(CodeElement.valueElements(pa, call.getNode(),
              // invInst.getReturnValue(0)));
            }
          }
        }
      } else {
        callSet = null;
      }
      //			// TODO: look into exception handling through getDef(1)
      //			if(call.getLastInstruction().getNumberOfDefs() == 1)
      //			{
      //				//System.out.println("\treturn defines something: "+call.getLastInstruction());
      //				callSet = new LocalElement(call.getLastInstruction().getDef(0));
      //				if(call.getLastInstruction() instanceof SSAInvokeInstruction)
      //				{
      //					SSAInvokeInstruction invInst = (SSAInvokeInstruction) call.getLastInstruction();
      //					if(!invInst.isSpecial() && !invInst.isStatic()) {
      //						receivers.addAll(CodeElement.valueElements(pa, call.getNode(),
      // invInst.getReceiver()));
      //					}
      //				}
      //			}
      //			else
      //				callSet = null;
    }

    @Override
    public IntSet getTargets(int d1) {
      if (d1 != 0 && domain.getMappedObject(d1).codeElement instanceof ReturnElement) {
        BitVectorIntSet set = new BitVectorIntSet();
        if (callSet != null) {
          //					System.out.println("callset: " + callSet);
          set.add(
              domain.getMappedIndex(
                  new DomainElement(callSet, domain.getMappedObject(d1).taintSource)));
        }
        return set;
      } else if (d1 != 0 && domain.getMappedObject(d1).codeElement instanceof LocalElement) {
        return new BitVectorIntSet();
      } else if (d1 != 0 && receivers.contains(domain.getMappedObject(d1).codeElement)) {
        BitVectorIntSet set = new BitVectorIntSet();
        if (callSet != null)
          set.add(
              domain.getMappedIndex(
                  new DomainElement(callSet, domain.getMappedObject(d1).taintSource)));
        set.addAll(super.getTargets(d1));
        return set;
      } else {
        return super.getTargets(d1);
      }
    }
  }

  @Override
  public IFlowFunction getReturnFlowFunction(
      BasicBlockInContext call, BasicBlockInContext src, BasicBlockInContext dest) {
    assert (graph.isCall(call) && graph.isReturn(dest) && call.getNode().equals(dest.getNode()));
    // final SSAInvokeInstruction instruction = (SSAInvokeInstruction) call.getLastInstruction();

    // System.out.println("Return from call to method inside call graph: " +
    // instruction.getDeclaredTarget());

    return new ReturnDefUse(dest, call);
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy