All Downloads are FREE. Search and download functionalities are using the official Maven repository.

soot.jimple.infoflow.problems.rules.ImplicitPropagtionRule Maven / Gradle / Ivy

package soot.jimple.infoflow.problems.rules;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import soot.Local;
import soot.SootMethod;
import soot.Unit;
import soot.Value;
import soot.ValueBox;
import soot.jimple.Constant;
import soot.jimple.DefinitionStmt;
import soot.jimple.FieldRef;
import soot.jimple.IfStmt;
import soot.jimple.LookupSwitchStmt;
import soot.jimple.ReturnStmt;
import soot.jimple.Stmt;
import soot.jimple.TableSwitchStmt;
import soot.jimple.infoflow.InfoflowManager;
import soot.jimple.infoflow.collect.ConcurrentHashSet;
import soot.jimple.infoflow.collect.MyConcurrentHashMap;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.data.AbstractionAtSink;
import soot.jimple.infoflow.data.AccessPath;
import soot.jimple.infoflow.problems.TaintPropagationResults;
import soot.jimple.infoflow.solver.cfg.IInfoflowCFG.UnitContainer;
import soot.jimple.infoflow.sourcesSinks.manager.SinkInfo;
import soot.jimple.infoflow.util.ByReferenceBoolean;

/**
 * Rule for propagating implicit taints
 * 
 * @author Steven Arzt
 *
 */
public class ImplicitPropagtionRule extends AbstractTaintPropagationRule {

	private final MyConcurrentHashMap> implicitTargets = new MyConcurrentHashMap>();

	public ImplicitPropagtionRule(InfoflowManager manager, Abstraction zeroValue, TaintPropagationResults results) {
		super(manager, zeroValue, results);
	}

	@Override
	public Collection propagateNormalFlow(Abstraction d1, Abstraction source, Stmt stmt, Stmt destStmt,
			ByReferenceBoolean killSource, ByReferenceBoolean killAll) {
		// Do not process zero abstractions
		if (source == getZeroValue())
			return null;

		// Check whether we must leave a conditional branch
		if (leavesConditionalBranch(stmt, source, killAll))
			return null;

		// We only consider active abstractions
		if (!source.isAbstractionActive())
			return null;

		// If we are in a conditionally-called method, there is no
		// need to care about further conditionals, since all
		// assignment targets will be tainted anyway
		if (source.getAccessPath().isEmpty())
			return null;

		// If we get from the current statement to the next one via an
		// exceptional edge and the current statement uses some tainted
		// operand, we assume that whether the exception is thrown or not
		// can potentially depend on the tainted data. Thus, this constitutes
		// an implicit flow.
		final Value condition;
		final Set values = new HashSet();
		if (getManager().getICFG().isExceptionalEdgeBetween(stmt, destStmt)) {
			for (ValueBox box : stmt.getUseBoxes())
				values.add(box.getValue());
		} else {
			// Get the operand
			if (stmt instanceof IfStmt)
				condition = ((IfStmt) stmt).getCondition();
			else if (stmt instanceof LookupSwitchStmt)
				condition = ((LookupSwitchStmt) stmt).getKey();
			else if (stmt instanceof TableSwitchStmt)
				condition = ((TableSwitchStmt) stmt).getKey();
			else
				return null;

			if (condition instanceof Local)
				values.add(condition);
			else
				for (ValueBox box : condition.getUseBoxes())
					values.add(box.getValue());
		}

		Set res = null;
		for (Value val : values)
			if (getAliasing().mayAlias(val, source.getAccessPath().getPlainValue())) {
				// ok, we are now in a branch that depends on a secret value.
				// We now need the postdominator to know when we leave the
				// branch again.
				UnitContainer postdom = getManager().getICFG().getPostdominatorOf(stmt);
				if (!(postdom.getMethod() == null && source.getTopPostdominator() != null && getManager().getICFG()
						.getMethodOf(postdom.getUnit()) == source.getTopPostdominator().getMethod())) {
					Abstraction newAbs = source.deriveConditionalAbstractionEnter(postdom, stmt);

					if (res == null)
						res = new HashSet();
					res.add(newAbs);
					break;
				}
			}

		return res;
	}

	/**
	 * Checks whether the given abstraction at the given statement leaves a
	 * conditional branch
	 * 
	 * @param stmt    The statement to check
	 * @param source  The abstraction arriving at the given statement
	 * @param killAll The by-value boolean to receive whether all taints shall be
	 *                removed
	 * @return True if the given abstraction at the given statement leaves a
	 *         conditional branch, otherwise false
	 */
	private boolean leavesConditionalBranch(Stmt stmt, Abstraction source, ByReferenceBoolean killAll) {
		// Check whether we must leave a conditional branch
		if (source.isTopPostdominator(stmt)) {
			source = source.dropTopPostdominator();
			// Have we dropped the last postdominator for an empty taint?
			if (source.getAccessPath().isEmpty() && source.getTopPostdominator() == null) {
				if (killAll != null)
					killAll.value = true;
				return true;
			}
		}
		return false;
	}

	@Override
	public Collection propagateCallFlow(Abstraction d1, Abstraction source, Stmt stmt, SootMethod dest,
			ByReferenceBoolean killAll) {
		// Do not process zero abstractions
		if (source == getZeroValue())
			return null;

		// Check whether we must leave a conditional branch
		if (leavesConditionalBranch(stmt, source, killAll))
			return null;

		// If we have already tracked implicit flows through this method,
		// there is no point in tracking explicit ones afterwards as well.
		if (implicitTargets.containsKey(stmt) && (d1 == null || implicitTargets.get(stmt).contains(d1))) {
			if (killAll != null)
				killAll.value = true;
			return null;
		}

		// If no parameter is tainted, but we are in a conditional, we create a
		// pseudo abstraction. We do not map parameters if we are handling an
		// implicit flow anyway.
		if (source.getAccessPath().isEmpty()) {
			// Block the call site for further explicit tracking
			if (d1 != null) {
				Set callSites = implicitTargets.putIfAbsentElseGet(stmt,
						new ConcurrentHashSet());
				callSites.add(d1);
			}

			Abstraction abs = source.deriveConditionalAbstractionCall(stmt);
			return Collections.singleton(abs);
		}
		// If we are already inside a conditional call, we don't need to
		// propagate anything
		else if (source.getTopPostdominator() != null) {
			if (killAll != null)
				killAll.value = true;
			return null;
		}

		return null;
	}

	@Override
	public Collection propagateCallToReturnFlow(Abstraction d1, Abstraction source, Stmt stmt,
			ByReferenceBoolean killSource, ByReferenceBoolean killAll) {
		// Do not process zero abstractions
		if (source == getZeroValue())
			return null;

		// Check whether we must leave a conditional branch
		if (leavesConditionalBranch(stmt, source, killAll))
			return null;

		// If we are inside a conditional branch, we consider every sink call a
		// leak
		if (source.isAbstractionActive()) {
			if (source.getAccessPath().isEmpty() || source.getTopPostdominator() != null) {
				SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), null);
				if (sinkInfo != null)
					getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt));
			} else {
				SootMethod curMethod = getManager().getICFG().getMethodOf(stmt);
				if (!curMethod.isStatic() && source.getAccessPath().getFirstField() == null && getAliasing()
						.mayAlias(curMethod.getActiveBody().getThisLocal(), source.getAccessPath().getPlainValue())) {
					SinkInfo sinkInfo = getManager().getSourceSinkManager().getSinkInfo(stmt, getManager(), null);
					if (sinkInfo != null)
						getResults().addResult(new AbstractionAtSink(sinkInfo.getDefinition(), source, stmt));
				}
			}
		}

		// Implicit flows: taint return value
		if (stmt instanceof DefinitionStmt) {
			// If we have an implicit flow, but the assigned
			// local is never read outside the condition, we do
			// not need to taint it.
			boolean implicitTaint = source.getTopPostdominator() != null
					&& source.getTopPostdominator().getUnit() != null;
			implicitTaint |= source.getAccessPath().isEmpty();

			if (implicitTaint) {
				Value leftVal = ((DefinitionStmt) stmt).getLeftOp();

				// We can skip over all local assignments inside conditionally-
				// called functions since they are not visible in the caller
				// anyway
				if ((d1 == null || d1.getAccessPath().isEmpty()) && !(leftVal instanceof FieldRef))
					return null;

				Abstraction abs = source.deriveNewAbstraction(
						getManager().getAccessPathFactory().createAccessPath(leftVal, true), stmt);
				return Collections.singleton(abs);
			}
		}
		return null;
	}

	@Override
	public Collection propagateReturnFlow(Collection callerD1s, Abstraction source,
			Stmt returnStmt, Stmt retSite, Stmt callSite, ByReferenceBoolean killAll) {
		// Are we inside a conditionally-called method?
		boolean callerD1sConditional = false;
		for (Abstraction d1 : callerD1s)
			if (d1.getAccessPath().isEmpty()) {
				callerD1sConditional = true;
				break;
			}

		// Empty access paths are never propagated over return edges
		if (source.getAccessPath().isEmpty()) {
			// If we return a constant, we must taint it
			if (returnStmt instanceof ReturnStmt && ((ReturnStmt) returnStmt).getOp() instanceof Constant)
				if (callSite instanceof DefinitionStmt) {
					DefinitionStmt def = (DefinitionStmt) callSite;
					AccessPath ap = getManager().getAccessPathFactory().copyWithNewValue(source.getAccessPath(),
							def.getLeftOp());
					Abstraction abs = source.deriveNewAbstraction(ap, returnStmt);

					Set res = new HashSet();
					res.add(abs);

					// If we taint a return value because it is implicit,
					// we must trigger an alias analysis
					if (manager.getAliasing().canHaveAliases(def, def.getLeftOp(), abs) && !callerD1sConditional)
						for (Abstraction d1 : callerD1s)
							getAliasing().computeAliases(d1, returnStmt, def.getLeftOp(), res,
									getManager().getICFG().getMethodOf(callSite), abs);
					return res;
				}

			// Kill the empty abstraction
			killAll.value = true;
			return null;
		}

		// if we have a returnStmt we have to look at the returned value:
		if (returnStmt instanceof ReturnStmt && callSite instanceof DefinitionStmt) {
			DefinitionStmt defnStmt = (DefinitionStmt) callSite;
			Value leftOp = defnStmt.getLeftOp();

			// Are we still inside a conditional? We check this before we
			// leave the method since the return value is still assigned
			// inside the method.
			boolean insideConditional = source.getTopPostdominator() != null || source.getAccessPath().isEmpty();

			if (insideConditional && leftOp instanceof FieldRef) {
				AccessPath ap = getManager().getAccessPathFactory().copyWithNewValue(source.getAccessPath(), leftOp);
				Abstraction abs = source.deriveNewAbstraction(ap, returnStmt);

				// Aliases of implicitly tainted variables must be mapped back
				// into the caller's context on return when we leave the last
				// implicitly-called method
				if (abs.isImplicit() && abs.getAccessPath().isFieldRef() && !callerD1sConditional) {
					Set res = new HashSet<>();
					res.add(abs);
					for (Abstraction d1 : callerD1s)
						getAliasing().computeAliases(d1, callSite, leftOp, res,
								getManager().getICFG().getMethodOf(callSite), abs);
				}

				return Collections.singleton(abs);
			}
		}

		return null;
	}

}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy