
Aliasing with casts test is failing in soot-infoflow

Open Jclavo opened this issue 2 years ago • 1 comments

Hi @StevenArzt, I am exploring soot-infoflow's tests. I managed to run 104 of them but got 32 failures, so I started to explore each folder.

For the aliasing folder (FlowDroid/soot-infoflow/securiBench/securibench/micro), the result was:

[OK] alising1: 
[OK] alising2: 
[FAIL] alising3: 
[FAIL] alising4: 
[FAIL] alising5: 
[OK] alising6: 

So let's focus on test aliasing4 (which uses a cast):

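import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import securibench.micro.BasicTestCase;
import securibench.micro.MicroTestCase;

public class Aliasing4 extends BasicTestCase implements MicroTestCase {
    private static final String FIELD_NAME = "name";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter(FIELD_NAME);    // tainted source
        Object o1 = name;                              // alias of the tainted value
        Object o2 = name.concat("abc");                // result of a library call on the tainted value
        Object o3 = "anc";                             // constant, never tainted

        PrintWriter writer = resp.getWriter();
        writer.println(o1);                              /* BAD */
        writer.println(o2);                              /* BAD */
        writer.println(o3);                              /* OK */
    }

    public String getDescription() {
        return "simple aliasing with casts";
    }

    public int getVulnerabilityCount() {
        return 1;
    }
}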

It only flags writer.println(o1); as bad, but not writer.println(o2);

UPDATE

While exploring the basic folder, I found some similar errors, and my first conclusion is that every time a TAINTED var does an operation like:

String name = req.getParameter(FIELD_NAME);
String s1 = name.concat("abc");
writer.println(s1);

String name = req.getParameter(FIELD_NAME);
String s1 = name.toString();
writer.println(s1);

String name = req.getParameter(FIELD_NAME);
String s1 = name.toLowerCase();
writer.println(s1);

the var loses its TAINTED status.

Do you have any idea of what could be happening?

CONFIG

I am using the latest FlowDroid dependency:

<dependency>
    <groupId>de.fraunhofer.sit.sse.flowdroid</groupId>
    <artifactId>soot-infoflow</artifactId>
    <version>2.10.0</version>
</dependency>

Jclavo, Feb 23 '23 23:02

If you lose taints over library calls, it might be due to the called class containing the method being phantom (aka Soot found references to the class but couldn't find the bytecode and thus, can't resolve the method body). Either configure Soot to find the bytecode of the library or preferably, use a taint wrapper that has a summary for the methods.

t1mlange, Feb 24 '23 11:02
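The taint loss discussed in this thread, as an added example that is not part of the issue and not FlowDroid's code: a simplified Python model of Aliasing4.doGet in which every callee is phantom, run once without and once with a method summary. The statement encoding, `find_leaks` and `STRING_SUMMARIES` are hypothetical names introduced for illustration.

```python
# Simplified model of taint tracking across a library call (illustration only,
# not FlowDroid's algorithm). The statements mirror Aliasing4.doGet.
CONCAT = "<java.lang.String: java.lang.String concat(java.lang.String)>"
TO_STRING = "<java.lang.String: java.lang.String toString()>"
TO_LOWER = "<java.lang.String: java.lang.String toLowerCase()>"

ALIASING4 = [
    ("source", "name"),              # name = req.getParameter(FIELD_NAME)
    ("assign", "o1", "name"),        # o1 = name
    ("call", "o2", "name", CONCAT),  # o2 = name.concat("abc")
    ("const", "o3"),                 # o3 = "anc"
    ("sink", "o1"),                  # writer.println(o1)  BAD
    ("sink", "o2"),                  # writer.println(o2)  BAD
    ("sink", "o3"),                  # writer.println(o3)  OK
]

# Hypothetical summary table playing the role of a taint wrapper:
# method signature -> taint on the receiver flows to the return value.
STRING_SUMMARIES = {CONCAT: True, TO_STRING: True, TO_LOWER: True}


def _mark(tainted, var, is_tainted):
    """Record the taint state of `var` after it has been (re)assigned."""
    if is_tainted:
        tainted.add(var)
    else:
        tainted.discard(var)


def find_leaks(stmts, summaries=None):
    """Return the variables that are tainted when they reach a sink.

    Every callee is treated as phantom (no body to analyse), so a call
    propagates taint only when `summaries` has an entry for its signature.
    """
    summaries = summaries or {}
    tainted, leaks = set(), []
    for stmt in stmts:
        kind, target = stmt[0], stmt[1]
        if kind == "source":
            _mark(tainted, target, True)
        elif kind == "assign":
            _mark(tainted, target, stmt[2] in tainted)
        elif kind == "const":
            _mark(tainted, target, False)
        elif kind == "call":
            base, sig = stmt[2], stmt[3]
            _mark(tainted, target, base in tainted and summaries.get(sig, False))
        elif kind == "sink" and target in tainted:
            leaks.append(target)
    return leaks
```

Without summaries the model reports only `o1`, which matches the result in the issue; with a summary for `concat` it reports both `o1` and `o2`.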