Support for multiple pseudoconstants and fragment types

Author: MarcMil

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/AbstractCallbackAnalyzer.java

@@ -18,6 +18,7 @@
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -523,31 +524,27 @@ protected void analyzeMethodForFragmentTransaction(SootClass lifecycleElement, S
 
 		// first check if there is a Fragment manager, a fragment transaction
 		// and a call to the add method which adds the fragment to the transaction
-		boolean isFragmentManager = false;
-		boolean isFragmentTransaction = false;
-		boolean isAddTransaction = false;
+		boolean isAddOrReplaceTransaction = false;
 		for (Unit u : method.getActiveBody().getUnits()) {
 			Stmt stmt = (Stmt) u;
 			if (stmt.containsInvokeExpr()) {
 				final String methodName = stmt.getInvokeExpr().getMethod().getName();
-				if (methodName.equals("getFragmentManager") || methodName.equals("getSupportFragmentManager"))
-					isFragmentManager = true;
-				else if (methodName.equals("beginTransaction"))
-					isFragmentTransaction = true;
-				else if (methodName.equals("add") || methodName.equals("replace"))
-					isAddTransaction = true;
+				if (methodName.equals("add") || methodName.equals("replace"))
+					isAddOrReplaceTransaction = true;
 				else if (methodName.equals("inflate") && stmt.getInvokeExpr().getArgCount() > 1) {
 					Value arg = stmt.getInvokeExpr().getArg(0);
-					Integer fragmentID = valueProvider.getValue(method, stmt, arg, Integer.class);
-					if (fragmentID != null)
-						fragmentIDs.put(lifecycleElement, fragmentID);
+					Set<Integer> fragmentID = valueProvider.getValue(method, stmt, arg, Integer.class);
+					if (fragmentID != null) {
+						for (int f : fragmentID)
+							fragmentIDs.put(lifecycleElement, f);
+					}
 				}
 			}
 		}
 
 		// now get the fragment class from the second argument of the add method
 		// from the transaction
-		if (isFragmentManager && isFragmentTransaction && isAddTransaction)
+		if (isAddOrReplaceTransaction)
 			for (Unit u : method.getActiveBody().getUnits()) {
 				Stmt stmt = (Stmt) u;
 				if (stmt.containsInvokeExpr()) {
@@ -557,34 +554,56 @@ else if (methodName.equals("inflate") && stmt.getInvokeExpr().getArgCount() > 1)
 
 						// Make sure that we referring to the correct class and
 						// method
-						isFragmentTransaction = scFragmentTransaction != null && Scene.v().getFastHierarchy()
+						boolean isFragmentTransaction = scFragmentTransaction != null && Scene.v().getFastHierarchy()
 								.canStoreType(iinvExpr.getBase().getType(), scFragmentTransaction.getType());
 						isFragmentTransaction |= scSupportFragmentTransaction != null && Scene.v().getFastHierarchy()
 								.canStoreType(iinvExpr.getBase().getType(), scSupportFragmentTransaction.getType());
 						isFragmentTransaction |= scAndroidXFragmentTransaction != null && Scene.v().getFastHierarchy()
 								.canStoreType(iinvExpr.getBase().getType(), scAndroidXFragmentTransaction.getType());
-						isAddTransaction = stmt.getInvokeExpr().getMethod().getName().equals("add")
+						isAddOrReplaceTransaction = stmt.getInvokeExpr().getMethod().getName().equals("add")
 								|| stmt.getInvokeExpr().getMethod().getName().equals("replace");
 
-						if (isFragmentTransaction && isAddTransaction) {
+						if (isFragmentTransaction && isAddOrReplaceTransaction) {
 							// We take all fragments passed to the method
 							for (int i = 0; i < stmt.getInvokeExpr().getArgCount(); i++) {
 								Value br = stmt.getInvokeExpr().getArg(i);
 
-								// Is this a fragment?
-								if (br.getType() instanceof RefType) {
-									RefType rt = (RefType) br.getType();
-									if (br instanceof ClassConstant)
-										rt = (RefType) ((ClassConstant) br).toSootType();
-
-									boolean addFragment = scFragment != null
-											&& Scene.v().getFastHierarchy().canStoreType(rt, scFragment.getType());
-									addFragment |= scSupportFragment != null && Scene.v().getFastHierarchy()
-											.canStoreType(rt, scSupportFragment.getType());
-									addFragment |= scAndroidXFragment != null && Scene.v().getFastHierarchy()
-											.canStoreType(rt, scAndroidXFragment.getType());
-									if (addFragment)
-										checkAndAddFragment(method.getDeclaringClass(), rt.getSootClass());
+								Type pt = stmt.getInvokeExpr().getMethodRef().getParameterType(i);
+								if (pt instanceof RefType) {
+									RefType rpt = (RefType) pt;
+									//skip tag parameter
+									if (rpt.getClassName().equals("java.lang.String"))
+										continue;
+									Set<Type> possibleTypes = Collections.emptySet();
+									if (((RefType) pt).getSootClass().getName().equals("java.lang.Class")) {
+										Set<ClassConstant> ct = valueProvider.getValue(method, stmt, br,
+												ClassConstant.class);
+										if (ct != null) {
+											possibleTypes = new HashSet<>();
+											for (ClassConstant p : ct) {
+												possibleTypes.add((RefType) (p.toSootType()));
+											}
+										}
+
+									} else {
+										possibleTypes = valueProvider.getType(method, stmt, br);
+									}
+
+									for (Type t : possibleTypes) {
+										if (t instanceof RefType) {
+											RefType frt = (RefType) t;
+											// Is this a fragment?
+											boolean addFragment = scFragment != null && Scene.v().getFastHierarchy()
+													.canStoreType(frt, scFragment.getType());
+											addFragment |= scSupportFragment != null && Scene.v().getFastHierarchy()
+													.canStoreType(frt, scSupportFragment.getType());
+											addFragment |= scAndroidXFragment != null && Scene.v().getFastHierarchy()
+													.canStoreType(frt, scAndroidXFragment.getType());
+											if (addFragment)
+												checkAndAddFragment(method.getDeclaringClass(), frt.getSootClass());
+										}
+									}
+
 								}
 							}
 						}

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/DefaultCallbackAnalyzer.java

@@ -270,17 +270,19 @@ private void findClassLayoutMappings() {
 															// the
 															// fragments
 							for (Value val : inv.getArgs()) {
-								Integer intValue = valueProvider.getValue(sm, stmt, val, Integer.class);
-								if (intValue != null) {
-									this.layoutClasses.put(sm.getDeclaringClass(), intValue);
+								Set<Integer> intValues = valueProvider.getValue(sm, stmt, val, Integer.class);
+								if (intValues != null) {
+									for (int iv : intValues)
+										this.layoutClasses.put(sm.getDeclaringClass(), iv);
 								}
 
 							}
 						}
 						if (invokesInflate(inv)) {
-							Integer intValue = valueProvider.getValue(sm, stmt, inv.getArg(0), Integer.class);
-							if (intValue != null) {
-								this.layoutClasses.put(sm.getDeclaringClass(), intValue);
+							Set<Integer> intValues = valueProvider.getValue(sm, stmt, inv.getArg(0), Integer.class);
+							if (intValues != null) {
+								for (int iv : intValues)
+									this.layoutClasses.put(sm.getDeclaringClass(), iv);
 							}
 						}
 					}

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/FastCallbackAnalyzer.java

@@ -76,9 +76,10 @@ private void findClassLayoutMappings() {
 								InvokeExpr inv = stmt.getInvokeExpr();
 								if (invokesSetContentView(inv)) {
 									for (Value val : inv.getArgs()) {
-										Integer intValue = valueProvider.getValue(sm, stmt, val, Integer.class);
-										if (intValue != null) {
-											this.layoutClasses.put(sm.getDeclaringClass(), intValue);
+										Set<Integer> intValues = valueProvider.getValue(sm, stmt, val, Integer.class);
+										if (intValues != null) {
+											for (int iv : intValues)
+												this.layoutClasses.put(sm.getDeclaringClass(), iv);
 										}
 									}
 								}

soot-infoflow-android/src/soot/jimple/infoflow/android/source/AndroidSourceSinkManager.java

@@ -320,7 +320,7 @@ private String findLastStringAssignment(Stmt stmt, Local local, BiDiInterprocedu
 	 * @return The layout control that is being accessed at the given statement, or
 	 *         <code>null</code> if no such control could be found
 	 */
-	protected AndroidLayoutControl getLayoutControl(Stmt sCallSite, IInfoflowCFG cfg) {
+	protected Set<AndroidLayoutControl> getLayoutControl(Stmt sCallSite, IInfoflowCFG cfg) {
 		// If we don't have a layout control list, we cannot perform any
 		// more specific checks
 		if (this.layoutControls == null)
@@ -340,21 +340,27 @@ protected AndroidLayoutControl getLayoutControl(Stmt sCallSite, IInfoflowCFG cfg
 			return null;
 		}
 
-		Integer id = valueProvider.getValue(uiMethod, sCallSite, iexpr.getArg(0), Integer.class);
-		if (id == null && iexpr.getArg(0) instanceof Local) {
-			id = findLastResIDAssignment(sCallSite, (Local) iexpr.getArg(0), cfg,
+		Set<Integer> ids = valueProvider.getValue(uiMethod, sCallSite, iexpr.getArg(0), Integer.class);
+		if ((ids == null || ids.isEmpty()) && iexpr.getArg(0) instanceof Local) {
+			Integer id = findLastResIDAssignment(sCallSite, (Local) iexpr.getArg(0), cfg,
 					new HashSet<Stmt>(cfg.getMethodOf(sCallSite).getActiveBody().getUnits().size()));
+			if (id != null)
+				ids = Collections.singleton(id);
 		}
-		if (id == null) {
+		if (ids == null || ids.isEmpty()) {
 			logger.debug("Could not find assignment to local " + ((Local) iexpr.getArg(0)).getName() + " in method "
 					+ cfg.getMethodOf(sCallSite).getSignature());
 			return null;
 		}
 
-		AndroidLayoutControl control = this.layoutControls.get(id);
-		if (control == null)
-			return null;
-		return control;
+		Set<AndroidLayoutControl> set = new HashSet<AndroidLayoutControl>();
+		for (int id : ids) {
+			AndroidLayoutControl control = this.layoutControls.get(id);
+			if (control != null)
+				set.add(control);
+		}
+
+		return set;
 	}
 
 	private boolean isResourceCall(SootMethod callee) {
@@ -403,11 +409,13 @@ protected ISourceSinkDefinition getUISourceDefinition(Stmt sCallSite, IInfoflowC
 				return MethodSourceSinkDefinition.createReturnSource(CallType.MethodCall);
 			}
 
-			AndroidLayoutControl control = getLayoutControl(sCallSite, cfg);
-			if (control != null) {
-				if (sourceSinkConfig.getLayoutMatchingMode() == LayoutMatchingMode.MatchSensitiveOnly
-						&& control.isSensitive()) {
-					return control.getSourceDefinition();
+			Set<AndroidLayoutControl> control = getLayoutControl(sCallSite, cfg);
+			if (control != null && !control.isEmpty()) {
+				for (AndroidLayoutControl c : control) {
+					if (sourceSinkConfig.getLayoutMatchingMode() == LayoutMatchingMode.MatchSensitiveOnly
+							&& c.isSensitive()) {
+						return c.getSourceDefinition();
+					}
 				}
 			}
 		}

soot-infoflow/src/soot/jimple/infoflow/values/IValueProvider.java

@@ -1,6 +1,9 @@
 package soot.jimple.infoflow.values;
 
+import java.util.Set;
+
 import soot.SootMethod;
+import soot.Type;
 import soot.Value;
 import soot.jimple.Stmt;
 
@@ -12,6 +15,24 @@
  */
 public interface IValueProvider {
 
-	public <T> T getValue(SootMethod sm, Stmt stmt, Value value, Class<T> type);
+	/**
+	 * Tries to find pseudo-constants for a given value at a given statement in a method 
+	 * @param <T> the type the pseudo-constant should be
+	 * @param sm the method the statement is within
+	 * @param stmt the statement for which to inquire a value
+	 * @param value the value the analysis is interested in
+	 * @param type the type the pseudo-constant should be
+	 * @return the value as type <i>T</i> or null
+	 */
+	public <T> Set<T> getValue(SootMethod sm, Stmt stmt, Value value, Class<T> type);
+
+	/**
+	 * Tries to find a set of concrete types of a value
+	 * @param sm the method the statement is within
+	 * @param stmt the statement for which to inquire the type
+	 * @param value the value the analysis is interested in
+	 * @return a set of possible types for <i>value</i>
+	 */
+	public Set<Type> getType(SootMethod sm, Stmt stmt, Value value);
 
 }

soot-infoflow/src/soot/jimple/infoflow/values/SimpleConstantValueProvider.java

@@ -1,10 +1,14 @@
 package soot.jimple.infoflow.values;
 
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import soot.Local;
 import soot.SootField;
 import soot.SootMethod;
+import soot.Type;
 import soot.Unit;
 import soot.Value;
 import soot.jimple.AssignStmt;
@@ -16,7 +20,6 @@
 import soot.jimple.LongConstant;
 import soot.jimple.Stmt;
 import soot.jimple.StringConstant;
-import soot.tagkit.ConstantValueTag;
 import soot.tagkit.DoubleConstantValueTag;
 import soot.tagkit.FloatConstantValueTag;
 import soot.tagkit.IntegerConstantValueTag;
@@ -37,14 +40,19 @@ public class SimpleConstantValueProvider implements IValueProvider {
 
 	@SuppressWarnings("unchecked")
 	@Override
-	public Object getValue(SootMethod sm, Stmt stmt, Value value, Class type) {
-		if (value instanceof Constant)
-			return getConstantOfType(value, type);
+	public Set<Object> getValue(SootMethod sm, Stmt stmt, Value value, Class type) {
+		if (value instanceof Constant) {
+			Object c = getConstantOfType(value, type);
+			if (c != null)
+				return Collections.singleton(c);
+			return null;
+		}
 
 		if (value instanceof Local) {
 			// Find the defs
 			BriefUnitGraph ug = new BriefUnitGraph(sm.getActiveBody());
 			SimpleLocalDefs du = new SimpleLocalDefs(ug);
+			Set<Object> ret = new HashSet<>();
 			List<Unit> defs = du.getDefsOfAt((Local) value, stmt);
 			for (Unit def : defs) {
 				if (!(def instanceof AssignStmt))
@@ -58,8 +66,9 @@ public Object getValue(SootMethod sm, Stmt stmt, Value value, Class type) {
 				// Use the ConstantTag to retrieve the constant value
 				Object constant = getConstantFromTag(((FieldRef) rightOp).getField(), type);
 				if (constant != null)
-					return constant;
+					ret.add(constant);
 			}
+			return ret;
 		}
 
 		return null;
@@ -82,6 +91,8 @@ private Object getConstantOfType(Value value, Class<?> type) {
 			if (value instanceof StringConstant)
 				return ((StringConstant) value).value;
 		}
+		if (type.isInstance(value))
+			return value;
 		return null;
 	}
 
@@ -104,4 +115,9 @@ private Object getConstantFromTag(SootField f, Class<?> type) {
 		}
 		return null;
 	}
+
+	@Override
+	public Set<Type> getType(SootMethod sm, Stmt stmt, Value value) {
+		return Collections.singleton(value.getType());
+	}
 }