Merge pull request #612 from timll/injectTypeHierarchy

Streamline handling of type hierarchy provided by taint wrappers

Author: StevenArzt

soot-infoflow-android/src/soot/jimple/infoflow/android/SetupApplication.java

@@ -1703,7 +1703,7 @@ public IMemoryManager<Abstraction, Unit> getMemoryManager(boolean tracingEnabled
 		info.setMemoryManagerFactory(null);
 
 		// Inject additional post-processors
-		info.setPostProcessors(Collections.singleton(new PostAnalysisHandler() {
+		info.addPostProcessor(new PostAnalysisHandler() {
 
 			@Override
 			public InfoflowResults onResultsAvailable(InfoflowResults results, IInfoflowCFG cfg) {
@@ -1717,7 +1717,7 @@ public InfoflowResults onResultsAvailable(InfoflowResults results, IInfoflowCFG
 				return results;
 			}
 
-		}));
+		});
 
 		return info;
 	}

soot-infoflow-cmd/src/soot/jimple/infoflow/cmd/MainClass.java

@@ -355,10 +355,6 @@ public boolean accept(File dir, String name) {
 				analyzer = createFlowDroidInstance(config);
 				analyzer.setTaintWrapper(taintWrapper);
 
-				// We need to inject the StubDroid hierarchy
-				if (taintWrapper instanceof SummaryTaintWrapper)
-					injectStubDroidHierarchy((SummaryTaintWrapper) taintWrapper);
-
 				// Start the data flow analysis
 				analyzer.runInfoflow();
 
@@ -378,59 +374,6 @@ public boolean accept(File dir, String name) {
 		}
 	}
 
-	/**
-	 * Injects hierarchy data from StubDroid into Soot
-	 * 
-	 * @param taintWrapper The StubDroid instance
-	 */
-	private void injectStubDroidHierarchy(final SummaryTaintWrapper taintWrapper) {
-		final IMethodSummaryProvider provider = taintWrapper.getProvider();
-		analyzer.addPreprocessor(new PreAnalysisHandler() {
-
-			@Override
-			public void onBeforeCallgraphConstruction() {
-				// Inject the hierarchy
-				for (String className : provider.getAllClassesWithSummaries()) {
-					SootClass sc = Scene.v().forceResolve(className, SootClass.SIGNATURES);
-					if (sc.isPhantom()) {
-						ClassMethodSummaries summaries = provider.getClassFlows(className);
-						if (summaries != null) {
-							// Some phantom classes are actually interfaces
-							if (summaries.hasInterfaceInfo()) {
-								if (summaries.isInterface())
-									sc.setModifiers(sc.getModifiers() | Modifier.INTERFACE);
-								else
-									sc.setModifiers(sc.getModifiers() & ~Modifier.INTERFACE);
-							}
-
-							// Set the correct superclass
-							if (summaries.hasSuperclass()) {
-								final String superclassName = summaries.getSuperClass();
-								SootClass scSuperclass = Scene.v().forceResolve(superclassName, SootClass.SIGNATURES);
-								sc.setSuperclass(scSuperclass);
-							}
-
-							// Register the interfaces
-							if (summaries.hasInterfaces()) {
-								for (String intfName : summaries.getInterfaces()) {
-									SootClass scIntf = Scene.v().forceResolve(intfName, SootClass.SIGNATURES);
-									if (!sc.implementsInterface(intfName))
-										sc.addInterface(scIntf);
-								}
-							}
-						}
-					}
-				}
-			}
-
-			@Override
-			public void onAfterCallgraphConstruction() {
-				//
-			}
-
-		});
-	}
-
 	/**
 	 * Creates an instance of the FlowDroid data flow solver tool for Android.
 	 * Derived classes can override this method to inject custom variants of

soot-infoflow-integration/res/AndroidRiverSourcesAndSinks.xml

@@ -494,48 +494,6 @@
 			</additionalFlowCondition>
 		</method>
 
-		<method signature="java.io.ObjectOutputStream: void write(byte[])">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
-		<method signature="java.io.ObjectOutputStream: void write(byte[],int,int)">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
-		<method signature="java.io.ObjectOutputStream: void write(int)">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
 		<method signature="java.io.ObjectOutputStream: void writeBoolean(boolean)">
 			<param index="0" description="Output Data">
 				<accessPath isSource="false" isSink="true" />
@@ -719,62 +677,6 @@
 			</additionalFlowCondition>
 		</method>
 
-		<method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(byte[])">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
-		<method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(byte[],int)">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
-		<method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(byte[],int,int)">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
-		<method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(int)">
-			<param index="0" description="Output Data">
-				<accessPath isSource="false" isSink="true" />
-			</param>
-			<additionalFlowCondition>
-				<signatureOnPath signature="java.net.URLConnection: java.io.OutputStream getOutputStream()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalCacheDir()" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalCacheDirs()" />
-				<signatureOnPath signature="android.content.Context: java.io.File getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalFilesDir(java.lang.String)" />
-				<signatureOnPath signature="android.content.Context: java.io.File[] getExternalMediaDirs()" />
-				<excludeClassName className="java.io.ByteArrayOutputStream" />
-			</additionalFlowCondition>
-		</method>
 		<method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void writeAscii(java.lang.String)">
 			<param index="0" description="Output Data">
 				<accessPath isSource="false" isSink="true" />

soot-infoflow-integration/res/OutputStreamAndWriters.xml

@@ -443,30 +443,6 @@
             </additionalFlowCondition>
         </method>
 
-        <method signature="java.io.ObjectOutputStream: void write(byte[])">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="java.io.ObjectOutputStream: void write(byte[],int,int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="java.io.ObjectOutputStream: void write(int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
         <method signature="java.io.ObjectOutputStream: void writeBoolean(boolean)">
             <param index="0" description="Output Data">
                 <accessPath isSource="false" isSink="true" />
@@ -572,55 +548,6 @@
             </additionalFlowCondition>
         </method>
 
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutputStream: void write(byte[],int,int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutputStream: void write(int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(byte[])">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(byte[],int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(bytes[],int,int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
-        <method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void write(int)">
-            <param index="0" description="Output Data">
-                <accessPath isSource="false" isSink="true" />
-            </param>
-            <additionalFlowCondition>
-                <classNameOnPath className="java.net.URLConnection" />
-            </additionalFlowCondition>
-        </method>
         <method signature="com.esotericsoftware.kryo.io.ByteBufferOutput: void writeAscii(java.lang.String)">
             <param index="0" description="Output Data">
                 <accessPath isSource="false" isSink="true" />

soot-infoflow-integration/test/soot/jimple/infoflow/integration/test/OutputStreamTestCode.java

@@ -269,6 +269,7 @@ public void testByteArrayExcludedTest1() {
 
 
     public String externalLocation = "external/";
+
     public String getExternalDirLoc() {
         return externalLocation;
     }
@@ -344,4 +345,10 @@ public void testFileWriter1() {
             throw new RuntimeException(e);
         }
     }
+
+    public void testCastWithSummaryTypeInformation1() throws IOException {
+        OutputStream os = new FileOutputStream("myfile.txt");
+        OutputStream bbo = (OutputStream) new ByteBufferOutput(os);
+        bbo.write(1337);
+    }
 }

soot-infoflow-integration/test/soot/jimple/infoflow/integration/test/junit/AndroidRegressionTests.java

@@ -3,18 +3,19 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.xmlpull.v1.XmlPullParserException;
+import soot.SootMethod;
 import soot.jimple.infoflow.InfoflowConfiguration;
 import soot.jimple.infoflow.android.SetupApplication;
-import soot.jimple.infoflow.methodSummary.data.provider.EagerSummaryProvider;
-import soot.jimple.infoflow.methodSummary.taintWrappers.SummaryTaintWrapper;
+import soot.jimple.infoflow.android.data.parsers.PermissionMethodParser;
 import soot.jimple.infoflow.methodSummary.taintWrappers.TaintWrapperFactory;
+import soot.jimple.infoflow.results.DataFlowResult;
 import soot.jimple.infoflow.results.InfoflowResults;
 import soot.jimple.infoflow.taintWrappers.ITaintPropagationWrapper;
 
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
-import java.net.URISyntaxException;
 import java.util.Collections;
+import java.util.*;
 
 /**
  * Tests that uncovered a bug.
@@ -43,4 +44,48 @@ public void testFlowSensitivityWithOverwrite() throws XmlPullParserException, IO
         Assert.assertEquals(2, results.size());
         Assert.assertEquals(2, results.getResultSet().size());
     }
+
+    /**
+     * Tests that StubDroid correctly narrows the type when the summary is in a superclass.
+     * See also the comment in SummaryTaintWrapper#getSummaryDeclaringClass().
+     */
+    @Test
+    public void testTypeHierarchyFromSummary() throws XmlPullParserException, IOException {
+        SetupApplication app = initApplication("testAPKs/TypeHierarchyTest.apk");
+        InfoflowResults results = app.runInfoflow("../soot-infoflow-android/SourcesAndSinks.txt");
+        Assert.assertEquals(1, results.size());
+        Assert.assertEquals(1, results.getResultSet().size());
+    }
+
+    /**
+     * Tests an app that uses the kotlin collections.
+     * Expects four leaks:
+     *   * From getDeviceId() in onCreate() to Log.d(String, String)
+     *     in listFlow(String), mapFlow(String) and setFlow(String).
+     *   * From new File in fileFlow() to Log.d(String, String) in fileFlow(String).
+     */
+    @Test
+    public void testKotlinAppWithCollections() throws IOException {
+        SetupApplication app = initApplication("testAPKs/KotlinCollectionApp.apk");
+
+        // Make sure we find only one flow per method
+        app.addResultsAvailableHandler((cfg, results) -> {
+            Set<SootMethod> seenSet = new HashSet<>();
+            for (DataFlowResult res : results.getResultSet()) {
+                SootMethod sm = cfg.getMethodOf(res.getSink().getStmt());
+                Assert.assertFalse(seenSet.contains(sm));
+                seenSet.add(sm);
+            }
+        });
+
+        // Add the sources and sinks
+        List<String> ssinks = new ArrayList<>();
+        ssinks.add("<android.telephony.TelephonyManager: java.lang.String getDeviceId()> android.permission.READ_PHONE_STATE -> _SOURCE_");
+        ssinks.add("<android.util.Log: int d(java.lang.String,java.lang.String)> -> _SINK_");
+        ssinks.add("<kotlin.io.TextStreamsKt: java.util.List readLines(java.io.Reader)> -> _SOURCE_");
+
+        InfoflowResults results = app.runInfoflow(PermissionMethodParser.fromStringList(ssinks));
+        Assert.assertEquals(4, results.size());
+        Assert.assertEquals(4, results.getResultSet().size());
+    }
 }