Merge branch 'develop' of github.com:secure-software-engineering/FlowDroid into develop

Author: StevenArzt

soot-infoflow-android/pom.xml

@@ -125,12 +125,12 @@
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-simple</artifactId>
-			<version>1.7.5</version>
+			<version>1.7.32</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
-			<version>1.7.5</version>
+			<version>1.7.32</version>
 		</dependency>
 		<dependency>
 			<groupId>de.tud.sse</groupId>
@@ -140,7 +140,7 @@
 		<dependency>
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>
-			<version>4.13.1</version>
+			<version>4.13.2</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -163,12 +163,12 @@
 		<dependency>
 			<groupId>com.google.protobuf</groupId>
 			<artifactId>protobuf-java</artifactId>
-			<version>3.18.1</version>
+			<version>3.19.2</version>
 		</dependency>
 		<dependency>
 		    <groupId>com.esotericsoftware</groupId>
 		    <artifactId>kryo</artifactId>
-		    <version>5.2.0</version>
+		    <version>5.2.1</version>
 		</dependency>
 	</dependencies>
 

soot-infoflow-android/src/soot/jimple/infoflow/android/axml/AXmlNode.java

@@ -198,6 +198,19 @@ public List<AXmlNode> getChildrenWithTag(String tag) {
 		return children;
 	}
 
+	/**
+	 * Removes an element from the attributes.
+	 *
+	 * @param key the key
+	 * @return the previously associated value or null
+	 */
+	public AXmlAttribute<?> removeAttribute(String key) {
+		if (this.attributes == null)
+			return null;
+		return this.attributes.remove(key);
+	}
+
+
 	/**
 	 * Returns a map which contains all attributes. The keys match the attributes'
 	 * names.

soot-infoflow-android/src/soot/jimple/infoflow/android/axml/parsers/AXML20Parser.java

@@ -78,6 +78,8 @@ public void attr(String ns, String name, int resourceId, int type, Object obj) {
 						// Without a name, we cannot really carry on
 						return;
 					}
+					if (tname == null)
+						tname = String.valueOf(resourceId);
 				}
 			} else
 				tname = name.trim();

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/AbstractCallbackAnalyzer.java

@@ -24,10 +24,16 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.ExecutionException;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+
+import heros.solver.Pair;
 import soot.AnySubType;
 import soot.Body;
 import soot.FastHierarchy;
@@ -36,12 +42,17 @@
 import soot.RefType;
 import soot.Scene;
 import soot.SootClass;
+import soot.SootField;
 import soot.SootMethod;
 import soot.SootMethodRef;
 import soot.Type;
 import soot.Unit;
 import soot.Value;
+import soot.jimple.ArrayRef;
+import soot.jimple.AssignStmt;
+import soot.jimple.CastExpr;
 import soot.jimple.ClassConstant;
+import soot.jimple.FieldRef;
 import soot.jimple.IdentityStmt;
 import soot.jimple.InstanceInvokeExpr;
 import soot.jimple.InvokeExpr;
@@ -59,6 +70,9 @@
 import soot.jimple.infoflow.values.IValueProvider;
 import soot.jimple.infoflow.values.SimpleConstantValueProvider;
 import soot.jimple.toolkits.callgraph.Edge;
+import soot.toolkits.graph.ExceptionalUnitGraph;
+import soot.toolkits.graph.ExceptionalUnitGraphFactory;
+import soot.toolkits.scalar.SimpleLocalDefs;
 import soot.util.HashMultiMap;
 import soot.util.MultiMap;
 
@@ -94,10 +108,16 @@ public abstract class AbstractCallbackAnalyzer {
 
 	protected final SootClass scSupportViewPager = Scene.v().getSootClassUnsafe("android.support.v4.view.ViewPager");
 	protected final SootClass scAndroidXViewPager = Scene.v().getSootClassUnsafe("androidx.viewpager.widget.ViewPager");
+
 	protected final SootClass scFragmentStatePagerAdapter = Scene.v()
 			.getSootClassUnsafe("android.support.v4.app.FragmentStatePagerAdapter");
+	protected final SootClass scFragmentPagerAdapter = Scene.v()
+			.getSootClassUnsafe("android.support.v4.app.FragmentPagerAdapter");
+
 	protected final SootClass scAndroidXFragmentStatePagerAdapter = Scene.v()
 			.getSootClassUnsafe("androidx.fragment.app.FragmentStatePagerAdapter");
+	protected final SootClass scAndroidXFragmentPagerAdapter = Scene.v()
+			.getSootClassUnsafe("androidx.fragment.app.FragmentPagerAdapter");
 
 	protected final InfoflowAndroidConfiguration config;
 	protected final Set<SootClass> entryPointClasses;
@@ -115,6 +135,69 @@ public abstract class AbstractCallbackAnalyzer {
 
 	protected IValueProvider valueProvider = new SimpleConstantValueProvider();
 
+	protected LoadingCache<SootField, List<Type>> arrayToContentTypes = CacheBuilder.newBuilder()
+			.build(new CacheLoader<SootField, List<Type>>() {
+
+				@Override
+				public List<Type> load(SootField field) throws Exception {
+					// Find all assignments to this field
+					List<Type> typeList = new ArrayList<>();
+					field.getDeclaringClass().getMethods().stream().filter(m -> m.isConcrete())
+							.map(m -> m.retrieveActiveBody()).forEach(b -> {
+								// Find all locals that reference the field
+								Set<Local> arrayLocals = new HashSet<>();
+								for (Unit u : b.getUnits()) {
+									if (u instanceof AssignStmt) {
+										AssignStmt assignStmt = (AssignStmt) u;
+										Value rop = assignStmt.getRightOp();
+										Value lop = assignStmt.getLeftOp();
+										if (rop instanceof FieldRef && ((FieldRef) rop).getField() == field) {
+											arrayLocals.add((Local) lop);
+										} else if (lop instanceof FieldRef && ((FieldRef) lop).getField() == field) {
+											arrayLocals.add((Local) rop);
+										}
+									}
+								}
+
+								// Find casts
+								for (Unit u : b.getUnits()) {
+									if (u instanceof AssignStmt) {
+										AssignStmt assignStmt = (AssignStmt) u;
+										Value rop = assignStmt.getRightOp();
+										Value lop = assignStmt.getLeftOp();
+
+										if (rop instanceof CastExpr) {
+											CastExpr ce = (CastExpr) rop;
+											if (arrayLocals.contains(ce.getOp()))
+												arrayLocals.add((Local) lop);
+											else if (arrayLocals.contains(lop))
+												arrayLocals.add((Local) ce.getOp());
+										}
+									}
+								}
+
+								// Find the assignments to the array locals
+								for (Unit u : b.getUnits()) {
+									if (u instanceof AssignStmt) {
+										AssignStmt assignStmt = (AssignStmt) u;
+										Value rop = assignStmt.getRightOp();
+										Value lop = assignStmt.getLeftOp();
+										if (lop instanceof ArrayRef) {
+											ArrayRef arrayRef = (ArrayRef) lop;
+											if (arrayLocals.contains(arrayRef.getBase())) {
+												Type t = rop.getType();
+												if (t instanceof RefType)
+													typeList.add(rop.getType());
+											}
+										}
+									}
+								}
+							});
+					return typeList;
+				}
+
+			});
+
 	public AbstractCallbackAnalyzer(InfoflowAndroidConfiguration config, Set<SootClass> entryPointClasses)
 			throws IOException {
 		this(config, entryPointClasses, "AndroidCallbacks.txt");
@@ -488,15 +571,23 @@ else if (methodName.equals("inflate") && stmt.getInvokeExpr().getArgCount() > 1)
 	 * @author Julius Naeumann
 	 */
 	protected void analyzeMethodForViewPagers(SootClass clazz, SootMethod method) {
-		if (scSupportViewPager == null || scFragmentStatePagerAdapter == null)
-			if (scAndroidXViewPager == null || scAndroidXFragmentStatePagerAdapter == null)
-				return;
+		// We need at least one fragment base class
+		if (scSupportViewPager == null && scAndroidXViewPager == null)
+			return;
+		// We need at least one class with a method to register a fragment
+		if (scFragmentStatePagerAdapter == null && scAndroidXFragmentStatePagerAdapter == null
+				&& scFragmentPagerAdapter == null && scAndroidXFragmentPagerAdapter == null)
+			return;
 
 		if (!method.isConcrete())
 			return;
 
 		Body body = method.retrieveActiveBody();
 
+		if (method.getDeclaringClass().getName().equals("org.liberty.android.fantastischmemo.ui.AnyMemo")
+				&& method.getName().equals("initDrawer"))
+			System.out.println("x");
+
 		// look for invocations of ViewPager.setAdapter
 		for (Unit u : body.getUnits()) {
 			Stmt stmt = (Stmt) u;
@@ -525,7 +616,8 @@ protected void analyzeMethodForViewPagers(SootClass clazz, SootMethod method) {
 			RefType rt = (RefType) pa.getType();
 
 			// check whether argument is of type FragmentStatePagerAdapter
-			if (!safeIsType(pa, scFragmentStatePagerAdapter) && !safeIsType(pa, scAndroidXFragmentStatePagerAdapter))
+			if (!safeIsType(pa, scFragmentStatePagerAdapter) && !safeIsType(pa, scAndroidXFragmentStatePagerAdapter)
+					&& !safeIsType(pa, scFragmentPagerAdapter) && !safeIsType(pa, scAndroidXFragmentPagerAdapter))
 				continue;
 
 			// now analyze getItem() to find possible Fragments
@@ -546,7 +638,59 @@ protected void analyzeMethodForViewPagers(SootClass clazz, SootMethod method) {
 					Value rv = rs.getOp();
 					Type type = rv.getType();
 					if (type instanceof RefType) {
-						checkAndAddFragment(method.getDeclaringClass(), ((RefType) type).getSootClass());
+						SootClass rtClass = ((RefType) type).getSootClass();
+						if (rv instanceof Local && (rtClass.getName().startsWith("android.")
+								|| rtClass.getName().startsWith("androidx.")))
+							analyzeFragmentCandidates(rs, getItem, (Local) rv);
+						else
+							checkAndAddFragment(method.getDeclaringClass(), rtClass);
+					}
+				}
+			}
+		}
+	}
+
+	/**
+	 * Attempts to find fragments that are not returned immediately, but that
+	 * require a more complex backward analysis. This analysis is best-effort, we do
+	 * not attempt to solve every possible case.
+	 * 
+	 * @param s The statement at which the fragment is returned
+	 * @param m The method in which the fragment is returned
+	 * @param l The local that contains the fragment
+	 */
+	private void analyzeFragmentCandidates(Stmt s, SootMethod m, Local l) {
+		ExceptionalUnitGraph g = ExceptionalUnitGraphFactory.createExceptionalUnitGraph(m.getActiveBody());
+		SimpleLocalDefs lds = new SimpleLocalDefs(g);
+
+		List<Pair<Local, Stmt>> toSearch = new ArrayList<>();
+		Set<Pair<Local, Stmt>> doneSet = new HashSet<>();
+		toSearch.add(new Pair<>(l, s));
+
+		while (!toSearch.isEmpty()) {
+			Pair<Local, Stmt> pair = toSearch.remove(0);
+			if (doneSet.add(pair)) {
+				List<Unit> defs = lds.getDefsOfAt(pair.getO1(), pair.getO2());
+				for (Unit def : defs) {
+					if (def instanceof AssignStmt) {
+						AssignStmt assignStmt = (AssignStmt) def;
+						Value rop = assignStmt.getRightOp();
+						if (rop instanceof ArrayRef) {
+							ArrayRef arrayRef = (ArrayRef) rop;
+
+							// Look for all assignments to the array
+							toSearch.add(new Pair<>((Local) arrayRef.getBase(), assignStmt));
+						} else if (rop instanceof FieldRef) {
+							FieldRef fieldRef = (FieldRef) rop;
+							try {
+								List<Type> typeList = arrayToContentTypes.get(fieldRef.getField());
+								typeList.stream().map(t -> ((RefType) t).getSootClass())
+										.forEach(c -> checkAndAddFragment(m.getDeclaringClass(), c));
+							} catch (ExecutionException e) {
+								logger.error(String.format("Could not load potential types for field %s",
+										fieldRef.getField().getSignature()), e);
+							}
+						}
 					}
 				}
 			}

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/DefaultCallbackAnalyzer.java

@@ -115,12 +115,10 @@ protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes")
 					reachableChangedListener = Scene.v().getReachableMethods().listener();
 					logger.info("Callback analysis done.");
 				} else {
-					// Incremental mode, only process the worklist
-					logger.info(String.format("Running incremental callback analysis for %d components...",
-							callbackWorklist.size()));
 					// Find the mappings between classes and layouts
 					findClassLayoutMappings();
 
+					// Add the methods that have become reachable in the views
 					MultiMap<SootMethod, SootClass> reverseViewCallbacks = new HashMultiMap<>();
 					for (Pair<SootClass, AndroidCallbackDefinition> i : viewCallbacks)
 						reverseViewCallbacks.put(i.getO2().getTargetMethod(), i.getO1());
@@ -132,6 +130,10 @@ protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes")
 						}
 					}
 
+					// Incremental mode, only process the worklist
+					logger.info(String.format("Running incremental callback analysis for %d components...",
+							callbackWorklist.size()));
+
 					MultiMap<SootClass, SootMethod> workList = new HashMultiMap<>(callbackWorklist);
 					for (Iterator<SootClass> it = workList.keySet().iterator(); it.hasNext();) {
 						// Check whether we're still running

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/Main.java

@@ -47,6 +47,7 @@ class Main {
 	private static final String OPTION_CLASS_TIMEOUT = "ct";
 	private static final String OPTION_ANALYZE_HASHCODE_EQUALS = "he";
 	private static final String OPTION_ANDROID_PLATFORMS = "p";
+	private static final String OPTION_IGNORE_DEFAULT_SUMMARIES = "is";
 	private static final String OPTION_WRITE_JIMPLE_FILES = "wj";
 
 	public static void main(final String[] args) throws FileNotFoundException, XMLStreamException {
@@ -80,6 +81,8 @@ private void initializeCommandLineOptions() {
 				"Also analyze hashCode() and equals() methods");
 		options.addOption(OPTION_ANDROID_PLATFORMS, "platformsdir", true,
 				"Path to the platforms directory from the Android SDK");
+		options.addOption(OPTION_IGNORE_DEFAULT_SUMMARIES, "ignoresummaries", false,
+				"Existing summaries from the default summary directory are ignored");
 		options.addOption(OPTION_WRITE_JIMPLE_FILES, "writejimplefiles", false, "Write out the Jimple files");
 	}
 
@@ -203,6 +206,11 @@ protected void configureOptionalSettings(CommandLine cmd, SummaryGenerator gener
 			String platformsDir = cmd.getOptionValue(OPTION_ANDROID_PLATFORMS);
 			generator.getConfig().setAndroidPlatformDir(platformsDir);
 		}
+		{
+			boolean ignoreDefaultSummaries = cmd.hasOption(OPTION_IGNORE_DEFAULT_SUMMARIES);
+			if (ignoreDefaultSummaries)
+				generator.getConfig().setUseDefaultSummaries(false);
+		}
 		{
 			boolean writeJimpleFiles = cmd.hasOption(OPTION_WRITE_JIMPLE_FILES);
 			if (writeJimpleFiles)

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/generator/SummaryGenerationTaintWrapper.java

@@ -127,19 +127,23 @@ protected Set<Abstraction> getTaintsForHashCodeEquals(Stmt stmt, Abstraction tai
 			InstanceInvokeExpr iiexpr = (InstanceInvokeExpr) iexpr;
 			AccessPath ap = taintedPath.getAccessPath();
 
+			final Set<Abstraction> taints = new HashSet<Abstraction>();
+
+			// We always keep the incoming taint
+			taints.add(taintedPath);
+
 			// Check for hashCode()
 			if (ref.getName().equals("hashCode") && ref.getParameterTypes().isEmpty()
 					&& ref.getReturnType() instanceof IntType) {
 				if (ap.getPlainValue() == iiexpr.getBase()) {
 					// If the return value is used, we taint it
 					if (stmt instanceof DefinitionStmt) {
 						DefinitionStmt defStmt = (DefinitionStmt) stmt;
-						return Collections.singleton(taintedPath.deriveNewAbstraction(
+						taints.add(taintedPath.deriveNewAbstraction(
 								manager.getAccessPathFactory().createAccessPath(defStmt.getLeftOp(), false), stmt));
 					}
 
-					// The return value is apparently ignored
-					return Collections.emptySet();
+					return taints;
 				}
 			}
 
@@ -150,12 +154,11 @@ protected Set<Abstraction> getTaintsForHashCodeEquals(Stmt stmt, Abstraction tai
 				// If the return value is used, we taint it
 				if (config.getImplicitFlowMode().trackControlFlowDependencies() && stmt instanceof DefinitionStmt) {
 					DefinitionStmt defStmt = (DefinitionStmt) stmt;
-					return Collections.singleton(taintedPath.deriveNewAbstraction(
+					taints.add(taintedPath.deriveNewAbstraction(
 							manager.getAccessPathFactory().createAccessPath(defStmt.getLeftOp(), false), stmt));
 				}
 
-				// The return value is apparently ignored
-				return Collections.emptySet();
+				return taints;
 			}
 		}