Merge pull request #618 from timll/develop

Various fixes

Author: StevenArzt

soot-infoflow-integration/test/soot/jimple/infoflow/integration/test/junit/AndroidRegressionTests.java

@@ -88,4 +88,15 @@ public void testKotlinAppWithCollections() throws IOException {
         Assert.assertEquals(4, results.size());
         Assert.assertEquals(4, results.getResultSet().size());
     }
+
+    /**
+     * Tests that the CallToReturnFunction does not pass on taints that were killed
+     * by a taint wrapper that marked the method as exclusive.
+     */
+    @Test
+    public void testMapClear() throws XmlPullParserException, IOException {
+        SetupApplication app = initApplication("testAPKs/MapClearTest.apk");
+        InfoflowResults results = app.runInfoflow("../soot-infoflow-android/SourcesAndSinks.txt");
+        Assert.assertEquals(0, results.size());
+    }
 }

soot-infoflow-integration/testAPKs/MapClearTest.apk

@@ -35,6 +35,7 @@
 		</xs:sequence>
 		<xs:attribute name="fileFormatVersion" type="xs:int" />
 		<xs:attribute name="isInterface" type="xs:boolean" />
+		<xs:attribute name="isExclusive" type="xs:boolean" />
 	</xs:complexType>
 </xs:element>
 

soot-infoflow-summaries/schema/ClassSummary.xsd

@@ -53,7 +53,6 @@
 import soot.jimple.infoflow.nativeCallHandler.INativeCallHandler;
 import soot.jimple.infoflow.results.InfoflowResults;
 import soot.jimple.infoflow.solver.cfg.IInfoflowCFG;
-import soot.jimple.infoflow.taintWrappers.TaintWrapperList;
 import soot.options.Options;
 
 /**
@@ -75,8 +74,8 @@ public class SummaryGenerator {
 
 	protected List<String> substitutedWith = new LinkedList<String>();
 
-	protected SummaryTaintWrapper fallbackWrapper;
-	protected boolean fallbackWrapperInitialized = false;
+	protected SummaryTaintWrapper summaryTaintWrapper;
+	protected boolean summaryTaintWrapperInitialized = false;
 	protected MemorySummaryProvider onFlySummaryProvider = null;
 
 	public SummaryGenerator() {
@@ -86,10 +85,10 @@ public SummaryGenerator() {
 	/**
 	 * Initializes the fallback taint wrapper
 	 */
-	protected void initializeFallbackWrapper() {
-		if (fallbackWrapperInitialized)
+	protected void initializeSummaryTaintWrapper() {
+		if (summaryTaintWrapperInitialized)
 			return;
-		fallbackWrapperInitialized = true;
+		summaryTaintWrapperInitialized = true;
 
 		try {
 			// Do we want to integrate summaries on the fly?
@@ -113,7 +112,7 @@ protected void initializeFallbackWrapper() {
 
 			// Combine our summary providers
 			IMethodSummaryProvider provider = new MergingSummaryProvider(innerProviders);
-			fallbackWrapper = new SummaryTaintWrapper(provider);
+			summaryTaintWrapper = new SummaryTaintWrapper(provider);
 		} catch (Exception e) {
 			LoggerFactory.getLogger(getClass()).error(
 					"An error occurred while loading the fallback taint wrapper, proceeding without fallback", e);
@@ -125,9 +124,9 @@ protected void initializeFallbackWrapper() {
 	 * new summaries. Call this method after changing pre-existing summary files on
 	 * disk.
 	 */
-	public void releaseFallbackTaintWrapper() {
-		this.fallbackWrapper = null;
-		this.fallbackWrapperInitialized = false;
+	public void releaseSummaryTaintWrapper() {
+		this.summaryTaintWrapper = null;
+		this.summaryTaintWrapperInitialized = false;
 	}
 
 	/**
@@ -625,7 +624,7 @@ protected MethodSummaries createMethodSummary(String classpath, final String met
 			final IGapManager gapManager, final ResultsAvailableHandler resultHandler) {
 		// We need to construct a fallback taint wrapper based on the current
 		// configuration
-		initializeFallbackWrapper();
+		initializeSummaryTaintWrapper();
 
 		logger.info(String.format("Computing method summary for %s...", methodSig));
 		long nanosBeforeMethod = System.nanoTime();
@@ -761,8 +760,12 @@ protected ISummaryInfoflow initInfoflow(MethodSummaries summaries, IGapManager g
 		else
 			iFlow.setNativeCallHandler(new SummaryNativeCallHandler(nativeCallHandler));
 
-		final SummaryGenerationTaintWrapper summaryWrapper = createTaintWrapper(summaries, gapManager);
-		iFlow.setTaintWrapper(new TaintWrapperList(fallbackWrapper, summaryWrapper));
+		final SummaryGenerationTaintWrapper summaryGenWrapper = createTaintWrapper(summaries, gapManager);
+		// We only want to compute summaries for methods we do not have summaries. Thus, we register the
+		// summary generation wrapper as a fallback to the SummaryTaintWrapper such that it is only queried
+		// when the SummaryTaintWrapper doesn't know the method.
+		summaryTaintWrapper.setFallbackTaintWrapper(summaryGenWrapper);
+		iFlow.setTaintWrapper(summaryTaintWrapper);
 
 		// Set the Soot configuration
 		if (sootConfig == null)

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/generator/SummaryGenerator.java

@@ -7,6 +7,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.function.Function;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -526,11 +527,8 @@ public Set<Abstraction> getTaintsForMethod(Stmt stmt, Abstraction d1, Abstractio
 					return Collections.singleton(taintedAbs);
 				else {
 					reportMissingSummary(callee, stmt, taintedAbs);
-					if (fallbackWrapper == null)
-						return null;
-					else {
-						Set<Abstraction> fallbackTaints = fallbackWrapper.getTaintsForMethod(stmt, d1, taintedAbs);
-						return fallbackTaints;
+					if (fallbackWrapper != null) {
+						return fallbackWrapper.getTaintsForMethod(stmt, d1, taintedAbs);
 					}
 				}
 			}
@@ -1594,14 +1592,22 @@ public boolean isExclusive(Stmt stmt, Abstraction taintedPath) {
 
 	@Override
 	public boolean supportsCallee(SootMethod method) {
-		// Check whether we directly support that class. We assume that if we
-		// have some summary for that class, we have all summaries for that
-		// class.
+		// Check whether we directly support that class
 		SootClass declClass = method.getDeclaringClass();
-		if (declClass != null && flows.supportsClass(declClass.getName()))
+		if (declClass == null)
+			return false;
+
+		ClassMethodSummaries cms = flows.getClassFlows(declClass.getName());
+		if (cms == null)
+			return false;
+
+		// We assume for exclusive classes that we have all summaries for that class.
+		if (cms.isExclusiveForClass())
 			return true;
 
-		return false;
+		// Otherwise, we check whether we have a summary for the method.
+		MethodSummaries summaries = cms.getMethodSummaries().filterForMethod(method.getSubSignature());
+		return summaries != null && !summaries.isEmpty();
 	}
 
 	@Override
@@ -1757,12 +1763,9 @@ public Set<Abstraction> getInverseTaintsForMethod(Stmt stmt, Abstraction d1, Abs
 		ClassSummaries flowsInCallees = getFlowSummariesForMethod(stmt, method, taintedAbs, null);
 
 		// If we have no data flows, we can abort early
-		if (flowsInCallees.isEmpty()) {
+		if (flowsInCallees.isEmpty())
 			if (fallbackWrapper != null && fallbackWrapper instanceof IReversibleTaintWrapper)
 				return ((IReversibleTaintWrapper) fallbackWrapper).getInverseTaintsForMethod(stmt, d1, taintedAbs);
-			else
-				return null;
-		}
 
 		// Create a level-0 propagator for the initially tainted access path
 		ByReferenceBoolean killIncomingTaint = new ByReferenceBoolean();

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/taintWrappers/SummaryTaintWrapper.java

@@ -90,6 +90,10 @@ public void read(Reader reader, ClassMethodSummaries summaries)
 					// not call setInterface()!
 					if (isInterface != null && !isInterface.isEmpty())
 						summaries.setInterface(isInterface.equals(XMLConstants.VALUE_TRUE));
+
+					String isExclusive = getAttributeByName(xmlreader, XMLConstants.ATTRIBUTE_IS_EXCLUSIVE);
+					if (isExclusive != null && !isExclusive.isEmpty())
+						summaries.setExclusiveForClass(isExclusive.equals(XMLConstants.VALUE_TRUE));
 				} else if (localName.equals(XMLConstants.TREE_METHODS) && xmlreader.isStartElement()) {
 					if (state == State.summary)
 						state = State.methods;

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/SummaryReader.java

@@ -41,6 +41,7 @@ public class XMLConstants {
 	public static final String ATTRIBUTE_MATCH_STRICT = "matchStrict";
 	public static final String ATTRIBUTE_NAME = "name";
 	public static final String ATTRIBUTE_SUPERCLASS = "superClass";
+	public static final String ATTRIBUTE_IS_EXCLUSIVE = "isExclusive";
 
 	public static final String VALUE_TRUE = "true";
 	public static final String VALUE_FALSE = "false";

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/XMLConstants.java

@@ -0,0 +1,4 @@
+<?xml version="1.0" ?>
+<summary fileFormatVersion="101">
+    <hierarchy superClass="kotlin.collections.CollectionsKt___CollectionsKt" />
+</summary>

soot-infoflow-summaries/summariesManual/kotlin.collections.CollectionsKt.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" ?>
+<summary fileFormatVersion="101" isExclusive="false">
+    <methods>
+        <method id="java.lang.String joinToString$default(java.lang.Iterable,java.lang.CharSequence,java.lang.CharSequence,java.lang.CharSequence,int,java.lang.CharSequence,kotlin.jvm.functions.Function1,int,java.lang.Object)">
+            <flows>
+                <flow isAlias="false" typeChecking="false" cutSubFields="true">
+                    <from sourceSinkType="Parameter" ParameterIndex="0"
+                          AccessPath="[java.util.Collection: java.lang.Object[] innerArray]"
+                          AccessPathTypes="[java.lang.Object[]]" />
+                    <to sourceSinkType="Return" />
+                </flow>
+            </flows>
+        </method>
+    </methods>
+</summary>

soot-infoflow-summaries/summariesManual/kotlin.collections.CollectionsKt___CollectionsKt.xml

@@ -4,8 +4,7 @@
 import java.io.ObjectOutputStream;
 import java.io.ObjectOutputStream.PutField;
 import java.math.BigInteger;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
 
 public class ApiClassClient {
 	public Object source() {
@@ -302,4 +301,12 @@ public void mapToString() {
 		char c = str.charAt(2);
 		sink(c);
 	}
+
+	public void iterator() {
+		List<String> lst = new ArrayList<>();
+		lst.add(stringSource());
+		Iterator<String> it = lst.iterator();
+		if (it.hasNext())
+			sink(it.next());
+	}
 }