Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test Aliasing4 is failing #761

Open
Jclavo opened this issue Sep 6, 2024 · 3 comments
Open

Test Aliasing4 is failing #761

Jclavo opened this issue Sep 6, 2024 · 3 comments

Comments

@Jclavo
Copy link

Jclavo commented Sep 6, 2024
edited
Loading

I am checking the tests from securibench in the soot-infoflow/ folder and I have noticed that test Aliasing4 (https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow/securiBench/securibench/micro/aliasing/Aliasing4.java) is failing.

This test has two 2 sinks

       String name = req.getParameter(FIELD_NAME);
       Object o1 = name;
       Object o2 = name.concat("abc");
       Object o3 = "anc";
              
       PrintWriter writer = resp.getWriter();
       writer.println(o1);                              /* BAD */
       writer.println(o2);                              /* BAD */
       writer.println(o3);                              /* OK */

but the solution is reporting just one.
image

so analysing the code I found that Flowdroid is not recognizing Object o2 as tainted when the next line is performed

Object o2 = name.concat("abc");

My question is: Does Flowdroid support calls to native method like toUpperCase() or concat() without losing the tainted for the variable?
@Jclavo
Copy link
Author

Jclavo commented Sep 11, 2024
edited
Loading

I have been continuing checking and I found that there are others tests failing for the same reason:

  • datastructures5
  • factories1
  • factories2

Also, I found an interesting thing; test for factories3 https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow/securiBench/securibench/micro/factories/Factories3.java calls to a native method and their tainted is not lost

        StringWrapper w1 = new StringWrapper(s1);
        StringWrapper w2 = new StringWrapper("abc");
            
        PrintWriter writer = resp.getWriter();
        
        writer.println(w1.toString());    /* BAD */
        writer.println(w2.toString());    /* OK */

while Test for factories2 https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow/securiBench/securibench/micro/factories/Factories2.java calls to a native method and their tainted is lost.

        String s1 = req.getParameter("name");
        String s2 = s1.toString();
        String s3 = "abc".toString();
            
        PrintWriter writer = resp.getWriter();
        
        writer.println(s2);    /* BAD */
        writer.println(s3);    /* OK */

In conclusion: Flowdroid loses tainted flow calling native method like "toString()" when the variable is an "string" but if it is an "object" the tainted flow is not lost.

@StevenArzt Do you think that I am missing some configurations to enable this behaviour?

@StevenArzt
Copy link
Member

That's strange. I had to update quite a few things to get the SecuriBench test cases running again because they were originally based on a highly outdated version of the servlet API, but once I migrated that to Jakarta, the tests ran fine.

For Aliasing4:

[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r4.<java.io.PrintWriter: void println(java.lang.Object)>(r1) in method <securibench.micro.aliasing.Aliasing4: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = interfaceinvoke r0.<jakarta.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.aliasing.Aliasing4: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)>
[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r4.<java.io.PrintWriter: void println(java.lang.Object)>(r2) in method <securibench.micro.aliasing.Aliasing4: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = interfaceinvoke r0.<jakarta.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.aliasing.Aliasing4: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)>

For Datastructures5:

[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r9.<java.io.PrintWriter: void println(java.lang.String)>(r7) in method <securibench.micro.datastructures.Datastructures5: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = interfaceinvoke r0.<jakarta.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.datastructures.Datastructures5: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)>

For Factories1:

[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r6.<java.io.PrintWriter: void println(java.lang.String)>(r2) in method <securibench.micro.factories.Factories1: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = interfaceinvoke r0.<jakarta.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.factories.Factories1: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)>

For Factories2:

[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke r6.<java.io.PrintWriter: void println(java.lang.String)>(r2) in method <securibench.micro.factories.Factories2: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.Infoflow - - r1 = interfaceinvoke r0.<jakarta.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)>("name") in method <securibench.micro.factories.Factories2: void doGet(jakarta.servlet.http.HttpServletRequest,jakarta.servlet.http.HttpServletResponse)>

FlowDroid uses summaries to cover methods from the Java standard library. It therefore makes no difference whether these methods are implemented in native code or not.

How did you run the tests? Did you use the offical JUnit test cases for SecuriBench or something else? Maybe you are missing the library summary configuration if you have your own runner instead of the official test cases.

@Jclavo
Copy link
Author

Jclavo commented Sep 24, 2024

Hi @StevenArzt, I set up to work with Jakarta and now the tests that I mentioned run smoothly.
However a few tests (13) are still failing.
Capture d’écran du 2024-09-24 18-16-10
I am wondering if when you run them, all the tests were green?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@StevenArzt @Jclavo