
Comments (3)

StevenArzt avatar StevenArzt commented on August 16, 2024

There is indeed an option to stop the data flow analysis when the first N data flows have been found (regardless of the source or sink to which they belong). This option is deactivated by default. Unless you explicitly enable it, FlowDroid should process all flows.

There is another option, which limits the number of abstractions to be considered at join points, i.e., statements in the program where a single variable is tainted through multiple incoming taints. Let's take the following example:

String s1 = source1();
String s2 = source2();
data = s1 + " - " + s2;

Here, variable "data" in the last line receives two incoming abstractions. Since a high number of abstractions at a join point can indicate a source of false positives through some over-approximation that happened somewhere in the code (and just tainted a whole lot of variables in the proximity), we limit the number of join point abstractions. By default, the cut-off value is 10. You can increase it using InfoflowConfiguration.SolverConfiguration.setMaxJoinPointAbstractions(). A value of -1 will disable the check entirely and allow an arbitrary number of abstractions.

There are other factors that might lead to a missed result. By default, FlowDroid will only report paths (if path tracking is enabled) that are no longer than 75 statements. By experience, we found longer flows to be mostly false positives. This check is not as arbitrary as it might seem: There are some situations that can lead to "runaway" flows of very high lengths and we're just filtering those. You can also change the cutoff value or use -1 to disable the cutoff entirely.

Yet another possibility: We limit the number of paths at a single abstraction for a similar reason (15 by default). We also limit the call stack on a path (30 by default). If you know that one of these options is your problem, change them or use the magic -1 value.

Lastly, all of that might not be your problem altogether. Therefore, I'd first check whether you find the other source when you remove all but the one that is not found at the moment. Then, you can investigate why this happens by setting a breakpoint at the call computeTaintPaths() in the Infoflow class. If you get an empty object, you know that no taint arrived at a sink. If you do get at least one taint, you need to double-check the configuration of the path reconstruction.

In case you do not get a taint at the sink (path reconstructor gets an empty list), your problem might be somewhere totally different. There might be just a library method on the path for which there is currently no data flow summary. In fact, this is my first guess, because that's what happens most of the time when you miss a leak.

If nothing helps, send me the APK and the source and sink you want to detect.
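The join-point cut-off described in the comment above, as a simplified Python model added here for illustration (it is not FlowDroid code and not part of the original comment). The function names, the program encoding and the policy of keeping the first N abstractions in arrival order are assumptions; only the default of 10 and the -1 switch come from the comment.

```python
# Simplified model of a join-point abstraction cut-off (illustration only;
# this is not FlowDroid's implementation).

DEFAULT_MAX_JOIN = 10  # default cut-off value stated in the comment


def analyze(program, sources, sink, max_join=DEFAULT_MAX_JOIN):
    """Return the set of configured sources whose taint reaches `sink`.

    program:  list of (target, operands); an operand ending in "()" is a call.
    sources:  names of the calls configured as taint sources.
    max_join: cap on abstractions kept at one assignment; -1 disables it.
    """
    taints = {}  # variable -> ordered list of source names tainting it
    leaks = set()
    for target, operands in program:
        incoming = []
        for op in operands:
            if op.endswith("()"):
                if op[:-2] in sources:
                    incoming.append(op[:-2])      # fresh taint from a source
            else:
                incoming.extend(taints.get(op, []))  # taint copied from a variable
        incoming = list(dict.fromkeys(incoming))  # de-duplicate, keep order
        if max_join != -1 and len(incoming) > max_join:
            # Assumption: the first max_join abstractions (arrival order) survive.
            incoming = incoming[:max_join]
        if target == sink:
            leaks.update(incoming)
        else:
            taints[target] = incoming
    return leaks


def build_program(n):
    """Constructed sample: n source calls joined into `data`, then sent to a sink."""
    prog = [(f"s{i}", [f"source{i}()"]) for i in range(1, n + 1)]
    prog.append(("data", [f"s{i}" for i in range(1, n + 1)]))  # the join point
    prog.append(("sink", ["data"]))
    return prog


PROGRAM = build_program(12)
ALL_SOURCES = {f"source{i}" for i in range(1, 13)}

if __name__ == "__main__":
    print(sorted(analyze(PROGRAM, {"source12"}, "sink")))       # only one source configured
    print(sorted(analyze(PROGRAM, ALL_SOURCES, "sink")))        # default cut-off
    print(sorted(analyze(PROGRAM, ALL_SOURCES, "sink", -1)))    # cut-off disabled
```

In this model the flow from source12 is reported when it is the only configured source, disappears when all twelve sources are configured under the default cut-off, and reappears with -1.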


louison avatar louison commented on August 16, 2024

Thanks for this full answer.

I tried the InfoflowConfiguration.SolverConfiguration.setMaxJoinPointAbstractions() option with (-1). It didn't work.

Normally, I run FlowDroid with all the SuSi sources to test leaks through a few sinks.
I created an APK with one specific data flow from one source (let's call it source1) to a sink on purpose.

When I put only source1 in my SourcesAndSinks file, FlowDroid finds a connection between source1 and the sink.
However, if I put all SuSi sources (including source1) in my SourcesAndSinks file, FlowDroid finds another connection between another source (source2) and my sink but not the "original" one (source1 expected).
So my next move has been to remove source2 from the SuSi source list, and in this case FlowDroid finds the connection between source1 and the sink.
It looks like the connection between source2 and the sink kind of "hides" the connection between source1 and the sink.

Here is a zip containing the APK, and two SourcesAndSinks.txt files
flowdroid_issue_19.zip

In the file SourcesAndSinks_contact_sources.txt, you can find source1

Thank you


omuomugin avatar omuomugin commented on August 16, 2024

Hi @LouisonGitzinger @StevenArzt

I'm also getting a similar problem.
I opened a new issue #104 since it might be from a different cause.

Are there any updates on this?
