Comments (3)
There is indeed an option to stop the data flow analysis when the first N data flows have been found (regardless of the source or sink to which they belong). This option is decativated by default. Unless you explicitly enable it, FlowDroid should process all flows.
There is another option, which limits the number of abstractions to be considered at join points, i.e., statements in the program where a single variable is tainted through multiple incoming taints. Let's take the following example:
String s1 = source1();
String s2 = source2();
data = s1 + " - " + s2;
Here, variable "data" in the last line receives two incoming abstractions. Since a high number of abstractions at a join point can indicate a source of false positives through some over-approximation that happened somewhere in the code (and just tainted a whole lot of variables in the proximity), we limit the number of join point abstractions. By default, the cut-off value is 10. You can increase it using InfofowConfiguration.SolverConfiguration.setMaxJoinPointAbstractions(). A value of -1 will disable the check entirely and allow an arbitrary number of abstractions.
There are other factors that might lead to a missed result. By default, FlowDroid will only report paths (if path tracking is enabled) that are no longer than 75 statements. By experience, we found longer flows to be mostly false positives. This check is not as arbitrary as it might seem: There are some situations that can lead to "runaway" flows of very high lengths and we're just filtering those. You can also change the cutoff value or use -1 to disable the cutoff entirely.
Yet another possibility: We limit the number of paths at a single abstraction for a similar reason (15 by default). We also limit the call stack on a path (30 by default). If you know that one of these options is your problem, change them or use the magic -1 value.
Lastly, all of that might not be your problem altogether. Therefore, I'd first check whether you find the other source when you remove all but tone of those that is not found at the moment. Then, you can investigate why this happens by setting a breakpoint at the call computeTaintPaths() in the Infoflow class. If you get an empty object, you know that no taint arrived at a sink. If you do get at least one taint, you need to double-check the configuration of the path reconstruction.
In case, you do not get a taint at the sink (path reconstructor gets an empty list), your problem might be somewhere totally different. There might be just a library method on the path for which there is currently no data flow summary. In fact, this is my first guess, because that's what happens most of the time when you miss a leak.
If nothing helps, send me the APK and the source and sink you want to detect.
from flowdroid.
Thanks for this full answer.
I tried the InfofowConfiguration.SolverConfiguration.setMaxJoinPointAbstractions() option with (-1). It didn't work.
Normally, I run FlowDroid with all the SuSi sources to test leaks through a few sinks.
I created an APK with one specific data flow from one source (let's call it source1) to a sink on purpose.
When I put only source1 in my SourcesAndSinks file, FlowDroid finds a connection between source1 and the sink.
However, if I put all SuSi sources (including source1) in my SourcesAndSinks file, FlowDroid finds another connection between another source (source2) and my sink but not the "original" one (source1 expected).
So my next move has been to remove source2 from the SuSi source list, and in this case FlowDroid finds the connection between source1 and the sink.
It looks like the connection between source2 and the sink kind of "hide" the connection between source1 and the sink.
Here is a zip containing the APK, and two SourcesAndSinks.txt files
flowdroid_issue_19.zip
In the file SourcesAndSinks_contact_sources.txt, you can find source1
Thank you
from flowdroid.
Hi @LouisonGitzinger @StevenArzt
I'm also getting similar problem.
I opened a new issue #104 since it might be from different cause.
Are there any updates on this?
from flowdroid.
Related Issues (20)
- Why this library lacks documentation? HOT 4
- (Question) Getting methods chain between sources and sinks HOT 1
- README outdated wrt. to standalone cmd jar HOT 1
- (Question) Doses FlowDroid support encode to binary xml?? HOT 4
- No leaks found when using FlowDroid as a library HOT 2
- Seeking Guidance on FlowDroid v2.12 Build Issue HOT 5
- (Question) Getting precisely source to sink path (methods) with FlowDroid HOT 8
- APK Instrumentation: Issues with app startup when excluding androidx.* HOT 6
- java.lang.NullPointerException: Cannot invoke "Object.hashCode() HOT 4
- Using FlowDroid for Java Programs HOT 1
- RuntimeException: File format violation, res1 was not zero HOT 4
- Non-deterministic results from --dataflowsolver FLOWINSENSITIVE --pathalgo CONTEXTINSENSITIVE --taintwrapper EASY HOT 1
- (Question)Display SootClass and SootMethod Information for Each Stmt of Taint Path in FlowDroid HOT 2
- No sources found, aborting analysis HOT 5
- Null pointer errors when attempting to find data flow in app HOT 3
- Can not run project with FlowDroid HOT 8
- Is there a method to start taint analysis for a single variable instead of between two functions?
- Is there a taint analysis tool for open-source application HOT 3
- Why flowdroid cannot find the path from flow1 to flow2 by taint varibale Flow.data1? HOT 4
- (Question) about path between sources and sinks.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flowdroid.