All data-flow path for ConstraintErrors (#144)

a57b0c88 · Johannes Späth · 3f8924ff · a57b0c88 · a57b0c88 · a57b0c88
Commit a57b0c88 authored May 2, 2019 by Johannes Späth
--- a/CryptoAnalysis/pom.xml
+++ b/CryptoAnalysis/pom.xml
@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>de.fraunhofer.iem</groupId>
 	<artifactId>CryptoAnalysis</artifactId>
-	<version>2.2-SNAPSHOT</version>
+	<version>2.2.Pathtracking.-SNAPSHOT</version>
 	
 	<properties>
   	 	<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>  

--- a/CryptoAnalysis/src/main/java/crypto/analysis/errors/ConstraintError.java
+++ b/CryptoAnalysis/src/main/java/crypto/analysis/errors/ConstraintError.java
 package crypto.analysis.errors;

+import java.util.Collection;
 import java.util.List;
 import java.util.Set;

 import com.google.common.base.CharMatcher;
+import com.google.common.collect.Multimap;

+import boomerang.ForwardQuery;
 import boomerang.jimple.Statement;
 import boomerang.jimple.Val;
 import crypto.analysis.IAnalysisSeed;
@@ -44,9 +47,49 @@ public class ConstraintError extends ErrorWithObjectAllocation{
 		visitor.visit(this);
 	}
 	
+
+	/**
+	 * Returns the actual data-flow path for this constraints violation.
+	 * 
+	 * Example: {@code
+	 * if(...) 
+	 * 	x = "AES/CBC/PKCS5Padding"; 
+	 * 	y = x; 
+	 * else 
+	 * 	y = "DES"; (1)
+	 * 
+	 * Cipher.getInstance(y); (2)
+	 * } 
+	 * When this constraint error represents the violation that "DES" is used, the returned
+	 * data-flow path will only contain the statements marked by (1) and (2).
+	 * 
+	 * @return The map of allocation sites to the set of statements leading to the violation
+	 */
 	@Override
-	public Set<Node<Statement, Val>> getDataFlowPath() {
-		return callSiteWithParamIndex.getVal().getDataFlowPath();
+	public Collection<Node<Statement, Val>> getDataFlowPath() {
+		return callSiteWithParamIndex.getVal().getRelevantDataFlowPath();
+	}
+	
+
+	/**
+	 * Returns all other statements of the data-flow path for this constraints violation.
+	 * 
+	 * Example: {@code
+	 * if(...) 
+	 * 	x = "AES/CBC/PKCS5Padding"; (1)
+	 * 	y = x; (2)
+	 * else 
+	 * 	y = "DES"; (3)
+	 * 
+	 * Cipher.getInstance(y); (4)
+	 * } 
+	 * When this constraint error represents the violation that "DES" is used, the returned
+	 * map of statements is {1 => {1,2,4}, 3 => {3,4}}
+	 * 
+	 * @return The map of allocation sites to the set of statements reaching the violation location
+	 */
+	public Multimap<ForwardQuery, Node<Statement, Val>> getAllDataFlowPaths() {
+		return callSiteWithParamIndex.getVal().getAllDataFlowPaths();
 	}



--- a/CryptoAnalysis/src/main/java/crypto/analysis/errors/ErrorWithObjectAllocation.java
+++ b/CryptoAnalysis/src/main/java/crypto/analysis/errors/ErrorWithObjectAllocation.java
 package crypto.analysis.errors;

+import java.util.Collection;
 import java.util.Set;

 import boomerang.jimple.Statement;
@@ -26,7 +27,7 @@ public abstract class ErrorWithObjectAllocation extends AbstractError{
 		return "";
 	}
 	
-	public Set<Node<Statement, Val>> getDataFlowPath(){
+	public Collection<Node<Statement, Val>> getDataFlowPath(){
 		return objectAllocationLocation.getDataFlowPath();
 	}
 }
--- a/CryptoAnalysis/src/main/java/crypto/extractparameter/ExtractParameterAnalysis.java
+++ b/CryptoAnalysis/src/main/java/crypto/extractparameter/ExtractParameterAnalysis.java
@@ -4,7 +4,6 @@ import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Set;

 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Lists;
@@ -18,6 +17,7 @@ import boomerang.callgraph.ObservableICFG;
 import boomerang.jimple.AllocVal;
 import boomerang.jimple.Statement;
 import boomerang.jimple.Val;
+import boomerang.results.AbstractBoomerangResults;
 import boomerang.results.BackwardBoomerangResults;
 import crypto.analysis.CryptoScanner;
 import crypto.boomerang.CogniCryptIntAndStringBoomerangOptions;
@@ -33,7 +33,6 @@ import soot.Type;
 import soot.Unit;
 import soot.Value;
 import soot.jimple.Stmt;
-import soot.jimple.toolkits.ide.icfg.BiDiInterproceduralCFG;
 import sync.pds.solver.nodes.Node;
 import typestate.finiteautomata.MatcherTransition;
 import wpds.impl.Weight.NoWeight;
@@ -52,7 +51,6 @@ public class ExtractParameterAnalysis {
 			return key;
 		}
 	};
-
 	public ExtractParameterAnalysis(CryptoScanner cryptoScanner, Map<Statement, SootMethod> allCallsOnObject, SootBasedStateMachineGraph fsm) {
 		this.cryptoScanner = cryptoScanner;
 		this.allCallsOnObject = allCallsOnObject;
@@ -122,10 +120,11 @@ public class ExtractParameterAnalysis {
 		if (!(parameter instanceof Local)) {
 			Val parameterVal = new Val(parameter, stmt.getMethod());
 			CallSiteWithParamIndex cs = new CallSiteWithParamIndex(stmt, parameterVal, index, varNameInSpecification);
-			Set<Node<Statement,Val>> dataFlowPath = Sets.newHashSet();
-			dataFlowPath.add(new Node<Statement, Val>(stmt, parameterVal));
+			Multimap<ForwardQuery,Node<Statement,Val>> dataFlowPath = HashMultimap.create();
+			ForwardQuery q  = new ForwardQuery(stmt, parameterVal);
+			dataFlowPath.put(q, new Node<Statement, Val>(stmt, parameterVal));
 			collectedValues.put(cs
-					, new ExtractedValue(stmt,parameter, dataFlowPath));
+					, new ExtractedValue(stmt,parameter, q, dataFlowPath));
 			querySites.add(cs);
 			return;
 		}
@@ -140,13 +139,14 @@ public class ExtractParameterAnalysis {
 				@Override
 				public void solved(AdditionalBoomerangQuery q, BackwardBoomerangResults<NoWeight> res) {
 					propagatedTypes.putAll(callSiteWithParamIndex, res.getPropagationType());
+					Multimap<ForwardQuery, Node<Statement, Val>> allDataFlowPath = computeDataFlowPath(res);
 					for (ForwardQuery v : res.getAllocationSites().keySet()) {
 						ExtractedValue extractedValue = null;
 						if(v.var() instanceof AllocVal) {
 							AllocVal allocVal = (AllocVal) v.var();
-							extractedValue = new ExtractedValue(allocVal.allocationStatement(),allocVal.allocationValue(), res.getDataFlowPath(v));
+							extractedValue = new ExtractedValue(allocVal.allocationStatement(),allocVal.allocationValue(), v,allDataFlowPath);
 						} else {
-							extractedValue = new ExtractedValue(v.stmt(),v.var().value(), res.getDataFlowPath(v));
+							extractedValue = new ExtractedValue(v.stmt(),v.var().value(), v, allDataFlowPath);
 						}
 						collectedValues.put(callSiteWithParamIndex,
 								extractedValue);
@@ -163,6 +163,17 @@ public class ExtractParameterAnalysis {
 		}
 	}

+	protected Multimap<ForwardQuery, Node<Statement, Val>> computeDataFlowPath(BackwardBoomerangResults<NoWeight> results) {
+		Multimap<ForwardQuery, Node<Statement,Val>> res = HashMultimap.create();
+		Map<ForwardQuery, AbstractBoomerangResults<NoWeight>.Context> allocationSites = results.getAllocationSites();
+		for(ForwardQuery q : allocationSites.keySet()) {
+			System.out.println(q);
+			res.putAll(q, results.getDataFlowPath(q));
+			System.out.println(results.getDataFlowPath(q));
+		}
+		return res;
+	}
+
 	public void addAdditionalBoomerangQuery(AdditionalBoomerangQuery q, QueryListener listener) {
 		AdditionalBoomerangQuery query = additionalBoomerangQuery.getOrCreate(q);
 		query.addListener(listener);

--- a/CryptoAnalysis/src/main/java/crypto/extractparameter/ExtractedValue.java
+++ b/CryptoAnalysis/src/main/java/crypto/extractparameter/ExtractedValue.java
 package crypto.extractparameter;

+import java.util.Collection;
+import java.util.Map;
 import java.util.Set;

+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.collect.Multimaps;
+import com.google.inject.internal.util.Maps;
+
+import boomerang.ForwardQuery;
 import boomerang.jimple.Statement;
 import boomerang.jimple.Val;
+import boomerang.results.AbstractBoomerangResults;
+import boomerang.results.BackwardBoomerangResults;
 import soot.Value;
 import sync.pds.solver.nodes.Node;
+import wpds.impl.Weight.NoWeight;

 public class ExtractedValue {
-	private Statement stmt;
-	private Value val;
-	private Set<Node<Statement, Val>> dataFlowPath;
+	private final Statement stmt;
+	private final Value val;
+	private final ForwardQuery originalQuery;
+	private Multimap<ForwardQuery, Node<Statement, Val>> dataFlowPath;

-	public ExtractedValue(Statement stmt, Value val, Set<Node<Statement, Val>> dataFlowPath) {
+	public ExtractedValue(Statement stmt, Value val, ForwardQuery originalQuery,
+			Multimap<ForwardQuery, Node<Statement, Val>> dataFlowPath) {
 		this.stmt = stmt;
 		this.val = val;
+		this.originalQuery = originalQuery;
 		this.dataFlowPath = dataFlowPath;
 	}

@@ -31,10 +45,53 @@ public class ExtractedValue {
 		return "Extracted Value: " + val + " at " + stmt;
 	}

-	public Set<Node<Statement, Val>> getDataFlowPath() {
+	/**
+	 * Returns the actual data-flow path for this extract value.
+	 * 
+	 * Example: {@code
+	 * if(...) 
+	 * 	x = "AES"; 
+	 * 	y = x; 
+	 * else 
+	 * 	y = "DES"; (1)
+	 * 
+	 * Cipher.getInstance(y); (2)
+	 * } 
+	 * When this extracted value represents "DES" (this.val == "DES), the returned
+	 * data-flow path will only contain the statements marked by (1) and (2).
+	 * 
+	 * @return
+	 */
+	public Collection<Node<Statement, Val>> getRelevantDataFlowPath() {
+		return dataFlowPath.get(originalQuery);
+	}
+
+	/**
+	 * Returns all data-flow paths, for all for this extract value.
+	 * 
+	 * Example: {@code
+	 * if(...) 
+	 * 	x = "AES"; (1)
+	 * 	y = x; (2)
+	 * else 
+	 * 	y = "DES"; (3)
+	 * 
+	 * Cipher.getInstance(y);  (4)
+	 * } 
+	 * 
+	 * When this extracted value represents "DES" (this.val == "DES), the returned data-flow
+	 * path will contain the statements marked by (1)-(4).
+	 * 
+	 * @return
+	 */
+	public Multimap<ForwardQuery, Node<Statement, Val>> getAllDataFlowPaths() {
 		return dataFlowPath;
 	}

+	public ForwardQuery getQuery() {
+		return originalQuery;
+	}
+
 	@Override
 	public int hashCode() {
 		final int prime = 31;

--- a/CryptoAnalysis/src/main/java/crypto/typestate/FiniteStateMachineToTypestateChangeFunction.java
+++ b/CryptoAnalysis/src/main/java/crypto/typestate/FiniteStateMachineToTypestateChangeFunction.java
@@ -16,6 +16,7 @@ import soot.Unit;
 import soot.jimple.AssignStmt;
 import soot.jimple.InstanceInvokeExpr;
 import soot.jimple.InvokeExpr;
+import soot.jimple.InvokeStmt;
 import soot.jimple.NewExpr;
 import soot.jimple.Stmt;
 import typestate.TransitionFunction;
@@ -66,6 +67,9 @@ public class FiniteStateMachineToTypestateChangeFunction extends TypeStateMachin
 			if(unit instanceof AssignStmt){
 				AssignStmt stmt = (AssignStmt) unit;
 				out.add(createQuery(stmt,method,new AllocVal(stmt.getLeftOp(), method, stmt.getRightOp(), new Statement(stmt,method))));
+			} else if(unit instanceof Stmt && ((Stmt) unit).containsInvokeExpr()) {
+				Stmt stmt = (Stmt) unit;
+				out.add(createQuery(stmt,method,new AllocVal(stmt.getInvokeExpr(), method, stmt.getInvokeExpr(), new Statement(stmt,method))));
 			}
 		} else if (invokeExpr instanceof InstanceInvokeExpr){
 			InstanceInvokeExpr iie = (InstanceInvokeExpr) invokeExpr;