Taint propagation is blocked due to a reversed subtype checkΒ #214
Description
π Overall Description
In Tai-eβs taint analysis, taint propagation across type cast is blocked due to a reversed subtype check in TypeFilter.
A type cast such as:
public static void main(String[] args) {
testTypeCast("test");
}
private static void testTypeCast(Object obj) {
System.out.println((String) obj);
}isSubtype(str, obj) fails the type filter, and taint propagation is incorrectly stopped.
The propagation works correctly after changing the code to isSubtype(from, to).
π― Expected Behavior
Points-to sets of all variables
[]:<TypeCast: void main(java.lang.String[])>/%stringconst0 -> [[]:ConstantObj{java.lang.String: "test"}]
[]:<TypeCast: void main(java.lang.String[])>/args -> [[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0},type=java.lang.String[] in <TypeCast: void main(java.lang.String[])>}]
[]:<TypeCast: void testTypeCast(java.lang.Object)>/obj -> [[]:ConstantObj{java.lang.String: "test"}, []:TaintObj{alloc=<TypeCast: void testTypeCast(java.lang.Object)>/0,type=java.lang.Object}]
[]:<TypeCast: void testTypeCast(java.lang.Object)>/temp$0 -> []
[]:<TypeCast: void testTypeCast(java.lang.Object)>/temp$1 -> [[]:ConstantObj{java.lang.String: "test"}, []:TaintObj{alloc=<TypeCast: void testTypeCast(java.lang.Object)>/0,type=java.lang.Object}]
Points-to sets of all static fields
<java.lang.System: java.io.PrintStream out> -> []
Points-to sets of all instance fields
Points-to sets of all array indexes
[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0},type=java.lang.String[] in <TypeCast: void main(java.lang.String[])>}[] -> [[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0}[],type=java.lang.String in <TypeCast: void main(java.lang.String[])>}]
Detected 1 taint flow(s):
TaintFlow{<TypeCast: void testTypeCast(java.lang.Object)>/0 -> <TypeCast: void testTypeCast(java.lang.Object)>[2@L7] invokevirtual temp$0.println(temp$1)/0}
π Current Behavior
Points-to sets of all variables
[]:<TypeCast: void main(java.lang.String[])>/%stringconst0 -> [[]:ConstantObj{java.lang.String: "test"}]
[]:<TypeCast: void main(java.lang.String[])>/args -> [[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0},type=java.lang.String[] in <TypeCast: void main(java.lang.String[])>}]
[]:<TypeCast: void testTypeCast(java.lang.Object)>/obj -> [[]:ConstantObj{java.lang.String: "test"}, []:TaintObj{alloc=<TypeCast: void testTypeCast(java.lang.Object)>/0,type=java.lang.Object}]
[]:<TypeCast: void testTypeCast(java.lang.Object)>/temp$0 -> []
[]:<TypeCast: void testTypeCast(java.lang.Object)>/temp$1 -> [[]:ConstantObj{java.lang.String: "test"}]
Points-to sets of all static fields
<java.lang.System: java.io.PrintStream out> -> []
Points-to sets of all instance fields
Points-to sets of all array indexes
[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0},type=java.lang.String[] in <TypeCast: void main(java.lang.String[])>}[] -> [[]:EntryPointObj{alloc=MethodParam{<TypeCast: void main(java.lang.String[])>/0}[],type=java.lang.String in <TypeCast: void main(java.lang.String[])>}]
Detected 0 taint flow(s):
π Reproducible Example
class TypeCast {
public static void main(String[] args) {
testTypeCast("test");
}
private static void testTypeCast(Object obj) {
System.out.println((String) obj);
}
}taint-config:
sources:
- { kind: param, method: "<TypeCast: void testTypeCast(java.lang.Object)>", index: 0 }
sinks:
- { method: "<java.io.PrintStream: void println(java.lang.String>", index: 0 }
call-site-mode: true
run args:
-cp classes -m TypeCast -ap -pp -a pta=taint-config:taint-config.yml;implicit-entries:false;only-app:true;
βοΈ Tai-e Arguments
π Click here to see Tai-e Options
{{The content of 'output/options.yml' file}}π Click here to see Tai-e Analysis Plan
{{The content of 'output/tai-e-plan.yml' file}}π Tai-e Log
π Click here to see Tai-e Log
{{The content of 'output/tai-e.log' file}}
βΉοΈ Additional Information
No response