Support for StringConcatFactory

Author: MarcMil

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/data/sourceSink/AbstractFlowSinkSource.java

@@ -57,7 +57,7 @@ public AbstractFlowSinkSource(SourceSinkType type, int parameterIdx, String base
 	 * i.e., if all elements referenced by the given source or sink are also
 	 * referenced by this one
 	 * 
-	 * @param src The source or sink with which to compare the current one
+	 * @param other The source or sink with which to compare the current one
 	 * @return True if the current source or sink is coarser than the given one,
 	 *         otherwise false
 	 */
@@ -221,7 +221,7 @@ public Map<String, String> xmlAttributes() {
 		Map<String, String> res = new HashMap<String, String>();
 		if (isParameter()) {
 			res.put(XMLConstants.ATTRIBUTE_FLOWTYPE, XMLConstants.VALUE_PARAMETER);
-			res.put(XMLConstants.ATTRIBUTE_PARAMTER_INDEX, getParameterIndex() + "");
+			res.put(XMLConstants.ATTRIBUTE_PARAMETER_INDEX, getParameterIndex() + "");
 		} else if (isField())
 			res.put(XMLConstants.ATTRIBUTE_FLOWTYPE, XMLConstants.VALUE_FIELD);
 		else if (isReturn())

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/data/sourceSink/FlowSource.java

@@ -13,6 +13,8 @@
  */
 public class FlowSource extends AbstractFlowSinkSource implements Cloneable {
 
+	public static final int ANY_PARAMETER = -2;
+
 	public FlowSource(SourceSinkType type, String baseType) {
 		super(type, -1, baseType, null, null, false);
 	}

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/taintWrappers/SummaryTaintWrapper.java

@@ -7,14 +7,34 @@
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
-import java.util.function.Function;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import heros.solver.Pair;
 import heros.solver.PathEdge;
-import soot.*;
-import soot.jimple.*;
+import soot.ArrayType;
+import soot.FastHierarchy;
+import soot.Hierarchy;
+import soot.Local;
+import soot.Modifier;
+import soot.PrimType;
+import soot.RefType;
+import soot.Scene;
+import soot.SootClass;
+import soot.SootField;
+import soot.SootFieldRef;
+import soot.SootMethod;
+import soot.Type;
+import soot.Unit;
+import soot.Value;
+import soot.VoidType;
+import soot.jimple.DefinitionStmt;
+import soot.jimple.DynamicInvokeExpr;
+import soot.jimple.InstanceInvokeExpr;
+import soot.jimple.InvokeExpr;
+import soot.jimple.ReturnStmt;
+import soot.jimple.StaticInvokeExpr;
+import soot.jimple.Stmt;
 import soot.jimple.infoflow.InfoflowConfiguration;
 import soot.jimple.infoflow.InfoflowManager;
 import soot.jimple.infoflow.data.Abstraction;
@@ -24,6 +44,7 @@
 import soot.jimple.infoflow.handlers.PreAnalysisHandler;
 import soot.jimple.infoflow.methodSummary.data.provider.IMethodSummaryProvider;
 import soot.jimple.infoflow.methodSummary.data.sourceSink.AbstractFlowSinkSource;
+import soot.jimple.infoflow.methodSummary.data.sourceSink.FlowSource;
 import soot.jimple.infoflow.methodSummary.data.summary.ClassMethodSummaries;
 import soot.jimple.infoflow.methodSummary.data.summary.ClassSummaries;
 import soot.jimple.infoflow.methodSummary.data.summary.GapDefinition;
@@ -507,8 +528,18 @@ public Set<Abstraction> getTaintsForMethod(Stmt stmt, Abstraction d1, Abstractio
 		ByReferenceBoolean classSupported = new ByReferenceBoolean(false);
 
 		// Compute the wrapper taints for the current method
-		final SootMethod callee = stmt.getInvokeExpr().getMethod();
-		Set<AccessPath> res = computeTaintsForMethod(stmt, d1, taintedAbs, callee, killIncomingTaint, classSupported);
+		final InvokeExpr inv = stmt.getInvokeExpr();
+		final SootMethod callee = inv.getMethod();
+		Set<AccessPath> res;
+		if (inv instanceof DynamicInvokeExpr) {
+			final DynamicInvokeExpr dyn = (DynamicInvokeExpr) inv;
+			SootMethod m = dyn.getBootstrapMethodRef().tryResolve();
+			if (m == null)
+				return null;
+
+			res = computeTaintsForMethod(stmt, d1, taintedAbs, m, killIncomingTaint, classSupported);
+		} else
+			res = computeTaintsForMethod(stmt, d1, taintedAbs, callee, killIncomingTaint, classSupported);
 
 		// Create abstractions from the access paths
 		if (res != null && !res.isEmpty()) {
@@ -522,7 +553,7 @@ public Set<Abstraction> getTaintsForMethod(Stmt stmt, Abstraction d1, Abstractio
 		if (!killIncomingTaint.value && (resAbs == null || resAbs.isEmpty())) {
 			// Is this method explicitly excluded?
 			if (!this.flows.isMethodExcluded(callee.getDeclaringClass().getName(), callee.getSubSignature())) {
-//				wrapperMisses.incrementAndGet();
+				//				wrapperMisses.incrementAndGet();
 
 				if (classSupported.value)
 					return Collections.singleton(taintedAbs);
@@ -584,7 +615,7 @@ protected void reportMissingMethod(SootMethod method) {
 	 */
 	private Set<AccessPath> computeTaintsForMethod(Stmt stmt, Abstraction d1, Abstraction taintedAbs,
 			final SootMethod method, ByReferenceBoolean killIncomingTaint, ByReferenceBoolean classSupported) {
-//		wrapperHits.incrementAndGet();
+		//		wrapperHits.incrementAndGet();
 
 		// Get the cached data flows
 		ClassSummaries flowsInCallees = getFlowSummariesForMethod(stmt, method, taintedAbs, classSupported);
@@ -965,23 +996,28 @@ protected ClassSummaries getFlowSummariesForMethod(Stmt stmt, final SootMethod m
 	 */
 	protected SootClass getSummaryDeclaringClass(Stmt stmt, AccessPath taintedAP) {
 		Type declaredType = null;
-		if (stmt != null && stmt.getInvokeExpr() instanceof InstanceInvokeExpr) {
-			// If the base object of the call is tainted, we may have a more precise type in
-			// the access path
-			InstanceInvokeExpr iinv = (InstanceInvokeExpr) stmt.getInvokeExpr();
-			if (taintedAP != null && iinv.getBase() == taintedAP.getPlainValue()) {
-				declaredType = taintedAP.getBaseType();
-			}
+		if (stmt != null) {
+			if (stmt.getInvokeExpr() instanceof InstanceInvokeExpr) {
+				// If the base object of the call is tainted, we may have a more precise type in
+				// the access path
+				InstanceInvokeExpr iinv = (InstanceInvokeExpr) stmt.getInvokeExpr();
+				if (taintedAP != null && iinv.getBase() == taintedAP.getPlainValue()) {
+					declaredType = taintedAP.getBaseType();
+				}
+
+				// We may have a call such as
+				// x = editable.toString();
+				// In that case, the callee is Object.toString(), since in the stub Android
+				// JAR, the class android.text.Editable does not override toString(). On a
+				// real device, it does. Consequently, we have a summary in the "Editable"
+				// class. To handle such weird cases, we walk the class hierarchy based on
+				// the declared type of the base object.
+				Type baseType = iinv.getBase().getType();
+				declaredType = manager.getTypeUtils().getMorePreciseType(declaredType, baseType);
+			} else if (stmt.getInvokeExpr() instanceof DynamicInvokeExpr) {
+				return ((DynamicInvokeExpr) stmt.getInvokeExpr()).getBootstrapMethodRef().getDeclaringClass();
 
-			// We may have a call such as
-			// x = editable.toString();
-			// In that case, the callee is Object.toString(), since in the stub Android
-			// JAR, the class android.text.Editable does not override toString(). On a
-			// real device, it does. Consequently, we have a summary in the "Editable"
-			// class. To handle such weird cases, we walk the class hierarchy based on
-			// the declared type of the base object.
-			Type baseType = iinv.getBase().getType();
-			declaredType = manager.getTypeUtils().getMorePreciseType(declaredType, baseType);
+			}
 		}
 		return declaredType instanceof RefType ? ((RefType) declaredType).getSootClass() : null;
 	}
@@ -1102,6 +1138,8 @@ private boolean flowMatchesTaint(final AbstractFlowSinkSource flowSource, final
 				if (compareFields(taint, flowSource))
 					return true;
 			}
+			if (flowSource.getParameterIndex() == FlowSource.ANY_PARAMETER)
+				return true;
 		} else if (flowSource.isField()) {
 			// Flows from a field can either be applied to the same field or
 			// the base object in total

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/SummaryReader.java

@@ -3,7 +3,7 @@
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_BASETYPE;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_FLOWTYPE;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_MATCH_STRICT;
-import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_PARAMTER_INDEX;
+import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_PARAMETER_INDEX;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_TAINT_SUB_FIELDS;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.TREE_CLEAR;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.TREE_FLOW;
@@ -51,7 +51,7 @@ private enum State {
 	 * 
 	 * @param reader    The reader from which to read the method summaries
 	 * @param summaries The data object in which to place the summaries
-	 * @return XMLStreamException Thrown in case of a syntax error in the input file
+	 * @throws XMLStreamException Thrown in case of a syntax error in the input file
 	 * @throws IOException Thrown if the reader could not be read
 	 */
 	public void read(Reader reader, ClassMethodSummaries summaries)
@@ -247,7 +247,7 @@ public void read(Reader reader, ClassMethodSummaries summaries)
 	 * 
 	 * @param fileName  The file from which to read the method summaries
 	 * @param summaries The data object in which to place the summaries
-	 * @return XMLStreamException Thrown in case of a syntax error in the input file
+	 * @throws XMLStreamException Thrown in case of a syntax error in the input file
 	 * @throws IOException Thrown if the file could not be read
 	 */
 
@@ -418,9 +418,11 @@ private boolean isGapBaseObject(Map<String, String> attributes) {
 	}
 
 	private int parameterIdx(Map<String, String> attributes) {
-		String strIdx = attributes.get(ATTRIBUTE_PARAMTER_INDEX);
+		String strIdx = attributes.get(ATTRIBUTE_PARAMETER_INDEX);
 		if (strIdx == null || strIdx.isEmpty())
 			throw new RuntimeException("Parameter index not specified");
+		if (strIdx.equals("*"))
+			return FlowSource.ANY_PARAMETER;
 		return Integer.parseInt(strIdx);
 	}
 

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/SummaryWriter.java

@@ -4,7 +4,7 @@
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_ACCESSPATHTYPES;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_BASETYPE;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_FLOWTYPE;
-import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_PARAMTER_INDEX;
+import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.ATTRIBUTE_PARAMETER_INDEX;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.TREE_FLOW;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.TREE_FLOWS;
 import static soot.jimple.infoflow.methodSummary.xml.XMLConstants.TREE_SINK;
@@ -214,7 +214,7 @@ private void writeAbstractFlowSinkSource(XMLStreamWriter writer, AbstractFlowSin
 			// nothing we need to write in the xml file here (we write the
 			// access path later)
 		} else if (currentFlow.isParameter())
-			writer.writeAttribute(ATTRIBUTE_PARAMTER_INDEX, currentFlow.getParameterIndex() + "");
+			writer.writeAttribute(ATTRIBUTE_PARAMETER_INDEX, currentFlow.getParameterIndex() + "");
 		else if (currentFlow.isGapBaseObject()) {
 			// nothing special to write
 		} else

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/XMLConstants.java

@@ -27,7 +27,7 @@ public class XMLConstants {
 	public static final String ATTRIBUTE_METHOD_SIG = "id";
 	public static final String ATTRIBUTE_IS_EXCLUDED = "isExcluded";
 	public static final String ATTRIBUTE_FLOWTYPE = "sourceSinkType";
-	public static final String ATTRIBUTE_PARAMTER_INDEX = "ParameterIndex";
+	public static final String ATTRIBUTE_PARAMETER_INDEX = "ParameterIndex";
 	public static final String ATTRIBUTE_ACCESSPATH = "AccessPath";
 	public static final String ATTRIBUTE_ACCESSPATHTYPES = "AccessPathTypes";
 	public static final String ATTRIBUTE_BASETYPE = "BaseType";

soot-infoflow-summaries/summariesManual/java.lang.invoke.StringConcatFactory.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" ?>
+<summary fileFormatVersion="102">
+    <hierarchy superClass="java.lang.Object">
+    </hierarchy>
+    <methods>
+    	<!-- Note that this a summary for dynamic invokes. For these, we do not actually know the number and types of parameters.
+    	As such, we use the wildcard * to match all possible concrete parameters used for the call site.  -->
+        <method id="java.lang.invoke.CallSite makeConcat(java.lang.invoke.MethodHandles$Lookup,java.lang.String,java.lang.invoke.MethodType)">
+            <flows>
+                <flow isAlias="false">
+                    <from sourceSinkType="Parameter" ParameterIndex="*" />
+                    <to sourceSinkType="Return" />
+                </flow>
+            </flows>
+        </method>
+
+        <method id="java.lang.invoke.CallSite makeConcatWithConstants(java.lang.invoke.MethodHandles$Lookup,java.lang.String,java.lang.invoke.MethodType,java.lang.String,java.lang.Object[])">
+            <flows>
+                <flow isAlias="false">
+                    <from sourceSinkType="Parameter" ParameterIndex="*" />
+                    <to sourceSinkType="Return" />
+                </flow>
+            </flows>
+        </method>
+    </methods>
+</summary>