Add example for TaintAnalysis

Author: smeyer198

examples/TaintAnalysis/.gitignore

@@ -0,0 +1,38 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### IntelliJ IDEA ###
+.idea/modules.xml
+.idea/jarRepositories.xml
+.idea/compiler.xml
+.idea/libraries/
+*.iws
+*.iml
+*.ipr
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store

examples/TaintAnalysis/pom.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>TaintAnalysis</artifactId>
+    <version>1.0.0</version>
+
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <boomerang.version>4.3.2</boomerang.version>
+        <license.dir>../license_header.txt</license.dir>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>de.fraunhofer.iem</groupId>
+            <artifactId>boomerangPDS</artifactId>
+            <version>${boomerang.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>de.fraunhofer.iem</groupId>
+            <artifactId>boomerangScope-SootUp</artifactId>
+            <version>${boomerang.version}</version>
+        </dependency>
+    </dependencies>
+</project>

examples/TaintAnalysis/src/main/java/boomerang/example/Main.java

@@ -0,0 +1,60 @@
+package boomerang.example;
+
+import boomerang.example.analysis.TaintAnalysis;
+import boomerang.example.analysis.TaintDataFlowScope;
+import boomerang.scope.DataFlowScope;
+import boomerang.scope.FrameworkScope;
+import boomerang.scope.sootup.BoomerangPreInterceptor;
+import boomerang.scope.sootup.SootUpFrameworkScope;
+import boomerang.utils.MethodWrapper;
+import sootup.callgraph.CallGraph;
+import sootup.callgraph.CallGraphAlgorithm;
+import sootup.callgraph.RapidTypeAnalysisAlgorithm;
+import sootup.core.inputlocation.AnalysisInputLocation;
+import sootup.core.model.SourceType;
+import sootup.core.signatures.MethodSignature;
+import sootup.core.transform.BodyInterceptor;
+import sootup.java.bytecode.frontend.inputlocation.JavaClassPathAnalysisInputLocation;
+import sootup.java.core.JavaSootMethod;
+import sootup.java.core.views.JavaView;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+public class Main {
+
+  private static final String appToAnalyze = "./targets/BranchingSingleExample.jar";
+
+  private static final Collection<MethodWrapper> sources =
+      Set.of(new MethodWrapper("taints.SourceClass", "source", "java.lang.String"));
+
+  private static final Collection<MethodWrapper> sinks =
+      Set.of(new MethodWrapper("taints.SinkClass", "sink", "void", List.of("java.lang.String")));
+
+  public static void main(String[] args) {
+    List<BodyInterceptor> interceptors = List.of(new BoomerangPreInterceptor());
+    AnalysisInputLocation inputLocation =
+        new JavaClassPathAnalysisInputLocation(appToAnalyze, SourceType.Application, interceptors);
+    JavaView view = new JavaView(inputLocation);
+
+    CallGraphAlgorithm cgAlgorithm = new RapidTypeAnalysisAlgorithm(view);
+    CallGraph callGraph = cgAlgorithm.initialize();
+
+    Collection<JavaSootMethod> entryPoints = new HashSet<>();
+    for (MethodSignature signature : callGraph.getEntryMethods()) {
+      Optional<JavaSootMethod> method = view.getMethod(signature);
+
+      method.ifPresent(entryPoints::add);
+    }
+
+    DataFlowScope dataFlowScope = new TaintDataFlowScope(sources, sinks);
+    FrameworkScope frameworkScope =
+        new SootUpFrameworkScope(view, callGraph, entryPoints, dataFlowScope);
+
+    TaintAnalysis taintAnalysis = new TaintAnalysis(frameworkScope, sources, sinks);
+    taintAnalysis.run();
+  }
+}

examples/TaintAnalysis/src/main/java/boomerang/example/analysis/TaintAllocationSite.java

@@ -0,0 +1,47 @@
+package boomerang.example.analysis;
+
+import boomerang.options.IAllocationSite;
+import boomerang.scope.AllocVal;
+import boomerang.scope.DeclaredMethod;
+import boomerang.scope.Method;
+import boomerang.scope.Statement;
+import boomerang.scope.Val;
+import boomerang.utils.MethodWrapper;
+
+import java.util.Collection;
+import java.util.Optional;
+
+public class TaintAllocationSite implements IAllocationSite {
+
+  private final Collection<MethodWrapper> sources;
+
+  public TaintAllocationSite(Collection<MethodWrapper> sources) {
+    this.sources = sources;
+  }
+
+  @Override
+  public Optional<AllocVal> getAllocationSite(Method method, Statement statement, Val val) {
+    if (!statement.isAssignStmt()) {
+      return Optional.empty();
+    }
+
+    Val leftOp = statement.getLeftOp();
+    Val rightOp = statement.getRightOp();
+
+    if (!leftOp.equals(val)) {
+      return Optional.empty();
+    }
+
+    if (statement.containsInvokeExpr()) {
+      DeclaredMethod declaredMethod = statement.getInvokeExpr().getDeclaredMethod();
+
+      if (sources.contains(declaredMethod.toMethodWrapper())) {
+        AllocVal allocVal = new AllocVal(leftOp, statement, rightOp);
+
+        return Optional.of(allocVal);
+      }
+    }
+
+    return Optional.empty();
+  }
+}

examples/TaintAnalysis/src/main/java/boomerang/example/analysis/TaintAnalysis.java

@@ -0,0 +1,85 @@
+package boomerang.example.analysis;
+
+import boomerang.BackwardQuery;
+import boomerang.Boomerang;
+import boomerang.ForwardQuery;
+import boomerang.Query;
+import boomerang.options.BoomerangOptions;
+import boomerang.results.BackwardBoomerangResults;
+import boomerang.scope.AllocVal;
+import boomerang.scope.FrameworkScope;
+import boomerang.utils.MethodWrapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import wpds.impl.NoWeight;
+
+import java.util.Collection;
+import java.util.HashSet;
+
+public class TaintAnalysis {
+
+  private static final Logger logger = LoggerFactory.getLogger(TaintAnalysis.class.getSimpleName());
+
+  private final FrameworkScope frameworkScope;
+  private final Collection<MethodWrapper> sources;
+  private final Collection<MethodWrapper> sinks;
+
+  public TaintAnalysis(
+      FrameworkScope frameworkScope,
+      Collection<MethodWrapper> sources,
+      Collection<MethodWrapper> sinks) {
+    this.frameworkScope = frameworkScope;
+    this.sources = sources;
+    this.sinks = sinks;
+  }
+
+  public void run() {
+    TaintAnalysisScope scope = new TaintAnalysisScope(frameworkScope, sinks);
+    Collection<Query> queries = scope.computeSeeds();
+
+    logger.info("Found " + queries.size() + " sink(s)");
+
+    for (Query query : queries) {
+      if (!(query instanceof BackwardQuery)) {
+        continue;
+      }
+
+      Collection<AllocVal> allocSites = solveQuery((BackwardQuery) query);
+      logger.info(
+          "Found {} leaks for variable {} @ {}:",
+          allocSites.size(),
+          query.var().getVariableName(),
+          query.cfgEdge().getTarget());
+
+      for (AllocVal allocVal : allocSites) {
+        logger.info(
+            "\tSource: "
+                + allocVal.getAllocVal()
+                + " @ "
+                + allocVal.getAllocStatement()
+                + " @ line "
+                + allocVal.getAllocStatement().getLineNumber());
+      }
+    }
+
+    if (queries.isEmpty()) {
+      logger.info("Did not find any leaks!");
+    }
+  }
+
+  public Collection<AllocVal> solveQuery(BackwardQuery query) {
+    TaintAllocationSite allocationSite = new TaintAllocationSite(sources);
+    BoomerangOptions options =
+        BoomerangOptions.builder().withAllocationSite(allocationSite).build();
+
+    Boomerang boomerang = new Boomerang(frameworkScope, options);
+    BackwardBoomerangResults<NoWeight> results = boomerang.solve(query);
+
+    Collection<AllocVal> allocSites = new HashSet<>();
+    for (ForwardQuery result : results.getAllocationSites().keySet()) {
+      allocSites.add(result.getAllocVal());
+    }
+
+    return allocSites;
+  }
+}

examples/TaintAnalysis/src/main/java/boomerang/example/analysis/TaintAnalysisScope.java

@@ -0,0 +1,45 @@
+package boomerang.example.analysis;
+
+import boomerang.BackwardQuery;
+import boomerang.Query;
+import boomerang.scope.AnalysisScope;
+import boomerang.scope.ControlFlowGraph;
+import boomerang.scope.DeclaredMethod;
+import boomerang.scope.FrameworkScope;
+import boomerang.scope.InvokeExpr;
+import boomerang.scope.Statement;
+import boomerang.scope.Val;
+import boomerang.utils.MethodWrapper;
+
+import java.util.Collection;
+import java.util.Collections;
+
+public class TaintAnalysisScope extends AnalysisScope {
+
+  private final Collection<MethodWrapper> sinks;
+
+  public TaintAnalysisScope(FrameworkScope frameworkScope, Collection<MethodWrapper> sinks) {
+    super(frameworkScope);
+
+    this.sinks = sinks;
+  }
+
+  @Override
+  protected Collection<? extends Query> generate(ControlFlowGraph.Edge edge) {
+    Statement statement = edge.getTarget();
+
+    if (statement.containsInvokeExpr()) {
+      InvokeExpr invokeExpr = statement.getInvokeExpr();
+      DeclaredMethod declaredMethod = invokeExpr.getDeclaredMethod();
+
+      if (sinks.contains(declaredMethod.toMethodWrapper())) {
+        Val arg = invokeExpr.getArg(0);
+
+        BackwardQuery query = BackwardQuery.make(edge, arg);
+        return Collections.singleton(query);
+      }
+    }
+
+    return Collections.emptySet();
+  }
+}

examples/TaintAnalysis/src/main/java/boomerang/example/analysis/TaintDataFlowScope.java

@@ -0,0 +1,58 @@
+package boomerang.example.analysis;
+
+import boomerang.scope.DataFlowScope;
+import boomerang.scope.DeclaredMethod;
+import boomerang.scope.Method;
+import boomerang.scope.WrappedClass;
+import boomerang.utils.MethodWrapper;
+
+import java.util.Collection;
+
+public class TaintDataFlowScope implements DataFlowScope {
+
+  private final Collection<MethodWrapper> sources;
+  private final Collection<MethodWrapper> sinks;
+
+  public TaintDataFlowScope(Collection<MethodWrapper> sources, Collection<MethodWrapper> sinks) {
+    this.sources = sources;
+    this.sinks = sinks;
+  }
+
+  @Override
+  public boolean isExcluded(DeclaredMethod declaredMethod) {
+    WrappedClass declaringClass = declaredMethod.getDeclaringClass();
+
+    if (declaringClass.isPhantom()) {
+      return true;
+    }
+
+    return isClassSourceOrSink(declaringClass);
+  }
+
+  @Override
+  public boolean isExcluded(Method method) {
+    WrappedClass declaringClass = method.getDeclaringClass();
+
+    if (declaringClass.isPhantom()) {
+      return true;
+    }
+
+    return isClassSourceOrSink(declaringClass);
+  }
+
+  private boolean isClassSourceOrSink(WrappedClass declaringClass) {
+    for (MethodWrapper wrapper : sources) {
+      if (wrapper.getDeclaringClass().equals(declaringClass.getFullyQualifiedName())) {
+        return true;
+      }
+    }
+
+    for (MethodWrapper wrapper : sinks) {
+      if (wrapper.getDeclaringClass().equals(declaringClass.getFullyQualifiedName())) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+}

examples/TaintAnalysis/targets/BranchingMultipleExample.jar

@@ -0,0 +1,25 @@
+import taints.SinkClass;
+import taints.SourceClass;
+
+/**
+ * Simple example for a branched dataflow where there are multiple branches that taint the variable.
+ * Hence, Boomerang reports both positions for the taint.
+ */
+public class BranchingMultipleExample {
+
+  private static boolean staticallyUnknown() {
+    return Math.random() > 0.5;
+  }
+
+  public static void main(String[] args) {
+    // Taint position 1
+    String s = SourceClass.source();
+
+    if (staticallyUnknown()) {
+      // Taint position 2
+      s = SourceClass.source();
+    }
+
+    SinkClass.sink(s);
+  }
+}