fix some bugs

funjackyone · Mar 22, 2021 · 2e8150f · 2e8150f
1 parent 03a94db
commit 2e8150f
Showing 6 changed files with 39 additions and 8 deletions.
diff --git a/rules/knowledges.json b/rules/knowledges.json
@@ -47,6 +47,9 @@
   {"name":"java.lang.ProcessImpl", "rules": [
     {"function": "start", "type": "sink", "actions": {}, "polluted": [0], "signatures": ["<java.lang.ProcessImpl: java.lang.Process start(java.lang.String[],java.util.Map,java.lang.String,java.lang.ProcessBuilder$Redirect[],boolean)>"]}
   ]},
+  {"name":"javax.xml.parsers.DocumentBuilder", "rules": [
+    {"function": "parse", "type": "sink", "actions": {"return": "param-0"}, "polluted": [0], "signatures": []}
+  ]},
   {"name":"java.lang.ClassLoader", "rules": [
     {"function": "defineClass", "type": "sink", "actions": {"return": "param-1"}, "polluted": [1], "signatures": ["<java.lang.ClassLoader: java.lang.Class defineClass(java.lang.String,byte[],int,int)>","<java.lang.ClassLoader: java.lang.Class defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)>","<java.lang.ClassLoader: java.lang.Class defineClass(byte[],int,int)>","<java.lang.ClassLoader: java.lang.Class defineClass(java.lang.String,java.nio.ByteBuffer,java.security.ProtectionDomain)>"]},
     {"function":  "newInstance", "type": "sink", "actions": {"return": "this"}, "polluted": [-1], "signatures": []},
@@ -111,6 +114,13 @@
   {"name":"java.io.ByteArrayInputStream", "rules": [
     {"function": "<init>", "type": "know", "actions": {"return": "param-0"}, "polluted": [], "signatures": ["<java.io.ByteArrayInputStream: void <init>(byte[],int,int)>","<java.io.ByteArrayInputStream: void <init>(byte[])>"]}
   ]},
+  {"name":"java.io.ObjectInput", "rules": [
+    {"function": "read", "type": "know", "actions": {"param-0": "this"}, "polluted": [], "signatures": []},
+    {"function": "readFully", "type": "know", "actions": {"param-0": "this"}, "polluted": [], "signatures": []},
+    {"function": "readLine", "type": "know", "actions": {"return": "this"}, "polluted": [], "signatures": []},
+    {"function": "readObject", "type": "know", "actions": {"return": "this"}, "polluted": [], "signatures": []},
+    {"function": "readUTF", "type": "know", "actions": {"return": "this"}, "polluted": [], "signatures": []}
+  ]},
   {"name":"java.lang.StringBuilder", "rules": [
     {"function": "toString", "type": "know", "actions": {"return": "this"}, "polluted": [], "signatures": ["<java.lang.StringBuilder: java.lang.String toString()>"]},
     {"function": "append", "type": "know", "actions": {"this":"param-0&remain", "return": "this"}, "polluted": [], "signatures": ["<java.lang.StringBuilder: java.lang.AbstractStringBuilder append(java.lang.StringBuffer)>","<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.StringBuffer)>","<java.lang.StringBuilder: java.lang.AbstractStringBuilder append(java.lang.String)>","<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>","<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.Object)>","<java.lang.StringBuilder: java.lang.AbstractStringBuilder append(java.lang.Object)>","<java.lang.StringBuilder: java.lang.StringBuilder append(char[])>"]},

diff --git a/src/main/java/tabby/core/data/TabbyValue.java b/src/main/java/tabby/core/data/TabbyValue.java
@@ -103,7 +103,7 @@ public boolean equals(Object o) {
                 .append(isField, that.isField)
                 .append(isStatic, that.isStatic)
                 .append(type, that.type).append(typeName, that.typeName)
-//                .append(status, that.status).isEquals();
+//                .append(status.isPolluted, that.status.isPolluted).isEquals();
                 .isEquals();
     }
 
@@ -112,7 +112,10 @@ public int hashCode() {
         return new HashCodeBuilder(17, 37)
                 .append(type).append(typeName).append(isArray)
                 .append(isField).append(isStatic)
-//                .append(status).toHashCode();
+//                .append(status.isPolluted).toHashCode();
                 .toHashCode();
+        // TODO 关于污点追踪这块的实现，其实是存在缺陷的
+        //  当前使用的relatedType并不是一个很好的方案
+        //  等当前事情过去，再想个合适的方法
     }
 }
diff --git a/src/main/java/tabby/core/data/TabbyVariable.java b/src/main/java/tabby/core/data/TabbyVariable.java
@@ -128,7 +128,8 @@ public void union(TabbyVariable that){
      */
     public void assign(TabbyVariable var, boolean remain){
         // copy value
-        if(var != null && var.getValue() != null){
+        if(var != null && var.getValue() != null
+                && !"Temp Variable".equals(var.getName())){ // 遇到临时变量，不做处理，通常为new操作
             if(isPolluted(-1) && remain){
                 return;
             }

diff --git a/src/main/java/tabby/core/scanner/CallGraphScanner.java b/src/main/java/tabby/core/scanner/CallGraphScanner.java
@@ -77,8 +77,8 @@ public void collect(MethodReference methodRef){
                 return; // sink点为不动点，无需分析该函数内的调用情况  native/抽象函数没有具体的body
             }
 
-//            if("<com.bluecast.xml.Piccolo: void saveAttributeDefinition(java.lang.String,java.lang.String,java.lang.String,int,int,java.lang.String)>".equals(methodRef.getSignature())){
 //            if("<test.FieldSensitivity: void test(benchmark.objects.A)>".equals(methodRef.getSignature())){
+////            if("<test.FieldSensitivity: void test(benchmark.objects.A)>".equals(methodRef.getSignature())){
 //                System.out.println(1);
 //            }else{
 //                return;

diff --git a/src/main/java/tabby/core/soot/switcher/Switcher.java b/src/main/java/tabby/core/soot/switcher/Switcher.java
@@ -107,6 +107,21 @@ public static TabbyVariable doInvokeExprAnalysis(
             Switcher.doMethodAnalysis(subContext, dataContainer, invokeExpr.getMethod(), methodRef, false);
         }
         TabbyVariable retVar = null;
+        if("<init>".equals(methodRef.getName())
+                && baseVar != null && !baseVar.isPolluted(-1)){
+            // 对于new语句 拆分成2个
+            // obj = new type
+            // obj.<init>(xxx)
+            // 为了不丢失污点，这里近似处理
+            // 将args的第一个污点状态传递给obj
+            for(TabbyVariable arg: args.values()){
+                if(arg.isPolluted(-1)){
+                    baseVar.getValue().setPolluted(true);
+                    baseVar.getValue().setRelatedType(arg.getValue().getRelatedType());
+                    break;
+                }
+            }
+        }
         // 参数修正，将从子函数的分析结果套用到当前的localMap
         // 修正 入参和baseVar
         for (Map.Entry<String, String> entry : methodRef.getActions().entrySet()) {
@@ -134,6 +149,8 @@ public static TabbyVariable doInvokeExprAnalysis(
             retVar = parsePosition(methodRef.getActions().get("return"), baseVar, args, true);
         }
 
+
+
         return retVar;
     }
 

diff --git a/src/main/java/tabby/core/soot/switcher/value/SimpleRightValueSwitcher.java b/src/main/java/tabby/core/soot/switcher/value/SimpleRightValueSwitcher.java
@@ -57,10 +57,10 @@ public void caseCastExpr(CastExpr v) {
 //        defaultCase(v);
 //    }
 //
-//    @Override
-//    public void caseNewExpr(NewExpr v) {
-//        setResult(TabbyVariable.makeRandomInstance());
-//    }
+    @Override
+    public void caseNewExpr(NewExpr v) {
+        setResult(TabbyVariable.makeRandomInstance());
+    }
 
     @Override
     public void caseArrayRef(ArrayRef v) {