[Soot-list] How to track a String variable backward in Jimple?


Steven Lee

Apr 20, 2014, 10:01:46 PM4/20/14
to soot...@sable.mcgill.ca

Hello everyone,


I’m trying to estimate a variable’s value in Java. Here are my Java code and the corresponding Jimple code:


Java:

    public static void main(String[] args) {
        String x, y;
        x = "hello, ";
        y = x + "world";
        x = y;
    }


Jimple:

01> public static void main(java.lang.String[]){
02>     java.lang.String[] args;
03>     java.lang.String x, y, $r1;
04>     java.lang.StringBuilder $r0;
05>     args := @parameter0: java.lang.String[];
06>     x = "hello, ";
07>     $r0 = new java.lang.StringBuilder;
08>     $r1 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>(x);
09>     specialinvoke $r0.<java.lang.StringBuilder: void <init>(java.lang.String)>($r1);
10>     $r0 = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("world");
11>     y = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.String toString()>();
12>     x = y;
13>     return;
14> }


I want to use static analysis to find what the value of variable “y” is at line 12, so I used SimpleLocalDefs.getDefsOfAt() to find where “y” was assigned. That led me to line 11, where I found that I need to know the value of $r0. The same way I arrived at line 10; however, this time when I called SimpleLocalDefs.getDefsOfAt(), it returned line 07, where $r0 was initialized, instead of line 09, which I thought was the nearest place where $r0 was defined or changed.


I know this is because of the Reaching-Definition Analysis’s scheme. Then what can I do to continue my work? I’m considering re-implementing my own Reaching-Definition Analysis according to my needs; is that an acceptable approach? I also want to know more about Jimple’s String manipulation but failed to find any complete and systematic documentation. Does it exist?


Thanks in advance.


Steven Lee

Dacong Yan

Apr 21, 2014, 12:08:55 AM4/21/14
to Steven Lee, Soot list
Hi Steven Lee,

For a complete, full-blown solution, you may want to look at the Java
String Analyzer <http://www.brics.dk/JSA/>. If you need an easy hack
to track a few simple cases, you can, on top of the
Reaching-Definition Analysis, record calls like
StringBuilder.append(), StringBuffer.append(), etc., and see if you can
figure out what the result strings should be.

Thanks,
Tony

> _______________________________________________
> Soot-list mailing list
> Soot...@CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>

--
Dacong (Tony) Yan
Ph.D. Student
Computer Science and Engineering
The Ohio State University, Columbus
http://www.cse.ohio-state.edu/~yan

Steven Lee

Apr 21, 2014, 3:16:24 AM4/21/14
to Dacong Yan, soot...@sable.mcgill.ca
Is Soot based on the Java String Analyzer you mentioned? I do want to do something on top of RD Analysis, but as long as I still track the wrong line, I can't locate those calls precisely; that is what I'm worried about now.

Thanks anyway,
Steven


Steven Arzt

Apr 21, 2014, 7:10:15 AM4/21/14
to Steven Lee, Dacong Yan, soot...@sable.mcgill.ca
Hi Steven,

Soot is not based on a String analyzer, and there are no special semantics for Strings in Jimple either, since such constructs do not exist in Java or Dalvik bytecode. String operations are just normal calls to library methods that operate on regular objects. For static analysis, however, this makes it harder to figure out the concrete values String variables can have at runtime (which may be ambiguous when conditionals are present). There are some purely static approaches like the one Dacong has mentioned, but they all have their limitations, and most of them are not very fast either. In the end, it depends on what you need: if you only want to analyze simple examples, you might be able to create something on top of IFDS/IDE that performs backward tracking on String variables and manually models the effect of String/StringBuilder/StringBuffer/etc. methods. If you are dealing with highly obfuscated malware applications, that won't lead you very far, though.

We are working on something cool for String analysis in our group at the moment btw., but it's still work in progress.

Best regards,
Steven

-----Original Message-----
From: soot-lis...@CS.McGill.CA [mailto:soot-lis...@CS.McGill.CA] On behalf of Steven Lee
Sent: Monday, 21 April 2014 09:16
To: 'Dacong Yan'
Cc: soot...@sable.mcgill.ca
Subject: Re: [Soot-list] How to track a String variable backward in Jimple?
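An added example, not code from this thread or from Soot: a small Python model of the backward tracking that Tony and Steven describe, run over the Jimple statements from the first post (embedded below as constructed input, keyed by the post's line numbers). `defs_of_at` mimics what the plain reaching-definition query reported (line 07 for $r0 at line 10), while `value_before` also treats `<init>` and `append` calls on the builder as modifications of it, and so recovers the string that `y` holds at line 12.

```python
import re
# Constructed input: the Jimple statements from the post, with the post's line numbers.
JIMPLE = [
    (6, 'x = "hello, "'),
    (7, '$r0 = new java.lang.StringBuilder'),
    (8, '$r1 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>(x)'),
    (9, 'specialinvoke $r0.<java.lang.StringBuilder: void <init>(java.lang.String)>($r1)'),
    (10, '$r0 = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("world")'),
    (11, 'y = virtualinvoke $r0.<java.lang.StringBuilder: java.lang.String toString()>()'),
    (12, 'x = y'),
]
ASSIGN = re.compile(r'^(\$?\w+) = (.*)$')
# groups: invoke kind, base local (None for static calls), class, method name, argument list
INVOKE = re.compile(r'^(\w+invoke) (?:(\$?\w+)\.)?<([\w.]+): [\w.\[\]]+ (<?\w+>?)\([^)]*\)>\((.*)\)$')

def split(stmt):
    m = ASSIGN.match(stmt)
    return (m.group(1), m.group(2)) if m else (None, stmt)

def defs_of_at(var, line):
    """Plain reaching definition, as SimpleLocalDefs.getDefsOfAt() reports it:
    the nearest earlier statement that assigns to var (calls on var do not count)."""
    return next((ln for ln, s in reversed(JIMPLE) if ln < line and split(s)[0] == var), None)

def operand(tok, line):
    return tok[1:-1] if tok.startswith('"') else value_before(tok, line)

def value_before(var, line):
    """String held by var (or by the StringBuilder it points to) just before `line`."""
    for ln, stmt in reversed([p for p in JIMPLE if p[0] < line]):
        lhs, rhs = split(stmt)
        call = INVOKE.match(rhs)
        name, base, args = (call.group(4), call.group(2), call.group(5)) if call else (None, None, '')
        if lhs == var:                               # a real definition of var
            if rhs.startswith('"'):
                return rhs[1:-1]                     # string constant
            if rhs.startswith('new '):
                return ''                            # fresh, empty builder
            if name in ('valueOf', 'toString'):
                return operand(args or base, ln)
            if name == 'append':
                return operand(base, ln) + operand(args, ln)
            return operand(rhs, ln)                  # copy of another local
        if base == var:                              # a call on var mutates the object
            if name == '<init>':
                return operand(args, ln) if args else ''
            if name == 'append':
                return operand(var, ln) + operand(args, ln)
    raise LookupError(f'{var} is undefined before line {line}')
```

Only the handful of String/StringBuilder methods that appear in the post are modelled; any other call reaches the `LookupError`, which is the point at which a real analysis would need a wider model or a tool like JSA.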
