FlowDroid
Can FlowDroid track the taint for specific elements in HashMap?
I am new to FlowDroid. As far as I know, the taint starts from the source, which is the method that reads sensitive data. However, in my case, the sensitive data is only part of the return value of the source methods, such as specific elements in a HashMap. If I track the taint of the entire return value, there will be many false positives. So, I wonder if FlowDroid can specify the sensitive part of the return value? Thanks!
FlowDroid can specify individual fields reachable from the return value of a particular method as a source. Take the following example:

```java
a = source();
leak(a.f);
```

You can configure it to only treat `a.g` as a source and avoid a false positive in the example. However, FlowDroid does not distinguish between individual elements in a map or list. This is something you can implement, but it's not trivial.
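The distinction drawn in the answer above, as a toy access-path taint model (an added example, not FlowDroid code and not part of the original thread). The statement format, `analyze`, and the `key_sensitive` switch are hypothetical; the key-sensitive mode assumes map keys are constant strings.

```python
# Toy access-path taint tracker (constructed for illustration only).
# A taint is a tuple such as ("a", "g"). With key_sensitive=False a map is one
# abstract object, so "m[imei]" and "m[city]" both collapse to ("m",).

def analyze(program, key_sensitive=False):
    """Return the sink arguments that would be reported as leaks."""
    tainted, leaks = set(), []

    def path(expr):
        if "[" in expr:                      # map access, e.g. "m[imei]"
            base, key = expr[:-1].split("[", 1)
            return (base, "[" + key + "]") if key_sensitive else (base,)
        return tuple(expr.split("."))        # field access, e.g. "a.g"

    def is_tainted(expr):
        # Tainted if the path itself or any prefix of it is tainted:
        # a tainted object taints everything reachable from it.
        p = path(expr)
        return any(p[:i] in tainted for i in range(1, len(p) + 1))

    for op, *args in program:
        if op == "source":                   # ("source", [sensitive exprs])
            tainted.update(path(e) for e in args[0])
        elif op == "assign":                 # ("assign", lhs, rhs)
            lhs, rhs = args
            if is_tainted(rhs):
                tainted.add(path(lhs))
        elif op == "sink":                   # ("sink", expr)
            if is_tainted(args[0]):
                leaks.append(args[0])
    return leaks

# a = source(); only a.g is configured as sensitive.
FIELD_PROGRAM = [
    ("source", ["a.g"]),
    ("sink", "a.f"),                         # not reported: a.f is clean
    ("sink", "a.g"),
]

# m = source(); only the value under key "imei" is sensitive.
MAP_PROGRAM = [
    ("source", ["m[imei]"]),
    ("assign", "city", "m[city]"),
    ("assign", "id", "m[imei]"),
    ("sink", "city"),                        # false positive without keys
    ("sink", "id"),
]

if __name__ == "__main__":
    print(analyze(FIELD_PROGRAM))                    # field-sensitive source
    print(analyze(MAP_PROGRAM))                      # map as one object
    print(analyze(MAP_PROGRAM, key_sensitive=True))  # per-key tracking
```

Real collection-sensitive analysis is harder than this sketch because keys are often not constants and maps may be aliased or iterated.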
Thanks, @StevenArzt. Are there any references (papers or open-source tools) for distinguishing between individual elements in a `Collection` during taint analysis?