Skip to content

Inspect the Source Code

Jump to bottom
Limei Gilham edited this page Mar 10, 2015 · 2 revisions

The Droidsafe plugin contains extensions to the Eclipse Java Editor. These extensions enable the analyst to access some Droidsafe analysis results directly from the editor while inspecting the source code.

Contents
  1. Tainted Data Indication
  2. View Taint Sources
  3. Filter Taint Sources
  4. View Call Graphs
  5. Dead Code Indication

1. Tainted Data Indication

Figure 5

Figure 5 shows the editor content when an API sink method call

  ```
  AbstractHttpClient execute (HttpUriRequest)
  ```

is selected from a Droidsafe outline view (e.g. Security Spec Outline or Info Flow Summary). Upon the selection, the editor reveals and highlights the location for the API sink method call in the source file ```PickContact.java'''. In addition, tainted data in the source file are indicated in three parts of the editor:

  • In the editing area, tainted local variables and field references are highlighted brown (e.g. )

  • On the vertical ruler to the left of the editing area, taint decorator are shown at tainted lines

  • On the overview ruler to the right of the editing area, taint decorator are shown at tainted locations relative to the enrire source file

2. View Taint Sources

Taint sources can be viewed in two ways:

  1. Tooltips

    To quickly see the taint sources of a tainted datum, hover over the datum and get a tooltip that displays this information.

    For example, hovering over the tainted local variable txt on line 142 of PickContact.java, the tooltip will show

    It first lists all the taint source categories, then for each taint category it lists the source method calls.

  2. Outline view

    The taint sources of tainted datum can also be displayed in an outline which allows the analyst to navigate to the source method calls when desired.

    1. Double click on the tainted local variable txt on line 142 of PickContact.java to select it. Its highlighting will change from brown to blue.

    2. Right click anywhere in the editing area to bring up an editor context menu for the selected tainted local variable ``txt`

    3. Select [Droidsafe] Show Taint Sources from the context menu

      This will add a new tab Taint Sources to the bottom right window pane, and displays the taint sources as an outline.

    4. Click on the source method call

      <call> android.content.Intent: android.net.Uri getData() - com.example.android.apis.content.PickContact line: 128

      The Droidsafe Info Flow Details view, the Values view and the Points To Info view will be updated to show information on this selected source method call. The editor will also reveals and highlights the line where the source method call is located.

3. Filter Taint Sources

Filtering taint sources allows the analyst to focus on a subset of information flows.

  1. Right click anywhere in the editing area to bring up an editor context menu

  2. Select [Droidsafe] Filter Taint Sources from the context menu

    The popup window contains two levels of display. The first level shows all the information source categories for the current project. The second level shows the information source method calls for each source category. Above figure shows the fully expanded content for our example.

  3. Click on the second source categories IPC to uncheck it. The corresponding source method call will also become unchecked. This will filter out the taint sources in the IPC category.

  4. Click on OK.

    This will cause the editor and the Taint Sources view to be updated accordingly.

    • The editor content will be updated to show only tainted data with the filtered taint sources

    • The tooltips for the tainted data displayed in the editor will be updated to show only the filtered taint sources

      For example, hover over the tainted local variable txt on line 142 of PickContact.java

      The tooltip will show the filtered taint sources:

    • The Taint Sources outline on the right hand side of the editor will be updated to contain only the filteted taint sources.

      For example, the outline for the tainted local variable txt on line 142 of PickContact.java will now only contain one source category

      DATABASE_INFORMATION

      and one source method call

      <call> droidsafe.concrete.DSCursor: int getInt(int) - com.example.android.apis.content.PickContact line: 136

4. View Call Graphs

Given a method call or a method declaration in the editor, the analyst can view the collapsed call graph generated by Droidsafe for the method. The collapsed call graph does not include API methods, but it shortcuts edges between application methods through API methods.

  • View the callee graph for a method call

    1. Double click on the method name startActivityForResult of a method call on line 79 of PickContact.java to select it. The blue highlight indicates it is the current selection in the editor.

    2. Right click anywhere in the editing area to bring up an editor context menu for the selected method call

    3. Select [Droidsafe] Show Call Graph from the context menu

      This will add a new tab Call Graph to the bottom right window pane, and displays the callee graph for the selected call as an outline.

      The top level nodes are the (collapsed) call targets of the selected call. In this case, there is one target

      com.example.android.apis.content.PickContact: void onActivityResult(int,int,android.content.Intent)

      The second level nodes are the two callees of onActivityResult(int,int,Intent), i.e. sendData(Intent) and showData(Intent).

    4. Select a method node from the Call Graph outline, the Droidsafe views and the editor will be updated accordingly:

      • Info Flow Details view - shows detailed info flow analysis results computed for this method.
      • Values view - shows the value analysis results computed for this method.
      • Points To Info view - shows the points-to analysis results computed for this method.
      • Editor - reveals and highlights the file location corresponding to this method.

  • View the caller graph for a method declaration

    1. Double click on the method name showData of a method declaration on line 153 PickContact.java to select it. The blue highlight indicates it is the current selection in the editor.

    2. Right click anywhere in the editing area to bring up an editor context menu for the selected method call

    3. Select [Droidsafe] Show Call Graph from the context menu

      This will display the caller graph for the selection method as an outline in the Call Graph view in the bottom right window pane.

      The top level node represents the selected method.

      com.example.android.apis.content.PickContact: void sendData(android.content.Intent)

      The second level node is the caller of sendData(android.content.Intent)

      android.app.Activity: void startActivityForResult(android.content.Intent,int)

    4. Click on in the toolbar of the Call Graph view to expand the caller graph to show all levels

    5. Select a method node from the Call Graph outline, the Droidsafe views and the editor will be updated accordingly:

      • Info Flow Details view - shows detailed info flow analysis results computed for this method.
      • Values view - shows the value analysis results computed for this method.
      • Points To Info view - shows the points-to analysis results computed for this method.
      • Editor - reveals and highlights the file location corresponding to this method.

5. Dead Code Indication

Unreachable methods are indicated in the editor by highlighting the code in dark grey. For example, the method setDeviceID(String) in PickContact.java is unreachable. It is highlighted in the editor as shown below:

Previous section: Inspect the Indicators

Table of Contents

Clone this wiki locally