Package proguard.analysis.cpa.util

Class TaintAnalyzer

java.lang.Object

proguard.analysis.cpa.util.TaintAnalyzer

public class TaintAnalyzer
extends java.lang.Object

Helper class to analyze taints propagation in a program inter-procedurally (i.e., if the result of the invocation of a TaintSource affects a TaintSink).

The analyzer can be configured in several ways via TaintAnalyzer.Builder.

The analyze(MethodSignature) method can be called to perform the configured analysis starting from a given method in the program.

The same analyzer can be used to analyze several methods in sequence, in this case the analysis BamCache will be shared between the sequential analyses making them potentially avoid recalculating the results when a method is called again with known parameters.

This might sometimes not be the desired behavior, since the cache might take a lot of memory. If this is a concern rebuilding the TaintAnalyzer from the original TaintAnalyzer.Builder will provide a fresh cache.

Another problem of not currently having snapshots of the cache for a single run of analyze(MethodSignature) is that some components of TaintAnalyzerResult that take a long time to compute might be recalculated several times for different runs. For this reason:

• Sink locations triggered by a valid source are not computed until needed. This happens when computing the witness traces or when calling TaintAnalyzerResult.TaintAnalysisResult.getEndpoints() or TaintAnalyzerResult.TaintAnalysisResult.getEndpointToTriggeredSinks().
• Witness traces are not calculated unless the trace reconstruction result has been explicitly requested via TaintAnalyzerResult.getTraceReconstructionResult().

When using a cache that just keeps all results (i.e. without evictions), which is the only type originally available, this means that it's best to calculate endpoints and witness traces only on the TaintAnalyzerResult provided by the last run of analyze(MethodSignature) for the analyzer.

TaintAnalyzer is currently not designed to be thread safe. Among the known reasons, the currently available BamCaches are not designed for concurrent access.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	TaintAnalyzer.Builder	Class to configure and build a TaintAnalyzer.

Method Summary

Modifier and Type	Method	Description
TaintAnalyzerResult	analyze(MethodSignature mainSignature)	Run the taint analysis on the given method.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

analyze

public TaintAnalyzerResult analyze(MethodSignature mainSignature)

Run the taint analysis on the given method.

The results are not intended as just for the last execution, but as a view on the full analysis' cache.

Since the cache at the moment has no capability to remember the last execution, the result will change as the cache changes (i.e., after calling this again on a new method, old instances of TaintAnalyzerResult will also be updated).

Parameters:

mainSignature - the signature of the method to analyze.

Returns:

the result of the analysis.