├── .classpath ├── .project ├── .settings └── org.eclipse.jdt.core.prefs ├── README.md ├── bin ├── org │ └── json │ │ ├── CDL.class │ │ ├── Cookie.class │ │ ├── CookieList.class │ │ ├── HTTP.class │ │ ├── HTTPTokener.class │ │ ├── JSONArray.class │ │ ├── JSONException.class │ │ ├── JSONML.class │ │ ├── JSONObject$Null.class │ │ ├── JSONObject.class │ │ ├── JSONPointer$Builder.class │ │ ├── JSONPointer.class │ │ ├── JSONPointerException.class │ │ ├── JSONString.class │ │ ├── JSONStringer.class │ │ ├── JSONTokener.class │ │ ├── JSONWriter.class │ │ ├── LICENSE │ │ ├── Property.class │ │ ├── README │ │ ├── XML.class │ │ └── XMLTokener.class └── osu │ └── seclab │ └── inputscope │ ├── main │ └── runTest.class │ ├── stringvsa │ ├── backwardslicing │ │ ├── BackwardContext.class │ │ ├── BackwardController.class │ │ ├── CallStackItem.class │ │ ├── DataSourceType.class │ │ ├── ICollecter.class │ │ └── TaintRules.class │ ├── base │ │ ├── ExecTrace.class │ │ ├── GlobalStatistics.class │ │ ├── ParameterTransferStmt$LinkedVariableBox.class │ │ ├── ParameterTransferStmt.class │ │ ├── StmtPoint.class │ │ └── TargetType.class │ ├── forwardexec │ │ ├── SimulateEngine.class │ │ └── StmtPath.class │ ├── graph │ │ ├── CallGraph.class │ │ ├── CallGraphNode.class │ │ ├── DGraph.class │ │ ├── HeapObject.class │ │ ├── IDGNode.class │ │ ├── ValuePoint.class │ │ └── specialcase │ │ │ └── FindInClassAdd.class │ ├── main │ │ ├── ApkContext.class │ │ └── Config.class │ └── utility │ │ ├── BlockGenerator.class │ │ ├── BlockUtility.class │ │ ├── ErrorHandler.class │ │ ├── FileUtility.class │ │ ├── FunctionUtility.class │ │ ├── ListUtility.class │ │ ├── Logger.class │ │ ├── MethodUtility.class │ │ ├── OtherUtility$AddCompute.class │ │ ├── OtherUtility$AndCompute.class │ │ ├── OtherUtility$Compute.class │ │ ├── OtherUtility$DivCompute.class │ │ ├── OtherUtility$MulCompute.class │ │ ├── OtherUtility$OrCompute.class │ │ ├── OtherUtility$ShlCompute.class │ │ ├── OtherUtility$ShrCompute.class │ │ ├── OtherUtility$SubCompute.class │ │ ├── OtherUtility$UshrCompute.class │ │ ├── OtherUtility$XorCompute.class │ │ └── OtherUtility.class │ └── taintanalysis │ ├── base │ ├── SinkMethod.class │ ├── SourcePoint.class │ └── TaintQuestion.class │ ├── main │ ├── CrossPath.class │ ├── QuestionGenerator.class │ └── TResSolve.class │ ├── solver │ ├── CallStackItem.class │ ├── SimulationContext.class │ ├── SimulationEngine.class │ ├── StmtItem.class │ └── TaintQuestionSolver.class │ └── utility │ ├── BlockGenerator.class │ ├── FileUtility.class │ ├── ListUtility.class │ ├── Logger.class │ ├── MethodUtility.class │ ├── TimeUtility$1.class │ └── TimeUtility.class ├── example └── InputScopeExample.apk ├── libs ├── android.jar ├── apktool-lib_fat.jar ├── javatuples-1.2.jar ├── json-20151123.jar └── xmlpull-1.1.3.1.jar ├── src ├── org │ └── json │ │ ├── CDL.java │ │ ├── Cookie.java │ │ ├── CookieList.java │ │ ├── HTTP.java │ │ ├── HTTPTokener.java │ │ ├── JSONArray.java │ │ ├── JSONException.java │ │ ├── JSONML.java │ │ ├── JSONObject.java │ │ ├── JSONPointer.java │ │ ├── JSONPointerException.java │ │ ├── JSONString.java │ │ ├── JSONStringer.java │ │ ├── JSONTokener.java │ │ ├── JSONWriter.java │ │ ├── LICENSE │ │ ├── Property.java │ │ ├── README │ │ ├── XML.java │ │ └── XMLTokener.java └── osu │ └── seclab │ └── inputscope │ ├── main │ └── runTest.java │ ├── stringvsa │ ├── backwardslicing │ │ ├── BackwardContext.java │ │ ├── BackwardController.java │ │ ├── CallStackItem.java │ │ ├── DataSourceType.java │ │ ├── ICollecter.java │ │ └── TaintRules.java │ ├── base │ │ ├── ExecTrace.java │ │ ├── GlobalStatistics.java │ │ ├── ParameterTransferStmt.java │ │ ├── StmtPoint.java │ │ └── TargetType.java │ ├── forwardexec │ │ ├── SimulateEngine.java │ │ └── StmtPath.java │ ├── graph │ │ ├── CallGraph.java │ │ ├── CallGraphNode.java │ │ ├── DGraph.java │ │ ├── HeapObject.java │ │ ├── IDGNode.java │ │ ├── ValuePoint.java │ │ └── specialcase │ │ │ └── FindInClassAdd.java │ ├── main │ │ ├── ApkContext.java │ │ └── Config.java │ └── utility │ │ ├── BlockGenerator.java │ │ ├── BlockUtility.java │ │ ├── ErrorHandler.java │ │ ├── FileUtility.java │ │ ├── FunctionUtility.java │ │ ├── ListUtility.java │ │ ├── Logger.java │ │ ├── MethodUtility.java │ │ └── OtherUtility.java │ └── taintanalysis │ ├── base │ ├── SinkMethod.java │ ├── SourcePoint.java │ └── TaintQuestion.java │ ├── main │ ├── CrossPath.java │ ├── QuestionGenerator.java │ └── TResSolve.java │ ├── solver │ ├── CallStackItem.java │ ├── SimulationContext.java │ ├── SimulationEngine.java │ ├── StmtItem.java │ └── TaintQuestionSolver.java │ └── utility │ ├── BlockGenerator.java │ ├── FileUtility.java │ ├── ListUtility.java │ ├── Logger.java │ ├── MethodUtility.java │ └── TimeUtility.java └── taintrules.json /.classpath: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | InputScope_TVSA 4 | 5 | 6 | 7 | 8 | 9 | org.eclipse.jdt.core.javabuilder 10 | 11 | 12 | 13 | 14 | 15 | org.eclipse.jdt.core.javanature 16 | 17 | 18 | -------------------------------------------------------------------------------- /.settings/org.eclipse.jdt.core.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled 3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8 4 | org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve 5 | org.eclipse.jdt.core.compiler.compliance=1.8 6 | org.eclipse.jdt.core.compiler.debug.lineNumber=generate 7 | org.eclipse.jdt.core.compiler.debug.localVariable=generate 8 | org.eclipse.jdt.core.compiler.debug.sourceFile=generate 9 | org.eclipse.jdt.core.compiler.problem.assertIdentifier=error 10 | org.eclipse.jdt.core.compiler.problem.enumIdentifier=error 11 | org.eclipse.jdt.core.compiler.source=1.8 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # InputScope 2 | **InputScope** is a static analysis tool to automatically uncover hidden behaviors from user-input validation in mobile apps. The key components of **InputScope** are **Taint Analysis** and **String Value Analysis**. With these two components, **InputScope** takes the apk file of an app as input and uncovers both the context of user-input validation and also the comparison content that can be used with identify different types of hidden behaviors with a set of policies. 3 | 4 | For more details, please see the following [running example](#jump) and [our paper](https://web.cse.ohio-state.edu/~lin.3021/file/SP20.pdf) (S&P 2020) 5 | 6 | # Dependencies 7 | This is an Eclipse project that depends on Flowdroid: 8 | 9 | - [flowdroid](https://github.com/secure-software-engineering/FlowDroid) 10 | - [soot-infoflow-android](https://github.com/secure-software-engineering/FlowDroid/tree/master/soot-infoflow-android "soot-infoflow-android") 11 | - [soot-infoflow-cmd](https://github.com/secure-software-engineering/FlowDroid/tree/master/soot-infoflow-cmd "soot-infoflow-cmd") 12 | - [soot-infoflow-summaries](https://github.com/secure-software-engineering/FlowDroid/tree/master/soot-infoflow-summaries "soot-infoflow-summaries") 13 | - [soot-infoflow](https://github.com/secure-software-engineering/FlowDroid/tree/master/soot-infoflow "soot-infoflow") 14 | 15 | # Running Example 16 | 17 | ### target example code from *example/InputScopeExample.apk* 18 | 19 | ```java 20 | ... 21 | 22 | public class LoginActivity extends AppCompatActivity { 23 | 24 | private String successmsg = "Success"; 25 | private String failmsg = "Fail"; 26 | 27 | 28 | @Override 29 | public void onCreate(Bundle savedInstanceState) { 30 | ... 31 | final EditText masterpwdEditText = findViewById(R.id.masterpwd); 32 | final Button masterpwdButton = findViewById(R.id.b_masterpwd); 33 | SharedPreferences sharedpreferences = getApplicationContext().getSharedPreferences("password", Context.MODE_PRIVATE); 34 | SharedPreferences.Editor editor = sharedpreferences.edit(); 35 | editor.putString("pwd", "tryMasterPwd"); 36 | editor.commit(); 37 | ... 38 | masterpwdButton.setOnClickListener(new View.OnClickListener() { 39 | @Override 40 | public void onClick(View v) { 41 | masterpwdActions(masterpwdEditText.getText().toString()); 42 | } 43 | }); 44 | ... 45 | } 46 | 47 | private void masterpwdActions(String value){ 48 | SharedPreferences sharePre = getApplicationContext().getSharedPreferences("password", Context.MODE_PRIVATE); 49 | String fromSP = sharePre.getString("pwd", "non_exist"); 50 | 51 | //user-input validation 52 | if (value.equals(fromSP) || value.equals("test_mp")){ 53 | Toast.makeText(getApplicationContext(), "Master Password Test "+successmsg, Toast.LENGTH_LONG).show(); 54 | }else{ 55 | Toast.makeText(getApplicationContext(), "Master Password Test "+failmsg, Toast.LENGTH_LONG).show(); 56 | } 57 | } 58 | } 59 | ``` 60 | 61 | ### run 62 | Please make sure the taintrules.json file is in the same directory as InputScope.jar 63 | ```sh 64 | $ java -jar InputScope.jar ./example/InputScopeExample.apk ./libs/android.jar 65 | May 20, 2019 8:53:14 PM brut.androlib.res.AndrolibResources loadMainPkg 66 | INFO: Loading resource table... 67 | ... 68 | 69 | {"sinks":[{"unit":"$z0 = virtualinvoke $r1.(\"test_mp\")","method":"","src":["HARDCODED_STR"],"values":[{"0":["test_mp"]}]},{"unit":"$z0 = virtualinvoke $r1.($r4)","method":"","src":["LOCALFILEShare","HARDCODED_STR"],"values":[{"0":["SharedPreferences_GetString->\"pwd\""]}]}],"source":{"unit":"$r4 = virtualinvoke $r3.()","method":"","unitIndex":4}} 70 | 71 | ... 72 | ``` 73 | 74 | ### example result explanation 75 | ```json 76 | { 77 | "sinks":[ 78 | { 79 | "unit":"$z0 = virtualinvoke $r1.(\"test_mp\")", 80 | "method":"", 81 | "src":[ 82 | "HARDCODED_STR" 83 | ], 84 | "values":[ 85 | { 86 | "0":[ 87 | "test_mp" 88 | ] 89 | } 90 | ] 91 | }, 92 | { 93 | "unit":"$z0 = virtualinvoke $r1.($r4)", 94 | "method":"", 95 | "src":[ 96 | "LOCALFILEShare", 97 | "HARDCODED_STR" 98 | ], 99 | "values":[ 100 | { 101 | "0":[ 102 | "SharedPreferences_GetString->\"pwd\"" 103 | ] 104 | } 105 | ] 106 | } 107 | ], 108 | "source":{ 109 | "unit":"$r4 = virtualinvoke $r3.()", 110 | "method":"", 111 | "unitIndex":4 112 | } 113 | } 114 | ``` 115 | **source** includes information about a single user-input, and each **sink** is for one input validation of such user-input. 116 | 117 | # Citing 118 | 119 | If you create a research work that uses our work, please cite the associated paper: 120 | ``` 121 | @inproceedings{inputscope:sp20, 122 | author = {Qingchuan Zhao and Chaoshun Zuo and Brendan Dolan-Gavitt and Giancarlo Pellegrino and Zhiqiang Lin} , 123 | title = {Automatic Uncovering of Hidden Behaviors From Input Validation in Mobile Apps}, 124 | booktitle = {Proceedings of the 2020 IEEE Symposium on Security and Privacy}, 125 | address = {San Francisco, CA}, 126 | month = {May}, 127 | year = 2020, 128 | } 129 | ``` 130 | -------------------------------------------------------------------------------- /bin/org/json/CDL.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/CDL.class -------------------------------------------------------------------------------- /bin/org/json/Cookie.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/Cookie.class -------------------------------------------------------------------------------- /bin/org/json/CookieList.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/CookieList.class -------------------------------------------------------------------------------- /bin/org/json/HTTP.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/HTTP.class -------------------------------------------------------------------------------- /bin/org/json/HTTPTokener.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/HTTPTokener.class -------------------------------------------------------------------------------- /bin/org/json/JSONArray.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONArray.class -------------------------------------------------------------------------------- /bin/org/json/JSONException.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONException.class -------------------------------------------------------------------------------- /bin/org/json/JSONML.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONML.class -------------------------------------------------------------------------------- /bin/org/json/JSONObject$Null.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONObject$Null.class -------------------------------------------------------------------------------- /bin/org/json/JSONObject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONObject.class -------------------------------------------------------------------------------- /bin/org/json/JSONPointer$Builder.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONPointer$Builder.class -------------------------------------------------------------------------------- /bin/org/json/JSONPointer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONPointer.class -------------------------------------------------------------------------------- /bin/org/json/JSONPointerException.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONPointerException.class -------------------------------------------------------------------------------- /bin/org/json/JSONString.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONString.class -------------------------------------------------------------------------------- /bin/org/json/JSONStringer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONStringer.class -------------------------------------------------------------------------------- /bin/org/json/JSONTokener.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONTokener.class -------------------------------------------------------------------------------- /bin/org/json/JSONWriter.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/JSONWriter.class -------------------------------------------------------------------------------- /bin/org/json/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2002 JSON.org 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | The Software shall be used for Good, not Evil. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /bin/org/json/Property.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/Property.class -------------------------------------------------------------------------------- /bin/org/json/README: -------------------------------------------------------------------------------- 1 | JSON in Java [package org.json] 2 | 3 | JSON is a light-weight, language independent, data interchange format. 4 | See http://www.JSON.org/ 5 | 6 | The files in this package implement JSON encoders/decoders in Java. 7 | It also includes the capability to convert between JSON and XML, HTTP 8 | headers, Cookies, and CDL. 9 | 10 | This is a reference implementation. There is a large number of JSON packages 11 | in Java. Perhaps someday the Java community will standardize on one. Until 12 | then, choose carefully. 13 | 14 | The license includes this restriction: "The software shall be used for good, 15 | not evil." If your conscience cannot live with that, then choose a different 16 | package. 17 | 18 | The package compiles on Java 1.6-1.8. 19 | 20 | 21 | JSONObject.java: The JSONObject can parse text from a String or a JSONTokener 22 | to produce a map-like object. The object provides methods for manipulating its 23 | contents, and for producing a JSON compliant object serialization. 24 | 25 | JSONArray.java: The JSONObject can parse text from a String or a JSONTokener 26 | to produce a vector-like object. The object provides methods for manipulating 27 | its contents, and for producing a JSON compliant array serialization. 28 | 29 | JSONTokener.java: The JSONTokener breaks a text into a sequence of individual 30 | tokens. It can be constructed from a String, Reader, or InputStream. 31 | 32 | JSONException.java: The JSONException is the standard exception type thrown 33 | by this package. 34 | 35 | JSONPointer.java: Implementation of 36 | [JSON Pointer (RFC 6901)](https://tools.ietf.org/html/rfc6901). Supports 37 | JSON Pointers both in the form of string representation and URI fragment 38 | representation. 39 | 40 | JSONString.java: The JSONString interface requires a toJSONString method, 41 | allowing an object to provide its own serialization. 42 | 43 | JSONStringer.java: The JSONStringer provides a convenient facility for 44 | building JSON strings. 45 | 46 | JSONWriter.java: The JSONWriter provides a convenient facility for building 47 | JSON text through a writer. 48 | 49 | 50 | CDL.java: CDL provides support for converting between JSON and comma 51 | delimited lists. 52 | 53 | Cookie.java: Cookie provides support for converting between JSON and cookies. 54 | 55 | CookieList.java: CookieList provides support for converting between JSON and 56 | cookie lists. 57 | 58 | HTTP.java: HTTP provides support for converting between JSON and HTTP headers. 59 | 60 | HTTPTokener.java: HTTPTokener extends JSONTokener for parsing HTTP headers. 61 | 62 | XML.java: XML provides support for converting between JSON and XML. 63 | 64 | JSONML.java: JSONML provides support for converting between JSONML and XML. 65 | 66 | XMLTokener.java: XMLTokener extends JSONTokener for parsing XML text. 67 | 68 | Unit tests are maintained in a separate project. Contributing developers can test 69 | JSON-java pull requests with the code in this project: 70 | https://github.com/stleary/JSON-Java-unit-test 71 | 72 | Numeric types in this package comply with ECMA-404: The JSON Data Interchange Format 73 | (http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf) and 74 | RFC 7159: The JavaScript Object Notation (JSON) Data Interchange Format 75 | (https://tools.ietf.org/html/rfc7159#section-6). 76 | This package fully supports Integer, Long, and Double Java types. Partial support 77 | for BigInteger and BigDecimal values in JSONObject and JSONArray objects is provided 78 | in the form of get(), opt(), and put() API methods. 79 | 80 | Although 1.6 compatibility is currently supported, it is not a project goal and may be 81 | removed in some future release. 82 | 83 | In compliance with RFC7159 page 10 section 9, the parser is more lax with what is valid 84 | JSON than the Generator. For Example, the tab character (U+0009) is allowed when reading 85 | JSON Text strings, but when output by the Generator, tab is properly converted to \t in 86 | the string. Other instances may occur where reading invalid JSON text does not cause an 87 | error to be generated. Malformed JSON Texts such as missing end " (quote) on strings or 88 | invalid number formats (1.2e6.3) will cause errors as such documents can not be read 89 | reliably. 90 | 91 | Release history: 92 | 93 | 20160810 Revert code that was breaking opt*() methods. 94 | 95 | 20160807 This release contains a bug in the JSONObject.opt*() and JSONArray.opt*() methods, 96 | it is not recommended for use. 97 | Java 1.6 compatability fixed, JSONArray.toList() and JSONObject.toMap(), 98 | RFC4180 compatibility, JSONPointer, some exception fixes, optional XML type conversion. 99 | Contains the latest code as of 7 Aug, 2016 100 | 101 | 20160212 Java 1.6 compatibility, OSGi bundle. Contains the latest code as of 12 Feb, 2016. 102 | 103 | 20151123 JSONObject and JSONArray initialization with generics. Contains the 104 | latest code as of 23 Nov, 2015. 105 | 106 | 20150729 Checkpoint for Maven central repository release. Contains the latest code 107 | as of 29 July, 2015. 108 | 109 | JSON-java releases can be found by searching the Maven repository for groupId "org.json" 110 | and artifactId "json". For example: 111 | https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.json%22%20AND%20a%3A%22json%22 112 | -------------------------------------------------------------------------------- /bin/org/json/XML.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/XML.class -------------------------------------------------------------------------------- /bin/org/json/XMLTokener.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/org/json/XMLTokener.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/main/runTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/main/runTest.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/BackwardContext.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/BackwardContext.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/BackwardController.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/BackwardController.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/CallStackItem.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/CallStackItem.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/DataSourceType.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/DataSourceType.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/ICollecter.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/ICollecter.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/backwardslicing/TaintRules.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/backwardslicing/TaintRules.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/ExecTrace.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/ExecTrace.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/GlobalStatistics.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/GlobalStatistics.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/ParameterTransferStmt$LinkedVariableBox.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/ParameterTransferStmt$LinkedVariableBox.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/ParameterTransferStmt.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/ParameterTransferStmt.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/StmtPoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/StmtPoint.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/base/TargetType.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/base/TargetType.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/forwardexec/SimulateEngine.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/forwardexec/SimulateEngine.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/forwardexec/StmtPath.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/forwardexec/StmtPath.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/CallGraph.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/CallGraph.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/CallGraphNode.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/CallGraphNode.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/DGraph.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/DGraph.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/HeapObject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/HeapObject.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/IDGNode.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/IDGNode.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/ValuePoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/ValuePoint.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/graph/specialcase/FindInClassAdd.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/graph/specialcase/FindInClassAdd.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/main/ApkContext.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/main/ApkContext.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/main/Config.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/main/Config.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/BlockGenerator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/BlockGenerator.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/BlockUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/BlockUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/ErrorHandler.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/ErrorHandler.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/FileUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/FileUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/FunctionUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/FunctionUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/ListUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/ListUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/Logger.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/Logger.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/MethodUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/MethodUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$AddCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$AddCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$AndCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$AndCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$Compute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$Compute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$DivCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$DivCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$MulCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$MulCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$OrCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$OrCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$ShlCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$ShlCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$ShrCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$ShrCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$SubCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$SubCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$UshrCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$UshrCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$XorCompute.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility$XorCompute.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/stringvsa/utility/OtherUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/base/SinkMethod.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/base/SinkMethod.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/base/SourcePoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/base/SourcePoint.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/base/TaintQuestion.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/base/TaintQuestion.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/main/CrossPath.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/main/CrossPath.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/main/QuestionGenerator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/main/QuestionGenerator.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/main/TResSolve.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/main/TResSolve.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/solver/CallStackItem.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/solver/CallStackItem.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/solver/SimulationContext.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/solver/SimulationContext.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/solver/SimulationEngine.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/solver/SimulationEngine.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/solver/StmtItem.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/solver/StmtItem.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/solver/TaintQuestionSolver.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/solver/TaintQuestionSolver.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/BlockGenerator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/BlockGenerator.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/FileUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/FileUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/ListUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/ListUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/Logger.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/Logger.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/MethodUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/MethodUtility.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/TimeUtility$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/TimeUtility$1.class -------------------------------------------------------------------------------- /bin/osu/seclab/inputscope/taintanalysis/utility/TimeUtility.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/bin/osu/seclab/inputscope/taintanalysis/utility/TimeUtility.class -------------------------------------------------------------------------------- /example/InputScopeExample.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/example/InputScopeExample.apk -------------------------------------------------------------------------------- /libs/android.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/libs/android.jar -------------------------------------------------------------------------------- /libs/apktool-lib_fat.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/libs/apktool-lib_fat.jar -------------------------------------------------------------------------------- /libs/javatuples-1.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/libs/javatuples-1.2.jar -------------------------------------------------------------------------------- /libs/json-20151123.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/libs/json-20151123.jar -------------------------------------------------------------------------------- /libs/xmlpull-1.1.3.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OSUSecLab/InputScope/00136f2a771dd800f41246cf58115963dafc2822/libs/xmlpull-1.1.3.1.jar -------------------------------------------------------------------------------- /src/org/json/CDL.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | /** 28 | * This provides static methods to convert comma delimited text into a 29 | * JSONArray, and to convert a JSONArray into comma delimited text. Comma 30 | * delimited text is a very popular format for data interchange. It is 31 | * understood by most database, spreadsheet, and organizer programs. 32 | *

33 | * Each row of text represents a row in a table or a data record. Each row 34 | * ends with a NEWLINE character. Each row contains one or more values. 35 | * Values are separated by commas. A value can contain any character except 36 | * for comma, unless is is wrapped in single quotes or double quotes. 37 | *

38 | * The first row usually contains the names of the columns. 39 | *

40 | * A comma delimited list can be converted into a JSONArray of JSONObjects. 41 | * The names for the elements in the JSONObjects can be taken from the names 42 | * in the first row. 43 | * @author JSON.org 44 | * @version 2016-05-01 45 | */ 46 | public class CDL { 47 | 48 | /** 49 | * Get the next value. The value can be wrapped in quotes. The value can 50 | * be empty. 51 | * @param x A JSONTokener of the source text. 52 | * @return The value string, or null if empty. 53 | * @throws JSONException if the quoted string is badly formed. 54 | */ 55 | private static String getValue(JSONTokener x) throws JSONException { 56 | char c; 57 | char q; 58 | StringBuffer sb; 59 | do { 60 | c = x.next(); 61 | } while (c == ' ' || c == '\t'); 62 | switch (c) { 63 | case 0: 64 | return null; 65 | case '"': 66 | case '\'': 67 | q = c; 68 | sb = new StringBuffer(); 69 | for (;;) { 70 | c = x.next(); 71 | if (c == q) { 72 | //Handle escaped double-quote 73 | if(x.next() != '\"') 74 | { 75 | x.back(); 76 | break; 77 | } 78 | } 79 | if (c == 0 || c == '\n' || c == '\r') { 80 | throw x.syntaxError("Missing close quote '" + q + "'."); 81 | } 82 | sb.append(c); 83 | } 84 | return sb.toString(); 85 | case ',': 86 | x.back(); 87 | return ""; 88 | default: 89 | x.back(); 90 | return x.nextTo(','); 91 | } 92 | } 93 | 94 | /** 95 | * Produce a JSONArray of strings from a row of comma delimited values. 96 | * @param x A JSONTokener of the source text. 97 | * @return A JSONArray of strings. 98 | * @throws JSONException 99 | */ 100 | public static JSONArray rowToJSONArray(JSONTokener x) throws JSONException { 101 | JSONArray ja = new JSONArray(); 102 | for (;;) { 103 | String value = getValue(x); 104 | char c = x.next(); 105 | if (value == null || 106 | (ja.length() == 0 && value.length() == 0 && c != ',')) { 107 | return null; 108 | } 109 | ja.put(value); 110 | for (;;) { 111 | if (c == ',') { 112 | break; 113 | } 114 | if (c != ' ') { 115 | if (c == '\n' || c == '\r' || c == 0) { 116 | return ja; 117 | } 118 | throw x.syntaxError("Bad character '" + c + "' (" + 119 | (int)c + ")."); 120 | } 121 | c = x.next(); 122 | } 123 | } 124 | } 125 | 126 | /** 127 | * Produce a JSONObject from a row of comma delimited text, using a 128 | * parallel JSONArray of strings to provides the names of the elements. 129 | * @param names A JSONArray of names. This is commonly obtained from the 130 | * first row of a comma delimited text file using the rowToJSONArray 131 | * method. 132 | * @param x A JSONTokener of the source text. 133 | * @return A JSONObject combining the names and values. 134 | * @throws JSONException 135 | */ 136 | public static JSONObject rowToJSONObject(JSONArray names, JSONTokener x) 137 | throws JSONException { 138 | JSONArray ja = rowToJSONArray(x); 139 | return ja != null ? ja.toJSONObject(names) : null; 140 | } 141 | 142 | /** 143 | * Produce a comma delimited text row from a JSONArray. Values containing 144 | * the comma character will be quoted. Troublesome characters may be 145 | * removed. 146 | * @param ja A JSONArray of strings. 147 | * @return A string ending in NEWLINE. 148 | */ 149 | public static String rowToString(JSONArray ja) { 150 | StringBuilder sb = new StringBuilder(); 151 | for (int i = 0; i < ja.length(); i += 1) { 152 | if (i > 0) { 153 | sb.append(','); 154 | } 155 | Object object = ja.opt(i); 156 | if (object != null) { 157 | String string = object.toString(); 158 | if (string.length() > 0 && (string.indexOf(',') >= 0 || 159 | string.indexOf('\n') >= 0 || string.indexOf('\r') >= 0 || 160 | string.indexOf(0) >= 0 || string.charAt(0) == '"')) { 161 | sb.append('"'); 162 | int length = string.length(); 163 | for (int j = 0; j < length; j += 1) { 164 | char c = string.charAt(j); 165 | if (c >= ' ' && c != '"') { 166 | sb.append(c); 167 | } 168 | } 169 | sb.append('"'); 170 | } else { 171 | sb.append(string); 172 | } 173 | } 174 | } 175 | sb.append('\n'); 176 | return sb.toString(); 177 | } 178 | 179 | /** 180 | * Produce a JSONArray of JSONObjects from a comma delimited text string, 181 | * using the first row as a source of names. 182 | * @param string The comma delimited text. 183 | * @return A JSONArray of JSONObjects. 184 | * @throws JSONException 185 | */ 186 | public static JSONArray toJSONArray(String string) throws JSONException { 187 | return toJSONArray(new JSONTokener(string)); 188 | } 189 | 190 | /** 191 | * Produce a JSONArray of JSONObjects from a comma delimited text string, 192 | * using the first row as a source of names. 193 | * @param x The JSONTokener containing the comma delimited text. 194 | * @return A JSONArray of JSONObjects. 195 | * @throws JSONException 196 | */ 197 | public static JSONArray toJSONArray(JSONTokener x) throws JSONException { 198 | return toJSONArray(rowToJSONArray(x), x); 199 | } 200 | 201 | /** 202 | * Produce a JSONArray of JSONObjects from a comma delimited text string 203 | * using a supplied JSONArray as the source of element names. 204 | * @param names A JSONArray of strings. 205 | * @param string The comma delimited text. 206 | * @return A JSONArray of JSONObjects. 207 | * @throws JSONException 208 | */ 209 | public static JSONArray toJSONArray(JSONArray names, String string) 210 | throws JSONException { 211 | return toJSONArray(names, new JSONTokener(string)); 212 | } 213 | 214 | /** 215 | * Produce a JSONArray of JSONObjects from a comma delimited text string 216 | * using a supplied JSONArray as the source of element names. 217 | * @param names A JSONArray of strings. 218 | * @param x A JSONTokener of the source text. 219 | * @return A JSONArray of JSONObjects. 220 | * @throws JSONException 221 | */ 222 | public static JSONArray toJSONArray(JSONArray names, JSONTokener x) 223 | throws JSONException { 224 | if (names == null || names.length() == 0) { 225 | return null; 226 | } 227 | JSONArray ja = new JSONArray(); 228 | for (;;) { 229 | JSONObject jo = rowToJSONObject(names, x); 230 | if (jo == null) { 231 | break; 232 | } 233 | ja.put(jo); 234 | } 235 | if (ja.length() == 0) { 236 | return null; 237 | } 238 | return ja; 239 | } 240 | 241 | 242 | /** 243 | * Produce a comma delimited text from a JSONArray of JSONObjects. The 244 | * first row will be a list of names obtained by inspecting the first 245 | * JSONObject. 246 | * @param ja A JSONArray of JSONObjects. 247 | * @return A comma delimited text. 248 | * @throws JSONException 249 | */ 250 | public static String toString(JSONArray ja) throws JSONException { 251 | JSONObject jo = ja.optJSONObject(0); 252 | if (jo != null) { 253 | JSONArray names = jo.names(); 254 | if (names != null) { 255 | return rowToString(names) + toString(names, ja); 256 | } 257 | } 258 | return null; 259 | } 260 | 261 | /** 262 | * Produce a comma delimited text from a JSONArray of JSONObjects using 263 | * a provided list of names. The list of names is not included in the 264 | * output. 265 | * @param names A JSONArray of strings. 266 | * @param ja A JSONArray of JSONObjects. 267 | * @return A comma delimited text. 268 | * @throws JSONException 269 | */ 270 | public static String toString(JSONArray names, JSONArray ja) 271 | throws JSONException { 272 | if (names == null || names.length() == 0) { 273 | return null; 274 | } 275 | StringBuffer sb = new StringBuffer(); 276 | for (int i = 0; i < ja.length(); i += 1) { 277 | JSONObject jo = ja.optJSONObject(i); 278 | if (jo != null) { 279 | sb.append(rowToString(jo.toJSONArray(names))); 280 | } 281 | } 282 | return sb.toString(); 283 | } 284 | } 285 | -------------------------------------------------------------------------------- /src/org/json/Cookie.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | /** 28 | * Convert a web browser cookie specification to a JSONObject and back. 29 | * JSON and Cookies are both notations for name/value pairs. 30 | * @author JSON.org 31 | * @version 2015-12-09 32 | */ 33 | public class Cookie { 34 | 35 | /** 36 | * Produce a copy of a string in which the characters '+', '%', '=', ';' 37 | * and control characters are replaced with "%hh". This is a gentle form 38 | * of URL encoding, attempting to cause as little distortion to the 39 | * string as possible. The characters '=' and ';' are meta characters in 40 | * cookies. By convention, they are escaped using the URL-encoding. This is 41 | * only a convention, not a standard. Often, cookies are expected to have 42 | * encoded values. We encode '=' and ';' because we must. We encode '%' and 43 | * '+' because they are meta characters in URL encoding. 44 | * @param string The source string. 45 | * @return The escaped result. 46 | */ 47 | public static String escape(String string) { 48 | char c; 49 | String s = string.trim(); 50 | int length = s.length(); 51 | StringBuilder sb = new StringBuilder(length); 52 | for (int i = 0; i < length; i += 1) { 53 | c = s.charAt(i); 54 | if (c < ' ' || c == '+' || c == '%' || c == '=' || c == ';') { 55 | sb.append('%'); 56 | sb.append(Character.forDigit((char)((c >>> 4) & 0x0f), 16)); 57 | sb.append(Character.forDigit((char)(c & 0x0f), 16)); 58 | } else { 59 | sb.append(c); 60 | } 61 | } 62 | return sb.toString(); 63 | } 64 | 65 | 66 | /** 67 | * Convert a cookie specification string into a JSONObject. The string 68 | * will contain a name value pair separated by '='. The name and the value 69 | * will be unescaped, possibly converting '+' and '%' sequences. The 70 | * cookie properties may follow, separated by ';', also represented as 71 | * name=value (except the secure property, which does not have a value). 72 | * The name will be stored under the key "name", and the value will be 73 | * stored under the key "value". This method does not do checking or 74 | * validation of the parameters. It only converts the cookie string into 75 | * a JSONObject. 76 | * @param string The cookie specification string. 77 | * @return A JSONObject containing "name", "value", and possibly other 78 | * members. 79 | * @throws JSONException 80 | */ 81 | public static JSONObject toJSONObject(String string) throws JSONException { 82 | String name; 83 | JSONObject jo = new JSONObject(); 84 | Object value; 85 | JSONTokener x = new JSONTokener(string); 86 | jo.put("name", x.nextTo('=')); 87 | x.next('='); 88 | jo.put("value", x.nextTo(';')); 89 | x.next(); 90 | while (x.more()) { 91 | name = unescape(x.nextTo("=;")); 92 | if (x.next() != '=') { 93 | if (name.equals("secure")) { 94 | value = Boolean.TRUE; 95 | } else { 96 | throw x.syntaxError("Missing '=' in cookie parameter."); 97 | } 98 | } else { 99 | value = unescape(x.nextTo(';')); 100 | x.next(); 101 | } 102 | jo.put(name, value); 103 | } 104 | return jo; 105 | } 106 | 107 | 108 | /** 109 | * Convert a JSONObject into a cookie specification string. The JSONObject 110 | * must contain "name" and "value" members. 111 | * If the JSONObject contains "expires", "domain", "path", or "secure" 112 | * members, they will be appended to the cookie specification string. 113 | * All other members are ignored. 114 | * @param jo A JSONObject 115 | * @return A cookie specification string 116 | * @throws JSONException 117 | */ 118 | public static String toString(JSONObject jo) throws JSONException { 119 | StringBuilder sb = new StringBuilder(); 120 | 121 | sb.append(escape(jo.getString("name"))); 122 | sb.append("="); 123 | sb.append(escape(jo.getString("value"))); 124 | if (jo.has("expires")) { 125 | sb.append(";expires="); 126 | sb.append(jo.getString("expires")); 127 | } 128 | if (jo.has("domain")) { 129 | sb.append(";domain="); 130 | sb.append(escape(jo.getString("domain"))); 131 | } 132 | if (jo.has("path")) { 133 | sb.append(";path="); 134 | sb.append(escape(jo.getString("path"))); 135 | } 136 | if (jo.optBoolean("secure")) { 137 | sb.append(";secure"); 138 | } 139 | return sb.toString(); 140 | } 141 | 142 | /** 143 | * Convert %hh sequences to single characters, and 144 | * convert plus to space. 145 | * @param string A string that may contain 146 | * + (plus) and 147 | * %hh sequences. 148 | * @return The unescaped string. 149 | */ 150 | public static String unescape(String string) { 151 | int length = string.length(); 152 | StringBuilder sb = new StringBuilder(length); 153 | for (int i = 0; i < length; ++i) { 154 | char c = string.charAt(i); 155 | if (c == '+') { 156 | c = ' '; 157 | } else if (c == '%' && i + 2 < length) { 158 | int d = JSONTokener.dehexchar(string.charAt(i + 1)); 159 | int e = JSONTokener.dehexchar(string.charAt(i + 2)); 160 | if (d >= 0 && e >= 0) { 161 | c = (char)(d * 16 + e); 162 | i += 2; 163 | } 164 | } 165 | sb.append(c); 166 | } 167 | return sb.toString(); 168 | } 169 | } 170 | -------------------------------------------------------------------------------- /src/org/json/CookieList.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | import java.util.Iterator; 28 | 29 | /** 30 | * Convert a web browser cookie list string to a JSONObject and back. 31 | * @author JSON.org 32 | * @version 2015-12-09 33 | */ 34 | public class CookieList { 35 | 36 | /** 37 | * Convert a cookie list into a JSONObject. A cookie list is a sequence 38 | * of name/value pairs. The names are separated from the values by '='. 39 | * The pairs are separated by ';'. The names and the values 40 | * will be unescaped, possibly converting '+' and '%' sequences. 41 | * 42 | * To add a cookie to a cooklist, 43 | * cookielistJSONObject.put(cookieJSONObject.getString("name"), 44 | * cookieJSONObject.getString("value")); 45 | * @param string A cookie list string 46 | * @return A JSONObject 47 | * @throws JSONException 48 | */ 49 | public static JSONObject toJSONObject(String string) throws JSONException { 50 | JSONObject jo = new JSONObject(); 51 | JSONTokener x = new JSONTokener(string); 52 | while (x.more()) { 53 | String name = Cookie.unescape(x.nextTo('=')); 54 | x.next('='); 55 | jo.put(name, Cookie.unescape(x.nextTo(';'))); 56 | x.next(); 57 | } 58 | return jo; 59 | } 60 | 61 | /** 62 | * Convert a JSONObject into a cookie list. A cookie list is a sequence 63 | * of name/value pairs. The names are separated from the values by '='. 64 | * The pairs are separated by ';'. The characters '%', '+', '=', and ';' 65 | * in the names and values are replaced by "%hh". 66 | * @param jo A JSONObject 67 | * @return A cookie list string 68 | * @throws JSONException 69 | */ 70 | public static String toString(JSONObject jo) throws JSONException { 71 | boolean b = false; 72 | Iterator keys = jo.keys(); 73 | String string; 74 | StringBuilder sb = new StringBuilder(); 75 | while (keys.hasNext()) { 76 | string = keys.next(); 77 | if (!jo.isNull(string)) { 78 | if (b) { 79 | sb.append(';'); 80 | } 81 | sb.append(Cookie.escape(string)); 82 | sb.append("="); 83 | sb.append(Cookie.escape(jo.getString(string))); 84 | b = true; 85 | } 86 | } 87 | return sb.toString(); 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /src/org/json/HTTP.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | import java.util.Iterator; 28 | 29 | /** 30 | * Convert an HTTP header to a JSONObject and back. 31 | * @author JSON.org 32 | * @version 2015-12-09 33 | */ 34 | public class HTTP { 35 | 36 | /** Carriage return/line feed. */ 37 | public static final String CRLF = "\r\n"; 38 | 39 | /** 40 | * Convert an HTTP header string into a JSONObject. It can be a request 41 | * header or a response header. A request header will contain 42 | * 

{
 43 |      *    Method: "POST" (for example),
 44 |      *    "Request-URI": "/" (for example),
 45 |      *    "HTTP-Version": "HTTP/1.1" (for example)
 46 |      * }
47 | * A response header will contain 48 | * 
{
 49 |      *    "HTTP-Version": "HTTP/1.1" (for example),
 50 |      *    "Status-Code": "200" (for example),
 51 |      *    "Reason-Phrase": "OK" (for example)
 52 |      * }
53 | * In addition, the other parameters in the header will be captured, using 54 | * the HTTP field names as JSON names, so that 
 55 |      *    Date: Sun, 26 May 2002 18:06:04 GMT
 56 |      *    Cookie: Q=q2=PPEAsg--; B=677gi6ouf29bn&b=2&f=s
 57 |      *    Cache-Control: no-cache
58 | * become 59 | * 
{...
 60 |      *    Date: "Sun, 26 May 2002 18:06:04 GMT",
 61 |      *    Cookie: "Q=q2=PPEAsg--; B=677gi6ouf29bn&b=2&f=s",
 62 |      *    "Cache-Control": "no-cache",
 63 |      * ...}
64 | * It does no further checking or conversion. It does not parse dates. 65 | * It does not do '%' transforms on URLs. 66 | * @param string An HTTP header string. 67 | * @return A JSONObject containing the elements and attributes 68 | * of the XML string. 69 | * @throws JSONException 70 | */ 71 | public static JSONObject toJSONObject(String string) throws JSONException { 72 | JSONObject jo = new JSONObject(); 73 | HTTPTokener x = new HTTPTokener(string); 74 | String token; 75 | 76 | token = x.nextToken(); 77 | if (token.toUpperCase().startsWith("HTTP")) { 78 | 79 | // Response 80 | 81 | jo.put("HTTP-Version", token); 82 | jo.put("Status-Code", x.nextToken()); 83 | jo.put("Reason-Phrase", x.nextTo('\0')); 84 | x.next(); 85 | 86 | } else { 87 | 88 | // Request 89 | 90 | jo.put("Method", token); 91 | jo.put("Request-URI", x.nextToken()); 92 | jo.put("HTTP-Version", x.nextToken()); 93 | } 94 | 95 | // Fields 96 | 97 | while (x.more()) { 98 | String name = x.nextTo(':'); 99 | x.next(':'); 100 | jo.put(name, x.nextTo('\0')); 101 | x.next(); 102 | } 103 | return jo; 104 | } 105 | 106 | 107 | /** 108 | * Convert a JSONObject into an HTTP header. A request header must contain 109 | * 
{
110 |      *    Method: "POST" (for example),
111 |      *    "Request-URI": "/" (for example),
112 |      *    "HTTP-Version": "HTTP/1.1" (for example)
113 |      * }
114 | * A response header must contain 115 | * 
{
116 |      *    "HTTP-Version": "HTTP/1.1" (for example),
117 |      *    "Status-Code": "200" (for example),
118 |      *    "Reason-Phrase": "OK" (for example)
119 |      * }
120 | * Any other members of the JSONObject will be output as HTTP fields. 121 | * The result will end with two CRLF pairs. 122 | * @param jo A JSONObject 123 | * @return An HTTP header string. 124 | * @throws JSONException if the object does not contain enough 125 | * information. 126 | */ 127 | public static String toString(JSONObject jo) throws JSONException { 128 | Iterator keys = jo.keys(); 129 | String string; 130 | StringBuilder sb = new StringBuilder(); 131 | if (jo.has("Status-Code") && jo.has("Reason-Phrase")) { 132 | sb.append(jo.getString("HTTP-Version")); 133 | sb.append(' '); 134 | sb.append(jo.getString("Status-Code")); 135 | sb.append(' '); 136 | sb.append(jo.getString("Reason-Phrase")); 137 | } else if (jo.has("Method") && jo.has("Request-URI")) { 138 | sb.append(jo.getString("Method")); 139 | sb.append(' '); 140 | sb.append('"'); 141 | sb.append(jo.getString("Request-URI")); 142 | sb.append('"'); 143 | sb.append(' '); 144 | sb.append(jo.getString("HTTP-Version")); 145 | } else { 146 | throw new JSONException("Not enough material for an HTTP header."); 147 | } 148 | sb.append(CRLF); 149 | while (keys.hasNext()) { 150 | string = keys.next(); 151 | if (!"HTTP-Version".equals(string) && !"Status-Code".equals(string) && 152 | !"Reason-Phrase".equals(string) && !"Method".equals(string) && 153 | !"Request-URI".equals(string) && !jo.isNull(string)) { 154 | sb.append(string); 155 | sb.append(": "); 156 | sb.append(jo.getString(string)); 157 | sb.append(CRLF); 158 | } 159 | } 160 | sb.append(CRLF); 161 | return sb.toString(); 162 | } 163 | } 164 | -------------------------------------------------------------------------------- /src/org/json/HTTPTokener.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | /** 28 | * The HTTPTokener extends the JSONTokener to provide additional methods 29 | * for the parsing of HTTP headers. 30 | * @author JSON.org 31 | * @version 2015-12-09 32 | */ 33 | public class HTTPTokener extends JSONTokener { 34 | 35 | /** 36 | * Construct an HTTPTokener from a string. 37 | * @param string A source string. 38 | */ 39 | public HTTPTokener(String string) { 40 | super(string); 41 | } 42 | 43 | 44 | /** 45 | * Get the next token or string. This is used in parsing HTTP headers. 46 | * @throws JSONException 47 | * @return A String. 48 | */ 49 | public String nextToken() throws JSONException { 50 | char c; 51 | char q; 52 | StringBuilder sb = new StringBuilder(); 53 | do { 54 | c = next(); 55 | } while (Character.isWhitespace(c)); 56 | if (c == '"' || c == '\'') { 57 | q = c; 58 | for (;;) { 59 | c = next(); 60 | if (c < ' ') { 61 | throw syntaxError("Unterminated string."); 62 | } 63 | if (c == q) { 64 | return sb.toString(); 65 | } 66 | sb.append(c); 67 | } 68 | } 69 | for (;;) { 70 | if (c == 0 || Character.isWhitespace(c)) { 71 | return sb.toString(); 72 | } 73 | sb.append(c); 74 | c = next(); 75 | } 76 | } 77 | } 78 | -------------------------------------------------------------------------------- /src/org/json/JSONException.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /** 4 | * The JSONException is thrown by the JSON.org classes when things are amiss. 5 | * 6 | * @author JSON.org 7 | * @version 2015-12-09 8 | */ 9 | public class JSONException extends RuntimeException { 10 | /** Serialization ID */ 11 | private static final long serialVersionUID = 0; 12 | 13 | /** 14 | * Constructs a JSONException with an explanatory message. 15 | * 16 | * @param message 17 | * Detail about the reason for the exception. 18 | */ 19 | public JSONException(final String message) { 20 | super(message); 21 | } 22 | 23 | /** 24 | * Constructs a JSONException with an explanatory message and cause. 25 | * 26 | * @param message 27 | * Detail about the reason for the exception. 28 | * @param cause 29 | * The cause. 30 | */ 31 | public JSONException(final String message, final Throwable cause) { 32 | super(message, cause); 33 | } 34 | 35 | /** 36 | * Constructs a new JSONException with the specified cause. 37 | * 38 | * @param cause 39 | * The cause. 40 | */ 41 | public JSONException(final Throwable cause) { 42 | super(cause.getMessage(), cause); 43 | } 44 | 45 | } 46 | -------------------------------------------------------------------------------- /src/org/json/JSONPointer.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | import static java.lang.String.format; 4 | 5 | import java.io.UnsupportedEncodingException; 6 | import java.net.URLDecoder; 7 | import java.net.URLEncoder; 8 | import java.util.*; 9 | 10 | /* 11 | Copyright (c) 2002 JSON.org 12 | 13 | Permission is hereby granted, free of charge, to any person obtaining a copy 14 | of this software and associated documentation files (the "Software"), to deal 15 | in the Software without restriction, including without limitation the rights 16 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 17 | copies of the Software, and to permit persons to whom the Software is 18 | furnished to do so, subject to the following conditions: 19 | 20 | The above copyright notice and this permission notice shall be included in all 21 | copies or substantial portions of the Software. 22 | 23 | The Software shall be used for Good, not Evil. 24 | 25 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 26 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 27 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 28 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 29 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 30 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 31 | SOFTWARE. 32 | */ 33 | 34 | /** 35 | * A JSON Pointer is a simple query language defined for JSON documents by 36 | * RFC 6901. 37 | * 38 | * In a nutshell, JSONPointer allows the user to navigate into a JSON document 39 | * using strings, and retrieve targeted objects, like a simple form of XPATH. 40 | * Path segments are separated by the '/' char, which signifies the root of 41 | * the document when it appears as the first char of the string. Array 42 | * elements are navigated using ordinals, counting from 0. JSONPointer strings 43 | * may be extended to any arbitrary number of segments. If the navigation 44 | * is successful, the matched item is returned. A matched item may be a 45 | * JSONObject, a JSONArray, or a JSON value. If the JSONPointer string building 46 | * fails, an appropriate exception is thrown. If the navigation fails to find 47 | * a match, a JSONPointerException is thrown. 48 | * 49 | * @author JSON.org 50 | * @version 2016-05-14 51 | */ 52 | public class JSONPointer { 53 | 54 | // used for URL encoding and decoding 55 | private static final String ENCODING = "utf-8"; 56 | 57 | /** 58 | * This class allows the user to build a JSONPointer in steps, using 59 | * exactly one segment in each step. 60 | */ 61 | public static class Builder { 62 | 63 | // Segments for the eventual JSONPointer string 64 | private final List refTokens = new ArrayList(); 65 | 66 | /** 67 | * Creates a {@code JSONPointer} instance using the tokens previously set using the 68 | * {@link #append(String)} method calls. 69 | */ 70 | public JSONPointer build() { 71 | return new JSONPointer(refTokens); 72 | } 73 | 74 | /** 75 | * Adds an arbitary token to the list of reference tokens. It can be any non-null value. 76 | * 77 | * Unlike in the case of JSON string or URI fragment representation of JSON pointers, the 78 | * argument of this method MUST NOT be escaped. If you want to query the property called 79 | * {@code "a~b"} then you should simply pass the {@code "a~b"} string as-is, there is no 80 | * need to escape it as {@code "a~0b"}. 81 | * 82 | * @param token the new token to be appended to the list 83 | * @return {@code this} 84 | * @throws NullPointerException if {@code token} is null 85 | */ 86 | public Builder append(String token) { 87 | if (token == null) { 88 | throw new NullPointerException("token cannot be null"); 89 | } 90 | refTokens.add(token); 91 | return this; 92 | } 93 | 94 | /** 95 | * Adds an integer to the reference token list. Although not necessarily, mostly this token will 96 | * denote an array index. 97 | * 98 | * @param arrayIndex the array index to be added to the token list 99 | * @return {@code this} 100 | */ 101 | public Builder append(int arrayIndex) { 102 | refTokens.add(String.valueOf(arrayIndex)); 103 | return this; 104 | } 105 | } 106 | 107 | /** 108 | * Static factory method for {@link Builder}. Example usage: 109 | * 110 | * 

111 |      * JSONPointer pointer = JSONPointer.builder()
112 |      *       .append("obj")
113 |      *       .append("other~key").append("another/key")
114 |      *       .append("\"")
115 |      *       .append(0)
116 |      *       .build();
117 |      *
118 | * 119 | * @return a builder instance which can be used to construct a {@code JSONPointer} instance by chained 120 | * {@link Builder#append(String)} calls. 121 | */ 122 | public static Builder builder() { 123 | return new Builder(); 124 | } 125 | 126 | // Segments for the JSONPointer string 127 | private final List refTokens; 128 | 129 | /** 130 | * Pre-parses and initializes a new {@code JSONPointer} instance. If you want to 131 | * evaluate the same JSON Pointer on different JSON documents then it is recommended 132 | * to keep the {@code JSONPointer} instances due to performance considerations. 133 | * 134 | * @param pointer the JSON String or URI Fragment representation of the JSON pointer. 135 | * @throws IllegalArgumentException if {@code pointer} is not a valid JSON pointer 136 | */ 137 | public JSONPointer(String pointer) { 138 | if (pointer == null) { 139 | throw new NullPointerException("pointer cannot be null"); 140 | } 141 | if (pointer.isEmpty()) { 142 | refTokens = Collections.emptyList(); 143 | return; 144 | } 145 | if (pointer.startsWith("#/")) { 146 | pointer = pointer.substring(2); 147 | try { 148 | pointer = URLDecoder.decode(pointer, ENCODING); 149 | } catch (UnsupportedEncodingException e) { 150 | throw new RuntimeException(e); 151 | } 152 | } else if (pointer.startsWith("/")) { 153 | pointer = pointer.substring(1); 154 | } else { 155 | throw new IllegalArgumentException("a JSON pointer should start with '/' or '#/'"); 156 | } 157 | refTokens = new ArrayList(); 158 | for (String token : pointer.split("/")) { 159 | refTokens.add(unescape(token)); 160 | } 161 | } 162 | 163 | public JSONPointer(List refTokens) { 164 | this.refTokens = new ArrayList(refTokens); 165 | } 166 | 167 | private String unescape(String token) { 168 | return token.replace("~1", "/").replace("~0", "~") 169 | .replace("\\\"", "\"") 170 | .replace("\\\\", "\\"); 171 | } 172 | 173 | /** 174 | * Evaluates this JSON Pointer on the given {@code document}. The {@code document} 175 | * is usually a {@link JSONObject} or a {@link JSONArray} instance, but the empty 176 | * JSON Pointer ({@code ""}) can be evaluated on any JSON values and in such case the 177 | * returned value will be {@code document} itself. 178 | * 179 | * @param document the JSON document which should be the subject of querying. 180 | * @return the result of the evaluation 181 | * @throws JSONPointerException if an error occurs during evaluation 182 | */ 183 | public Object queryFrom(Object document) { 184 | if (refTokens.isEmpty()) { 185 | return document; 186 | } 187 | Object current = document; 188 | for (String token : refTokens) { 189 | if (current instanceof JSONObject) { 190 | current = ((JSONObject) current).opt(unescape(token)); 191 | } else if (current instanceof JSONArray) { 192 | current = readByIndexToken(current, token); 193 | } else { 194 | throw new JSONPointerException(format( 195 | "value [%s] is not an array or object therefore its key %s cannot be resolved", current, 196 | token)); 197 | } 198 | } 199 | return current; 200 | } 201 | 202 | /** 203 | * Matches a JSONArray element by ordinal position 204 | * @param current the JSONArray to be evaluated 205 | * @param indexToken the array index in string form 206 | * @return the matched object. If no matching item is found a 207 | * JSONPointerException is thrown 208 | */ 209 | private Object readByIndexToken(Object current, String indexToken) { 210 | try { 211 | int index = Integer.parseInt(indexToken); 212 | JSONArray currentArr = (JSONArray) current; 213 | if (index >= currentArr.length()) { 214 | throw new JSONPointerException(format("index %d is out of bounds - the array has %d elements", index, 215 | currentArr.length())); 216 | } 217 | return currentArr.get(index); 218 | } catch (NumberFormatException e) { 219 | throw new JSONPointerException(format("%s is not an array index", indexToken), e); 220 | } 221 | } 222 | 223 | /** 224 | * Returns a string representing the JSONPointer path value using string 225 | * representation 226 | */ 227 | @Override 228 | public String toString() { 229 | StringBuilder rval = new StringBuilder(""); 230 | for (String token: refTokens) { 231 | rval.append('/').append(escape(token)); 232 | } 233 | return rval.toString(); 234 | } 235 | 236 | /** 237 | * Escapes path segment values to an unambiguous form. 238 | * The escape char to be inserted is '~'. The chars to be escaped 239 | * are ~, which maps to ~0, and /, which maps to ~1. Backslashes 240 | * and double quote chars are also escaped. 241 | * @param token the JSONPointer segment value to be escaped 242 | * @return the escaped value for the token 243 | */ 244 | private String escape(String token) { 245 | return token.replace("~", "~0") 246 | .replace("/", "~1") 247 | .replace("\\", "\\\\") 248 | .replace("\"", "\\\""); 249 | } 250 | 251 | /** 252 | * Returns a string representing the JSONPointer path value using URI 253 | * fragment identifier representation 254 | */ 255 | public String toURIFragment() { 256 | try { 257 | StringBuilder rval = new StringBuilder("#"); 258 | for (String token : refTokens) { 259 | rval.append('/').append(URLEncoder.encode(token, ENCODING)); 260 | } 261 | return rval.toString(); 262 | } catch (UnsupportedEncodingException e) { 263 | throw new RuntimeException(e); 264 | } 265 | } 266 | 267 | } 268 | -------------------------------------------------------------------------------- /src/org/json/JSONPointerException.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | /** 28 | * The JSONPointerException is thrown by {@link JSONPointer} if an error occurs 29 | * during evaluating a pointer. 30 | * 31 | * @author JSON.org 32 | * @version 2016-05-13 33 | */ 34 | public class JSONPointerException extends JSONException { 35 | private static final long serialVersionUID = 8872944667561856751L; 36 | 37 | public JSONPointerException(String message) { 38 | super(message); 39 | } 40 | 41 | public JSONPointerException(String message, Throwable cause) { 42 | super(message, cause); 43 | } 44 | 45 | } 46 | -------------------------------------------------------------------------------- /src/org/json/JSONString.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | /** 3 | * The JSONString interface allows a toJSONString() 4 | * method so that a class can change the behavior of 5 | * JSONObject.toString(), JSONArray.toString(), 6 | * and JSONWriter.value(Object). The 7 | * toJSONString method will be used instead of the default behavior 8 | * of using the Object's toString() method and quoting the result. 9 | */ 10 | public interface JSONString { 11 | /** 12 | * The toJSONString method allows a class to produce its own JSON 13 | * serialization. 14 | * 15 | * @return A strictly syntactically correct JSON text. 16 | */ 17 | public String toJSONString(); 18 | } 19 | -------------------------------------------------------------------------------- /src/org/json/JSONStringer.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2006 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | import java.io.StringWriter; 28 | 29 | /** 30 | * JSONStringer provides a quick and convenient way of producing JSON text. 31 | * The texts produced strictly conform to JSON syntax rules. No whitespace is 32 | * added, so the results are ready for transmission or storage. Each instance of 33 | * JSONStringer can produce one JSON text. 34 | *

35 | * A JSONStringer instance provides a value method for appending 36 | * values to the 37 | * text, and a key 38 | * method for adding keys before values in objects. There are array 39 | * and endArray methods that make and bound array values, and 40 | * object and endObject methods which make and bound 41 | * object values. All of these methods return the JSONWriter instance, 42 | * permitting cascade style. For example, 

43 |  * myString = new JSONStringer()
44 |  *     .object()
45 |  *         .key("JSON")
46 |  *         .value("Hello, World!")
47 |  *     .endObject()
48 |  *     .toString();
which produces the string 
49 |  * {"JSON":"Hello, World!"}
50 | *

51 | * The first method called must be array or object. 52 | * There are no methods for adding commas or colons. JSONStringer adds them for 53 | * you. Objects and arrays can be nested up to 20 levels deep. 54 | *

55 | * This can sometimes be easier than using a JSONObject to build a string. 56 | * @author JSON.org 57 | * @version 2015-12-09 58 | */ 59 | public class JSONStringer extends JSONWriter { 60 | /** 61 | * Make a fresh JSONStringer. It can be used to build one JSON text. 62 | */ 63 | public JSONStringer() { 64 | super(new StringWriter()); 65 | } 66 | 67 | /** 68 | * Return the JSON text. This method is used to obtain the product of the 69 | * JSONStringer instance. It will return null if there was a 70 | * problem in the construction of the JSON text (such as the calls to 71 | * array were not properly balanced with calls to 72 | * endArray). 73 | * @return The JSON text. 74 | */ 75 | public String toString() { 76 | return this.mode == 'd' ? this.writer.toString() : null; 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /src/org/json/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2002 JSON.org 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | The Software shall be used for Good, not Evil. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/org/json/Property.java: -------------------------------------------------------------------------------- 1 | package org.json; 2 | 3 | /* 4 | Copyright (c) 2002 JSON.org 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | The Software shall be used for Good, not Evil. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | */ 26 | 27 | import java.util.Enumeration; 28 | import java.util.Iterator; 29 | import java.util.Properties; 30 | 31 | /** 32 | * Converts a Property file data into JSONObject and back. 33 | * @author JSON.org 34 | * @version 2015-05-05 35 | */ 36 | public class Property { 37 | /** 38 | * Converts a property file object into a JSONObject. The property file object is a table of name value pairs. 39 | * @param properties java.util.Properties 40 | * @return JSONObject 41 | * @throws JSONException 42 | */ 43 | public static JSONObject toJSONObject(java.util.Properties properties) throws JSONException { 44 | JSONObject jo = new JSONObject(); 45 | if (properties != null && !properties.isEmpty()) { 46 | Enumeration enumProperties = properties.propertyNames(); 47 | while(enumProperties.hasMoreElements()) { 48 | String name = (String)enumProperties.nextElement(); 49 | jo.put(name, properties.getProperty(name)); 50 | } 51 | } 52 | return jo; 53 | } 54 | 55 | /** 56 | * Converts the JSONObject into a property file object. 57 | * @param jo JSONObject 58 | * @return java.util.Properties 59 | * @throws JSONException 60 | */ 61 | public static Properties toProperties(JSONObject jo) throws JSONException { 62 | Properties properties = new Properties(); 63 | if (jo != null) { 64 | Iterator keys = jo.keys(); 65 | while (keys.hasNext()) { 66 | String name = keys.next(); 67 | properties.put(name, jo.getString(name)); 68 | } 69 | } 70 | return properties; 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /src/org/json/README: -------------------------------------------------------------------------------- 1 | JSON in Java [package org.json] 2 | 3 | JSON is a light-weight, language independent, data interchange format. 4 | See http://www.JSON.org/ 5 | 6 | The files in this package implement JSON encoders/decoders in Java. 7 | It also includes the capability to convert between JSON and XML, HTTP 8 | headers, Cookies, and CDL. 9 | 10 | This is a reference implementation. There is a large number of JSON packages 11 | in Java. Perhaps someday the Java community will standardize on one. Until 12 | then, choose carefully. 13 | 14 | The license includes this restriction: "The software shall be used for good, 15 | not evil." If your conscience cannot live with that, then choose a different 16 | package. 17 | 18 | The package compiles on Java 1.6-1.8. 19 | 20 | 21 | JSONObject.java: The JSONObject can parse text from a String or a JSONTokener 22 | to produce a map-like object. The object provides methods for manipulating its 23 | contents, and for producing a JSON compliant object serialization. 24 | 25 | JSONArray.java: The JSONObject can parse text from a String or a JSONTokener 26 | to produce a vector-like object. The object provides methods for manipulating 27 | its contents, and for producing a JSON compliant array serialization. 28 | 29 | JSONTokener.java: The JSONTokener breaks a text into a sequence of individual 30 | tokens. It can be constructed from a String, Reader, or InputStream. 31 | 32 | JSONException.java: The JSONException is the standard exception type thrown 33 | by this package. 34 | 35 | JSONPointer.java: Implementation of 36 | [JSON Pointer (RFC 6901)](https://tools.ietf.org/html/rfc6901). Supports 37 | JSON Pointers both in the form of string representation and URI fragment 38 | representation. 39 | 40 | JSONString.java: The JSONString interface requires a toJSONString method, 41 | allowing an object to provide its own serialization. 42 | 43 | JSONStringer.java: The JSONStringer provides a convenient facility for 44 | building JSON strings. 45 | 46 | JSONWriter.java: The JSONWriter provides a convenient facility for building 47 | JSON text through a writer. 48 | 49 | 50 | CDL.java: CDL provides support for converting between JSON and comma 51 | delimited lists. 52 | 53 | Cookie.java: Cookie provides support for converting between JSON and cookies. 54 | 55 | CookieList.java: CookieList provides support for converting between JSON and 56 | cookie lists. 57 | 58 | HTTP.java: HTTP provides support for converting between JSON and HTTP headers. 59 | 60 | HTTPTokener.java: HTTPTokener extends JSONTokener for parsing HTTP headers. 61 | 62 | XML.java: XML provides support for converting between JSON and XML. 63 | 64 | JSONML.java: JSONML provides support for converting between JSONML and XML. 65 | 66 | XMLTokener.java: XMLTokener extends JSONTokener for parsing XML text. 67 | 68 | Unit tests are maintained in a separate project. Contributing developers can test 69 | JSON-java pull requests with the code in this project: 70 | https://github.com/stleary/JSON-Java-unit-test 71 | 72 | Numeric types in this package comply with ECMA-404: The JSON Data Interchange Format 73 | (http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf) and 74 | RFC 7159: The JavaScript Object Notation (JSON) Data Interchange Format 75 | (https://tools.ietf.org/html/rfc7159#section-6). 76 | This package fully supports Integer, Long, and Double Java types. Partial support 77 | for BigInteger and BigDecimal values in JSONObject and JSONArray objects is provided 78 | in the form of get(), opt(), and put() API methods. 79 | 80 | Although 1.6 compatibility is currently supported, it is not a project goal and may be 81 | removed in some future release. 82 | 83 | In compliance with RFC7159 page 10 section 9, the parser is more lax with what is valid 84 | JSON than the Generator. For Example, the tab character (U+0009) is allowed when reading 85 | JSON Text strings, but when output by the Generator, tab is properly converted to \t in 86 | the string. Other instances may occur where reading invalid JSON text does not cause an 87 | error to be generated. Malformed JSON Texts such as missing end " (quote) on strings or 88 | invalid number formats (1.2e6.3) will cause errors as such documents can not be read 89 | reliably. 90 | 91 | Release history: 92 | 93 | 20160810 Revert code that was breaking opt*() methods. 94 | 95 | 20160807 This release contains a bug in the JSONObject.opt*() and JSONArray.opt*() methods, 96 | it is not recommended for use. 97 | Java 1.6 compatability fixed, JSONArray.toList() and JSONObject.toMap(), 98 | RFC4180 compatibility, JSONPointer, some exception fixes, optional XML type conversion. 99 | Contains the latest code as of 7 Aug, 2016 100 | 101 | 20160212 Java 1.6 compatibility, OSGi bundle. Contains the latest code as of 12 Feb, 2016. 102 | 103 | 20151123 JSONObject and JSONArray initialization with generics. Contains the 104 | latest code as of 23 Nov, 2015. 105 | 106 | 20150729 Checkpoint for Maven central repository release. Contains the latest code 107 | as of 29 July, 2015. 108 | 109 | JSON-java releases can be found by searching the Maven repository for groupId "org.json" 110 | and artifactId "json". For example: 111 | https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.json%22%20AND%20a%3A%22json%22 112 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/main/runTest.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.main; 2 | 3 | import java.util.ArrayList; 4 | import java.util.Collections; 5 | import java.util.HashMap; 6 | import java.util.HashSet; 7 | import java.util.Hashtable; 8 | import java.util.List; 9 | 10 | import org.jf.smali.SmaliMethodParameter; 11 | import org.json.JSONArray; 12 | import org.json.JSONObject; 13 | 14 | import osu.seclab.inputscope.stringvsa.backwardslicing.TaintRules; 15 | import osu.seclab.inputscope.stringvsa.graph.CallGraph; 16 | import osu.seclab.inputscope.stringvsa.graph.DGraph; 17 | import osu.seclab.inputscope.stringvsa.graph.IDGNode; 18 | import osu.seclab.inputscope.stringvsa.graph.ValuePoint; 19 | import osu.seclab.inputscope.stringvsa.utility.Logger; 20 | import osu.seclab.inputscope.taintanalysis.base.TaintQuestion; 21 | import osu.seclab.inputscope.taintanalysis.main.QuestionGenerator; 22 | import osu.seclab.inputscope.taintanalysis.utility.FileUtility; 23 | import osu.seclab.inputscope.taintanalysis.utility.TimeUtility; 24 | import soot.Scene; 25 | import soot.options.Options; 26 | 27 | public class runTest { 28 | public static String path; 29 | public static String pn; 30 | static Hashtable> m2m; 31 | 32 | // args[0] app package name 33 | // args[1] android.jar path 34 | public static void main(String[] args) { 35 | 36 | String fp = ""; 37 | fp = args[0]; 38 | 39 | // String ajar = "android.jar"; 40 | String ajar = args[1]; 41 | path = fp; 42 | 43 | 44 | String[] tpn = fp.split("/"); 45 | pn = tpn[tpn.length - 1].substring(0, tpn[tpn.length - 1].length() - 4); 46 | System.out.println(pn); 47 | 48 | Options.v().set_src_prec(Options.src_prec_apk); 49 | Options.v().set_process_dir(Collections.singletonList(fp)); 50 | Options.v().set_force_android_jar(ajar); 51 | Options.v().set_process_multiple_dex(true); 52 | Options.v().set_android_api_version(24); 53 | Options.v().set_output_format(Options.output_format_none); 54 | Options.v().set_force_overwrite(true); 55 | Options.v().set_allow_phantom_refs(true); 56 | Options.v().set_whole_program(true); 57 | Options.v().ignore_resolution_errors(); 58 | 59 | Scene.v().loadNecessaryClasses(); 60 | TimeUtility.startWatcherBruce(7 * 60); 61 | 62 | // Taint Analysis 63 | QuestionGenerator qg = new QuestionGenerator(); 64 | 65 | HashSet init_taint_res = qg.generateInputQuestions().solveInputQuestions(false); 66 | 67 | HashSet taint_res = combineTaintRes(init_taint_res); 68 | 69 | System.out.println("\n===============Taint Analysis Result===============\n"); 70 | 71 | for (String result : taint_res) 72 | System.out.println(result.toString()); 73 | 74 | 75 | // String VSA 76 | CallGraph.init(); 77 | System.out.println("\n===============String Value Analysis Result===============\n"); 78 | HashSet strVSA_res = runStrVSA(taint_res); 79 | 80 | System.out.println("\n===============Final Result===============\n"); 81 | 82 | for (String result : strVSA_res) { 83 | System.out.println(result.toString()); 84 | FileUtility.wf("./" + pn, result.toString(), true); 85 | } 86 | 87 | } 88 | 89 | public static HashSet combineTaintRes(HashSet taint_res) { 90 | Hashtable cres = new Hashtable(); 91 | for (String result : taint_res) { 92 | JSONObject cur_json = new JSONObject(result); 93 | String tmp_key = cur_json.getJSONObject("source").get("unit").toString(); 94 | tmp_key += cur_json.getJSONObject("source").get("method").toString(); 95 | tmp_key += cur_json.getJSONObject("source").get("unitIndex").toString(); 96 | if (!cres.containsKey(tmp_key)) { 97 | JSONObject tmp_json = new JSONObject(); 98 | tmp_json.put("sinks", cur_json.getJSONArray("sinks")); 99 | tmp_json.put("source", cur_json.getJSONObject("source")); 100 | cres.put(tmp_key, tmp_json.toString()); 101 | 102 | } else { 103 | JSONObject tmp_json = new JSONObject(cres.get(tmp_key)); 104 | for (Object nsink : cur_json.getJSONArray("sinks")) { 105 | boolean isHave = false; 106 | for (Object osink : tmp_json.getJSONArray("sinks")) { 107 | if (checkSinkJsonStrEquality(nsink.toString(), osink.toString())) { 108 | isHave = true; 109 | break; 110 | } 111 | } 112 | if (!isHave) { 113 | tmp_json.getJSONArray("sinks").put((JSONObject) nsink); 114 | } 115 | } 116 | cres.put(tmp_key, tmp_json.toString()); 117 | } 118 | } 119 | HashSet ret_res = new HashSet(); 120 | for (String tkey : cres.keySet()) { 121 | ret_res.add(cres.get(tkey).toString()); 122 | } 123 | return ret_res; 124 | 125 | 126 | } 127 | 128 | public static boolean checkSinkJsonStrEquality(String jstr1, String jstr2) { 129 | JSONObject json1 = new JSONObject(jstr1); 130 | JSONObject json2 = new JSONObject(jstr2); 131 | if (!json1.getString("unit").equals(json2.getString("unit"))) { 132 | return false; 133 | } else if (!json1.getString("method").equals(json2.getString("method"))) { 134 | return false; 135 | } else if (!json1.getString("taint_var").equals(json2.getString("taint_var"))) { 136 | return false; 137 | } else if (!json1.get("unitIndex").toString().equals(json2.get("unitIndex").toString())) { 138 | return false; 139 | } 140 | return true; 141 | } 142 | 143 | public static HashSet runStrVSA(HashSet tres) { 144 | HashSet results = null; 145 | HashSet fresults = new HashSet(); 146 | String tmp_smtd; 147 | String tmp_sinstr; 148 | String tmp_tvar; 149 | String tmp_rinstr; 150 | 151 | for (String result : tres) { 152 | m2m = new Hashtable>(); 153 | JSONObject cur_json = new JSONObject(result); 154 | JSONArray sinks_arr = cur_json.getJSONArray("sinks"); 155 | for (Object str : sinks_arr) { 156 | tmp_smtd = ((JSONObject) str).getString("method").trim(); 157 | tmp_sinstr = ((JSONObject) str).getString("unit").trim(); 158 | tmp_tvar = ((JSONObject) str).getString("taint_var").trim(); 159 | tmp_rinstr = tmp_sinstr.replace(tmp_tvar, "taintedVariable"); 160 | if (!m2m.containsKey(tmp_smtd)) { 161 | m2m.put(tmp_smtd, new Hashtable()); 162 | } 163 | if (!m2m.get(tmp_smtd).contains(tmp_rinstr)) { 164 | m2m.get(tmp_smtd).put(tmp_rinstr, tmp_sinstr); 165 | } 166 | } 167 | results = vsa(m2m); 168 | 169 | for (String tmp_res : results) { 170 | JSONObject tmp_json = new JSONObject(tmp_res); 171 | tmp_json.put("source", cur_json.get("source")); 172 | fresults.add(tmp_json.toString()); 173 | } 174 | 175 | 176 | } 177 | 178 | return fresults; 179 | } 180 | 181 | public static HashSet vsa(Hashtable> m2m2) { 182 | 183 | DGraph dg = new DGraph(); 184 | 185 | List allvps = new ArrayList(); 186 | List vps = null; 187 | JSONObject tmp; 188 | 189 | for (String tmtd : m2m2.keySet()) { 190 | 191 | vps = ValuePoint.find(dg, tmtd, m2m2.get(tmtd), 10000); 192 | for (ValuePoint vp : vps) { 193 | // vp.print(); 194 | allvps.add(vp); 195 | } 196 | } 197 | 198 | dg.solve(allvps); 199 | 200 | HashSet result = new HashSet(); 201 | 202 | JSONObject result_json = new JSONObject(); 203 | 204 | for (IDGNode tn : dg.getNodes()) { 205 | Logger.print(tn.toString()); 206 | } 207 | 208 | for (ValuePoint vp : allvps) { 209 | tmp = vp.toJson(); 210 | if (tmp.has("values")) 211 | Logger.print(tmp.getJSONArray("values").toString()); 212 | result_json.append("sinks", vp.toJson()); 213 | } 214 | // result.put("package", pn); 215 | 216 | System.out.println(result_json.toString()); 217 | 218 | if (!result.contains(result_json.toString())) { 219 | result.add(result_json.toString()); 220 | } 221 | 222 | 223 | return result; 224 | } 225 | 226 | public static void saveFinalResult(HashSet taint_res, HashSet vsa_res) { 227 | JSONObject result = new JSONObject(); 228 | // JSONObject tmp_result = new JSONObject(); 229 | for (String tres : taint_res) { 230 | JSONObject cur_tres = new JSONObject(tres); 231 | result.put("package", pn); 232 | 233 | result.put("source", cur_tres.get("source")); 234 | 235 | } 236 | } 237 | 238 | } 239 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/backwardslicing/BackwardController.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.backwardslicing; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import soot.SootMethod; 7 | import osu.seclab.inputscope.stringvsa.graph.DGraph; 8 | import osu.seclab.inputscope.stringvsa.graph.ValuePoint; 9 | import osu.seclab.inputscope.stringvsa.main.Config; 10 | 11 | public class BackwardController { 12 | static BackwardController sc = new BackwardController(); 13 | 14 | public static BackwardController getInstance() { 15 | return sc; 16 | } 17 | 18 | private BackwardController() { 19 | 20 | } 21 | 22 | public static void main(String[] args) { 23 | // TODO Auto-generated method stub 24 | 25 | } 26 | 27 | public List doBackWard(ValuePoint vp, DGraph dg) { 28 | List bcs = new ArrayList(); 29 | bcs.add(new BackwardContext(vp, dg)); 30 | 31 | long stime = System.currentTimeMillis(); 32 | BackwardContext bc; 33 | while (true) { 34 | 35 | bc = null; 36 | for (BackwardContext tmp : bcs) { 37 | if (!tmp.backWardHasFinished()) { 38 | bc = tmp; 39 | break; 40 | } 41 | } 42 | if (bc == null) { 43 | break; 44 | } 45 | bcs.addAll(bc.oneStepBackWard()); 46 | 47 | 48 | if (Config.BackwardContextTimeOut != -1 && System.currentTimeMillis() - stime > Config.BackwardContextTimeOut) { 49 | for (BackwardContext tmp : bcs) { 50 | tmp.finished(); 51 | } 52 | } 53 | } 54 | 55 | bcs.forEach(var -> { 56 | var.printExceTrace(); 57 | }); 58 | 59 | return bcs; 60 | 61 | } 62 | 63 | } 64 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/backwardslicing/CallStackItem.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.backwardslicing; 2 | 3 | import soot.SootMethod; 4 | import soot.Unit; 5 | import soot.Value; 6 | import soot.toolkits.graph.Block; 7 | 8 | public class CallStackItem { 9 | SootMethod smethd; 10 | Block blcok; 11 | Unit currentInstruction; 12 | Value returnTarget; 13 | 14 | public CallStackItem(SootMethod smethd, Block blcok, Unit currentInstruction, Value returnTarget) { 15 | super(); 16 | this.smethd = smethd; 17 | this.blcok = blcok; 18 | this.currentInstruction = currentInstruction; 19 | this.returnTarget = returnTarget; 20 | } 21 | 22 | public SootMethod getSmethd() { 23 | return smethd; 24 | } 25 | 26 | public void setSmethd(SootMethod smethd) { 27 | this.smethd = smethd; 28 | } 29 | 30 | public Block getBlcok() { 31 | return blcok; 32 | } 33 | 34 | public void setBlcok(Block blcok) { 35 | this.blcok = blcok; 36 | } 37 | 38 | public Unit getCurrentInstruction() { 39 | return currentInstruction; 40 | } 41 | 42 | public void setCurrentInstruction(Unit currentInstruction) { 43 | this.currentInstruction = currentInstruction; 44 | } 45 | 46 | public Value getReturnTarget(int fff) { 47 | return returnTarget; 48 | } 49 | 50 | public void setReturnTarget(Value returnTarget) { 51 | this.returnTarget = returnTarget; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/backwardslicing/DataSourceType.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.backwardslicing; 2 | 3 | public enum DataSourceType { 4 | HARDCODED_STR, HARDCODED_NUM, SYSTEM_API, DEVICES_RET, LOCALFILE, LOCALFILESql, LOCALFILEShare, UI, INTERNET_RET, NATIVE_CALL, NOCALLER, NO_HANDLED_CALL, INTENT, BUNDLE, List, crypto; 5 | } 6 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/backwardslicing/ICollecter.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.backwardslicing; 2 | 3 | import java.util.List; 4 | 5 | public interface ICollecter { 6 | public void clear(); 7 | 8 | public void put(BackwardContext bc); 9 | 10 | public List retrieve(); 11 | } 12 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/backwardslicing/TaintRules.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.backwardslicing; 2 | 3 | import java.io.IOException; 4 | import java.nio.file.Files; 5 | import java.nio.file.Paths; 6 | import java.util.ArrayList; 7 | import java.util.HashMap; 8 | import java.util.List; 9 | 10 | import org.json.JSONObject; 11 | 12 | public class TaintRules { 13 | 14 | static String RULE_PATH = "taintrules.json"; 15 | static String RULE_TAINT_KEY = "taint"; 16 | static String RULE_TAINT_BASENAME = "base"; 17 | static String RULE_TAINT_ALLARGS = "args"; 18 | static String RULE_TAINT_ARGS_PRE = "arg"; 19 | static String RULE_TAINT_IS_SYS_API_SRC = "isSystemAPISrc"; 20 | 21 | static JSONObject rules; 22 | static { 23 | String rjs = null; 24 | try { 25 | rjs = new String(Files.readAllBytes(Paths.get(RULE_PATH))); 26 | } catch (IOException e) { 27 | System.err.println("TaintRules load error!"); 28 | e.printStackTrace(); 29 | System.exit(0); 30 | } 31 | 32 | rules = new JSONObject(rjs); 33 | } 34 | 35 | private TaintRules() { 36 | } 37 | 38 | static TaintRules tr = new TaintRules(); 39 | 40 | public static TaintRules getInstance() { 41 | return tr; 42 | } 43 | 44 | HashMap CACHEisBaseIntrested = new HashMap(); 45 | HashMap> CACHEgetInterestedArgIndexes = new HashMap>(); 46 | 47 | public boolean hasRuleFor(String msig) { 48 | return rules.has(msig); 49 | } 50 | 51 | public boolean isBaseIntrested(String msig) { 52 | if (CACHEisBaseIntrested.containsKey(msig)) { 53 | return CACHEisBaseIntrested.get(msig); 54 | } 55 | boolean res = rules.getJSONObject(msig).getJSONArray(RULE_TAINT_KEY).toList().contains(RULE_TAINT_BASENAME); 56 | CACHEisBaseIntrested.put(msig, res); 57 | return res; 58 | } 59 | 60 | public List getInterestedArgIndexes(String msig, int argsLen) { 61 | if (CACHEgetInterestedArgIndexes.containsKey(msig)) { 62 | return CACHEgetInterestedArgIndexes.get(msig); 63 | } 64 | 65 | List indexes = new ArrayList(); 66 | List ts = rules.getJSONObject(msig).getJSONArray(RULE_TAINT_KEY).toList(); 67 | 68 | for (int i = 0; i < argsLen; i++) { 69 | if (ts.contains(RULE_TAINT_ALLARGS) || ts.contains(RULE_TAINT_ARGS_PRE + i)) { 70 | indexes.add(i); 71 | } 72 | } 73 | CACHEgetInterestedArgIndexes.put(msig, indexes); 74 | return indexes; 75 | 76 | } 77 | 78 | public List getDataSrc(String msig) { 79 | if (rules.getJSONObject(msig).has(RULE_TAINT_IS_SYS_API_SRC)) 80 | return rules.getJSONObject(msig).getJSONArray(RULE_TAINT_IS_SYS_API_SRC).toList(); 81 | return null; 82 | } 83 | 84 | 85 | } 86 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/base/ExecTrace.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.base; 2 | 3 | import java.util.ArrayList; 4 | 5 | import soot.jimple.Stmt; 6 | 7 | public class ExecTrace { 8 | ArrayList sts = new ArrayList(); 9 | } 10 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/base/GlobalStatistics.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.base; 2 | 3 | import org.json.JSONObject; 4 | 5 | public class GlobalStatistics { 6 | static GlobalStatistics gs = new GlobalStatistics(); 7 | 8 | private GlobalStatistics() { 9 | } 10 | 11 | public static GlobalStatistics getInstance() { 12 | return gs; 13 | } 14 | 15 | public void countGetString() { 16 | getString++; 17 | } 18 | 19 | public void countAppendString() { 20 | appendString++; 21 | } 22 | 23 | public void countFormatString() { 24 | formatString++; 25 | } 26 | 27 | public void countDiveIntoMethodCall() { 28 | diveIntoMethodCall++; 29 | } 30 | 31 | public void countBackWard2Caller() { 32 | backWard2Caller++; 33 | } 34 | 35 | public void updateMaxCallStack(int i) { 36 | if (i > maxCallStack) 37 | maxCallStack = i; 38 | } 39 | 40 | int getString = 0; 41 | int appendString = 0; 42 | int formatString = 0; 43 | int diveIntoMethodCall = 0; 44 | int backWard2Caller = 0; 45 | int maxCallStack = 0; 46 | 47 | public static int replace = 0; 48 | public static int addExp = 0; 49 | public static int subExp = 0; 50 | public static int mulExp = 0; 51 | public static int divExp = 0; 52 | public static int andExp = 0; 53 | public static int orExp = 0; 54 | public static int shlExp = 0; 55 | public static int shrExp = 0; 56 | public static int xorExp = 0; 57 | public static int ushrExp = 0; 58 | 59 | public JSONObject toJson() { 60 | JSONObject result = new JSONObject(); 61 | result.put("getString", getString); 62 | result.put("appendString", appendString); 63 | result.put("formatString", formatString); 64 | result.put("diveIntoMethodCall", diveIntoMethodCall); 65 | result.put("backWard2Caller", backWard2Caller); 66 | result.put("maxCallStack", maxCallStack); 67 | result.put("addExp", addExp); 68 | result.put("subExp", subExp); 69 | result.put("mulExp", mulExp); 70 | result.put("divExp", divExp); 71 | result.put("andExp", andExp); 72 | result.put("orExp", orExp); 73 | result.put("shlExp", shlExp); 74 | result.put("shrExp", shrExp); 75 | result.put("xorExp", xorExp); 76 | result.put("ushrExp", ushrExp); 77 | return result; 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/base/ParameterTransferStmt.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.base; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import soot.Unit; 7 | import soot.UnitBox; 8 | import soot.UnitPrinter; 9 | import soot.Value; 10 | import soot.ValueBox; 11 | import soot.jimple.ArrayRef; 12 | import soot.jimple.AssignStmt; 13 | import soot.jimple.FieldRef; 14 | import soot.jimple.InvokeExpr; 15 | import soot.jimple.internal.VariableBox; 16 | import soot.tagkit.Host; 17 | import soot.tagkit.Tag; 18 | import soot.util.Switch; 19 | 20 | public class ParameterTransferStmt implements AssignStmt { 21 | 22 | private static final long serialVersionUID = 1L; 23 | Value left; 24 | Value right; 25 | 26 | public ParameterTransferStmt(Value left, Value right) { 27 | super(); 28 | this.left = left; 29 | this.right = right; 30 | } 31 | 32 | @Override 33 | public String toString() { 34 | // TODO Auto-generated method stub 35 | return String.format("%s = %s", left, right); 36 | } 37 | 38 | @Override 39 | public Value getLeftOp() { 40 | // TODO Auto-generated method stub 41 | return left; 42 | } 43 | 44 | @Override 45 | public Value getRightOp() { 46 | // TODO Auto-generated method stub 47 | return right; 48 | } 49 | 50 | @Override 51 | public ValueBox getLeftOpBox() { 52 | // TODO Auto-generated method stub 53 | return null; 54 | } 55 | 56 | @Override 57 | public ValueBox getRightOpBox() { 58 | // TODO Auto-generated method stub 59 | return null; 60 | } 61 | 62 | @Override 63 | public void toString(UnitPrinter up) { 64 | // TODO Auto-generated method stub 65 | 66 | } 67 | 68 | @Override 69 | public boolean containsInvokeExpr() { 70 | // TODO Auto-generated method stub 71 | return false; 72 | } 73 | 74 | @Override 75 | public InvokeExpr getInvokeExpr() { 76 | // TODO Auto-generated method stub 77 | return null; 78 | } 79 | 80 | @Override 81 | public ValueBox getInvokeExprBox() { 82 | // TODO Auto-generated method stub 83 | return null; 84 | } 85 | 86 | @Override 87 | public boolean containsArrayRef() { 88 | // TODO Auto-generated method stub 89 | return false; 90 | } 91 | 92 | @Override 93 | public ArrayRef getArrayRef() { 94 | // TODO Auto-generated method stub 95 | return null; 96 | } 97 | 98 | @Override 99 | public ValueBox getArrayRefBox() { 100 | // TODO Auto-generated method stub 101 | return null; 102 | } 103 | 104 | @Override 105 | public boolean containsFieldRef() { 106 | // TODO Auto-generated method stub 107 | return false; 108 | } 109 | 110 | @Override 111 | public FieldRef getFieldRef() { 112 | // TODO Auto-generated method stub 113 | return null; 114 | } 115 | 116 | @Override 117 | public ValueBox getFieldRefBox() { 118 | // TODO Auto-generated method stub 119 | return null; 120 | } 121 | 122 | @Override 123 | public List getUseBoxes() { 124 | // TODO Auto-generated method stub 125 | return null; 126 | } 127 | 128 | @Override 129 | public List getDefBoxes() { 130 | // TODO Auto-generated method stub 131 | return null; 132 | } 133 | 134 | @Override 135 | public List getUnitBoxes() { 136 | // TODO Auto-generated method stub 137 | return null; 138 | } 139 | 140 | @Override 141 | public List getBoxesPointingToThis() { 142 | // TODO Auto-generated method stub 143 | return null; 144 | } 145 | 146 | @Override 147 | public void addBoxPointingToThis(UnitBox b) { 148 | // TODO Auto-generated method stub 149 | 150 | } 151 | 152 | @Override 153 | public void removeBoxPointingToThis(UnitBox b) { 154 | // TODO Auto-generated method stub 155 | 156 | } 157 | 158 | @Override 159 | public void clearUnitBoxes() { 160 | // TODO Auto-generated method stub 161 | 162 | } 163 | 164 | @Override 165 | public List getUseAndDefBoxes() { 166 | 167 | List ret = new ArrayList(); 168 | ret.add(new LinkedVariableBox(left)); 169 | ret.add(new LinkedVariableBox(right)); 170 | return ret; 171 | } 172 | 173 | private static class LinkedVariableBox extends VariableBox { 174 | /** 175 | * 176 | */ 177 | private static final long serialVersionUID = 1L; 178 | 179 | private LinkedVariableBox(Value v) { 180 | super(v); 181 | } 182 | 183 | public boolean canContainValue(Value v) { 184 | 185 | return true; 186 | } 187 | } 188 | 189 | @Override 190 | public boolean fallsThrough() { 191 | // TODO Auto-generated method stub 192 | return false; 193 | } 194 | 195 | @Override 196 | public boolean branches() { 197 | // TODO Auto-generated method stub 198 | return false; 199 | } 200 | 201 | @Override 202 | public void redirectJumpsToThisTo(Unit newLocation) { 203 | // TODO Auto-generated method stub 204 | 205 | } 206 | 207 | @Override 208 | public void apply(Switch sw) { 209 | // TODO Auto-generated method stub 210 | 211 | } 212 | 213 | @Override 214 | public List getTags() { 215 | // TODO Auto-generated method stub 216 | return null; 217 | } 218 | 219 | @Override 220 | public Tag getTag(String aName) { 221 | // TODO Auto-generated method stub 222 | return null; 223 | } 224 | 225 | @Override 226 | public void addTag(Tag t) { 227 | // TODO Auto-generated method stub 228 | 229 | } 230 | 231 | @Override 232 | public void removeTag(String name) { 233 | // TODO Auto-generated method stub 234 | 235 | } 236 | 237 | @Override 238 | public boolean hasTag(String aName) { 239 | // TODO Auto-generated method stub 240 | return false; 241 | } 242 | 243 | @Override 244 | public void removeAllTags() { 245 | // TODO Auto-generated method stub 246 | 247 | } 248 | 249 | @Override 250 | public void addAllTagsOf(Host h) { 251 | // TODO Auto-generated method stub 252 | 253 | } 254 | 255 | @Override 256 | public int getJavaSourceStartLineNumber() { 257 | // TODO Auto-generated method stub 258 | return 0; 259 | } 260 | 261 | @Override 262 | public int getJavaSourceStartColumnNumber() { 263 | // TODO Auto-generated method stub 264 | return 0; 265 | } 266 | 267 | @Override 268 | public void setLeftOp(Value variable) { 269 | // TODO Auto-generated method stub 270 | 271 | } 272 | 273 | @Override 274 | public void setRightOp(Value rvalue) { 275 | // TODO Auto-generated method stub 276 | 277 | } 278 | 279 | public ParameterTransferStmt clone() { 280 | return new ParameterTransferStmt(this.getLeftOp(), this.getRightOp()); 281 | } 282 | 283 | } 284 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/base/StmtPoint.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.base; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.List; 6 | 7 | import org.json.JSONObject; 8 | 9 | import com.google.common.collect.ContiguousSet; 10 | 11 | import osu.seclab.inputscope.stringvsa.graph.CallGraph; 12 | import osu.seclab.inputscope.stringvsa.graph.CallGraphNode; 13 | import osu.seclab.inputscope.stringvsa.main.Config; 14 | import osu.seclab.inputscope.stringvsa.utility.BlockGenerator; 15 | import osu.seclab.inputscope.stringvsa.utility.BlockUtility; 16 | import osu.seclab.inputscope.stringvsa.utility.Logger; 17 | import osu.seclab.inputscope.stringvsa.utility.MethodUtility; 18 | import soot.PatchingChain; 19 | import soot.Scene; 20 | import soot.SootField; 21 | import soot.SootMethod; 22 | import soot.Unit; 23 | import soot.ValueBox; 24 | import soot.dava.internal.AST.ASTTryNode.container; 25 | import soot.jimple.FieldRef; 26 | import soot.jimple.Stmt; 27 | import soot.toolkits.graph.Block; 28 | import soot.toolkits.graph.CompleteBlockGraph; 29 | 30 | public class StmtPoint { 31 | SootMethod method_location; 32 | Block block_location; 33 | Unit instruction_location; 34 | 35 | public StmtPoint(SootMethod method_location, Block block_location, Unit instruction_location) { 36 | super(); 37 | this.method_location = method_location; 38 | this.block_location = block_location; 39 | this.instruction_location = instruction_location; 40 | } 41 | 42 | public SootMethod getMethod_location() { 43 | return method_location; 44 | } 45 | 46 | public void setMethod_location(SootMethod method_location) { 47 | this.method_location = method_location; 48 | } 49 | 50 | public Block getBlock_location() { 51 | return block_location; 52 | } 53 | 54 | public void setBlock_location(Block block_location) { 55 | this.block_location = block_location; 56 | } 57 | 58 | public Unit getInstruction_location() { 59 | return instruction_location; 60 | } 61 | 62 | public void setInstruction_location(Unit instruction_location) { 63 | this.instruction_location = instruction_location; 64 | } 65 | 66 | public JSONObject toJson() { 67 | JSONObject js = new JSONObject(); 68 | js.put("method", this.getMethod_location()); 69 | js.put("block", this.getBlock_location().getIndexInMethod()); 70 | js.put("stmt", this.getInstruction_location()); 71 | return js; 72 | } 73 | 74 | public static List findCaller(String signature) { 75 | List sps = new ArrayList(); 76 | 77 | HashSet ms = new HashSet(); 78 | SootMethod sm = null; 79 | try { 80 | sm = Scene.v().getMethod(signature); 81 | } catch (Exception e) { 82 | return sps; 83 | } 84 | 85 | if (sm == null) { 86 | Logger.printW("[Failed Find Caller: No Caller] " + signature); 87 | return sps; 88 | } 89 | 90 | ms.add(sm); 91 | if (Config.PARSEINTERFACECALL && sm.getName().charAt(0) != '<') { 92 | MethodUtility.findAllPointerOfThisMethod(ms, sm.getSubSignature(), sm.getDeclaringClass()); 93 | } 94 | 95 | CallGraphNode node; 96 | CompleteBlockGraph cbg; 97 | Block block; 98 | for (SootMethod tmpm : ms) { 99 | 100 | node = CallGraph.getNode(tmpm.toString()); 101 | if (node == null) 102 | continue; 103 | for (CallGraphNode bn : node.getCallBy()) { 104 | PatchingChain us = bn.getSmthd().retrieveActiveBody().getUnits(); 105 | for (Unit unit : us) { 106 | if (unit instanceof Stmt) { 107 | if (((Stmt) unit).containsInvokeExpr()) { 108 | if (((Stmt) unit).getInvokeExpr().getMethod() == node.getSmthd()) { 109 | cbg = BlockGenerator.getInstance().generate(bn.getSmthd().retrieveActiveBody()); 110 | block = BlockUtility.findLocatedBlock(cbg, unit); 111 | sps.add(new StmtPoint(bn.getSmthd(), block, unit)); 112 | 113 | } 114 | } 115 | } 116 | } 117 | } 118 | } 119 | return sps; 120 | } 121 | 122 | public static List findSetter(SootField sootField) { 123 | List sps = new ArrayList(); 124 | 125 | HashSet mthdes = CallGraph.getSetter(sootField); 126 | CompleteBlockGraph cbg; 127 | Block block; 128 | if (mthdes != null) { 129 | for (SootMethod mthd : mthdes) { 130 | PatchingChain us = mthd.retrieveActiveBody().getUnits(); 131 | for (Unit unit : us) { 132 | if (unit instanceof Stmt) { 133 | for (ValueBox vbox : ((Stmt) unit).getDefBoxes()) { 134 | if (vbox.getValue() instanceof FieldRef 135 | && ((FieldRef) vbox.getValue()).getField() == sootField) { 136 | cbg = BlockGenerator.getInstance().generate(mthd.retrieveActiveBody()); 137 | block = BlockUtility.findLocatedBlock(cbg, unit); 138 | sps.add(new StmtPoint(mthd, block, unit)); 139 | } 140 | } 141 | } 142 | } 143 | } 144 | } else { 145 | Logger.printW("no Setter " + sootField); 146 | } 147 | 148 | return sps; 149 | } 150 | 151 | } 152 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/base/TargetType.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.base; 2 | 3 | public enum TargetType { 4 | RIGHTPART(-1),BASEOBJECT(-2); 5 | int tid; 6 | private TargetType(int id){ 7 | tid = id; 8 | } 9 | 10 | public int getType(){ 11 | return tid; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/forwardexec/StmtPath.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.forwardexec; 2 | 3 | import java.util.List; 4 | 5 | import soot.Unit; 6 | import osu.seclab.inputscope.stringvsa.base.StmtPoint; 7 | 8 | public interface StmtPath { 9 | 10 | public Unit getStmtPathHeader(); 11 | 12 | public Unit getSuccsinStmtPath(Unit u); 13 | 14 | public Unit getPredsinStmtPath(Unit u); 15 | 16 | public Unit getStmtPathTail(); 17 | 18 | public List getStmtPath(); 19 | } 20 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/CallGraph.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph; 2 | 3 | import java.util.HashSet; 4 | import java.util.Hashtable; 5 | 6 | import osu.seclab.inputscope.stringvsa.utility.ListUtility; 7 | import osu.seclab.inputscope.stringvsa.utility.Logger; 8 | import soot.Body; 9 | import soot.Scene; 10 | import soot.SootClass; 11 | import soot.SootField; 12 | import soot.SootMethod; 13 | import soot.Unit; 14 | import soot.Value; 15 | import soot.ValueBox; 16 | import soot.jimple.FieldRef; 17 | import soot.jimple.Stmt; 18 | 19 | public class CallGraph { 20 | 21 | static Hashtable nodes = new Hashtable(); 22 | 23 | static Hashtable> fieldSetters = new Hashtable>(); 24 | 25 | public static void init() { 26 | long st = System.currentTimeMillis(); 27 | CallGraphNode tmp; 28 | Value tv; 29 | FieldRef fr; 30 | String str; 31 | for (SootClass sclas : Scene.v().getClasses()) { 32 | 33 | for (SootMethod smthd : sclas.getMethods()) { 34 | 35 | tmp = new CallGraphNode(smthd); 36 | nodes.put(smthd.toString(), tmp); 37 | if (smthd.isConcrete()) 38 | smthd.retrieveActiveBody(); 39 | } 40 | } 41 | Logger.printI("[CG time]:" + (System.currentTimeMillis() - st)); 42 | for (SootClass sclas : Scene.v().getClasses()) { 43 | for (SootMethod smthd : ListUtility.clone(sclas.getMethods())) { 44 | 45 | if (!smthd.isConcrete()) 46 | continue; 47 | Body body = smthd.retrieveActiveBody(); 48 | if (body == null) 49 | continue; 50 | for (Unit unit : body.getUnits()) { 51 | if (unit instanceof Stmt) { 52 | if (((Stmt) unit).containsInvokeExpr()) { 53 | try { 54 | 55 | addCall(smthd, ((Stmt) unit).getInvokeExpr().getMethod()); 56 | } catch (Exception e) { 57 | Logger.printW(e.getMessage()); 58 | } 59 | } 60 | for (ValueBox var : ((Stmt) unit).getDefBoxes()) { 61 | tv = var.getValue(); 62 | 63 | if (tv instanceof FieldRef) { 64 | fr = (FieldRef) tv; 65 | if (fr.getField().getDeclaringClass().isApplicationClass()) { 66 | str = fr.getField().toString(); 67 | if (!fieldSetters.containsKey(str)) { 68 | fieldSetters.put(str, new HashSet()); 69 | } 70 | fieldSetters.get(str).add(smthd); 71 | } 72 | } 73 | } 74 | } 75 | } 76 | } 77 | } 78 | 79 | Logger.printI("[CG time]:" + (System.currentTimeMillis() - st)); 80 | } 81 | 82 | private static void addCall(SootMethod from, SootMethod to) { 83 | CallGraphNode fn, tn; 84 | fn = getNode(from); 85 | tn = getNode(to); 86 | 87 | 88 | if (fn == null || tn == null) { 89 | return; 90 | } 91 | 92 | fn.addCallTo(tn); 93 | tn.addCallBy(fn); 94 | 95 | } 96 | 97 | public static CallGraphNode getNode(SootMethod from) { 98 | return getNode(from.toString()); 99 | } 100 | 101 | public static CallGraphNode getNode(String from) { 102 | return nodes.get(from); 103 | } 104 | 105 | public static HashSet getSetter(SootField sootField) { 106 | return fieldSetters.get(sootField.toString()); 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/CallGraphNode.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph; 2 | 3 | import java.util.HashSet; 4 | 5 | import soot.SootMethod; 6 | 7 | public class CallGraphNode { 8 | SootMethod smthd; 9 | 10 | HashSet callBy = new HashSet(); 11 | HashSet callTo = new HashSet(); 12 | 13 | public CallGraphNode(SootMethod smthd) { 14 | this.smthd = smthd; 15 | } 16 | 17 | public void addCallBy(CallGraphNode smtd) { 18 | callBy.add(smtd); 19 | } 20 | 21 | public void addCallTo(CallGraphNode smtd) { 22 | callTo.add(smtd); 23 | } 24 | 25 | public HashSet getCallBy() { 26 | return callBy; 27 | } 28 | 29 | public HashSet getCallTo() { 30 | return callTo; 31 | } 32 | 33 | public SootMethod getSmthd() { 34 | return smthd; 35 | } 36 | 37 | } 38 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/DGraph.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph; 2 | 3 | import java.util.HashSet; 4 | import java.util.List; 5 | 6 | import org.json.JSONObject; 7 | 8 | import osu.seclab.inputscope.stringvsa.utility.Logger; 9 | 10 | public class DGraph { 11 | HashSet nodes = new HashSet(); 12 | 13 | public void addNode(IDGNode node) { 14 | nodes.add(node); 15 | } 16 | 17 | public void removeNode(IDGNode node) { 18 | nodes.remove(node); 19 | } 20 | 21 | public HashSet getNodes() { 22 | return nodes; 23 | } 24 | 25 | public void solve(List vps) { 26 | for (ValuePoint vp : vps) 27 | this.addNode(vp); 28 | 29 | IDGNode tnode; 30 | initAllIfNeed(); 31 | while (true) { 32 | initAllIfNeed(); 33 | tnode = getNextSolvableNode(); 34 | 35 | if (hasSolvedAllTarget(vps)) { 36 | Logger.print("[DONE]: Solved All Targets!"); 37 | return; 38 | } 39 | // 40 | if (tnode == null) { 41 | Logger.print("[DONE]: No Solvable Node Left!"); 42 | if (try2PartiallySolve()) { 43 | continue; 44 | } else { 45 | Logger.print("[DONE]: No PartiallySolvable Node Left!"); 46 | return; 47 | } 48 | } 49 | 50 | tnode.solve(); 51 | 52 | } 53 | } 54 | 55 | public void initAllIfNeed() { 56 | IDGNode whoNeedInit; 57 | while (true) { 58 | whoNeedInit = null; 59 | for (IDGNode tmp : nodes) 60 | if (!tmp.inited()) { 61 | whoNeedInit = tmp; 62 | break; 63 | } 64 | if (whoNeedInit == null) { 65 | return; 66 | } else { 67 | whoNeedInit.initIfHavenot(); 68 | } 69 | } 70 | } 71 | 72 | private IDGNode getNextSolvableNode() { 73 | for (IDGNode tmp : nodes) { 74 | if (tmp.getUnsovledDependentsCount() == 0 && !tmp.hasSolved()) { 75 | return tmp; 76 | } 77 | } 78 | return null; 79 | } 80 | 81 | private boolean try2PartiallySolve() { 82 | for (IDGNode tmp : nodes) { 83 | if (tmp.canBePartiallySolve()) { 84 | return true; 85 | } 86 | } 87 | return false; 88 | } 89 | 90 | private boolean hasSolvedAllTarget(List vps) { 91 | for (ValuePoint vp : vps) { 92 | if (!vp.hasSolved()) 93 | return false; 94 | } 95 | return true; 96 | } 97 | 98 | public JSONObject toJson() { 99 | JSONObject result = new JSONObject(); 100 | JSONObject jnodes = new JSONObject(); 101 | JSONObject jedges = new JSONObject(); 102 | for (IDGNode node : nodes) { 103 | jnodes.put(node.hashCode() + "", node.getClass().getSimpleName()); 104 | for (IDGNode subn : node.getDependents()) { 105 | jedges.append(node.hashCode() + "", subn.hashCode() + ""); 106 | } 107 | } 108 | result.put("nodes", jnodes); 109 | result.put("edges", jedges); 110 | return result; 111 | } 112 | } 113 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/HeapObject.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph; 2 | 3 | import java.util.ArrayList; 4 | import java.util.Collections; 5 | import java.util.HashMap; 6 | import java.util.HashSet; 7 | import java.util.List; 8 | import java.util.Set; 9 | 10 | import osu.seclab.inputscope.stringvsa.backwardslicing.BackwardContext; 11 | import osu.seclab.inputscope.stringvsa.backwardslicing.DataSourceType; 12 | import osu.seclab.inputscope.stringvsa.base.StmtPoint; 13 | import osu.seclab.inputscope.stringvsa.base.TargetType; 14 | import osu.seclab.inputscope.stringvsa.graph.specialcase.FindInClassAdd; 15 | import osu.seclab.inputscope.stringvsa.utility.Logger; 16 | import soot.SootField; 17 | import soot.jimple.Stmt; 18 | 19 | public class HeapObject implements IDGNode { 20 | DGraph dg; 21 | 22 | SootField sootField; 23 | boolean inited = false; 24 | boolean solved = false; 25 | ArrayList vps; 26 | HashSet solvedVps = new HashSet(); 27 | 28 | ArrayList>> result = new ArrayList>>(); 29 | 30 | private HeapObject(DGraph dg, SootField sootField) { 31 | this.dg = dg; 32 | this.sootField = sootField; 33 | } 34 | 35 | @Override 36 | public Set getDependents() { 37 | // TODO Auto-generated method stub 38 | 39 | HashSet dps = new HashSet(); 40 | for (ValuePoint vp : vps) { 41 | dps.add(vp); 42 | } 43 | return dps; 44 | 45 | } 46 | 47 | @Override 48 | public int getUnsovledDependentsCount() { 49 | // TODO Auto-generated method stub 50 | int count = 0; 51 | for (IDGNode vp : getDependents()) { 52 | if (!vp.hasSolved()) { 53 | count++; 54 | } 55 | } 56 | return count; 57 | } 58 | 59 | @Override 60 | public boolean hasSolved() { 61 | // TODO Auto-generated method stub 62 | return solved; 63 | } 64 | 65 | @Override 66 | public void solve() { 67 | // TODO Auto-generated method stub 68 | solved = true; 69 | Logger.print("[HEAP SOLVE]" + sootField); 70 | Logger.print("[SOLVING ME]" + this.hashCode()); 71 | 72 | for (ValuePoint vp : vps) { 73 | ArrayList>> vpResult = vp.getResult(); 74 | for (HashMap> res : vpResult) { 75 | if (res.containsKey(-1)) { 76 | result.add(res); 77 | } 78 | } 79 | } 80 | } 81 | 82 | @Override 83 | public boolean canBePartiallySolve() { 84 | boolean can = false; 85 | for (ValuePoint vp : vps) { 86 | if (!solvedVps.contains(vp) && vp.hasSolved()) { 87 | solvedVps.add(vp); 88 | can = true; 89 | for (HashMap> res : vp.getResult()) { 90 | if (res.containsKey(-1)) { 91 | result.add(res); 92 | } 93 | } 94 | } 95 | } 96 | if (can) { 97 | solved = true; 98 | } 99 | return can; 100 | } 101 | 102 | @Override 103 | public void initIfHavenot() { 104 | // TODO Auto-generated method stub 105 | vps = new ArrayList(); 106 | ValuePoint tmp; 107 | List sps = StmtPoint.findSetter(sootField); 108 | 109 | for (StmtPoint sp : sps) { 110 | tmp = new ValuePoint(dg, sp.getMethod_location(), sp.getBlock_location(), sp.getInstruction_location(), Collections.singletonList(TargetType.RIGHTPART.getType())); 111 | tmp.setAppendix(sootField.toString()); 112 | vps.add(tmp); 113 | } 114 | 115 | if (FindInClassAdd.isAddable(sootField)) 116 | for (StmtPoint sp : FindInClassAdd.getAll(dg, sootField)) { 117 | int targetRegIndex = ((Stmt) sp.getInstruction_location()).getInvokeExpr().getArgCount() - 1; 118 | tmp = new ValuePoint(dg, sp.getMethod_location(), sp.getBlock_location(), sp.getInstruction_location(), Collections.singletonList(targetRegIndex)); 119 | tmp.setAppendix(sootField.toString()); 120 | vps.add(tmp); 121 | } 122 | 123 | Logger.print("[HEAP INIT]" + sootField + " " + StmtPoint.findSetter(sootField).size()); 124 | 125 | inited = true; 126 | 127 | } 128 | 129 | @Override 130 | public boolean inited() { 131 | // TODO Auto-generated method stub 132 | return inited; 133 | } 134 | 135 | @Override 136 | public ArrayList>> getResult() { 137 | return result; 138 | } 139 | 140 | @Override 141 | public int hashCode() { 142 | final int prime = 31; 143 | int result = 1; 144 | result = prime * result + ((sootField == null) ? 0 : sootField.hashCode()); 145 | return result; 146 | } 147 | 148 | @Override 149 | public boolean equals(Object obj) { 150 | if (this == obj) 151 | return true; 152 | if (obj == null) 153 | return false; 154 | if (getClass() != obj.getClass()) 155 | return false; 156 | HeapObject other = (HeapObject) obj; 157 | if (sootField == null) { 158 | if (other.sootField != null) 159 | return false; 160 | } else if (!sootField.equals(other.sootField)) 161 | return false; 162 | return true; 163 | } 164 | 165 | @Override 166 | public String toString() { 167 | // TODO Auto-generated method stub 168 | if (!inited) 169 | return super.toString(); 170 | StringBuilder sb = new StringBuilder(); 171 | sb.append("==========================="); 172 | sb.append(this.hashCode()); 173 | sb.append("===========================\n"); 174 | sb.append("Field: " + sootField + "\n"); 175 | sb.append("Solved: " + hasSolved() + "\n"); 176 | sb.append("Depend: "); 177 | for (IDGNode var : this.getDependents()) { 178 | sb.append(var.hashCode()); 179 | sb.append(", "); 180 | } 181 | sb.append("\n"); 182 | sb.append("ValueSet: \n"); 183 | for (HashMap> resl : result) { 184 | sb.append(" "); 185 | for (int i : resl.keySet()) { 186 | sb.append(" |" + i + ":"); 187 | for (String str : resl.get(i)) { 188 | sb.append(str + ","); 189 | } 190 | } 191 | sb.append("\n"); 192 | } 193 | 194 | return sb.toString(); 195 | } 196 | 197 | static HashMap hos = new HashMap(); 198 | 199 | public static HeapObject getInstance(DGraph dg, SootField sootField) { 200 | String str = sootField.toString(); 201 | if (!hos.containsKey(str)) { 202 | hos.put(str, new HeapObject(dg, sootField)); 203 | } 204 | return hos.get(str); 205 | } 206 | 207 | @Override 208 | public Set getDirectAndIndirectDependents(Set ret) { 209 | // TODO Auto-generated method stub 210 | for (IDGNode i : this.getDependents()) { 211 | if (!ret.contains(i)) { 212 | ret.add(i); 213 | i.getDirectAndIndirectDependents(ret); 214 | } 215 | } 216 | return ret; 217 | } 218 | 219 | @Override 220 | public HashSet getDataSrcs() { 221 | Set dps = new HashSet(); 222 | getDirectAndIndirectDependents(dps); 223 | 224 | HashSet toRet = new HashSet(); 225 | for (IDGNode i : dps) { 226 | if (i instanceof ValuePoint) { 227 | for (BackwardContext bc : ((ValuePoint) i).getBcs()) { 228 | toRet.addAll(bc.getDataSrcs()); 229 | } 230 | } 231 | } 232 | return toRet; 233 | } 234 | 235 | @Override 236 | public HashSet getDataHcStrings() { 237 | // TODO Auto-generated method stub 238 | Set dps = new HashSet(); 239 | getDirectAndIndirectDependents(dps); 240 | 241 | HashSet toRet = new HashSet(); 242 | for (IDGNode i : dps) { 243 | if (i instanceof ValuePoint) { 244 | for (BackwardContext bc : ((ValuePoint) i).getBcs()) { 245 | toRet.addAll(bc.getHcStrings()); 246 | } 247 | } 248 | } 249 | return toRet; 250 | } 251 | } 252 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/IDGNode.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashMap; 5 | import java.util.HashSet; 6 | import java.util.Set; 7 | 8 | import osu.seclab.inputscope.stringvsa.backwardslicing.DataSourceType; 9 | 10 | public interface IDGNode { 11 | 12 | public Set getDependents(); 13 | 14 | public Set getDirectAndIndirectDependents(Set ret); 15 | 16 | public int getUnsovledDependentsCount(); 17 | 18 | public boolean hasSolved(); 19 | 20 | public void solve(); 21 | 22 | public boolean canBePartiallySolve(); 23 | 24 | public void initIfHavenot(); 25 | 26 | public boolean inited(); 27 | 28 | public HashSet getDataSrcs(); 29 | 30 | public HashSet getDataHcStrings(); 31 | 32 | public ArrayList>> getResult(); 33 | } 34 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/graph/specialcase/FindInClassAdd.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.graph.specialcase; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.Iterator; 6 | import java.util.List; 7 | 8 | import soot.Body; 9 | import soot.Local; 10 | import soot.SootField; 11 | import soot.SootMethod; 12 | import soot.Unit; 13 | import soot.Value; 14 | import soot.ValueBox; 15 | import soot.jimple.AssignStmt; 16 | import soot.jimple.FieldRef; 17 | import soot.jimple.InstanceInvokeExpr; 18 | import soot.toolkits.graph.Block; 19 | import soot.toolkits.graph.CompleteBlockGraph; 20 | import osu.seclab.inputscope.stringvsa.base.StmtPoint; 21 | import osu.seclab.inputscope.stringvsa.graph.DGraph; 22 | import osu.seclab.inputscope.stringvsa.utility.BlockGenerator; 23 | 24 | public class FindInClassAdd { 25 | 26 | public static List getAll(DGraph dg, SootField sf) { 27 | // sf.getDeclaringClass(). 28 | List sps = new ArrayList(); 29 | Body body; 30 | boolean contains; 31 | System.out.println(sf.getDeclaringClass()); 32 | 33 | for (SootMethod sm : sf.getDeclaringClass().getMethods()) { 34 | body = sm.retrieveActiveBody(); 35 | contains = false; 36 | for (ValueBox vb : body.getUseAndDefBoxes()) { 37 | 38 | if (vb.getValue() instanceof FieldRef) 39 | if (((FieldRef) vb.getValue()).getField().equals(sf)) { 40 | contains = true; 41 | break; 42 | } 43 | } 44 | if (contains) 45 | sps.addAll(onSootMethod(dg, sf, sm)); 46 | } 47 | return sps; 48 | } 49 | 50 | private static List onSootMethod(DGraph dg, SootField sf, SootMethod sm) { 51 | List sps = new ArrayList(); 52 | 53 | CompleteBlockGraph cbg = BlockGenerator.getInstance().generate(sm.retrieveActiveBody()); 54 | Local reg = null; 55 | Unit tu; 56 | Value tv; 57 | for (Block block : cbg.getBlocks()) { 58 | Iterator us = block.iterator(); 59 | while (us.hasNext()) { 60 | tu = us.next(); 61 | if (reg == null) { 62 | if (tu instanceof AssignStmt) { 63 | Value vvv = ((AssignStmt) tu).getRightOp(); 64 | if (vvv instanceof FieldRef && ((FieldRef) vvv).getField().equals(sf)) { 65 | reg = (Local) ((AssignStmt) tu).getLeftOp(); 66 | } 67 | } 68 | } else { 69 | for (ValueBox vb : tu.getUseAndDefBoxes()) { 70 | tv = vb.getValue(); 71 | if (tv instanceof InstanceInvokeExpr) { 72 | 73 | if (((InstanceInvokeExpr) tv).getBase().equivTo(reg) && tmths.contains(((InstanceInvokeExpr) tv).getMethod().getName())) { 74 | sps.add(new StmtPoint(sm, block, tu)); 75 | } 76 | } 77 | } 78 | } 79 | 80 | } 81 | } 82 | return sps; 83 | } 84 | 85 | static HashSet tmths = new HashSet(); 86 | static HashSet addableClasses = new HashSet(); 87 | static { 88 | tmths.add("put"); 89 | tmths.add("add"); 90 | 91 | addableClasses.add("java.util.Map"); 92 | addableClasses.add("java.util.HashMap"); 93 | addableClasses.add("java.util.Set"); 94 | addableClasses.add("java.util.HashSet"); 95 | addableClasses.add("java.util.ArrayList"); 96 | addableClasses.add("java.util.List"); 97 | } 98 | 99 | public static boolean isAddable(SootField sf) { 100 | return addableClasses.contains(sf.getType().toString()); 101 | } 102 | 103 | } 104 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/main/ApkContext.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.main; 2 | 3 | import java.io.File; 4 | import java.io.IOException; 5 | import java.util.zip.ZipException; 6 | 7 | import brut.androlib.AndrolibException; 8 | import brut.androlib.res.AndrolibResources; 9 | import brut.androlib.res.data.ResID; 10 | import brut.androlib.res.data.ResPackage; 11 | import brut.androlib.res.data.ResTable; 12 | import brut.androlib.res.data.value.ResStringValue; 13 | import brut.directory.ExtFile; 14 | import soot.jimple.infoflow.android.axml.ApkHandler; 15 | import soot.jimple.infoflow.android.manifest.ProcessManifest; 16 | import soot.jimple.infoflow.android.resources.ARSCFileParser; 17 | 18 | public class ApkContext { 19 | String path = null; 20 | ApkHandler apkh = null; 21 | ProcessManifest mfest = null; 22 | ARSCFileParser afp = null; 23 | ResPackage[] resps = null; 24 | 25 | private ApkContext(String path) { 26 | this.path = path; 27 | } 28 | 29 | public String getAbsolutePath() throws ZipException, IOException, AndrolibException { 30 | if (apkh == null) { 31 | init(); 32 | } 33 | 34 | return apkh.getAbsolutePath(); 35 | } 36 | 37 | public String getPackageName() { 38 | try { 39 | if (apkh == null) { 40 | init(); 41 | } 42 | 43 | if (mfest != null) 44 | return mfest.getPackageName(); 45 | 46 | } catch (Exception e) { 47 | } 48 | 49 | return null; 50 | } 51 | 52 | 53 | public String getIdentifier(String name, String type, String packageName) { 54 | for (ResPackage resp : resps) { 55 | try { 56 | return resp.getType(type).getResSpec(name).getId().id + ""; 57 | 58 | } catch (AndrolibException e) { 59 | // TODO Auto-generated catch block 60 | e.printStackTrace(); 61 | } 62 | 63 | } 64 | 65 | return "-1"; 66 | } 67 | 68 | public void init() throws ZipException, IOException, AndrolibException { 69 | apkh = new ApkHandler(path); 70 | 71 | afp = new ARSCFileParser(); 72 | afp.parse(apkh.getInputStream("resources.arsc")); 73 | try { 74 | mfest = new ProcessManifest(apkh.getInputStream("AndroidManifest.xml")); 75 | } catch (Exception e) { 76 | } 77 | ExtFile apkFile = new ExtFile(new File(path)); 78 | 79 | AndrolibResources res = new AndrolibResources(); 80 | ResTable resTab = res.getResTable(apkFile, true); 81 | resps = res.getResPackagesFromApk(apkFile, resTab, true); 82 | 83 | apkh.close(); 84 | } 85 | 86 | public String findResource(int id) { 87 | 88 | String str = String.format("[XML String:%s]", id); 89 | try { 90 | if (apkh == null) { 91 | init(); 92 | } 93 | 94 | 95 | for (ResPackage resp : resps) { 96 | if (resp.getResSpec(new ResID(id)) != null) { 97 | str = ((ResStringValue) resp.getResSpec(new ResID(id)).getDefaultResource().getValue()).encodeAsResXmlValue(); 98 | break; 99 | } 100 | } 101 | } catch (Exception e) { 102 | e.printStackTrace(); 103 | } 104 | return str; 105 | } 106 | 107 | static ApkContext apkcontext = null; 108 | 109 | public static ApkContext getInstance(String path) { 110 | apkcontext = new ApkContext(path); 111 | return apkcontext; 112 | } 113 | 114 | public static ApkContext getInstance() { 115 | return apkcontext; 116 | } 117 | 118 | } 119 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/main/Config.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.main; 2 | 3 | public class Config { 4 | 5 | public static String RESULTDIR = "./valuesetResult/"; 6 | public static String LOGDIR = "./logs/"; 7 | public static String APPCONFIGDIR = "./../appsWithTargetHashes/"; 8 | public static boolean PARSEINTERFACECALL = true; 9 | 10 | public static int MAXMETHODCHAINLEN = 100; 11 | 12 | public static int BackwardContextTimeOut = -1; 13 | 14 | static { 15 | 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/BlockGenerator.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.Hashtable; 6 | import java.util.List; 7 | 8 | import org.javatuples.Pair; 9 | 10 | import soot.Body; 11 | import soot.toolkits.graph.Block; 12 | import soot.toolkits.graph.CompleteBlockGraph; 13 | 14 | public class BlockGenerator { 15 | static BlockGenerator bg = new BlockGenerator(); 16 | 17 | public static BlockGenerator getInstance() { 18 | return bg; 19 | } 20 | 21 | private BlockGenerator() { 22 | } 23 | 24 | Hashtable ht = new Hashtable(); 25 | 26 | public CompleteBlockGraph generate(Body b) { 27 | if (!ht.containsKey(b)) { 28 | ht.put(b, new CompleteBlockGraph(b)); 29 | } 30 | return ht.get(b); 31 | } 32 | 33 | public static boolean isCircle(Block b, Block current, CompleteBlockGraph cbg, HashSet history) { 34 | if (history.contains(current)) { 35 | return false; 36 | } 37 | boolean isc = false; 38 | 39 | history.add(current); 40 | for (Block blk : cbg.getPredsOf(current)) { 41 | if (b == blk) 42 | isc = true; 43 | else 44 | isc |= isCircle(b, blk, cbg, history); 45 | if (isc) 46 | return isc; 47 | } 48 | history.remove(current); 49 | return isc; 50 | } 51 | 52 | public static void removeCircleBlocks(List bs, Block current, CompleteBlockGraph cbg) { 53 | HashSet toRemove = new HashSet(); 54 | 55 | for (Block blk : bs) { 56 | 57 | if (isCircle(current, blk, cbg, new HashSet())) { 58 | toRemove.add(blk); 59 | } 60 | } 61 | for (Block blk : toRemove) { 62 | bs.remove(blk); 63 | System.out.println("removed!!!"); 64 | System.out.println(blk); 65 | } 66 | 67 | } 68 | 69 | public static boolean isCircle(Block blk, Block current, CompleteBlockGraph cbg) { 70 | // args order is correct 71 | return isCircle(current, blk, cbg, new HashSet()); 72 | } 73 | 74 | public static List removeBlocksThatHaveBeenVisitedTwice(ArrayList> bks, List targets) { 75 | 76 | 77 | ArrayList> hit = new ArrayList>(); 78 | 79 | hit.add(bks.get(0)); 80 | 81 | Pair lastone = bks.get(0); 82 | int index = 1; 83 | int blen = bks.size(); 84 | boolean iwasInOthersubcall = false; 85 | while (index < blen) { 86 | 87 | if (bks.get(index).getValue1() < lastone.getValue1()) 88 | break; 89 | 90 | if (bks.get(index).getValue1() != lastone.getValue1()) { 91 | iwasInOthersubcall = true; 92 | } else { 93 | if (iwasInOthersubcall) { 94 | iwasInOthersubcall = false; 95 | if (bks.get(index).getValue0() != lastone.getValue0()) { 96 | Logger.printW("looks like call stack not even"); 97 | } 98 | } else { 99 | lastone = bks.get(index); 100 | hit.add(lastone); 101 | } 102 | } 103 | index++; 104 | } 105 | 106 | if (iwasInOthersubcall) 107 | Logger.printW("looks like call stack not evenb"); 108 | 109 | List toRet = new ArrayList(); 110 | for (Block current : targets) { 111 | int visitedTimes = 0; 112 | Body myBody = current.getBody(); 113 | for (Pair block : hit) { 114 | if (!block.getValue0().getBody().equals(myBody)) { 115 | Logger.printW("looks like call stack not evenc"); 116 | break; 117 | } 118 | 119 | if (block.getValue0().getIndexInMethod() == current.getIndexInMethod()) 120 | visitedTimes++; 121 | } 122 | if (visitedTimes < 2) 123 | toRet.add(current); 124 | } 125 | 126 | return toRet; 127 | } 128 | 129 | } 130 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/BlockUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.Iterator; 4 | 5 | import soot.Unit; 6 | import soot.toolkits.graph.Block; 7 | import soot.toolkits.graph.CompleteBlockGraph; 8 | 9 | public class BlockUtility { 10 | 11 | public static Block findLocatedBlock(CompleteBlockGraph cbg, Unit unit) { 12 | // TODO Auto-generated method stub 13 | 14 | for (Block block : cbg.getBlocks()) { 15 | Iterator us = block.iterator(); 16 | while (us.hasNext()) { 17 | if (us.next() == unit) { 18 | return block; 19 | } 20 | } 21 | } 22 | return null; 23 | 24 | } 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/ErrorHandler.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.lang.Thread.UncaughtExceptionHandler; 4 | 5 | public class ErrorHandler implements UncaughtExceptionHandler { 6 | String tag; 7 | 8 | public ErrorHandler(String tag) { 9 | this.tag = tag; 10 | } 11 | 12 | @Override 13 | public void uncaughtException(Thread t, Throwable e) { 14 | // TODO Auto-generated method stub 15 | StringBuilder sb = new StringBuilder(); 16 | sb.append("File: " + tag); 17 | sb.append('\n'); 18 | sb.append("Msge: " + e.getMessage()); 19 | sb.append('\n'); 20 | for (StackTraceElement st : e.getStackTrace()) { 21 | sb.append(" " + st.toString()); 22 | sb.append('\n'); 23 | } 24 | Logger.printE(sb.toString()); 25 | } 26 | 27 | } 28 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/FileUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.io.BufferedWriter; 4 | import java.io.FileWriter; 5 | import java.io.IOException; 6 | import java.io.PrintWriter; 7 | 8 | public class FileUtility { 9 | 10 | public static void wf(String path, String content, boolean append) { 11 | try { 12 | PrintWriter out = new PrintWriter(new BufferedWriter(new FileWriter(path, append))); 13 | out.println(content); 14 | out.close(); 15 | } catch (IOException e) { 16 | e.printStackTrace(); 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/FunctionUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.HashSet; 4 | import java.util.List; 5 | 6 | import osu.seclab.inputscope.stringvsa.forwardexec.SimulateEngine; 7 | import soot.Value; 8 | import soot.jimple.ArrayRef; 9 | import soot.jimple.InvokeExpr; 10 | 11 | public class FunctionUtility { 12 | 13 | @SuppressWarnings("unchecked") 14 | public static void String_format(SimulateEngine se, Value leftop, InvokeExpr vie, Value strFormat, Value strList) { 15 | 16 | 17 | se.getCurrentValues().remove(leftop); 18 | HashSet sformat = se.getContent(strFormat); 19 | if (sformat.size() <= 0) 20 | return; 21 | 22 | if (!se.getCurrentValues().containsKey(strList)) 23 | return; 24 | 25 | HashSet hs_len = se.getContent(strList); 26 | if (hs_len.size() <= 0) 27 | return; 28 | int len = Integer.parseInt(hs_len.toArray()[0] + ""); 29 | ArrayRef[] argRefs = new ArrayRef[len]; 30 | int foundCount = 0; 31 | for (Value val : se.getCurrentValues().keySet()) { 32 | if (val instanceof ArrayRef && ((ArrayRef) val).getBase().equivTo(strList)) { 33 | argRefs[Integer.parseInt(((ArrayRef) val).getIndex().toString())] = (ArrayRef) val; 34 | foundCount++; 35 | } 36 | } 37 | if (foundCount != len) { 38 | Logger.printW("Some Args are unknow " + vie); 39 | return; 40 | } 41 | 42 | for (ArrayRef argRef : argRefs) { 43 | se.getContent(argRef).size(); 44 | } 45 | 46 | int[] maxIndex = new int[len]; 47 | List[] vs = new List[len]; 48 | int[] indexes = new int[len]; 49 | HashSet tmp; 50 | for (int i = 0; i < len; i++) { 51 | tmp = se.getContent(argRefs[i]); 52 | vs[i] = ListUtility.Array2List((tmp.toArray(new String[tmp.size()]))); 53 | maxIndex[i] = vs[i].size(); 54 | 55 | indexes[i] = 0; 56 | } 57 | 58 | Object[] obj = new Object[len]; 59 | for (String formt : sformat) { 60 | for (int i = 0; i < len; i++) { 61 | indexes[i] = 0; 62 | } 63 | do { 64 | for (int i = 0; i < len; i++) { 65 | obj[i] = vs[i].get(indexes[i]); 66 | } 67 | System.out.println(formt+" "+formt.getClass()); 68 | System.out.println(obj+" "+ obj.getClass()); 69 | 70 | 71 | se.setInitValue(leftop, String.format(formt, obj), true); 72 | } while (move2Next(maxIndex, indexes)); 73 | } 74 | } 75 | 76 | public static boolean move2Next(int[] maxIndex, int[] indexes) { 77 | indexes[0]++; 78 | for (int i = 0; i < maxIndex.length; i++) { 79 | if (indexes[i] >= maxIndex[i]) { 80 | indexes[i] = 0; 81 | if (i + 1 >= maxIndex.length) { 82 | return false; 83 | } 84 | indexes[i + 1]++; 85 | } 86 | } 87 | return true; 88 | } 89 | 90 | public static void main(String[] arg) { 91 | String a = "%s-%s"; 92 | Object[] obj = new Object[2]; 93 | obj[0] = "aa"; 94 | obj[1] = "bb"; 95 | System.out.println(String.format(a, obj)); 96 | } 97 | 98 | } 99 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/ListUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import soot.PatchingChain; 7 | import soot.Unit; 8 | 9 | public class ListUtility { 10 | 11 | public static List chain2List(PatchingChain us) { 12 | List ls = new ArrayList(); 13 | for (Unit inst : us) { 14 | ls.add(inst); 15 | } 16 | return ls; 17 | } 18 | 19 | public static List Array2List(T[] ts) { 20 | List ls = new ArrayList(); 21 | for (T inst : ts) { 22 | ls.add(inst); 23 | } 24 | return ls; 25 | } 26 | 27 | public static List clone(List ls) { 28 | List list = new ArrayList(); 29 | for (T t : ls) { 30 | list.add(t); 31 | } 32 | return list; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/Logger.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | public class Logger { 4 | public static String TAG = "Logger"; 5 | static boolean showMsg = false; 6 | 7 | public static void printI(String args) { 8 | if (showMsg) 9 | System.out.println(TAG + args); 10 | } 11 | 12 | public static void printW(String args) { 13 | String str = TAG + "[W]" + args; 14 | if (showMsg) 15 | System.out.println(str); 16 | // FileUtility.wf("./warnings/warnning.txt", str, true); 17 | } 18 | 19 | public static void print(String args) { 20 | if (showMsg) 21 | System.out.println(TAG + args); 22 | } 23 | 24 | public static void printE(String args) { 25 | args = TAG + args; 26 | // FileUtility.wf("./warnings/error.txt", args, true); 27 | if (showMsg) 28 | System.out.println(args); 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/MethodUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.HashSet; 4 | 5 | import soot.Scene; 6 | import soot.SootClass; 7 | import soot.SootMethod; 8 | 9 | public class MethodUtility { 10 | 11 | public static boolean hash(String args) { 12 | try { 13 | return (Scene.v().getMethod(args) != null); 14 | } catch (Exception e) { 15 | } 16 | return false; 17 | } 18 | 19 | public static String dex2Soot_mthd(String sig) { 20 | String[] rest = sig.split("->"); 21 | String cls = dex2Soot_class(rest[0]); 22 | 23 | rest = rest[1].split("\\("); 24 | String mname = rest[0]; 25 | 26 | rest = rest[1].split("\\)"); 27 | String ret = rest[1]; 28 | if (ret.equals("V")) 29 | ret = "void"; 30 | else 31 | ret = dex2Soot_class(ret); 32 | 33 | rest = rest[0].split(";"); 34 | String pas = ""; 35 | for (String str : rest) { 36 | pas += dex2Soot_class(str) + ","; 37 | } 38 | pas = pas.replace(",,", ","); 39 | while (pas.endsWith(",")) 40 | pas = pas.substring(0, pas.length() - 1); 41 | return String.format("<%s: %s %s(%s)>", cls, ret, mname, pas); 42 | } 43 | 44 | public static String dex2Soot_class(String sig) { 45 | sig = sig.trim(); 46 | if (sig.endsWith(";")) { 47 | sig = sig.substring(0, sig.length() - 1); 48 | } 49 | if (sig.startsWith("L")) { 50 | sig = sig.substring(1, sig.length()); 51 | } 52 | 53 | return sig.replace('/', '.'); 54 | } 55 | 56 | public static void findAllPointerOfThisMethod(HashSet ms, String subSig, SootClass sc) { 57 | 58 | try { 59 | if (sc.getMethod(subSig) != null) { 60 | ms.add(sc.getMethod(subSig)); 61 | } 62 | } catch (Exception e) { 63 | } 64 | 65 | if (sc.toString().equals("java.lang.Object")) { 66 | return; 67 | } 68 | 69 | if (sc.getSuperclass() != sc && sc.getSuperclass() != null) { 70 | findAllPointerOfThisMethod(ms, subSig, sc.getSuperclass()); 71 | } 72 | for (SootClass itf : sc.getInterfaces()) { 73 | findAllPointerOfThisMethod(ms, subSig, itf); 74 | } 75 | 76 | } 77 | 78 | 79 | 80 | } 81 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/stringvsa/utility/OtherUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.stringvsa.utility; 2 | 3 | import java.util.HashSet; 4 | 5 | import osu.seclab.inputscope.stringvsa.base.GlobalStatistics; 6 | import soot.Value; 7 | import soot.jimple.BinopExpr; 8 | import soot.jimple.DoubleConstant; 9 | import soot.jimple.FloatConstant; 10 | import soot.jimple.IntConstant; 11 | import soot.jimple.LongConstant; 12 | import soot.jimple.StringConstant; 13 | import soot.jimple.UshrExpr; 14 | import soot.jimple.internal.JAddExpr; 15 | import soot.jimple.internal.JAndExpr; 16 | import soot.jimple.internal.JDivExpr; 17 | import soot.jimple.internal.JMulExpr; 18 | import soot.jimple.internal.JOrExpr; 19 | import soot.jimple.internal.JShlExpr; 20 | import soot.jimple.internal.JShrExpr; 21 | import soot.jimple.internal.JSubExpr; 22 | import soot.jimple.internal.JXorExpr; 23 | 24 | public class OtherUtility { 25 | 26 | public static boolean isStrConstant(Object obj) { 27 | return obj instanceof StringConstant; 28 | } 29 | 30 | public static boolean isNumConstant(Object obj) { 31 | return obj instanceof IntConstant || obj instanceof LongConstant || obj instanceof FloatConstant || obj instanceof DoubleConstant; 32 | } 33 | 34 | public static boolean isInt(String s) { 35 | try { 36 | Integer.parseInt(s); 37 | return true; 38 | } 39 | 40 | catch (NumberFormatException er) { 41 | return false; 42 | } 43 | } 44 | 45 | public static int string2Int(String i) { 46 | return Integer.parseInt(i); 47 | } 48 | 49 | public static long string2Long(String i) { 50 | return Long.parseLong(i); 51 | } 52 | 53 | public static float string2Float(String i) { 54 | return Float.parseFloat(i); 55 | } 56 | 57 | public static double string2Double(String i) { 58 | return Double.parseDouble(i); 59 | } 60 | 61 | public static boolean computeBasedOnType(Value to, BinopExpr exp, HashSet currentValues, HashSet opt2, HashSet newValues) { 62 | boolean isInt = to.getType().toString().equals("int"); 63 | boolean isLong = to.getType().toString().equals("long"); 64 | boolean isFloat = to.getType().toString().equals("float"); 65 | boolean isDouble = to.getType().toString().equals("double"); 66 | 67 | Compute compu = null; 68 | if (exp instanceof JAddExpr) { 69 | GlobalStatistics.addExp++; 70 | compu = new AddCompute(); 71 | } else if (exp instanceof JSubExpr) { 72 | GlobalStatistics.subExp++; 73 | compu = new SubCompute(); 74 | } else if (exp instanceof JMulExpr) { 75 | GlobalStatistics.mulExp++; 76 | compu = new MulCompute(); 77 | } else if (exp instanceof JDivExpr) { 78 | GlobalStatistics.divExp++; 79 | compu = new DivCompute(); 80 | } else if (exp instanceof JAndExpr) { 81 | GlobalStatistics.andExp++; 82 | compu = new AndCompute(); 83 | } else if (exp instanceof JOrExpr) { 84 | GlobalStatistics.orExp++; 85 | compu = new OrCompute(); 86 | } else if (exp instanceof JShlExpr) { 87 | GlobalStatistics.shlExp++; 88 | compu = new ShlCompute(); 89 | } else if (exp instanceof JShrExpr) { 90 | GlobalStatistics.shrExp++; 91 | compu = new ShrCompute(); 92 | } else if (exp instanceof JXorExpr) { 93 | GlobalStatistics.xorExp++; 94 | compu = new XorCompute(); 95 | } else if (exp instanceof UshrExpr) { 96 | GlobalStatistics.ushrExp++; 97 | compu = new UshrCompute(); 98 | } else { 99 | Logger.printW(String.format("[OtherUtility][W] [unknow compute]: %s", exp)); 100 | return false; 101 | } 102 | 103 | for (String apd : currentValues) { 104 | for (String str : opt2) { 105 | if (isInt) { 106 | newValues.add(compu.doit(OtherUtility.string2Int(apd), OtherUtility.string2Int(str))); 107 | } else if (isLong) { 108 | newValues.add(compu.doit(OtherUtility.string2Long(apd), OtherUtility.string2Long(str))); 109 | } else if (isFloat) { 110 | newValues.add(compu.doit(OtherUtility.string2Float(apd), OtherUtility.string2Float(str))); 111 | } else if (isDouble) { 112 | newValues.add(compu.doit(OtherUtility.string2Double(apd), OtherUtility.string2Double(str))); 113 | } else 114 | newValues.add(apd + str); 115 | } 116 | } 117 | 118 | return true; 119 | } 120 | 121 | interface Compute { 122 | public String doit(T one, T two); 123 | } 124 | 125 | static class AddCompute implements Compute { 126 | public String doit(T one, T two) { 127 | if (one.getClass() == Integer.class) { 128 | return (Integer) ((Integer) one + (Integer) two) + ""; 129 | } 130 | if (one.getClass() == Long.class) { 131 | return (((Long) one).longValue() + ((Long) two).longValue()) + ""; 132 | } 133 | if (one.getClass() == Double.class) { 134 | return (((Double) one).doubleValue() + ((Double) two).doubleValue()) + ""; 135 | } 136 | if (one.getClass() == Float.class) { 137 | return (((Float) one).floatValue() + ((Float) two).floatValue()) + ""; 138 | } 139 | Logger.printW(String.format("[OtherUtility][W] [unknow add]: %s (%s)", one, two)); 140 | return ""; 141 | } 142 | } 143 | 144 | static class SubCompute implements Compute { 145 | public String doit(T one, T two) { 146 | if (one.getClass() == Integer.class) { 147 | return (Integer) ((Integer) one - (Integer) two) + ""; 148 | } 149 | if (one.getClass() == Long.class) { 150 | return (((Long) one).longValue() - ((Long) two).longValue()) + ""; 151 | } 152 | if (one.getClass() == Double.class) { 153 | return (((Double) one).doubleValue() - ((Double) two).doubleValue()) + ""; 154 | } 155 | if (one.getClass() == Float.class) { 156 | return (((Float) one).floatValue() - ((Float) two).floatValue()) + ""; 157 | } 158 | Logger.printW(String.format("[OtherUtility][W] [unknow sub]: %s (%s)", one, two)); 159 | return ""; 160 | } 161 | } 162 | 163 | static class MulCompute implements Compute { 164 | public String doit(T one, T two) { 165 | if (one.getClass() == Integer.class) { 166 | return (Integer) ((Integer) one * (Integer) two) + ""; 167 | } 168 | if (one.getClass() == Long.class) { 169 | return (((Long) one).longValue() * ((Long) two).longValue()) + ""; 170 | } 171 | if (one.getClass() == Double.class) { 172 | return (((Double) one).doubleValue() * ((Double) two).doubleValue()) + ""; 173 | } 174 | if (one.getClass() == Float.class) { 175 | return (((Float) one).floatValue() * ((Float) two).floatValue()) + ""; 176 | } 177 | Logger.printW(String.format("[OtherUtility][W] [unknow mul]: %s (%s)", one, two)); 178 | return ""; 179 | } 180 | } 181 | 182 | static class DivCompute implements Compute { 183 | public String doit(T one, T two) { 184 | if (one.getClass() == Integer.class) { 185 | return (Integer) ((Integer) one / (Integer) two) + ""; 186 | } 187 | if (one.getClass() == Long.class) { 188 | System.out.println(((Long) one).longValue() + " " + ((Long) two).longValue()); 189 | return (((Long) one).longValue() / ((Long) two).longValue()) + ""; 190 | } 191 | if (one.getClass() == Double.class) { 192 | return (((Double) one).doubleValue() / ((Double) two).doubleValue()) + ""; 193 | } 194 | if (one.getClass() == Float.class) { 195 | return (((Float) one).floatValue() / ((Float) two).floatValue()) + ""; 196 | } 197 | Logger.printW(String.format("[OtherUtility][W] [unknow div]: %s (%s)", one, two)); 198 | return ""; 199 | } 200 | } 201 | 202 | static class AndCompute implements Compute { 203 | public String doit(T one, T two) { 204 | if (one.getClass() == Integer.class) { 205 | return (Integer) ((Integer) one & (Integer) two) + ""; 206 | } 207 | if (one.getClass() == Long.class) { 208 | return (((Long) one).longValue() & ((Long) two).longValue()) + ""; 209 | } 210 | Logger.printW(String.format("[OtherUtility][W] [unknow And]: %s (%s)", one, two)); 211 | return ""; 212 | } 213 | } 214 | 215 | static class OrCompute implements Compute { 216 | public String doit(T one, T two) { 217 | if (one.getClass() == Integer.class) { 218 | return (Integer) ((Integer) one | (Integer) two) + ""; 219 | } 220 | if (one.getClass() == Long.class) { 221 | return (((Long) one).longValue() | ((Long) two).longValue()) + ""; 222 | } 223 | Logger.printW(String.format("[OtherUtility][W] [unknow Or]: %s (%s)", one, two)); 224 | return ""; 225 | } 226 | } 227 | 228 | static class ShlCompute implements Compute { 229 | public String doit(T one, T two) { 230 | if (one.getClass() == Integer.class) { 231 | return (Integer) ((Integer) one << (Integer) two) + ""; 232 | } 233 | if (one.getClass() == Long.class) { 234 | return (((Long) one).longValue() << ((Long) two).longValue()) + ""; 235 | } 236 | Logger.printW(String.format("[OtherUtility][W] [unknow Shl]: %s (%s)", one, two)); 237 | return ""; 238 | } 239 | } 240 | 241 | static class ShrCompute implements Compute { 242 | public String doit(T one, T two) { 243 | if (one.getClass() == Integer.class) { 244 | return (Integer) ((Integer) one >> (Integer) two) + ""; 245 | } 246 | if (one.getClass() == Long.class) { 247 | return (((Long) one).longValue() >> ((Long) two).longValue()) + ""; 248 | } 249 | Logger.printW(String.format("[OtherUtility][W] [unknow Shr]: %s (%s)", one, two)); 250 | return ""; 251 | } 252 | } 253 | 254 | static class XorCompute implements Compute { 255 | public String doit(T one, T two) { 256 | if (one.getClass() == Integer.class) { 257 | return (Integer) ((Integer) one ^ (Integer) two) + ""; 258 | } 259 | if (one.getClass() == Long.class) { 260 | return (((Long) one).longValue() ^ ((Long) two).longValue()) + ""; 261 | } 262 | Logger.printW(String.format("[OtherUtility][W] [unknow Xor]: %s (%s)", one, two)); 263 | return ""; 264 | } 265 | } 266 | 267 | static class UshrCompute implements Compute { 268 | public String doit(T one, T two) { 269 | if (one.getClass() == Integer.class) { 270 | return (Integer) ((Integer) one >>> (Integer) two) + ""; 271 | } 272 | if (one.getClass() == Long.class) { 273 | return (((Long) one).longValue() >>> ((Long) two).longValue()) + ""; 274 | } 275 | Logger.printW(String.format("[OtherUtility][W] [unknow Ushr]: %s (%s)", one, two)); 276 | return ""; 277 | } 278 | } 279 | } 280 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/base/SinkMethod.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.base; 2 | 3 | import soot.Scene; 4 | import soot.SootMethod; 5 | 6 | public class SinkMethod { 7 | SootMethod methodLocation; 8 | 9 | public SinkMethod(SootMethod methodLocation) { 10 | this.methodLocation = methodLocation; 11 | } 12 | 13 | public SinkMethod(String methodSig) { 14 | this.methodLocation = Scene.v().getMethod(methodSig); 15 | } 16 | 17 | public SootMethod getMethodLocation() { 18 | return methodLocation; 19 | } 20 | 21 | public void setMethodLocation(SootMethod methodLocation) { 22 | this.methodLocation = methodLocation; 23 | } 24 | 25 | } -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/base/SourcePoint.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.base; 2 | 3 | import soot.SootMethod; 4 | import soot.Unit; 5 | import soot.Value; 6 | import soot.toolkits.graph.Block; 7 | 8 | public class SourcePoint { 9 | SootMethod methodLocation; 10 | Block blockLocation; 11 | Unit instructionLocation; 12 | Value tartgetValue; 13 | 14 | public SourcePoint(SootMethod methodLocation, Block blockLocation, Unit instructionLocation, Value tartgetValue) { 15 | this.methodLocation = methodLocation; 16 | this.blockLocation = blockLocation; 17 | this.instructionLocation = instructionLocation; 18 | this.tartgetValue = tartgetValue; 19 | } 20 | 21 | public SootMethod getMethodLocation() { 22 | return methodLocation; 23 | } 24 | 25 | public void setMethodLocation(SootMethod methodLocation) { 26 | this.methodLocation = methodLocation; 27 | } 28 | 29 | public Block getBlockLocation() { 30 | return blockLocation; 31 | } 32 | 33 | public void setBlockLocation(Block blockLocation) { 34 | this.blockLocation = blockLocation; 35 | } 36 | 37 | public Unit getInstructionLocation() { 38 | return instructionLocation; 39 | } 40 | 41 | public void setInstructionLocation(Unit instructionLocation) { 42 | this.instructionLocation = instructionLocation; 43 | } 44 | 45 | public Value getTartgetValue() { 46 | return tartgetValue; 47 | } 48 | 49 | public void setTartgetValue(Value tartgetValue) { 50 | this.tartgetValue = tartgetValue; 51 | } 52 | 53 | } 54 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/base/TaintQuestion.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.base; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import osu.seclab.inputscope.taintanalysis.solver.SimulationContext; 7 | import soot.SootMethod; 8 | 9 | public class TaintQuestion { 10 | SourcePoint sourcep; 11 | List sinks; 12 | 13 | List sContexts = new ArrayList<>(); 14 | 15 | public TaintQuestion(SourcePoint sourcep) { 16 | setSourcep(sourcep); 17 | sinks = new ArrayList<>(); 18 | 19 | SimulationContext sc = new SimulationContext(sourcep.getMethodLocation(), sourcep.getBlockLocation(), sourcep.getInstructionLocation()); 20 | sc.addIntrestedVariable(sourcep.getTartgetValue()); 21 | sContexts.add(sc); 22 | 23 | } 24 | 25 | public SourcePoint getSourcep() { 26 | return sourcep; 27 | } 28 | 29 | public void setSourcep(SourcePoint sourcep) { 30 | this.sourcep = sourcep; 31 | } 32 | 33 | public List getSinks() { 34 | return sinks; 35 | } 36 | 37 | public void addSinks(SinkMethod sink) { 38 | this.sinks.add(sink); 39 | } 40 | 41 | public List getsContexts() { 42 | return sContexts; 43 | } 44 | 45 | public void addSContexts(SimulationContext sContext) { 46 | if (!sContexts.contains(sContext)) 47 | this.sContexts.add(sContext); 48 | } 49 | 50 | public boolean isSink(SootMethod sm) { 51 | 52 | for (SinkMethod sinkm : sinks) { 53 | if (sinkm.getMethodLocation().equals(sm)) 54 | return true; 55 | } 56 | return false; 57 | 58 | } 59 | 60 | public boolean isPositive() { 61 | for (SimulationContext sContext : sContexts) { 62 | if(sContext.isContainsSink()) 63 | return true; 64 | } 65 | return false; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/main/CrossPath.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.main; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import org.json.JSONObject; 7 | 8 | import osu.seclab.inputscope.taintanalysis.solver.SimulationContext; 9 | import osu.seclab.inputscope.taintanalysis.solver.StmtItem; 10 | import soot.Unit; 11 | 12 | public class CrossPath { 13 | 14 | Unit u; 15 | List inputs; 16 | List arrays; 17 | 18 | public CrossPath(Unit u, List inputs, List arrays) { 19 | super(); 20 | this.u = u; 21 | this.inputs = inputs; 22 | this.arrays = arrays; 23 | } 24 | 25 | public List getInputs() { 26 | return inputs; 27 | } 28 | 29 | public List getArrays() { 30 | return arrays; 31 | } 32 | 33 | public JSONObject toJson() { 34 | 35 | JSONObject tor = new JSONObject(); 36 | 37 | 38 | JSONObject input = new JSONObject(); 39 | JSONObject array = new JSONObject(); 40 | 41 | input.put("length", 0); 42 | array.put("length", 0); 43 | if (inputs != null && inputs.size() > 0) { 44 | ArrayList stmts = inputs.get(0).getInstructionTrace(); 45 | input.put("length", stmts.size()); 46 | for (int i = 0; i < stmts.size(); i++) { 47 | input.put(i + "", stmts.get(i).toJson(true)); 48 | } 49 | } 50 | 51 | if (arrays != null && arrays.size() > 0) { 52 | ArrayList stmts = arrays.get(0).getInstructionTrace(); 53 | array.put("length", stmts.size()); 54 | for (int i = 0; i < stmts.size(); i++) { 55 | array.put(i + "", stmts.get(i).toJson(true)); 56 | } 57 | } 58 | 59 | tor.put("input", input); 60 | tor.put("array", array); 61 | 62 | return tor; 63 | 64 | } 65 | 66 | } 67 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/main/QuestionGenerator.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.main; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.Hashtable; 6 | import java.util.List; 7 | 8 | import osu.seclab.inputscope.taintanalysis.base.SinkMethod; 9 | import osu.seclab.inputscope.taintanalysis.base.SourcePoint; 10 | import osu.seclab.inputscope.taintanalysis.base.TaintQuestion; 11 | import osu.seclab.inputscope.taintanalysis.solver.SimulationContext; 12 | import osu.seclab.inputscope.taintanalysis.solver.StmtItem; 13 | import osu.seclab.inputscope.taintanalysis.solver.TaintQuestionSolver; 14 | import osu.seclab.inputscope.taintanalysis.utility.BlockGenerator; 15 | import osu.seclab.inputscope.taintanalysis.utility.ListUtility; 16 | import osu.seclab.inputscope.taintanalysis.utility.Logger; 17 | import soot.Body; 18 | import soot.Scene; 19 | import soot.SootClass; 20 | import soot.SootMethod; 21 | import soot.Type; 22 | import soot.Unit; 23 | import soot.Value; 24 | import soot.jimple.AssignStmt; 25 | import soot.jimple.InvokeExpr; 26 | import soot.jimple.internal.JArrayRef; 27 | import soot.toolkits.graph.Block; 28 | 29 | public class QuestionGenerator { 30 | ArrayList tqInput; 31 | ArrayList tqArray; 32 | 33 | List solvedInput = new ArrayList(); 34 | List solvedArray = new ArrayList(); 35 | 36 | public QuestionGenerator generateInputQuestions() { 37 | 38 | ArrayList inputMetds = new ArrayList(); 39 | inputMetds.add(""); 40 | inputMetds.add(""); 41 | inputMetds.add(""); 42 | 43 | tqInput = new ArrayList(); 44 | tqArray = new ArrayList(); 45 | 46 | for (SootClass sclas : Scene.v().getClasses()) { 47 | for (SootMethod smthd : ListUtility.clone(sclas.getMethods())) { 48 | if (!smthd.isConcrete()) 49 | continue; 50 | 51 | Body body = smthd.retrieveActiveBody(); 52 | if (body == null) 53 | continue; 54 | 55 | List bs = BlockGenerator.getInstance().generate(body).getBlocks(); 56 | 57 | for (Block block : bs) { 58 | for (Unit unit : block) { 59 | if (unit instanceof AssignStmt) { 60 | if (((AssignStmt) unit).getRightOp() instanceof InvokeExpr) { 61 | 62 | if (inputMetds.contains(((InvokeExpr) ((AssignStmt) unit).getRightOp()).getMethodRef().getSignature())) 63 | generateOneQuestion(tqInput, smthd, block, unit, ((AssignStmt) unit).getLeftOp()); 64 | 65 | } 66 | } 67 | } 68 | } 69 | } 70 | } 71 | 72 | return this; 73 | } 74 | 75 | private void generateOneQuestion(ArrayList tqs, SootMethod smthd, Block block, Unit unit, Value value) { 76 | 77 | ArrayList sinkMetds = new ArrayList(); 78 | sinkMetds.add(""); 79 | sinkMetds.add(""); 80 | sinkMetds.add(""); 81 | sinkMetds.add(""); 82 | sinkMetds.add(""); 83 | sinkMetds.add(""); 84 | sinkMetds.add(""); 85 | sinkMetds.add(""); 86 | sinkMetds.add(""); 87 | // sinkMetds.add(""); 88 | sinkMetds.add(""); 89 | // sinkMetds.add(""); 90 | sinkMetds.add(""); 91 | // sinkMetds.add(""); 92 | sinkMetds.add(""); 93 | // sinkMetds.add(""); 94 | // sinkMetds.add(""); 95 | sinkMetds.add(""); 96 | sinkMetds.add(""); 97 | 98 | 99 | SourcePoint sp = new SourcePoint(smthd, block, unit, value); 100 | 101 | TaintQuestion tq = new TaintQuestion(sp); 102 | SinkMethod sm; 103 | 104 | for (String str : sinkMetds) { 105 | try { 106 | sm = new SinkMethod(Scene.v().getMethod(str)); 107 | tq.addSinks(sm); 108 | } catch (Exception e) { 109 | e.printStackTrace(); 110 | } 111 | } 112 | 113 | tqs.add(tq); 114 | 115 | print(); 116 | } 117 | 118 | public HashSet solveInputQuestions(boolean gArrayQuestions) { 119 | 120 | solvedInput = new ArrayList(); 121 | 122 | TaintQuestionSolver tgSolver = new TaintQuestionSolver(); 123 | int i = 0; 124 | int positive = 0; 125 | for (TaintQuestion tq : getTqInput()) { 126 | // System.out.println("Start Solving Q-"+i); 127 | // System.out.println(tq.getSourcep().getMethodLocation()); 128 | // System.out.println(tq.getSourcep().getBlockLocation()); 129 | // System.out.println("End Solving Q-"+i); 130 | tgSolver.solve(tq); 131 | // System.out.println("End Solving Q-" + i++); 132 | 133 | if (tq.isPositive()) { 134 | solvedInput.add(tq); 135 | // System.out.println("Question Q-"+ i + " is positive!\n"); 136 | positive++; 137 | }else{ 138 | // System.out.println("Question Q-"+ i + " is negative!\n"); 139 | } 140 | } 141 | 142 | System.out.println("Statistic: Total Questions:" + i + " Total Positive: " + positive); 143 | 144 | return TResSolve.saveSolved(solvedInput); 145 | 146 | } 147 | 148 | @SuppressWarnings("unchecked") 149 | public QuestionGenerator generateArrayQuestions(List solved) { 150 | HashSet sms = new HashSet(); 151 | 152 | ArrayList stmts; 153 | for (TaintQuestion tq : solved) { 154 | for (SimulationContext sc : tq.getsContexts()) { 155 | if (sc.isContainsSink()) { 156 | 157 | stmts = (ArrayList) sc.getInstructionTrace().clone(); 158 | 159 | while (!stmts.get(stmts.size() - 1).isContainsInteresting()) 160 | stmts.remove(stmts.size() - 1); 161 | 162 | for (StmtItem stmt : stmts) 163 | sms.add(stmt.getSm()); 164 | } 165 | } 166 | } 167 | 168 | for (SootMethod smthd : sms) { 169 | if (!smthd.isConcrete()) 170 | continue; 171 | Body body = smthd.retrieveActiveBody(); 172 | if (body == null) 173 | continue; 174 | 175 | List bs = BlockGenerator.getInstance().generate(body).getBlocks(); 176 | 177 | for (Block block : bs) { 178 | for (Unit unit : block) { 179 | if (unit instanceof AssignStmt) { 180 | if (((AssignStmt) unit).getRightOp() instanceof JArrayRef) { 181 | if (((JArrayRef) ((AssignStmt) unit).getRightOp()).getType().toString().equals("java.lang.String")) 182 | generateOneQuestion(tqArray, smthd, block, unit, ((AssignStmt) unit).getLeftOp()); 183 | } 184 | } 185 | } 186 | } 187 | } 188 | 189 | return this; 190 | } 191 | 192 | public void solveArrayQuestions() { 193 | 194 | TaintQuestionSolver tgSolver = new TaintQuestionSolver(); 195 | int i = 0; 196 | int positive = 0; 197 | for (TaintQuestion tq : getTqArray()) { 198 | System.out.println("aaa"); 199 | System.out.println(tq.getSourcep().getMethodLocation()); 200 | System.out.println(tq.getSourcep().getBlockLocation()); 201 | System.out.println("aaa"); 202 | tgSolver.solve(tq); 203 | System.out.println("ddd " + i++); 204 | 205 | if (tq.isPositive()) { 206 | solvedArray.add(tq); 207 | System.out.println("positive!"); 208 | positive++; 209 | } 210 | } 211 | 212 | System.out.println("ddd " + i + " " + positive); 213 | 214 | } 215 | 216 | public ArrayList checkOverlappingAndGetResults() { 217 | ArrayList paths = new ArrayList(); 218 | if (solvedInput.size() > 0 && solvedArray.size() > 0) { 219 | Hashtable> pointsInput = new Hashtable>(); 220 | Hashtable> pointsArray = new Hashtable>(); 221 | 222 | for (TaintQuestion tq : solvedInput) { 223 | for (SimulationContext sc : tq.getsContexts()) { 224 | if (sc.isContainsSink()) { 225 | for (StmtItem stmt : sc.getInstructionTrace()) { 226 | if (stmt.isContainsSink()) { 227 | if (!pointsInput.containsKey(stmt.getU())) 228 | pointsInput.put(stmt.getU(), new ArrayList()); 229 | pointsInput.get(stmt.getU()).add(sc); 230 | } 231 | } 232 | } 233 | } 234 | } 235 | 236 | for (TaintQuestion tq : solvedArray) { 237 | for (SimulationContext sc : tq.getsContexts()) { 238 | if (sc.isContainsSink()) { 239 | for (StmtItem stmt : sc.getInstructionTrace()) { 240 | if (stmt.isContainsSink()) { 241 | if (!pointsArray.containsKey(stmt.getU())) 242 | pointsArray.put(stmt.getU(), new ArrayList()); 243 | pointsArray.get(stmt.getU()).add(sc); 244 | } 245 | } 246 | } 247 | } 248 | } 249 | 250 | for (Unit u : pointsInput.keySet()) { 251 | if (pointsArray.containsKey(u)) { 252 | paths.add(new CrossPath(u, pointsInput.get(u), pointsArray.get(u))); 253 | } 254 | } 255 | 256 | } 257 | 258 | System.out.println(paths.size()); 259 | 260 | return paths; 261 | } 262 | 263 | public QuestionGenerator print() { 264 | Logger.print("tqInput size:" + tqInput.size()); 265 | Logger.print("tqArray size:" + tqArray.size()); 266 | return this; 267 | } 268 | 269 | public ArrayList getTqInput() { 270 | return tqInput; 271 | } 272 | 273 | public ArrayList getTqArray() { 274 | return tqArray; 275 | } 276 | 277 | } 278 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/main/TResSolve.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.main; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.List; 6 | 7 | import org.json.JSONObject; 8 | 9 | import osu.seclab.inputscope.main.runTest; 10 | import osu.seclab.inputscope.taintanalysis.base.TaintQuestion; 11 | import osu.seclab.inputscope.taintanalysis.solver.SimulationContext; 12 | import osu.seclab.inputscope.taintanalysis.solver.StmtItem; 13 | import osu.seclab.inputscope.taintanalysis.utility.FileUtility; 14 | import osu.seclab.inputscope.taintanalysis.utility.MethodUtility; 15 | 16 | public class TResSolve { 17 | 18 | @SuppressWarnings("unchecked") 19 | public static HashSet saveSolved(List solved) { 20 | 21 | HashSet svd = new HashSet(); 22 | ArrayList stmts; 23 | String tmp; 24 | for (TaintQuestion tq : solved) { 25 | 26 | JSONObject source = new JSONObject(); 27 | source.put("method", tq.getSourcep().getMethodLocation().toString()); 28 | source.put("unit", tq.getSourcep().getInstructionLocation().toString()); 29 | source.put("unitIndex", MethodUtility.getUnitIndex(tq.getSourcep().getMethodLocation(), tq.getSourcep().getInstructionLocation())); 30 | 31 | for (SimulationContext sc : tq.getsContexts()) { 32 | if (sc.isContainsSink()) { 33 | 34 | JSONObject ret = new JSONObject(); 35 | ret.put("package", runTest.pn); 36 | ret.put("source", source); 37 | 38 | stmts = (ArrayList) sc.getInstructionTrace().clone(); 39 | for (StmtItem stmt : stmts) 40 | if (stmt.isContainsSink()) { 41 | 42 | JSONObject sink = new JSONObject(); 43 | sink.put("method", stmt.getSm().toString()); 44 | sink.put("unit", stmt.getU()); 45 | sink.put("unitIndex", MethodUtility.getUnitIndex(stmt.getSm(), stmt.getU())); 46 | 47 | if (stmt.getCurIntst() != null) 48 | sink.put("taint_var", stmt.getCurIntst()); 49 | ret.append("sinks", sink); 50 | 51 | } 52 | tmp = ret.toString(); 53 | if (!svd.contains(tmp)) { 54 | svd.add(tmp); 55 | // FileUtility.wf("taintResTmp.txt", tmp, true); 56 | } 57 | } 58 | } 59 | } 60 | return svd; 61 | 62 | } 63 | 64 | } 65 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/solver/CallStackItem.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.solver; 2 | 3 | import soot.SootMethod; 4 | import soot.Unit; 5 | import soot.Value; 6 | import soot.toolkits.graph.Block; 7 | 8 | public class CallStackItem { 9 | SootMethod smethd; 10 | Block blcok; 11 | Unit currentInstruction; 12 | Value returnTarget; 13 | 14 | public CallStackItem(SootMethod smethd, Block blcok, Unit currentInstruction, Value returnTarget) { 15 | super(); 16 | this.smethd = smethd; 17 | this.blcok = blcok; 18 | this.currentInstruction = currentInstruction; 19 | this.returnTarget = returnTarget; 20 | } 21 | 22 | public SootMethod getSmethd() { 23 | return smethd; 24 | } 25 | 26 | public void setSmethd(SootMethod smethd) { 27 | this.smethd = smethd; 28 | } 29 | 30 | public Block getBlcok() { 31 | return blcok; 32 | } 33 | 34 | public void setBlcok(Block blcok) { 35 | this.blcok = blcok; 36 | } 37 | 38 | public Unit getCurrentInstruction() { 39 | return currentInstruction; 40 | } 41 | 42 | public void setCurrentInstruction(Unit currentInstruction) { 43 | this.currentInstruction = currentInstruction; 44 | } 45 | 46 | public Value getReturnTarget() { 47 | return returnTarget; 48 | } 49 | 50 | public void setReturnTarget(Value returnTarget) { 51 | this.returnTarget = returnTarget; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/solver/SimulationContext.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.solver; 2 | 3 | import java.util.ArrayList; 4 | import java.util.HashSet; 5 | import java.util.List; 6 | import java.util.Stack; 7 | 8 | import soot.SootMethod; 9 | import soot.Unit; 10 | import soot.Value; 11 | import soot.toolkits.graph.Block; 12 | 13 | public class SimulationContext { 14 | SootMethod methodLocation; 15 | Block blockLocation; 16 | Unit instructionLocation; 17 | 18 | HashSet intrestedVariable; 19 | // Bruce 20 | Value curInterestedVariable=null; 21 | 22 | 23 | ArrayList blockTrace; 24 | ArrayList instructionTrace; 25 | 26 | Stack callStack; 27 | 28 | boolean terminated = false; 29 | 30 | boolean containsSink = false; 31 | 32 | @SuppressWarnings("unchecked") 33 | public SimulationContext(SimulationContext src) { 34 | this.methodLocation = src.getMethodLocation(); 35 | this.blockLocation = src.getBlockLocation(); 36 | this.instructionLocation = src.getInstructionLocation(); 37 | this.intrestedVariable = (HashSet) src.getIntrestedVariable().clone(); 38 | this.blockTrace = (ArrayList) src.getBlockTrace().clone(); 39 | this.instructionTrace = (ArrayList) src.getInstructionTrace().clone(); 40 | callStack = (Stack) src.getCallStack().clone(); 41 | 42 | this.containsSink = src.isContainsSink(); 43 | } 44 | 45 | public SimulationContext(SootMethod methodLocation, Block blockLocation, Unit instructionLocation) { 46 | this.intrestedVariable = new HashSet(); 47 | this.instructionTrace = new ArrayList(); 48 | this.blockTrace = new ArrayList(); 49 | this.callStack = new Stack(); 50 | 51 | this.methodLocation = methodLocation; 52 | this.setBlockLocation(blockLocation); 53 | this.instructionLocation = instructionLocation; 54 | add2InstructionTrace(methodLocation, blockLocation, instructionLocation, true); 55 | } 56 | 57 | public SootMethod getMethodLocation() { 58 | return methodLocation; 59 | } 60 | 61 | public void setMethodLocation(SootMethod methodLocation) { 62 | this.methodLocation = methodLocation; 63 | } 64 | 65 | public Block getBlockLocation() { 66 | return blockLocation; 67 | } 68 | 69 | public void setBlockLocation(Block blockLocation) { 70 | this.blockLocation = blockLocation; 71 | blockTrace.add(blockLocation); 72 | } 73 | 74 | public Unit getInstructionLocation() { 75 | return instructionLocation; 76 | } 77 | 78 | public void setInstructionLocation(Unit instructionLocation, boolean containsInteresting) { 79 | this.instructionLocation = instructionLocation; 80 | } 81 | // public void setInstructionLocation(Unit instructionLocation, boolean containsInteresting, Value iv) { 82 | // this.instructionLocation = instructionLocation; 83 | // this.curInterestedVariable = iv; 84 | // } 85 | 86 | public boolean isTerminated() { 87 | return terminated || intrestedVariable.isEmpty(); 88 | } 89 | 90 | public void setTerminated(boolean terminated) { 91 | this.terminated = terminated; 92 | } 93 | 94 | public HashSet getIntrestedVariable() { 95 | return intrestedVariable; 96 | } 97 | 98 | public void setIntrestedVariable(HashSet intrestedVariable) { 99 | this.intrestedVariable = intrestedVariable; 100 | } 101 | 102 | public void addIntrestedVariable(Value intrestedVariable) { 103 | this.intrestedVariable.add(intrestedVariable); 104 | } 105 | 106 | public boolean isIntrested(Value intr) { 107 | return this.intrestedVariable.contains(intr); 108 | } 109 | 110 | public boolean containsIntrested(List intrs) { 111 | for (Value val : intrs) 112 | if (isIntrested(val)) 113 | return true; 114 | 115 | return false; 116 | } 117 | 118 | public ArrayList getBlockTrace() { 119 | return blockTrace; 120 | } 121 | 122 | public void setBlockTrace(ArrayList blockTrace) { 123 | this.blockTrace = blockTrace; 124 | } 125 | 126 | public ArrayList getInstructionTrace() { 127 | return instructionTrace; 128 | } 129 | 130 | public void setInstructionTrace(ArrayList instructionTrace) { 131 | this.instructionTrace = instructionTrace; 132 | } 133 | 134 | public void add2InstructionTrace(SootMethod methodLocation, Block blockLocation, Unit instructionLocation, boolean containsInteresting) { 135 | StmtItem sItem = new StmtItem(methodLocation, blockLocation, instructionLocation); 136 | sItem.setContainsInteresting(containsInteresting); 137 | this.getInstructionTrace().add(sItem); 138 | } 139 | 140 | public boolean isContainsSink() { 141 | return containsSink; 142 | } 143 | 144 | // public void setContainsSink(boolean containsSink) { 145 | // this.containsSink = containsSink; 146 | // this.getInstructionTrace().get(this.getInstructionTrace().size() - 1).setContainsSink(containsSink); 147 | // } 148 | 149 | public void setContainsSink(boolean containsSink, Value curIntst) { 150 | this.containsSink = containsSink; 151 | // this.getInstructionTrace().get(this.getInstructionTrace().size() - 1).setContainsSink(containsSink); 152 | this.getInstructionTrace().get(this.getInstructionTrace().size() - 1).setContainsSink(containsSink, curIntst); 153 | } 154 | 155 | public Stack getCallStack() { 156 | return callStack; 157 | } 158 | 159 | public void setCallStack(Stack callStack) { 160 | this.callStack = callStack; 161 | } 162 | 163 | public Value getCurInterestedVariable() { 164 | return curInterestedVariable; 165 | } 166 | 167 | public void setCurInterestedVariable(Value curInterestedVariable) { 168 | this.curInterestedVariable = curInterestedVariable; 169 | } 170 | 171 | } 172 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/solver/StmtItem.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.solver; 2 | 3 | import org.json.JSONObject; 4 | 5 | import osu.seclab.inputscope.taintanalysis.utility.MethodUtility; 6 | import soot.SootMethod; 7 | import soot.Unit; 8 | import soot.Value; 9 | import soot.toolkits.graph.Block; 10 | 11 | public class StmtItem { 12 | SootMethod sm; 13 | Block block; 14 | Unit u; 15 | int unitIndex; 16 | Value curIntst = null; 17 | 18 | boolean containsInteresting = false; 19 | boolean containsSink = false; 20 | 21 | public JSONObject toJson(boolean containsMethodDetailes) { 22 | JSONObject jsobj = new JSONObject(); 23 | 24 | jsobj.put("class", sm.getDeclaringClass().getName()); 25 | jsobj.put("method", containsMethodDetailes?MethodUtility.toJson(sm):sm.toString()); 26 | jsobj.put("unit", u); 27 | jsobj.put("unitIndex", unitIndex); 28 | 29 | return jsobj; 30 | } 31 | 32 | public StmtItem(SootMethod sm, Block block, Unit u) { 33 | super(); 34 | this.sm = sm; 35 | this.block = block; 36 | this.u = u; 37 | this.unitIndex = MethodUtility.getUnitIndex(sm, u); 38 | } 39 | 40 | public SootMethod getSm() { 41 | return sm; 42 | } 43 | 44 | public void setSm(SootMethod sm) { 45 | this.sm = sm; 46 | } 47 | 48 | public Block getBlock() { 49 | return block; 50 | } 51 | 52 | public void setBlock(Block block) { 53 | this.block = block; 54 | } 55 | 56 | public Unit getU() { 57 | return u; 58 | } 59 | 60 | public void setU(Unit u) { 61 | this.u = u; 62 | } 63 | 64 | public int getUnitIndex() { 65 | return unitIndex; 66 | } 67 | 68 | public void setUnitIndex(int unitIndex) { 69 | this.unitIndex = unitIndex; 70 | } 71 | 72 | public boolean isContainsInteresting() { 73 | return containsInteresting; 74 | } 75 | 76 | public void setContainsInteresting(boolean containsInteresting) { 77 | this.containsInteresting = containsInteresting; 78 | } 79 | 80 | public boolean isContainsSink() { 81 | return containsSink; 82 | } 83 | 84 | // public void setContainsSink(boolean containsSink) { 85 | // this.containsSink = containsSink; 86 | // } 87 | 88 | public void setContainsSink(boolean containsSink, Value curIntst) { 89 | this.containsSink = containsSink; 90 | this.curIntst = curIntst; 91 | } 92 | 93 | public Value getCurIntst() { 94 | return curIntst; 95 | } 96 | 97 | 98 | public String toString() { 99 | return String.format(" %s\t%s\n\t%s", u, containsSink, sm); 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/solver/TaintQuestionSolver.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.solver; 2 | 3 | import java.util.List; 4 | 5 | import osu.seclab.inputscope.taintanalysis.base.TaintQuestion; 6 | import osu.seclab.inputscope.taintanalysis.utility.Logger; 7 | 8 | public class TaintQuestionSolver { 9 | 10 | public void solve(TaintQuestion tq) { 11 | 12 | SimulationContext target = null; 13 | while (true) { 14 | 15 | // printState(tq); 16 | 17 | while (tq.getsContexts().size() > 10000) 18 | tq.getsContexts().remove(tq.getsContexts().size() - 1); 19 | 20 | target = null; 21 | for (SimulationContext sContext : tq.getsContexts()) { 22 | if (!sContext.isTerminated()) { 23 | target = sContext; 24 | break; 25 | } 26 | } 27 | 28 | if (target == null) 29 | break; 30 | 31 | processOneInstruction(tq, target); 32 | } 33 | print(tq); 34 | 35 | } 36 | 37 | public void processOneInstruction(TaintQuestion tq, SimulationContext sContext) { 38 | 39 | List diversed = SimulationEngine.getInstance().oneStepForward(tq, sContext); 40 | 41 | for (SimulationContext sc : diversed) { 42 | tq.addSContexts(sc); 43 | } 44 | } 45 | 46 | public void print(TaintQuestion tq) { 47 | for (SimulationContext sContext : tq.getsContexts()) { 48 | Logger.print(sContext.isContainsSink() + " " + sContext.hashCode()); 49 | for (StmtItem u : sContext.getInstructionTrace()) { 50 | Logger.print(" " + u.isContainsSink() + " " + u.getU()); 51 | Logger.print(" " + u.getUnitIndex() + " " + u.getSm()); 52 | } 53 | } 54 | } 55 | 56 | private void printState(TaintQuestion tq) { 57 | 58 | int ended = 0; 59 | int all = 0; 60 | for (SimulationContext sContext : tq.getsContexts()) { 61 | 62 | if (sContext.isTerminated()) 63 | ended++; 64 | all++; 65 | 66 | } 67 | 68 | System.out.println(all + " / " + ended); 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/BlockGenerator.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | 4 | import java.util.HashSet; 5 | import java.util.Hashtable; 6 | import java.util.List; 7 | 8 | import soot.Body; 9 | import soot.toolkits.graph.Block; 10 | import soot.toolkits.graph.CompleteBlockGraph; 11 | 12 | public class BlockGenerator { 13 | static BlockGenerator bg = new BlockGenerator(); 14 | 15 | public static BlockGenerator getInstance() { 16 | return bg; 17 | } 18 | 19 | private BlockGenerator() { 20 | } 21 | 22 | Hashtable ht = new Hashtable(); 23 | 24 | public CompleteBlockGraph generate(Body b) { 25 | if (!ht.containsKey(b)) { 26 | ht.put(b, new CompleteBlockGraph(b)); 27 | } 28 | return ht.get(b); 29 | } 30 | 31 | public static boolean isCircle(Block b, Block current, CompleteBlockGraph cbg, HashSet history) { 32 | if (history.contains(current)) { 33 | return false; 34 | } 35 | boolean isc = false; 36 | 37 | history.add(current); 38 | for (Block blk : cbg.getPredsOf(current)) { 39 | if (b == blk) 40 | isc = true; 41 | else 42 | isc |= isCircle(b, blk, cbg, history); 43 | if (isc) 44 | return isc; 45 | } 46 | history.remove(current); 47 | return isc; 48 | } 49 | 50 | public static void removeCircleBlocks(List bs, Block current, CompleteBlockGraph cbg) { 51 | HashSet rem = new HashSet(); 52 | 53 | for (Block blk : bs) { 54 | if (isCircle(current, blk, cbg, new HashSet())) { 55 | rem.add(blk); 56 | } 57 | } 58 | for (Block blk : rem) { 59 | bs.remove(blk); 60 | } 61 | 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/FileUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | import java.io.BufferedWriter; 4 | import java.io.FileWriter; 5 | import java.io.IOException; 6 | import java.io.PrintWriter; 7 | import java.nio.file.Files; 8 | import java.nio.file.Paths; 9 | 10 | public class FileUtility { 11 | 12 | public static void wf(String path, String content, boolean append) { 13 | try { 14 | PrintWriter out = new PrintWriter(new BufferedWriter(new FileWriter(path, append))); 15 | out.println(content); 16 | out.close(); 17 | } catch (IOException e) { 18 | e.printStackTrace(); 19 | } 20 | 21 | } 22 | 23 | public static String read(String path){ 24 | 25 | try { 26 | return new String(Files.readAllBytes(Paths.get(path))); 27 | } catch (IOException e) { 28 | // TODO Auto-generated catch block 29 | e.printStackTrace(); 30 | } 31 | 32 | return ""; 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/ListUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | import soot.PatchingChain; 7 | import soot.Unit; 8 | 9 | public class ListUtility { 10 | 11 | public static List chain2List(PatchingChain us) { 12 | List ls = new ArrayList(); 13 | for (Unit inst : us) { 14 | ls.add(inst); 15 | } 16 | return ls; 17 | } 18 | 19 | public static List Array2List(T[] ts) { 20 | List ls = new ArrayList(); 21 | for (T inst : ts) { 22 | ls.add(inst); 23 | } 24 | return ls; 25 | } 26 | 27 | public static List clone(List ls) { 28 | List list = new ArrayList(); 29 | for (T t : ls) { 30 | list.add(t); 31 | } 32 | return list; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/Logger.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | public class Logger { 4 | public static String TAG = "Logger "; 5 | 6 | public static void printI(String args) { 7 | println(TAG + args); 8 | } 9 | 10 | public static void printW(String args) { 11 | String str = TAG + "[W]" + args; 12 | println(str); 13 | // FileUtility.wf("./logs/warnning.txt", str, true); 14 | } 15 | 16 | public static void print(Object args) { 17 | println(TAG + args); 18 | } 19 | 20 | public static void printE(String args) { 21 | args = TAG + args; 22 | // FileUtility.wf("./logs/error.txt", args, true); 23 | println(args); 24 | } 25 | 26 | private static void println(Object obj) { 27 | //System.out.println(obj); 28 | } 29 | 30 | } 31 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/MethodUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | import java.util.Iterator; 4 | 5 | import org.json.JSONObject; 6 | 7 | import soot.PatchingChain; 8 | import soot.SootClass; 9 | import soot.SootMethod; 10 | import soot.Type; 11 | import soot.Unit; 12 | import soot.Value; 13 | import soot.ValueBox; 14 | import soot.jimple.ParameterRef; 15 | 16 | public class MethodUtility { 17 | public static ParameterRef getParameterRef(SootMethod sm, int i) { 18 | for (ValueBox box : sm.retrieveActiveBody().getUseAndDefBoxes()) { 19 | if (box.getValue() instanceof ParameterRef) { 20 | if (((ParameterRef) box.getValue()).getIndex() == i) 21 | return (ParameterRef) box.getValue(); 22 | } 23 | } 24 | 25 | return null; 26 | } 27 | 28 | public static Value findValueByString(SootMethod sm, String i) { 29 | for (ValueBox box : sm.retrieveActiveBody().getUseAndDefBoxes()) { 30 | Logger.print(box.getValue().toString() + " " + sm.retrieveActiveBody().getUseAndDefBoxes().size()); 31 | if (box.getValue().toString().equals(i)) { 32 | return box.getValue(); 33 | } 34 | } 35 | return null; 36 | } 37 | 38 | public static int getUnitIndex(SootMethod sm, Unit i) { 39 | PatchingChain units = sm.retrieveActiveBody().getUnits(); 40 | int index = 0; 41 | for (Iterator iter = units.snapshotIterator(); iter.hasNext();) { 42 | if (iter.next().equals(i)) 43 | return index; 44 | index++; 45 | } 46 | return -1; 47 | } 48 | 49 | public static JSONObject toJson(SootMethod sm) { 50 | JSONObject ret = new JSONObject(); 51 | ret.put("sig", sm); 52 | ret.put("class", sm.getDeclaringClass().getName()); 53 | ret.put("classdetails", class2Json(sm.getDeclaringClass())); 54 | ret.put("name", sm.getName()); 55 | ret.put("isStatic", sm.isStatic()); 56 | ret.put("argCount", sm.getParameterCount()); 57 | int i = 0; 58 | for (Type type : sm.getParameterTypes()) { 59 | ret.put("args" + i, type); 60 | i++; 61 | } 62 | 63 | return ret; 64 | } 65 | 66 | public static JSONObject class2Json(SootClass cls) { 67 | JSONObject ret = new JSONObject(); 68 | ret.put("name", cls.getName()); 69 | 70 | for (SootMethod sm : cls.getMethods()) { 71 | if (!sm.isConstructor()) 72 | continue; 73 | JSONObject constr = new JSONObject(); 74 | ret.append("constructor", constr); 75 | 76 | constr.put("argCount", sm.getParameterCount()); 77 | int i = 0; 78 | for (Type type : sm.getParameterTypes()) { 79 | constr.put("args" + i, type); 80 | i++; 81 | } 82 | 83 | } 84 | 85 | return ret; 86 | } 87 | } 88 | -------------------------------------------------------------------------------- /src/osu/seclab/inputscope/taintanalysis/utility/TimeUtility.java: -------------------------------------------------------------------------------- 1 | package osu.seclab.inputscope.taintanalysis.utility; 2 | 3 | import osu.seclab.inputscope.main.runTest; 4 | 5 | public class TimeUtility { 6 | 7 | public static void main(String[] args) { 8 | // TODO Auto-generated method stub 9 | 10 | } 11 | 12 | 13 | public static void startWatcherBruce(int sec) { 14 | Thread t = new Thread() { 15 | public void run() { 16 | try { 17 | Thread.sleep(sec * 1000); 18 | } catch (InterruptedException e) { 19 | // TODO Auto-generated catch block 20 | e.printStackTrace(); 21 | } 22 | Logger.printE("TimeOut"); 23 | 24 | String line = String.format("%s | %s | %s | %s", 0, "timeout", runTest.pn, ""); 25 | 26 | FileUtility.wf("TimeOuts.txt", line, true); 27 | 28 | System.exit(0); 29 | } 30 | }; 31 | t.setDaemon(true); 32 | t.start(); 33 | } 34 | } 35 | --------------------------------------------------------------------------------