Taint analysis capabilities

Hello!
I want to use your tool to implement taint analysis and I have a few questions.
First, did I get it correctly that, for example, if I want to check data that is consumed by the Files.createFile(…) method, I only need its signature to be specified, and no matter where calls to this method are used in the program, they will be resolved? Same question for sources.
Second, I saw that in order to launch taint analysis I need to specify the main method. Is it considered the starting point of the whole analysis? For example, if I have some code that is not reachable from main, will it be analysed?
And the last question: for example, I consider any parameter of a public method to be dangerous and I want to track it, so basically any public method call is a sink. I can’t manually add all the public methods of my huge project to the set; is there a way out?

Thanks in advance!

Hi!

Thanks for your interest in our DFA.

  1. Yes, you need just the fully qualified names of taint sources and sinks. The call resolver will detect the use of them in the analyzed code.

  2. Yes, you need to specify the main method which will be the entry point of the analysis. Apparent dead code will not be reached through the CFA and hence will not be analyzed. You can still run the analysis for entry points from which the code is reachable.

  3. Currently, you cannot select sources and sinks by some property like the access modifier. You have to find their fully qualified names and create the source and sink objects. You can automate the process by either:

     a. Using ProGuardCORE to visit the program class pool and generate fully qualified names for all public methods. You can take inspiration from the MemberPrinter from com.guardsquare.proguard.tools.Main.kt. Let us know if you need further help with this solution.

     b. Using the CLI disassembler javap to list all class methods, grep all public ones, and construct their fully qualified names.
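A sketch of option (b), added here as an example and not part of the original answer or of ProGuardCORE: it parses the text printed by `javap -s`, keeps the public methods and constructors, and builds one signature string per method. The function name, the sample output (constructed, for a hypothetical class) and the `Lpkg/Class;name(descriptor)` layout of the generated strings are assumptions; adjust the layout to whatever the source and sink objects expect.

```python
import re

# Constructed sample of `javap -s` output for a hypothetical class.
SAMPLE_JAVAP = '''\
Compiled from "FileStore.java"
public class com.example.FileStore {
  public com.example.FileStore();
    descriptor: ()V

  public static java.lang.String read(java.lang.String) throws java.io.IOException;
    descriptor: (Ljava/lang/String;)Ljava/lang/String;

  public <T> void write(java.util.List<T>, int);
    descriptor: (Ljava/util/List;I)V

  protected void reset();
    descriptor: ()V

  public static final int LIMIT;
    descriptor: I
}
'''

CLASS_RE = re.compile(r"^(?:\w+\s+)*(?:class|interface|enum)\s+([\w.$]+)")
METHOD_RE = re.compile(r"^\s+public\s.*?([\w.$]+)\(.*\)[^()]*;\s*$")
DESC_RE = re.compile(r"^\s+descriptor:\s+(\(\S*)\s*$")

def public_method_signatures(javap_text):
    """Return one signature string per public method or constructor."""
    signatures, owner, pending = [], None, None
    for line in javap_text.splitlines():
        cls = CLASS_RE.match(line)
        if cls:  # class header: remember the owner of the members that follow
            owner, pending = cls.group(1), None
            continue
        method = METHOD_RE.match(line)
        if method and owner:  # public member with a parameter list
            name = method.group(1)
            pending = "<init>" if name == owner else name  # constructor
            continue
        desc = DESC_RE.match(line)
        if desc and pending:  # descriptor line belonging to that member
            signatures.append(f"L{owner.replace('.', '/')};{pending}{desc.group(1)}")
        pending = None  # fields, non-public members and blank lines reset
    return signatures

if __name__ == "__main__":
    print("\n".join(public_method_signatures(SAMPLE_JAVAP)))
```

Feeding it the combined `javap -s` output of all project classes yields the full list, which can then be turned into source or sink objects.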

Great! Thanks a lot for such a quick and detailed answer!