Tainting Arrays using reflection about phosphor HOT 12 CLOSED

Please see my comment on your PR. Please do not open a PR to add a new test until you have debugged it to verify that it's not a problem in the test itself.

If you have simple usage questions, like "How do I taint an array?" It might be more straightforward to, again, make a more compact example. Reflection is just adding a lot of confusion for you here.

Your code

int[] temp = (int[])f.get(fh);
temp = MultiTainter.taintedIntArray(temp, "tainted");

is equivalent to

MultiTainter.taintedIntArray(f.arr_i,"tainted");

At which point is might be clear that you are neglecting to assign f.arr_i to be the return value of MultiTainter.taintedIntArray, and that you really wanted

f.arr_i=MultiTainter.taintedIntArray(f.arr_i,"tainted");

And that you probably should have an f.set.... in your example code too.

from phosphor.

from phosphor.

Thanks for your reply. I cannot taint any object directly, as I mentioned before I am extending the phosphor’s MultiTainter to taint the fields of an object using reflection till certain depth.

What does this mean? You are unable to add the line
f.set(fh,MultiTainter.taintedIntArray(temp,"tainted");?

from phosphor.

Yes I have added, It gives a type casting error. Please look at the code below

package rough_work;

import java.lang.reflect.Field;
import edu.columbia.cs.psl.phosphor.runtime.MultiTainter;
public class rough_work {

public static class ArrayFieldHolder{
	public int[] arr_i = {2,4,5};
}

public static void main(String[] args) throws Exception
{		
	ArrayFieldHolder fh = new ArrayFieldHolder();	
	for (Field f : fh.getClass().getDeclaredFields())
	{
		int[] temp  = (int[])f.get(fh);
		f.set(fh, MultiTainter.taintedIntArray(temp, "tainted"));
	}
	System.out.println(MultiTainter.getTaint(fh.arr_i[1]));
}

}

Error Message:

objc[29226]: Class JavaLaunchHelper is implemented in both /Users/ajaychhokra/Dropbox/Taint_Analysis_isstac/phosphor/Phosphor/target/jre-inst-w-ctrl-data-multi/bin/java and /Users/ajaychhokra/Dropbox/Taint_Analysis_isstac/phosphor/Phosphor/target/jre-inst-w-ctrl-data-multi/lib/libinstrument.dylib. One of the two will be used. Which one is undefined.
Exception in thread "main" java.lang.ClassCastException: java.lang.Long cannot be cast to edu.columbia.cs.psl.phosphor.struct.LazyIntArrayObjTags
at java.lang.Throwable.fillInStackTrace$$PHOSPHORTAGGED(Throwable.java)
at java.lang.Throwable.fillInStackTrace$$PHOSPHORTAGGED(Throwable.java:783)
at java.lang.Throwable.(Throwable.java:265)
at java.lang.Exception.(Exception.java:66)
at java.lang.RuntimeException.(RuntimeException.java:62)
at java.lang.ClassCastException.(ClassCastException.java:58)
at java.lang.ClassCastException.(ClassCastException.java)
at rough_work.rough_work.main$$PHOSPHORTAGGED(rough_work.java:16)
at rough_work.rough_work.main(rough_work.java)

from phosphor.

That's because you are still iterating over every field. Please add the following before the f.get and cast: System.out.println(f.getName() +" " + f.getType());, and observe if you see a field of type long there.

Just as you can not cast from long to int[] normally, when using Phosphor, you can't cast from long to int[].

from phosphor.

Sorry, I forgot to add the if condition, It does not taint the array components. The code is as follows:

public static void main(String[] args) throws Exception
{
ArrayFieldHolder fh = new ArrayFieldHolder();
for (Field f : fh.getClass().getDeclaredFields())
{
if (f.get(fh).getClass().isArray()){
int[] temp = (int[])f.get(fh);
f.set(fh, MultiTainter.taintedIntArray(temp, "tainted"));
}

	}
	System.out.println(MultiTainter.getTaint(fh.arr_i[1]));  // null
}

I'll really appreciate if you can add a small test case for the same

from phosphor.

OK - thanks for reducing this down to a simpler example. I've pushed a patch.

from phosphor.

Thanks, for pushing the patch. I am able to taint the array field by using jre-inst-obj JRE but jre-inst-implicit does not taint that field.

from phosphor.

OK

from phosphor.

Is the issue fixed with jre-inst-implicit (control flow tracking) ?

from phosphor.

Yes - did you see the commit?

from phosphor.

Thanks

from phosphor.