Taint Analysis

One can do basic taint analysis based on simple reachability when using the OverflowDB driver. This wraps around Joern's dataflow engine and adds an incremental aspect by saving the IFDS-style paths calculated during the query. More on this can be found in the next section.

Example

Let's refer to the example found on Plume Examples. Let's look at two class files where one calls the other:

public class Foo {

    public static void main(String[] args) {
        var a = 1;
        var b = 2;
        var c = Bar.add(a, b);
        System.out.println(c);
    }

}

public class Bar {

    public static int add(int x, int y) {
        return x + y;
    }

}

Using OverflowDbDriver::nodesReachableBy one can find which sources will reach a given sink. E.g.

def taintAnalysis(d: OverflowDbDriver): Unit = {
    import io.shiftleft.semanticcpg.language._
    import io.shiftleft.codepropertygraph.{Cpg => CPG}

    println("Finding data flows from source identifiers with the name " +
        "'a' sinking at methods with names 'add'")
    val cpg = CPG(d.cpg.graph)
    d.nodesReachableBy(cpg.identifier("a"), cpg.call("add"))
        .map { n => s"${n.label}: ${n.property("CODE")} @ line ${n.property("LINE_NUMBER")}" }
        .foreach(println(_))
}

The code above will return something like:

Finding data flows from source identifiers with the name 'a' sinking at methods with names 'add'
IDENTIFIER: a @ line 4
IDENTIFIER: a @ line 6

Note that the signature is: nodesReachableBy(<source>, <sink>). For more on how to use the nodesReachableBy call refer to the Joern Docs.