Skip to content

Fraunhofer-SIT/iFlowBench

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

iFlowBench

iFlowBench is an open test suite for evaluating the effectiveness of data-flow analysis tools, specifically for Objective-C binaries. This suite provides both the source code and pre-compiled versions of multiple test cases, allowing users to avoid the need for proprietary software and hardware for compilation.

Open for contributions!

You are most welcome to contribute to iFlowBench testcase collection. To do so, please fork the project, commit your changes for the main.m, update this README and then send us a pull request.

Benchmark cases

General Objective-C

  • SourceToSink: Simple direct source-to-sink data flow.
  • SourceToSinkNoLeak: Source-to-sink without leak as the data is sanitized before reaching the sink.

Global Variables

  • SetStaticPropertyInSecondProcedureLeak: Taints a static property in a second function and leaks it afterward.
  • SetStaticPropertyInSecondProcedureNoLeak: Taints and sanitizes a static property before reaching the sink, resulting in no leak.
  • StaticPropertyLeakOverDifferentObjects: Sets a static property with one object and leaks it using another.
  • FieldToStaticPropertyToFieldLeak: Taints a field, assigns it to a static property, then leaks it from another field.
  • WriteThenReadGlobalVariableIntraproceduralLeak: Taints a static property and leaks it within the same function.
  • WriteThenReadGlobalVariableIntraproceduralNoLeak: Taints, sanitizes, and then leaks a static property, resulting in no leak.

Field and Object Sensitivity - Field Access

  • SinkUninitializedField: Sends an uninitialized field to the sink.
  • SourceToSinkOverField: Direct source-to-sink flow through a field.
  • SourceToSinkOverTwoFieldsOfSameObject: Data flow through two fields in the same object.
  • SourceToSinkOverMultipleFieldsOfSameObject: Flow involving multiple fields within the same object.
  • SourceToSinkOverTwoFieldsOfDifferentObjects: Flow involving fields of two different objects.
  • SourceToSinkOverMultipleFieldsOfDifferentObjects: Flow through multiple fields across different objects.
  • SourceToSinkTaintMultipleFieldsLeakNone: Taints multiple fields but only untainted fields are leaked.
  • SourceToSinkTaintMultipleFieldsOnlyLeakOne: Taints multiple fields, with only one leaked.
  • SourceToSinkTaintMultipleFieldsLeakAll: All tainted fields are leaked.
  • SourceToSinkTaintMultipleFieldsOfDifferentObjectsLeakNone: Taints fields across different objects, but leaks untainted fields.
  • SourceToSinkTaintMultipleFieldsOfDifferentObjectsOnlyLeakOne: Leaks one tainted field among fields across objects.
  • SourceToSinkTaintMultipleFieldsOfDifferentObjectsLeakAll: All tainted fields are leaked from different objects.
  • SourceToSinkOverFieldNoInternalSetter: Flow through a field without using internal setters.
  • SourceToSinkOverTwoFieldsOfSameObjectNoInternalSetter: Flow involving two fields without internal setters.
  • LeakUntaintedField: Leaks an untainted field.
  • LeakTaintedField: Leaks a tainted field.
  • LeakTaintedAndUntaintedField: Leaks both tainted and untainted fields.
  • TaintFieldThenOverwrite: Taints a field, overwrites it, and leaks a sanitized field.
  • TaintAndSanitizeFieldRepeatedly: Repeatedly taints, leaks, and sanitizes a field.
  • SourceToSinkLeakInSecondProcedure: Data flows through a field and leaks within a class function.
  • SourceToSinkNoLeakInSecondProcedure: Data flows through a sanitized field, resulting in no leak.
  • SourceToSinkLeakInSecondProcedurePassingObject: Taints a field in an object and leaks it after passing the object to a function.
  • SourceToSinkNoLeakInSecondProcedurePassingObject: Taints a field in an object, passes it to a function, and does not leak.
  • SourceToSinkLeakInSecondProcedureOverLocalVariable: Data flows through a local variable and leaks.
  • SourceToSinkNoLeakInSecondProcedureOverLocalVariable: Data flows through a local variable but is sanitized.
  • SourceToSinkLeakAfterOneRecursion: Taints a field and leaks it after one recursive function call.
  • NoLeakAfterPassingNSNumberObjectReference: Passes an NSNumber reference, taints it locally, and returns without modifying the original.
  • LeakAfterPassingGenericObjectReference: Taints a field after passing a reference, resulting in a leak.
  • LeakAfterTaintInInitialization: Taints a field during initialization and leaks afterward.
  • LeakAfterInheritanceConstructor: Taints a parent object’s field, inherits it, and leaks it.
  • LeakAfterTaintingMultipleFieldsOfSameObjectInSecondProcedure: Taints multiple fields in a function and leaks afterward.
  • NoLeakAfterTaintingMultipleFieldsOfSameObjectInSecondProcedure: Taints multiple fields, sanitizes them, and does not leak.
  • LeakAfterPassingTwoObjectsToSecondProcedureAndTaintingMultipleFields: Taints fields in two objects and leaks after returning.
  • NoLeakAfterPassingTwoObjectsToSecondProcedureAndTaintingMultipleFields: Taints and sanitizes fields in two objects before returning, with no leak.
  • LeakAfterSwappingFieldsOfSameObject: Taints fields in the same object, swaps them, and leaks one.
  • NoLeakAfterSwappingFieldsOfSameObject: Taints and swaps fields in the same object, but sanitized fields are leaked.
  • LeakAfterSwappingFieldsOfDifferentObjects: Taints fields across objects, swaps, and leaks.
  • NoLeakAfterSwappingFieldsOfDifferentObjects: Swaps fields across objects and leaks only untainted fields.

Field and Object Sensitivity - Field Depth

  • SourceToSinkOverFieldObjectDepth1: Taints a field in an object stored within another object and leaks it.
  • SourceToSinkOverFieldObjectDepth2: Taints a field in an object within a nested object and leaks it.
  • SourceToSinkOverTwoFieldsOfSameObjectInDepth1: Data flows across two fields within an object in a nested depth.
  • SourceToSinkOverTwoFieldsOfSameObjectInMixedDepthJumpDistance1: Data flows across mixed depths in a single-level jump.
  • SourceToSinkOverMultipleFieldsOfDifferentObjectsInMixedDepthMixedJumpDistance: Data flows through multiple objects with mixed depth levels.
  • NoLeakAfterResetObjectDepth1: Resets fields in a depth 1 object, leading to no leak.

Dynamic Dispatch

  • DynamicDispatchLeakChild: Uses dynamic dispatch to a child class, leading to a leak.
  • DynamicDispatchNoLeakChild: Uses dynamic dispatch to a child class without leaking.
  • DynamicDispatchNoLeakParent: Uses the parent class without dispatch, with no leak.

Aliasing - Intra-Procedural

  • SetObjectToAnotherLeak: Aliases two objects, causing a leak.
  • SetObjectToAnotherNoLeak: Aliases two objects without leaking.
  • AliasingIfElseLeak: Combines aliasing with an if-else structure, resulting in a leak.
  • AliasingIfElseLeakNoOpt: Aliasing with if-else control, avoiding optimization effects.
  • AliasingIfElseNoLeak: Aliasing with an if-else structure, but sanitizes data, resulting in no leak.

Aliasing - Inter-Procedural

  • AliasInSecondProcedureLeakAfterReturn: Aliases two objects in a second procedure, leaking upon return.
  • AliasInSecondProcedureNoLeakAfterReturn: Aliases two objects, sanitizes data, and returns without leaking.
  • AliasBeforeCallLeakInSecondProcedure: Aliases objects before passing to a function, leading to a leak.
  • AliasBeforeCallNoLeakInSecondProcedure: Aliases objects before passing to a function, but no leak occurs.

Control Flow

  • IfElseLeak: Simple if-else structure with a leak in one branch.
  • IfElseNoLeak: If-else structure with sanitization in all branches.
  • IfElseIfLeak: If-else-if structure with a leak in one branch.
  • IfElseIfNoLeak: If-else-if structure that sanitizes data in every branch.
  • IfElseIfLeakDifferentFields: If-else-if structure where different fields are tainted and one is leaked.
  • IfElseIfNoLeakDifferentFields: Multiple fields are tainted and sanitized in an if-else-if structure; no tainted field is leaked.
  • SwitchLeak: Switch case where a field is tainted and leaked.
  • SwitchNoLeak: Switch case where each branch sanitizes the field.
  • WhileLeak: While loop with a tainted field that leaks afterward.
  • WhileNoLeak: While loop where the field is sanitized, resulting in no leak.
  • ForLeak: For loop where an object field is tainted and leaks afterward.
  • ForNoLeak: For loop with a sanitized field at the sink.
  • GotoLeak: Goto loop structure resulting in a leak.
  • GotoNoLeak: Goto loop structure where the field is sanitized.

C-Interoperability

  • SourceToSinkCstyle: Direct source-to-sink data flow of an integer.
  • SourceToSinkCstyleOverVariable: Integer taint flow through variable assignments.
  • SourceToSinkCstyleArithmeticAdd: Tainted integer flows through an addition operation.
  • SourceToSinkCstyleArithmeticMultiply: Tainted integer flows through a multiplication operation.
  • LeakOverGlobalCstyleStruct: Field is tainted and accessed through a global C-style struct.
  • NoLeakOverGlobalCstyleStruct: Field accessed via a global struct is sanitized.
  • LeakOverGlobalCstyleStructFunction: Field accessed through a global struct in another function is tainted and leaked.
  • NoLeakOverGlobalCstyleStructFunction: Field accessed via a global struct in another function is sanitized.
  • LeakOverLocalCstyleStruct: Taints a field in a local struct and leaks it.
  • NoLeakOverLocalCstyleStruct: Field in a local struct is sanitized, resulting in no leak.
  • SourceToSinkCastIntToNSNumber: Integer source is cast to NSNumber before reaching the sink.
  • SourceToSinkCastNSNumberToInt: NSNumber source is cast to an integer and flows to the sink.
  • SourceToSinkCastNSNumberToStringToInt: NSNumber source is converted to a string, then cast back to an integer before reaching the sink.

About

Benchmark suite for compiled Objective-C taint analysis

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

2024-12-16 Latest
Dec 16, 2024

Packages

No packages published

Contributors 2

  •  
  •  

Languages