Description
Currently, CryptoAnalysis does not take flow sensitivity into account when evaluating constraints and propagating predicates. Consider the following example:
byte[] bytes1 = new byte[10];
byte[] bytes2 = new byte[10];
SecureRandom sr = new SecureRandom(); // This call generates the predicate 'randomized' on sr
sr.nextBytes(bytes1); // Until here, sr is secure and 'bytes1' should be generated securely
Assertions.hasEnsuredPredicate(bytes1, "randomized"); // <- this should work
sr.setSeed(12345); // This call makes sr inseure because the seed is hard coded (not randomized)
sr.nextBytes(bytes2); // sr is not secure anymore s.t. 'bytes2' is not generated securely
Assertions.notHasEnsuredPredicate(bytes2, "randomized");In this example, we use SecureRandom to generate two byte arrays. Between the generations, we violate its rule s.t. only the first array bytes1 is generated securely. However, in the current state, CryptoAnalysis does not mark bytes1 as secure because it considers all statements/calls when evaluating the constraints/predicates. More precisely, at the call sr.nextBytes(bytes1), it also includes the statement sr.setSeed(12345), although it comes after the call, leading to an insecure sr object and insure bytes bytes1.
Solution: Consider only statements/calls up until the evaluating statement to make the evaluation flow sensitive. In the example, this means to consider only the constructor call new SecureRandom() and sr.nextBytes(bytes1) when evaluating whether a predicate at sr.nextBytes(bytes1) should be generated. One can retrieve the calls up until a statement by calling getLastStateChangeStatements on the TransitionFunction from the IDEal results.
Obsoletes #310