[cfe-dev] Clang GenericTaintChecker limitations

Divya Muthukumaran via cfe-dev cfe-dev at lists.llvm.org
Wed Aug 10 06:27:09 PDT 2016

Hi All,

I am looking for an open source static taint analysis tool that I can run
on some applications to reason about security properties -- just to check
if a tainted value can flow to some function parameters etc. The programs I
want to try this on are around 10-20K lines of C code. I was thinking of
using Clang's GenericTaintChecker (and just modifying the taint sources)
for this purpose. I'd like to know if there are any limitations to this
analysis that I should be aware of.

I know that the interprocedural analysis doesn't work across translation
units, but I'v managed to merge my source files using the cilly tool. I was
mainly wondering about the precision of the taint analysis (what sort of
pointer/alias analysis the IPA uses etc). If you could point me to any
documentation that discusses the memory model, that would be great.

Is the clang taint checker considered the state-of-the-art in open-source
taint checking tools or is there something that is considered better (more

Divya Muthukumaran
Research Associate
Department of Computing
Imperial College London
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160810/eb6b60c1/attachment.html>

More information about the cfe-dev mailing list