[cfe-dev] Clang Static Analyzer conditional terminating call back

Kristóf Umann via cfe-dev cfe-dev at lists.llvm.org
Fri Sep 20 10:46:48 PDT 2019


+ Artem because he knows everything about the analyzer and symbolic
execution, + Balázs because he is currently working on TaintChecker.

My first instinct here would be to combine path-sensitive analysis with
control flow analysis. In the header file
clang/include/clang/Analysis/Analyses/Dominators.h you will find the class
ControlDependencyCalculator. You could calculate the control dependencies
of the block in which sensitive_func() is called (you can retrieve that
through the current ExplodedNode) and find that the CFGBlock whose
getLastCondition() is value < xxx is in fact a control dependency. Then,
you could, in theory, check whether parts of this expression are tainted.

Artem, do you think this makes any sense?

On Fri, 20 Sep 2019 at 16:10, Gavin Cui via cfe-dev <cfe-dev at lists.llvm.org>
wrote:

> Hello all,
> I want to check if a tainted value can affect the control flow of some
> sensitive functions. For example:
>
> value = taint_source();
> if (value < xxx) {
>         sensitive_func();
> }
>
> The taint propagation in clang static analyzer fits part of my needs. One
> approach I can think of is:
> Whenever I encounter a branch condition (register checkBranchCondition()
> call back), I will push a tag (tainted or not) to a taintStack variable in
> ProgramState.
> After the branch block is closed, I will pop one tag.
> If sensitive_function() gets encountered, I will check all the tags in
> taintStack to see if any of them is tainted.
>
> The problem is I did not find a callback like checkBranchCondition() which
> will be called every time exiting a branch block.  Then what should be a
> good approach for this control flow checking?
>
> Any suggestions would be appreciated.
>
> Thank you,
> Gavin
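As an added illustration of the approach suggested in the reply (not code from the thread or from Clang), here is a small Python model of what ControlDependencyCalculator computes: post-dominators and control dependencies over a constructed CFG for the snippet in the original post, followed by a check of whether the condition of any controlling block reads a tainted variable. The CFG layout, block names and the flow-insensitive taint set are assumptions made for the example; the real checker would use the analyzer's CFGBlock and path-sensitive taint state.

```python
# Constructed CFG for the original post's snippet (not Clang's data structures).
# Each block records its successors, the variables its last condition reads,
# and the variables it assigns from taint_source().
CFG = {
    "entry": {"succ": ["then", "join"], "cond_vars": {"value"}, "taints": {"value"}},
    "then":  {"succ": ["join"],         "cond_vars": set(),     "taints": set()},
    "join":  {"succ": [],               "cond_vars": set(),     "taints": set()},
}
SENSITIVE_CALL_BLOCK = "then"   # block in which sensitive_func() is called


def post_dominators(cfg, exit_block):
    """Iterative data flow: pdom(B) = {B} | intersection of pdom(S) over successors S."""
    blocks = set(cfg)
    pdom = {b: ({exit_block} if b == exit_block else blocks) for b in cfg}
    changed = True
    while changed:
        changed = False
        for b, info in cfg.items():
            if b == exit_block:
                continue
            # A non-exit block with no successors (e.g. noreturn) post-dominates only itself.
            succ_sets = [pdom[s] for s in info["succ"]] or [set()]
            new = {b} | set.intersection(*succ_sets)
            if new != pdom[b]:
                pdom[b], changed = new, True
    return pdom


def control_dependencies(cfg, exit_block):
    """Ferrante et al.: Y is control dependent on X if some edge X -> Z exists
    such that Y post-dominates Z but does not strictly post-dominate X."""
    pdom = post_dominators(cfg, exit_block)
    deps = {b: set() for b in cfg}
    for x, info in cfg.items():
        for z in info["succ"]:
            for y in pdom[z]:
                if y == x or y not in pdom[x]:
                    deps[y].add(x)
    return deps


def tainted_controllers(cfg, block, exit_block="join"):
    """Controlling blocks whose branch condition reads a tainted variable.
    Taint is modelled flow-insensitively as every variable assigned from
    taint_source() anywhere in the CFG (assumption made for this example)."""
    tainted = set().union(*(info["taints"] for info in cfg.values()))
    deps = control_dependencies(cfg, exit_block)
    return {x for x in deps[block] if cfg[x]["cond_vars"] & tainted}
```

For the constructed CFG, `tainted_controllers(CFG, SENSITIVE_CALL_BLOCK)` returns `{"entry"}`: the call to sensitive_func() is control dependent on the block whose last condition is `value < xxx`, and that condition reads the tainted variable, which is exactly the situation the original post wants to report.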
