<div dir="ltr"><div dir="ltr" style="font-size:12.8px">Thanks for the explanation . The use case I had in mind was that readval is a function loaded from a dynamic library and it returns some value which is critical ( may or may not depend on external input). But since the programmer knows it is critical in some sense , he might want to track the flow of the return value through taint propagation and dump all instructions which access variables/memory locations that depend on the initial critical sources. Is there anyway by which I can guarantee those initial return values to be tainted?<div><br></div><div>Regards,</div><div>Ashwin</div></div><div class="" style="font-size:12.8px"><div id=":s3" class="" tabindex="0"><img class="" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif" style=""></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 11, 2016 at 7:02 PM, Ashwin Ganesh <span dir="ltr"><<a href="mailto:ashwingane@gmail.com" target="_blank">ashwingane@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the explanation . The use case I had in mind was that readval is a function loaded from a dynamic library and it returns some value which is critical ( may or may not depend on external input). But since the programmer knows it is critical in some sense , he might want to track the flow of the return value through taint propagation and dump all instructions which access variables/memory locations that depend on the initial critical sources. Is there anyway by which I can guarantee those initial return values to be tainted?<div><br></div><div>Regards,</div><div>Ashwin</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 11, 2016 at 6:02 PM, Artem Dergachev via cfe-dev <span dir="ltr"><<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>> int readval()<br>
> {<br>
> return 10;<br>
> }<br>
><br>
> int a,b;<br>
> a = readval() // warning : tainted<br>
> b = a+1 //warning : tainted<br>
<br></span>
In your example, readval() returns 10. Our analysis is inter-procedural, so it knows such things.<br>
<br>
10 is a concrete value. A concrete value cannot be tainted - an attacker cannot forge 10 to become 20, or something like that. It's just "the" 10, and all 10's are the same. Something is tainted if it's a user input or is anyhow known to be able to take completely arbitrary values; 10 is not an input from the user, and it's quite under our control. So the analyzer knows for sure that readval() returns a value that cannot be tainted, and the message from the checker gets ignored - this is expressed by the fact that the analyzer was unable to obtain a symbol from the value provided by the checker, because the value is concrete.<br>
<br>
In fact, only *symbols* may be "truly" tainted. To be exact, addTaint() works with SymExpr's (SymbolRef's) and, additionally, SymbolicRegion's (which are essentially regions pointed to by SymExpr pointers). isTainted() works on SymExpr's, SymbolicRegion's and their sub-regions, and additionally on SVal's of class nonloc::SymbolVal, loc::MemRegionVal, nonloc::LocAsInteger whenever they contain a SymExpr or a SymbolicRegion or its sub-region.<br>
<br>
If i replace your definition of readval() with an opaque forward declaration, eg:<br>
<br>
int readval();<br>
void foo() {<br>
int a = readval() // warning : tainted<br>
}<br>
<br>
then everything works as expected.<br>
<br>
On the other hand, if the definition of readval() is truly available in your translation unit, then you don't need to add *it* to GenericTaintChecker - instead, add whatever readval() calls to obtain the user input, and the analyzer would model readval() itself and pass the symbol down to the caller.<br>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>