<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 20 Sep 2019 at 21:35, Artem Dergachev <<a href="mailto:noqnoqneo@gmail.com">noqnoqneo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
@Gavin: I'm worried that you're choosing a wrong strategy here.
Branches with tainted conditions can be used for sanitizing the
input, but it sounds like you want to ban them rather than promote
them. That said, i can't figure out what's the right solution for
you unless i understand the original problem that you're trying to
solve.<br>
<br>
@Kristof: Do you think you can implement a
checkBeginControlDependentSection / checkEndControlDependentSection
callback pair on top of your control dependency tracking mechanisms,
so that they behaved intuitively and always perfectly paired each
other, even in the more complicated cases like for-loops and Duff's
devices? (there's no indication so far that we really need them -
scope contexts are much more valuable and might actually be helpful
here as well - but i'm kinda curious).<br></div></blockquote><div><br></div><div>I guess so. I'm seeing a couple things to keep track of (inlined function calls to name one), but nothing too bad.</div><div><br></div><div>It raises (haha) a question about exceptions, if we ever end up supporting them, what happens if an exception is raised? Also, just came to my mind, should any block with a non-<font face="monospace">noexcept</font><font face="arial, sans-serif"> function call have an edge to the exit block if we take exceptions into account?</font></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<div class="gmail-m_-4944449558918191960moz-cite-prefix">On 9/20/19 10:46 AM, Kristóf Umann via
cfe-dev wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">+ Artem because he knows everything about the
analyzer and symbolic execution, + Balázs because he is
currently working on TaintChecker.
<div><br>
</div>
<div>My first instinct here would be to combine pathsensitive
analysis with control flow analysis. In the header file <font face="monospace">clang/include/clang/Analysis/Analyses/Dominators.h</font>
you will find the class <font face="monospace">ControlDependencyCalculator</font>.
You could calculate the control dependencies of the block in
which <font face="monospace">sensitive_func() </font>is
called (you can retrieve that through the current <font face="monospace">ExplodedNode</font>) and find that the <font face="monospace">CFGBlock</font> whose <font face="monospace">getLastCondition()</font> is <font face="monospace">value < xxx</font> is in fact a
control dependency. Then, you could, in theory, check
whether parts of this expression is tainted.</div>
<div><br>
</div>
<div>Artem, do you think this makes any sense?</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 20 Sep 2019 at
16:10, Gavin Cui via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello all,<br>
I want to check if a tainted value can affect the control
flow of some sensitive functions. For example:<br>
<br>
value = taint_source()<br>
if (value < xxx) {<br>
sensitive_func()<br>
}<br>
<br>
The taint propagation in clang static analyzer fit part of
my need. One approach I can think of is: <br>
Whenever I encounter a branch condition (register
checkBranchCondition() call back), I will push a tag(tainted
or not) to a taintStack variable in ProgramState.<br>
After the branch block closed, I will pop one tag. <br>
If sensitive_function() get encountered, I will check all
the tags in taintStack to see if any of them is tainted.<br>
<br>
The problem is I did not find a callback like
checkBranchCondition() which will be called every time
exiting a branch block. Then what should be a good approach
for this control flow checking?<br>
<br>
Any suggestions would be appreciated.<br>
<br>
Thank you,<br>
Gavin<br>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote>
</div>
</div>
<br>
<fieldset class="gmail-m_-4944449558918191960mimeAttachmentHeader"></fieldset>
<pre class="gmail-m_-4944449558918191960moz-quote-pre">_______________________________________________
cfe-dev mailing list
<a class="gmail-m_-4944449558918191960moz-txt-link-abbreviated" href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>
<a class="gmail-m_-4944449558918191960moz-txt-link-freetext" href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div></div>