[cfe-commits] r144825 - in /cfe/trunk/lib/StaticAnalyzer/Checkers: Checkers.td GenericTaintChecker.cpp
Anna Zaks
ganna at apple.com
Wed Nov 16 11:58:13 PST 2011
Author: zaks
Date: Wed Nov 16 13:58:13 2011
New Revision: 144825
URL: http://llvm.org/viewvc/llvm-project?rev=144825&view=rev
Log:
[analyzer] Adding generic taint checker.
The checker is responsible for defining the attack surface and adding taint to symbols.
Added:
cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=144825&r1=144824&r2=144825&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td Wed Nov 16 13:58:13 2011
@@ -28,6 +28,7 @@
def Security : Package <"security">;
def SecurityExperimental : Package<"security">, InPackage<Experimental>, Hidden;
+def Taint : Package<"taint">, InPackage<SecurityExperimental>, Hidden;
def Unix : Package<"unix">;
def UnixExperimental : Package<"unix">, InPackage<Experimental>, Hidden;
@@ -218,6 +219,18 @@
} // end "security.experimental"
//===----------------------------------------------------------------------===//
+// Taint checkers.
+//===----------------------------------------------------------------------===//
+
+let ParentPackage = Taint in {
+
+def GenericTaintChecker : Checker<"TaintPropagation">,
+ HelpText<"Generate taint information used by other checkers">,
+ DescFile<"GenericTaintChecker.cpp">;
+
+} // end "experimental.security.taint"
+
+//===----------------------------------------------------------------------===//
// Unix API checkers.
//===----------------------------------------------------------------------===//
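Review bot: The closing comment `} // end "experimental.security.taint"` on the new package block spells the package path in a different order from the existing `} // end "security.experimental"` comment it follows, so a reader cannot tell from the comments alone which form is the checker's actual registered name. Given that `SecurityExperimental` is declared as `Package<"security">, InPackage<Experimental>`, the new comment appears to be the accurate one; it would be worth aligning the two closing comments on one spelling in a follow-up so the `Hidden` taint package is discoverable by the name users will pass on the command line.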
Added: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=144825&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (added)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Wed Nov 16 13:58:13 2011
@@ -0,0 +1,97 @@
+//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This checker defines the attack surface for generic taint propagation.
+//
+// The taint information produced by it might be useful to other checkers. For
+// example, checkers should report errors which involve tainted data more
+// aggressively, even if the involved symbols are under constrained.
+//
+//===----------------------------------------------------------------------===//
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class GenericTaintChecker : public Checker< check::PostStmt<CallExpr> > {
+
+ mutable llvm::OwningPtr<BuiltinBug> BT;
+
+ /// Functions defining the attacke surface.
+ typedef void (GenericTaintChecker::*FnCheck)(const CallExpr *,
+ CheckerContext &C) const;
+ void processScanf(const CallExpr *CE, CheckerContext &C) const;
+ void processRetTaint(const CallExpr *CE, CheckerContext &C) const;
+
+public:
+ void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
+};
+}
+
+void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
+ CheckerContext &C) const {
+ if (!C.getState())
+ return;
+
+ StringRef Name = C.getCalleeName(CE);
+
+ // Define the attack surface.
+ // Set the evaluation function by switching on the callee name.
+ FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
+ .Case("scanf", &GenericTaintChecker::processScanf)
+ .Case("getchar", &GenericTaintChecker::processRetTaint)
+ .Default(NULL);
+
+ // If the callee isn't defined, it is not of security concern.
+ // Check and evaluate the call.
+ if (evalFunction)
+ (this->*evalFunction)(CE, C);
+
+}
+static SymbolRef getPointedToSymbol(const ProgramState *State,
+ const Expr* Arg) {
+ SVal AddrVal = State->getSVal(Arg->IgnoreParenCasts());
+ Loc *AddrLoc = dyn_cast<Loc>(&AddrVal);
+ SVal Val = State->getSVal(*AddrLoc);
+ return Val.getAsSymbol();
+}
+
+
+void GenericTaintChecker::processScanf(const CallExpr *CE,
+ CheckerContext &C) const {
+ const ProgramState *State = C.getState();
+ assert(CE->getNumArgs() == 2);
+ SVal x = State->getSVal(CE->getArg(1));
+ // All arguments except for the very first one should get taint.
+ for (unsigned int i = 1; i < CE->getNumArgs(); ++i) {
+ // The arguments are pointer arguments. The data they are pointing at is
+ // tainted after the call.
+ const Expr* Arg = CE->getArg(i);
+ SymbolRef Sym = getPointedToSymbol(State, Arg);
+ if (Sym)
+ State = State->addTaint(Sym);
+ }
+ C.addTransition(State);
+
+}
+
+void GenericTaintChecker::processRetTaint(const CallExpr *CE,
+ CheckerContext &C) const {
+ const ProgramState *NewState = C.getState()->addTaint(CE);
+ C.addTransition(NewState);
+}
+
+void ento::registerGenericTaintChecker(CheckerManager &mgr) {
+ mgr.registerChecker<GenericTaintChecker>();
+}
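Review bot: getPointedToSymbol dereferences `*AddrLoc` without checking the result of `dyn_cast<Loc>(&AddrVal)`, so an argument whose value is not a location (an unknown value, or a non-pointer argument in a malformed scanf call) makes processScanf dereference a null pointer while walking the arguments; add `if (!AddrLoc) return NULL;` before the `State->getSVal(*AddrLoc)` line. processScanf also asserts `CE->getNumArgs() == 2` while its loop and comment handle every argument after the format string, so any three-argument scanf trips the assert in a checked build; replace it with an early return such as `if (CE->getNumArgs() < 2) return;` and drop the unused `SVal x` local. The `attacke surface` comment in the class body has a typo, and `llvm::StringSwitch` is used without a visible include of `llvm/ADT/StringSwitch.h` — presumably it arrives transitively through the included headers, but an explicit include would make the file self-contained.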