[PATCH] D59516: [analyzer] Make GenericTaintChecker configurable

Borsik Gábor via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Mar 18 15:25:27 PDT 2019


boga95 created this revision.
boga95 added reviewers: NoQ, Szelethus, xazax.hun, dkrupp.
boga95 added a project: clang.
Herald added subscribers: cfe-commits, Charusso, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, whisperity.

One can pass a configuration file to the checker with the following argument: `-analyzer-config alpha.security.taint.TaintPropagation:Config=/path/to/the/file/taint-generic-config.yaml`. The config file can contain:

- Propagations: One can define functions which propagate or create the taintedness. It has five fields:
  - Name: The name of the function. Mandatory field.
  - SrcArgs: A list of arguments. If any of them is tainted, the destination arguments will be marked tainted. If it's not defined, the destination arguments will always be marked as tainted.
  - DstArgs: A list of arguments. Set the tainted flag for the arguments, if they are marked. The return value's index is 4294967294 (it is temporary).
  - VarType: It's an enum with three possible values: `None`, `Src`, `Dst`. The default value is `None` and does nothing.
  - VarIndex: It's the first variadic argument for the function. If `VarType == Src` and any of them is tainted, the destination arguments will be marked as tainted. If `VarType == Dst` and they are marked, all arguments from the VarIndex will be marked as tainted.
- Filters: One can define functions which remove the tainted flag if it is passed to the proper argument.
  - Name: The name of the function. Mandatory field.
  - Args: A list of arguments. If a tainted value is passed to it, the tainted flag will be removed. Mandatory field.
- Sinks: A list of functions which will give a warning if they get a tainted value.
  - Name: The name of the function. Mandatory field.
  - Args: A list of arguments. If any of those arguments get a tainted value, it will give a warning. Mandatory field.

For the propagations, it uses the config to deduce the `TaintPropagationRules` from the function's name.
The filter functions are understandable as functions which mark their arguments as not tainted. I improved the information flow from pre-visit to post-visit, therefore, the `TaintTagType` could be passed to the `setTaint` function. Currently, it only works if the argument is a pointer.


Repository:
  rC Clang

https://reviews.llvm.org/D59516

Files:
  include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
  include/clang/StaticAnalyzer/Core/PathSensitive/TaintTag.h
  lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
  lib/StaticAnalyzer/Core/ProgramState.cpp
  test/Analysis/Inputs/taint-generic-config.yaml
  test/Analysis/taint-generic.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D59516.191188.patch
Type: text/x-patch
Size: 29356 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190318/2b93c958/attachment-0001.bin>
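The following is an added example of a configuration file in the format the summary above describes; it is not the patch's own test input (`test/Analysis/Inputs/taint-generic-config.yaml`) and is not taken from the patch. The top-level keys and per-entry fields (`Propagations`, `Filters`, `Sinks`, `Name`, `SrcArgs`, `DstArgs`, `VarType`, `VarIndex`, `Args`) come from the summary; the YAML layout (a sequence of mappings under each key) and all function names (`read_untrusted`, `to_upper_copy`, `my_scanf`, `my_snprintf`, `sanitize_path`, `run_command`) are assumptions chosen for illustration.

```yaml
# Added example config for the format proposed in D59516.
# Assumptions: each section is a YAML sequence of mappings, and the
# function names below are hypothetical stand-ins for a project's own API.

Propagations:
  # Taint source: no SrcArgs, so the destination is always marked tainted.
  # 4294967294 is the (temporary) index that denotes the return value.
  - Name: read_untrusted
    DstArgs: [4294967294]

  # Propagator: if argument 0 is tainted, the return value becomes tainted.
  - Name: to_upper_copy
    SrcArgs: [0]
    DstArgs: [4294967294]

  # Variadic source (scanf-like): every argument from index 1 onward is
  # marked tainted because VarType is Dst.
  - Name: my_scanf
    VarType: Dst
    VarIndex: 1

  # Variadic propagator (snprintf-like): if any variadic argument from
  # index 2 onward is tainted, argument 0 is marked tainted.
  - Name: my_snprintf
    DstArgs: [0]
    VarType: Src
    VarIndex: 2

Filters:
  # Sanitizer: a tainted value passed as argument 0 has its taint flag
  # removed. Per the summary, this currently only works when that
  # argument is a pointer.
  - Name: sanitize_path
    Args: [0]

Sinks:
  # A warning is reported when a tainted value reaches argument 0.
  - Name: run_command
    Args: [0]
```

With this file, a value returned by `read_untrusted` and handed to `run_command` (directly, or through `to_upper_copy`) is reported, while a value that goes through `sanitize_path` first is not. The file is passed to the checker with the `-analyzer-config alpha.security.taint.TaintPropagation:Config=...` argument quoted in the summary, which is a `-cc1` option.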

