[cfe-dev] Question about tainting support

Ted Kremenek kremenek at apple.com
Mon Aug 3 16:24:49 PDT 2015 

Thinking about this more about your example…

void somemethod(string s) {
   m(&s);
}

What specifically is tainted after the the call to ‘m’?  The values of ’s’?  If we know nothing about ’s’, technically the contents of ’s’ are all invalidated by the analyzer.  Thus is makes sense to taint the region ’s’ itself.  That said, when a value gets loaded from the tainted ’s’ that also needs to be treated as tainted, thus taint is a derived property.  The taint tracking will need to handle not just symbols/region that are explicitly tainted, but taint that is implied because of the relationship to other tainted data.

For example, in this case if I taint all of ’s’, I expect that any data that I load from it to also be tainted.

> On Jul 31, 2015, at 10:15 PM, Ted Kremenek <kremenek at apple.com> wrote:
> 
> LazyCompoundVal is just the value of ’s’, it is not ’s’ itself.  After the call to ‘m’, does ’s’ have a new value?  What, semantically, are you trying to track as being tainted?
> 
> Since ’s’ is a struct value, the LazyCompoundVal is just “the struct values of ’s’ when a specific symbolic Store was used”.  We use LazyCompoundVals as an important optimization hack over CompoundVals, but they themselves do not have identity.  They do, however, wrap things that do have identity.  For example, LazyCompoundVal wraps an underlying MemRegion, which is the abstract memory that would have contained the value.  In this case, the MemRegion is for the parameter ’s’ itself.  Is the idea for ’s’ itself to be tainted?  If so, you want to query for that MemRegion, and mark it tainted.
> 
>> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <franchiotta at gmail.com> wrote:
>> 
>> Is it possible to mark as tainted a Sval that represents a class or struct?
>> 
>> For example, take a look at this code:
>> 
>> void somemethod(string s) {
>>    m(&s);
>> }
>> 
>> I want to taint 's' as soon as it is passed on 'm' method. &s represents a loc, if I try to get the Sval from it, I get a nonloc:LazyCompundVar which doesn't have a symbol associated to make it tainted.
>> 
>> I'm a little bit confused, could anyone please clarify this?
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>

More information about the cfe-dev mailing list