[cfe-dev] Question about tainting support

Francisco Chiotta franchiotta at gmail.com
Mon Aug 3 20:11:11 PDT 2015


Ted, thanks for your response and help.


Yes, actually the idea is to taint the value of ’s’ itself. The checker
would provide propagation rules so that the user can define which
functions propagate tainted data to other objects (this approach is based
on GenericTaintChecker, which is included with the analyzer).


I am also interested in tracking the member variables (or global vars) used
on method invocation over structs. For example, given a struct like struct
X { … } myStruct; and executing myStruct.someMethod(), the checker should
go and visit the body of the function, and mark as tainted any uses of
member vars of myStruct and also global variables.


For now, I am getting the symbolic base of the LazyCompoundVal, and just
marking that as tainted, as the following piece of code shows.


https://github.com/franchiotta/clang/blob/customtaintchecker/lib/StaticAnalyzer/Checkers/CustomTaintChecker.cpp#L815

2015-08-03 20:24 GMT-03:00 Ted Kremenek <kremenek at apple.com>:

> Thinking about this more about your example…
>
> void somemethod(string s) {
>    m(&s);
> }
>
> What specifically is tainted after the call to ‘m’?  The values of
> ’s’?  If we know nothing about ’s’, technically the contents of ’s’ are all
> invalidated by the analyzer.  Thus it makes sense to taint the region ’s’
> itself.  That said, when a value gets loaded from the tainted ’s’ that also
> needs to be treated as tainted, thus taint is a derived property.  The
> taint tracking will need to handle not just symbols/regions that are
> explicitly tainted, but taint that is implied because of the relationship
> to other tainted data.
>
> For example, in this case if I taint all of ’s’, I expect that any data
> that I load from it to also be tainted.
>
> > On Jul 31, 2015, at 10:15 PM, Ted Kremenek <kremenek at apple.com> wrote:
> >
> > LazyCompoundVal is just the value of ’s’, it is not ’s’ itself.  After
> the call to ‘m’, does ’s’ have a new value?  What, semantically, are you
> trying to track as being tainted?
> >
> > Since ’s’ is a struct value, the LazyCompoundVal is just “the struct
> values of ’s’ when a specific symbolic Store was used”.  We use
> LazyCompoundVals as an important optimization hack over CompoundVals, but
> they themselves do not have identity.  They do, however, wrap things that
> do have identity.  For example, LazyCompoundVal wraps an underlying
> MemRegion, which is the abstract memory that would have contained the
> value.  In this case, the MemRegion is for the parameter ’s’ itself.  Is
> the idea for ’s’ itself to be tainted?  If so, you want to query for that
> MemRegion, and mark it tainted.
> >
> >> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <franchiotta at gmail.com>
> wrote:
> >>
> >> Is it possible to mark as tainted an SVal that represents a class or
> struct?
> >>
> >> For example, take a look at this code:
> >>
> >> void somemethod(string s) {
> >>    m(&s);
> >> }
> >>
> >> I want to taint 's' as soon as it is passed to the 'm' method. &s
> represents a loc; if I try to get the SVal from it, I get a
> nonloc::LazyCompoundVal which doesn't have a symbol associated to make it
> tainted.
> >>
> >> I'm a little bit confused, could anyone please clarify this?
> >> _______________________________________________
> >> cfe-dev mailing list
> >> cfe-dev at cs.uiuc.edu
> >> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
> >
>
>
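As an added example, not code from this thread or from the CustomTaintChecker linked above: a self-contained C++ model of the "derived taint" point Ted makes. The Region, LazyCompoundVal and TaintState types below are stand-ins I wrote to illustrate the semantics; they are not the clang::ento classes. In the real analyzer the region wrapped by the struct value is obtained with nonloc::LazyCompoundVal::getRegion(), and taint is recorded through the analyzer's ProgramState taint API rather than the toy set used here.

```cpp
#include <iostream>
#include <set>
#include <string>

// Toy stand-in for the analyzer's MemRegion: every region except a base
// region (a parameter or a global variable) is nested inside a super region,
// e.g. a field inside a struct, an element inside an array.
struct Region {
    std::string name;
    const Region *super;  // nullptr for a base region
};

// Toy stand-in for nonloc::LazyCompoundVal: the struct value of `s`, which
// has no identity of its own but wraps the region that holds the value.
struct LazyCompoundVal {
    const Region *region;
    const Region *getRegion() const { return region; }
};

// Minimal taint state: only regions explicitly marked tainted are stored;
// everything else is derived at query time.
class TaintState {
    std::set<const Region *> explicitlyTainted;

public:
    void addTaint(const Region *r) { explicitlyTainted.insert(r); }

    // A region is tainted if it, or any region enclosing it, was tainted.
    // This is the derived property from the thread: tainting all of `s`
    // makes every value loaded from inside `s` tainted as well.
    bool isTainted(const Region *r) const {
        for (const Region *cur = r; cur != nullptr; cur = cur->super)
            if (explicitlyTainted.count(cur))
                return true;
        return false;
    }

    // Model a bind `dst = load(src)`: a copy lives in a region unrelated to
    // `s`, so the checker has to mark the destination explicitly.
    void bindFrom(const Region *dst, const Region *src) {
        if (isTainted(src))
            addTaint(dst);
    }
};

struct ExampleResult {
    bool sItself, sField, sElement, unrelated, copy;
};

// Replays the thread's example, somemethod(string s) { m(&s); }, with the
// checker tainting the region wrapped by the LazyCompoundVal of `s`.
// All regions here are constructed for the example.
ExampleResult runExample() {
    Region s{"s", nullptr};             // parameter `s`, the region in question
    Region sData{"s.data", &s};         // a member loaded from `s`
    Region sChar{"s.data[0]", &sData};  // an element loaded from that member
    Region t{"t", nullptr};             // an unrelated local
    Region copy{"copy", nullptr};       // destination of `copy = s.data[0]`

    LazyCompoundVal valueOfS{&s};
    TaintState state;

    // After m(&s) the checker taints the region, not the LazyCompoundVal.
    state.addTaint(valueOfS.getRegion());
    state.bindFrom(&copy, &sChar);

    return ExampleResult{
        state.isTainted(&s),
        state.isTainted(&sData),
        state.isTainted(&sChar),
        state.isTainted(&t),
        state.isTainted(&copy),
    };
}

int main() {
    ExampleResult r = runExample();
    std::cout << "s itself tainted:   " << r.sItself << "\n"
              << "s.data tainted:     " << r.sField << "\n"
              << "s.data[0] tainted:  " << r.sElement << "\n"
              << "unrelated t tainted:" << r.unrelated << "\n"
              << "copy tainted:       " << r.copy << "\n";
    return 0;
}
```

The walk up the super-region chain in isTainted is what makes the field and element loads tainted without ever being marked themselves; the bindFrom step shows the one place where propagation still has to be explicit, since a value copied out of `s` ends up in a region with no structural relationship to `s`.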