[cfe-dev] Clang Static Analyzer conditional terminating call back
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Fri Sep 20 12:35:45 PDT 2019
@Gavin: I'm worried that you're choosing a wrong strategy here. Branches
with tainted conditions can be used for sanitizing the input, but it
sounds like you want to ban them rather than promote them. That said, I
can't figure out what's the right solution for you unless I understand
the original problem that you're trying to solve.
@Kristof: Do you think you can implement a
checkBeginControlDependentSection / checkEndControlDependentSection
callback pair on top of your control dependency tracking mechanisms, so
that they behave intuitively and always perfectly pair with each other,
even in the more complicated cases like for-loops and Duff's devices?
(There's no indication so far that we really need them - scope contexts
are much more valuable and might actually be helpful here as well - but
I'm kinda curious.)
On 9/20/19 10:46 AM, Kristóf Umann via cfe-dev wrote:
> + Artem because he knows everything about the analyzer and symbolic
> execution, + Balázs because he is currently working on TaintChecker.
>
> My first instinct here would be to combine path-sensitive analysis with
> control flow analysis. In the header file
> clang/include/clang/Analysis/Analyses/Dominators.h you will find the
> class ControlDependencyCalculator. You could calculate the control
> dependencies of the block in which sensitive_func() is called (you can
> retrieve that through the current ExplodedNode) and find that the
> CFGBlock whose getLastCondition() is value < xxx is in fact a control
> dependency. Then, you could, in theory, check whether parts of this
> expression are tainted.
>
> Artem, do you think this makes any sense?
>
> On Fri, 20 Sep 2019 at 16:10, Gavin Cui via cfe-dev
> <cfe-dev at lists.llvm.org> wrote:
>
> Hello all,
> I want to check if a tainted value can affect the control flow of
> some sensitive functions. For example:
>
> value = taint_source()
> if (value < xxx) {
> sensitive_func()
> }
>
> The taint propagation in clang static analyzer fits part of my
> need. One approach I can think of is:
> Whenever I encounter a branch condition (register a
> checkBranchCondition() callback), I will push a tag (tainted or
> not) to a taintStack variable in ProgramState.
> After the branch block is closed, I will pop one tag.
> If sensitive_function() gets encountered, I will check all the tags
> in taintStack to see if any of them is tainted.
>
> The problem is I did not find a callback like
> checkBranchCondition() which will be called every time exiting a
> branch block. Then what should be a good approach for this
> control flow checking?
>
> Any suggestions would be appreciated.
>
> Thank you,
> Gavin
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
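Kristóf's suggestion (compute the control dependencies of the block that calls sensitive_func() and ask whether the controlling conditions are tainted) and Gavin's taintStack idea both reduce to the same question, modelled below over a toy CFG. This is an added example, not code from the thread or from clang: Block, CFG, postDominators, controlDeps, guardedByTaintedBranch and exampleCfg are assumed names, and the condTainted flag stands in for what the analyzer's taint propagation would report for a block's getLastCondition().

```cpp
#include <set>
#include <vector>

// Toy CFG block: successors plus whether taint propagation marked the block's
// last condition (what getLastCondition() returns in clang) as tainted.
struct Block { std::vector<int> succs; bool condTainted = false; };
using CFG = std::vector<Block>;  // block 0 = entry, last block = exit

// Post-dominator sets by fixpoint: pdom(exit) = {exit}, pdom(n) = {n} ∪ ∩ pdom(succ).
static std::vector<std::set<int>> postDominators(const CFG& cfg) {
    int n = cfg.size(), exitB = n - 1;
    std::set<int> all;
    for (int i = 0; i < n; ++i) all.insert(i);
    std::vector<std::set<int>> pdom(n, all);
    pdom[exitB] = {exitB};
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 0; b < exitB; ++b) {
            std::set<int> acc = all;
            for (int s : cfg[b].succs)  // intersect with each successor's set
                for (auto it = acc.begin(); it != acc.end();)
                    if (pdom[s].count(*it)) ++it; else it = acc.erase(it);
            acc.insert(b);
            if (acc != pdom[b]) { pdom[b] = acc; changed = true; }
        }
    }
    return pdom;
}
// Control dependencies of `target`: every block A with a successor S such that
// target post-dominates S but does not strictly post-dominate A itself.
static std::vector<int> controlDeps(const CFG& cfg, int target) {
    auto pdom = postDominators(cfg);
    std::vector<int> deps;
    for (int a = 0; a < (int)cfg.size(); ++a) {
        if (a != target && pdom[a].count(target)) continue;
        for (int s : cfg[a].succs)
            if (pdom[s].count(target)) { deps.push_back(a); break; }
    }
    return deps;
}
// The check from the thread: is the block calling sensitive_func() control
// dependent on any branch whose condition is tainted?
static bool guardedByTaintedBranch(const CFG& cfg, int sensitiveBlock) {
    for (int a : controlDeps(cfg, sensitiveBlock))
        if (cfg[a].condTainted) return true;
    return false;
}
// Constructed CFG of Gavin's snippet: B0 `value = taint_source(); if (value < xxx)`
// -> B1 (true) / B2 (false); B1 `sensitive_func()` -> B2; B2 = exit.
static CFG exampleCfg(bool tainted) { return {{{1, 2}, tainted}, {{2}}, {{}}}; }
```

Note that the block after the if (B2) has no control dependency on the branch, so the same check reports nothing there; this is the pairing behaviour Gavin wanted from a missing "branch exit" callback, obtained without one.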