[cfe-dev] Clang Static Analyzer conditional terminating call back

Kristóf Umann via cfe-dev cfe-dev at lists.llvm.org
Fri Sep 20 13:00:07 PDT 2019


On Fri, 20 Sep 2019 at 21:35, Artem Dergachev <noqnoqneo at gmail.com> wrote:

> @Gavin: I'm worried that you're choosing a wrong strategy here. Branches
> with tainted conditions can be used for sanitizing the input, but it sounds
> like you want to ban them rather than promote them. That said, I can't
> figure out what's the right solution for you unless I understand the
> original problem that you're trying to solve.
>
> @Kristof: Do you think you can implement a
> checkBeginControlDependentSection / checkEndControlDependentSection
> callback pair on top of your control dependency tracking mechanisms, so
> that they behaved intuitively and always perfectly paired each other, even
> in the more complicated cases like for-loops and Duff's devices? (there's
> no indication so far that we really need them - scope contexts are much
> more valuable and might actually be helpful here as well - but I'm kinda
> curious).
>

I guess so. I'm seeing a couple of things to keep track of (inlined function
calls to name one), but nothing too bad.

It raises (haha) a question about exceptions: if we ever end up supporting
them, what happens if an exception is raised? Also, it just came to my mind,
should any block with a non-noexcept function call have an edge to the exit
block if we take exceptions into account?


> On 9/20/19 10:46 AM, Kristóf Umann via cfe-dev wrote:
>
> + Artem because he knows everything about the analyzer and symbolic
> execution, + Balázs because he is currently working on TaintChecker.
>
> My first instinct here would be to combine path-sensitive analysis with
> control flow analysis. In the header file
> clang/include/clang/Analysis/Analyses/Dominators.h you will find the
> class ControlDependencyCalculator. You could calculate the control
> dependencies of the block in which sensitive_func() is called (you can
> retrieve that through the current ExplodedNode) and find that the CFGBlock
> whose getLastCondition() is value < xxx is in fact a control dependency.
> Then, you could, in theory, check whether parts of this expression are
> tainted.
>
> Artem, do you think this makes any sense?
>
> On Fri, 20 Sep 2019 at 16:10, Gavin Cui via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
>
>> Hello all,
>> I want to check if a tainted value can affect the control flow of some
>> sensitive functions. For example:
>>
>> int value = taint_source();   /* tainted input */
>> if (value < xxx) {            /* branch condition depends on the tainted value */
>>         sensitive_func();     /* call is control dependent on that branch */
>> }
>>
>> The taint propagation in clang static analyzer fits part of my need. One
>> approach I can think of is:
>> Whenever I encounter a branch condition (register checkBranchCondition()
>> call back), I will push a tag (tainted or not) to a taintStack variable in
>> ProgramState.
>> After the branch block is closed, I will pop one tag.
>> If sensitive_function() gets encountered, I will check all the tags in
>> taintStack to see if any of them is tainted.
>>
>> The problem is I did not find a callback like checkBranchCondition()
>> which will be called every time exiting a branch block. Then what should
>> be a good approach for this control flow checking?
>>
>> Any suggestions would be appreciated.
>>
>> Thank you,
>> Gavin
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at lists.llvm.org
>> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>
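The following is an added, self-contained C++ model of the approach Kristóf suggests above; it is not code from this thread and not clang code. It hand-builds a toy CFG (the `Block` struct, the block numbering, and the `condTainted` / `callsSensitive` flags are assumptions of the example), computes post-dominators and the control dependencies of the block that calls `sensitive_func()`, and reports when one of those controlling branches tests a tainted value. In a real checker the CFG and dependencies would come from clang's `CFG` and `ControlDependencyCalculator`, and the taint bit from the taint checker's state; the model also covers Artem's loop case and a sensitive call placed after the `if`, where a "push on branch, pop on block end" stack is easy to get wrong but control dependence gives the precise answer.

```cpp
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <set>
#include <vector>

// Toy CFG block for this model (an assumption of the example, not a clang type).
struct Block {
    std::vector<int> succs;      // successor block ids; the exit block has none
    bool condTainted = false;    // block ends in a branch on a tainted value
    bool callsSensitive = false; // block contains the sensitive_func() call
};

using PostDomSets = std::vector<std::set<int>>;

// Post-dominators by fixed-point iteration:
//   PD(exit) = {exit},  PD(n) = {n} U (intersection over s in succ(n) of PD(s)).
static PostDomSets computePostDominators(const std::vector<Block>& cfg) {
    const int n = static_cast<int>(cfg.size());
    std::set<int> all;
    for (int i = 0; i < n; ++i) all.insert(i);
    PostDomSets pd(n, all);
    for (int i = 0; i < n; ++i)
        if (cfg[i].succs.empty()) pd[i] = {i};
    for (bool changed = true; changed;) {
        changed = false;
        for (int i = 0; i < n; ++i) {
            if (cfg[i].succs.empty()) continue;
            std::set<int> meet = all;
            for (int s : cfg[i].succs) {
                std::set<int> tmp;
                std::set_intersection(meet.begin(), meet.end(), pd[s].begin(), pd[s].end(),
                                      std::inserter(tmp, tmp.begin()));
                meet.swap(tmp);
            }
            meet.insert(i);
            if (meet != pd[i]) { pd[i] = meet; changed = true; }
        }
    }
    return pd;
}

// `target` is control dependent on `b` iff some successor of `b` is post-dominated
// by `target` while `b` itself is not strictly post-dominated by `target`
// (the Ferrante/Cytron definition; a loop header ends up depending on itself).
static std::set<int> controlDependencies(const std::vector<Block>& cfg,
                                         const PostDomSets& pd, int target) {
    std::set<int> deps;
    for (int b = 0; b < static_cast<int>(cfg.size()); ++b) {
        if (b != target && pd[b].count(target)) continue; // target strictly post-dominates b
        for (int s : cfg[b].succs)
            if (pd[s].count(target)) { deps.insert(b); break; }
    }
    return deps;
}

// Blocks whose sensitive call is control dependent on at least one tainted branch.
std::vector<int> findTaintControlledSensitiveCalls(const std::vector<Block>& cfg) {
    const PostDomSets pd = computePostDominators(cfg);
    std::vector<int> reports;
    for (int b = 0; b < static_cast<int>(cfg.size()); ++b) {
        if (!cfg[b].callsSensitive) continue;
        for (int dep : controlDependencies(cfg, pd, b))
            if (cfg[dep].condTainted) { reports.push_back(b); break; }
    }
    return reports;
}

// Constructed CFGs (hand-built for the example, not produced by clang).
// Gavin's snippet: B0 reads the taint source and branches on it, B1 is the then-block.
std::vector<Block> ifDiamond(bool branchTainted) {
    return {{{1, 2}, branchTainted, false}, {{2}, false, true}, {{}, false, false}};
}
// The sensitive call placed after the if, on the join block: every path reaches it.
std::vector<Block> callAfterIf() {
    return {{{1, 2}, true, false}, {{2}, false, false}, {{}, false, true}};
}
// while (i < value) { sensitive_func(); i++; } with `value` tainted: B1 is the header.
std::vector<Block> whileLoop() {
    return {{{1}, false, false}, {{2, 3}, true, false}, {{1}, false, true}, {{}, false, false}};
}

int main() {
    for (int b : findTaintControlledSensitiveCalls(ifDiamond(true)))
        std::printf("if-diamond: sensitive call in B%d is under tainted control\n", b);
    std::printf("call after if: %zu report(s)\n",
                findTaintControlledSensitiveCalls(callAfterIf()).size());
    for (int b : findTaintControlledSensitiveCalls(whileLoop()))
        std::printf("while-loop: sensitive call in B%d is under tainted control\n", b);
    return 0;
}
```

The diamond with a tainted condition reports B1, the same diamond with an untainted (sanitizing) condition reports nothing, the call on the join block after the `if` is not reported because it post-dominates the branch, and the loop body is reported because it depends on the tainted loop header. That last distinction is what a plain "have I seen a tainted branch on this path" check cannot make.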

