Quantcast

[Analyzer] How to deal with lazy compound values when tracking state

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
Hi there,

I'm implementing a kind of taint propagation and I'm running into a
bit of trouble when some of the tainted values are structs, because of
the LazyCompoundValue optimization. First to illustrate the kind of
thing I want to do, consider:

extern int tainted_function1();
void foo() {
    int x = tainted_function1();
    clang_analyzer_explain(x);
}

Where I try to annotate the taint upon returning from the call
(check::PostCall).
Now, this works well, because `x` is `symbol of type 'int' conjured at
statement 'tainted_function1()'`, so I can store its taintedness in a
SymbolRef->bool map and everyone is happy. However, I'm having trouble
extending the same logic to:

struct foo {
    int a;
    int b;
};
extern struct foo tainted_function2();
void foo() {
    struct foo val = tainted_function2();
    clang_analyzer_explain(val);
}

because `val` is then a `lazily frozen compound value of local
variable 'val'`. I tried playing with that a bit, but I'm having
trouble getting at the symbol from the lazy compound val (I tried
getBinding with the Store and the region from the lazy compound val,
but that just gives me another lazy compound value). How do I
de-lazify the value?
_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
Hello Kano,

This seems to be a work in progress on it:
https://reviews.llvm.org/D28445 (with a very thorough comments in the
discussion). You can take a look.


03.03.2017 09:02, Keno Fischer via cfe-dev пишет:

> Hi there,
>
> I'm implementing a kind of taint propagation and I'm running into a
> bit of trouble when some of the tainted values are structs, because of
> the LazyCompoundValue optimization. First to illustrate the kind of
> thing I want to do, consider:
>
> extern int tainted_function1();
> void foo() {
>      int x = tainted_function1();
>      clang_analyzer_explain(x);
> }
>
> Where I try to annotate the taint upon returning from the call
> (check::PostCall).
> Now, this works well, because `x` is `symbol of type 'int' conjured at
> statement 'tainted_function1()'`, so I can store its taintedness in a
> SymbolRef->bool map and everyone is happy. However, I'm having trouble
> extending the same logic to:
>
> struct foo {
>      int a;
>      int b;
> };
> extern struct foo tainted_function2();
> void foo() {
>      struct foo val = tainted_function2();
>      clang_analyzer_explain(val);
> }
>
> because `val` is then a `lazily frozen compound value of local
> variable 'val'`. I tried playing with that a bit, but I'm having
> trouble getting at the symbol from the lazy compound val (I tried
> getBinding with the Store and the region from the lazy compound val,
> but that just gives me another lazy compound value). How do I
> de-lazify the value?
> _______________________________________________
> cfe-dev mailing list
> [hidden email]
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev


--
Best regards,
Aleksei Sidorin,
SRR, Samsung Electronics

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
In reply to this post by Keane, Erich via cfe-dev
Hello, we're almost landing a patch to make this easier:
https://reviews.llvm.org/D28445

(the discussion should be helpful as well)

On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:

> Hi there,
>
> I'm implementing a kind of taint propagation and I'm running into a
> bit of trouble when some of the tainted values are structs, because of
> the LazyCompoundValue optimization. First to illustrate the kind of
> thing I want to do, consider:
>
> extern int tainted_function1();
> void foo() {
>      int x = tainted_function1();
>      clang_analyzer_explain(x);
> }
>
> Where I try to annotate the taint upon returning from the call
> (check::PostCall).
> Now, this works well, because `x` is `symbol of type 'int' conjured at
> statement 'tainted_function1()'`, so I can store its taintedness in a
> SymbolRef->bool map and everyone is happy. However, I'm having trouble
> extending the same logic to:
>
> struct foo {
>      int a;
>      int b;
> };
> extern struct foo tainted_function2();
> void foo() {
>      struct foo val = tainted_function2();
>      clang_analyzer_explain(val);
> }
>
> because `val` is then a `lazily frozen compound value of local
> variable 'val'`. I tried playing with that a bit, but I'm having
> trouble getting at the symbol from the lazy compound val (I tried
> getBinding with the Store and the region from the lazy compound val,
> but that just gives me another lazy compound value). How do I
> de-lazify the value?
> _______________________________________________
> cfe-dev mailing list
> [hidden email]
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
Whoops didn't notice Aleksei's comment sry, should unwrap the thread
before answering><


On 3/5/17 1:39 PM, Artem Dergachev wrote:

> Hello, we're almost landing a patch to make this easier:
> https://reviews.llvm.org/D28445
>
> (the discussion should be helpful as well)
>
> On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
>> Hi there,
>>
>> I'm implementing a kind of taint propagation and I'm running into a
>> bit of trouble when some of the tainted values are structs, because of
>> the LazyCompoundValue optimization. First to illustrate the kind of
>> thing I want to do, consider:
>>
>> extern int tainted_function1();
>> void foo() {
>>      int x = tainted_function1();
>>      clang_analyzer_explain(x);
>> }
>>
>> Where I try to annotate the taint upon returning from the call
>> (check::PostCall).
>> Now, this works well, because `x` is `symbol of type 'int' conjured at
>> statement 'tainted_function1()'`, so I can store its taintedness in a
>> SymbolRef->bool map and everyone is happy. However, I'm having trouble
>> extending the same logic to:
>>
>> struct foo {
>>      int a;
>>      int b;
>> };
>> extern struct foo tainted_function2();
>> void foo() {
>>      struct foo val = tainted_function2();
>>      clang_analyzer_explain(val);
>> }
>>
>> because `val` is then a `lazily frozen compound value of local
>> variable 'val'`. I tried playing with that a bit, but I'm having
>> trouble getting at the symbol from the lazy compound val (I tried
>> getBinding with the Store and the region from the lazy compound val,
>> but that just gives me another lazy compound value). How do I
>> de-lazify the value?
>> _______________________________________________
>> cfe-dev mailing list
>> [hidden email]
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
Yes, I saw and have read the thread with interest, though admittedly I
am not sure I am perfectly clear on how to use it yet. However, before
asking for further help, I'll have to play with it a bit and see if I
can apply it to my use case.

On Sun, Mar 5, 2017 at 5:42 AM, Artem Dergachev <[hidden email]> wrote:

> Whoops didn't notice Aleksei's comment sry, should unwrap the thread before
> answering><
>
>
>
> On 3/5/17 1:39 PM, Artem Dergachev wrote:
>>
>> Hello, we're almost landing a patch to make this easier:
>> https://reviews.llvm.org/D28445
>>
>> (the discussion should be helpful as well)
>>
>> On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
>>>
>>> Hi there,
>>>
>>> I'm implementing a kind of taint propagation and I'm running into a
>>> bit of trouble when some of the tainted values are structs, because of
>>> the LazyCompoundValue optimization. First to illustrate the kind of
>>> thing I want to do, consider:
>>>
>>> extern int tainted_function1();
>>> void foo() {
>>>      int x = tainted_function1();
>>>      clang_analyzer_explain(x);
>>> }
>>>
>>> Where I try to annotate the taint upon returning from the call
>>> (check::PostCall).
>>> Now, this works well, because `x` is `symbol of type 'int' conjured at
>>> statement 'tainted_function1()'`, so I can store its taintedness in a
>>> SymbolRef->bool map and everyone is happy. However, I'm having trouble
>>> extending the same logic to:
>>>
>>> struct foo {
>>>      int a;
>>>      int b;
>>> };
>>> extern struct foo tainted_function2();
>>> void foo() {
>>>      struct foo val = tainted_function2();
>>>      clang_analyzer_explain(val);
>>> }
>>>
>>> because `val` is then a `lazily frozen compound value of local
>>> variable 'val'`. I tried playing with that a bit, but I'm having
>>> trouble getting at the symbol from the lazy compound val (I tried
>>> getBinding with the Store and the region from the lazy compound val,
>>> but that just gives me another lazy compound value). How do I
>>> de-lazify the value?
>>> _______________________________________________
>>> cfe-dev mailing list
>>> [hidden email]
>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>>
>
_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Analyzer] How to deal with lazy compound values when tracking state

Keane, Erich via cfe-dev
Well, you can either take values of structure fields by constructing
sub-regions of its base region (field or element regions, through
MemRegionManager, or maybe SValBuilder's helper methods would be useful)
and getSVal()'ing them (from the lazy compound value's store - which
contains contents of the structure, unlike the store in the program
state, which contains current contents of the region the structure was
copied from) and marking them as tainted.

Or with D28445 applied, you'd also be able to put taint over the whole
structure by tainting its default conjured symbol and auto-propagating
to all symbols derived from it (this auto-propagation is how our default
taint analysis works; it sounds to me that you're implementing your own
taint analysis, so i'd wonder what's wrong with the default one).

On 3/6/17 12:31 AM, Keno Fischer wrote:

> Yes, I saw and have read the thread with interest, though admittedly I
> am not sure I am perfectly clear on how to use it yet. However, before
> asking for further help, I'll have to play with it a bit and see if I
> can apply it to my use case.
>
> On Sun, Mar 5, 2017 at 5:42 AM, Artem Dergachev <[hidden email]> wrote:
>> Whoops didn't notice Aleksei's comment sry, should unwrap the thread before
>> answering><
>>
>>
>>
>> On 3/5/17 1:39 PM, Artem Dergachev wrote:
>>> Hello, we're almost landing a patch to make this easier:
>>> https://reviews.llvm.org/D28445
>>>
>>> (the discussion should be helpful as well)
>>>
>>> On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
>>>> Hi there,
>>>>
>>>> I'm implementing a kind of taint propagation and I'm running into a
>>>> bit of trouble when some of the tainted values are structs, because of
>>>> the LazyCompoundValue optimization. First to illustrate the kind of
>>>> thing I want to do, consider:
>>>>
>>>> extern int tainted_function1();
>>>> void foo() {
>>>>       int x = tainted_function1();
>>>>       clang_analyzer_explain(x);
>>>> }
>>>>
>>>> Where I try to annotate the taint upon returning from the call
>>>> (check::PostCall).
>>>> Now, this works well, because `x` is `symbol of type 'int' conjured at
>>>> statement 'tainted_function1()'`, so I can store its taintedness in a
>>>> SymbolRef->bool map and everyone is happy. However, I'm having trouble
>>>> extending the same logic to:
>>>>
>>>> struct foo {
>>>>       int a;
>>>>       int b;
>>>> };
>>>> extern struct foo tainted_function2();
>>>> void foo() {
>>>>       struct foo val = tainted_function2();
>>>>       clang_analyzer_explain(val);
>>>> }
>>>>
>>>> because `val` is then a `lazily frozen compound value of local
>>>> variable 'val'`. I tried playing with that a bit, but I'm having
>>>> trouble getting at the symbol from the lazy compound val (I tried
>>>> getBinding with the Store and the region from the lazy compound val,
>>>> but that just gives me another lazy compound value). How do I
>>>> de-lazify the value?
>>>> _______________________________________________
>>>> cfe-dev mailing list
>>>> [hidden email]
>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>>

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Loading...