Can SymExpr in clang carry multiple taints ?


Can SymExpr in clang carry multiple taints ?

Vassil Vassilev via cfe-dev
Hello, 

I am writing a taint tracking checker with the clang static analyzer; more specifically, I am trying to implement some sort of multiple taint tracking, which means I need to add more than one taint to a symbolic expression. However, it seems this cannot be done, because tests show that a later taint overwrites the earlier ones. Is there any possible approach to carry multiple taints in one SymExpr?

One more question: I can't find any function to remove a taint. Is it possible to remove some taints at the end of each execution path? Thank you!

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: Can SymExpr in clang carry multiple taints ?

Vassil Vassilev via cfe-dev
Unfortunately, both of these issues are still limitations of the current
taint engine.

We clearly need a multimap from symbols to various taint tags, but we
have only one taint tag kind for now, so there were no problems with that.

There's a patch that implements removeTaint(): reviews.llvm.org/D11700

Not sure why you want to change taint information at the end of the
execution path; it has no effect anyway, because it's already the end
of the execution path.

Re: Can SymExpr in clang carry multiple taints ?

A. Sidorin
In reply to this post by Vassil Vassilev via cfe-dev
Hello,

There is no simple multimap support (like REGISTER_*_WITH_PROGRAMSTATE) now. However, for taint analysis this functionality may easily be extended by using bitfields. So, I can imagine some functions like:

REGISTER_MAP_WITH_PROGRAMSTATE(TaintMap, SymbolRef, unsigned)

// Each TaintKind is one bit, so a symbol's entry is the OR of every kind it carries.
bool isTainted(ProgramStateRef State, SymbolRef Sym, unsigned TaintKind) {
  const unsigned *TaintKinds = State->get<TaintMap>(Sym);
  return TaintKinds && (*TaintKinds & (1u << TaintKind));
}

ProgramStateRef ProgramState::addTaint(SymbolRef Sym, TaintKind K) {
  const unsigned *CurrKinds = get<TaintMap>(Sym);
  unsigned NewFlag = 1u << K;
  // OR the new bit into the existing set instead of overwriting it.
  unsigned FinalFlags = CurrKinds ? (*CurrKinds | NewFlag) : NewFlag;
  // The map is keyed by symbol, so the symbol must be passed along with the flags.
  return set<TaintMap>(Sym, FinalFlags);
}

I may forget some signatures, but I think this may be a possible solution in your case.

Re: Can SymExpr in clang carry multiple taints ?

Pengfei
Hello,

Thank you for your reply; it is very helpful. Inspired by your suggestion, I re-read the source code for the tainting features in clang, then rewrote the addTaint() and isTainted() functions in my own checker, and it seems to work correctly now.

What is different from your solution is that I just added a customized struct, which is a taint list, into the TaintMap in the program state, so that I can add as many taint tags as I want; in addition, I can also add any additional information I need to the structure. I also added a getTaintList() function, which is implemented by recursively checking and merging the taint lists from the relevant symbols.

Thank you for your suggestion.

Cheers
Pengfei
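
The following is an added example, not code from this thread and not clang's own taint engine. It models, stand-alone and without clang headers, the two ideas discussed above: taint kinds kept as a bitmask per symbol, as suggested in A. Sidorin's reply, so that adding a second kind ORs a bit in rather than overwriting the first; a removeTaint() that clears one kind on a path; and the recursive merge over the symbols an expression is derived from that Pengfei describes for getTaintList(). The Sym and TaintState structs, the three TaintKind values and the ids are assumptions standing in for clang's SymExpr, ProgramState and SymbolRef.

```cpp
// Added example, not code from this thread or from clang: a stand-alone model
// of taint kinds kept as a bitmask per symbol (Sidorin's suggestion) and of
// taint collected recursively over the symbols an expression is derived from
// (Pengfei's getTaintList()). Sym and TaintState are assumptions standing in
// for clang's SymExpr and ProgramState; the kinds and ids are made up.
#include <cstdint>
#include <iostream>
#include <map>

// One bit per kind, so a single symbol can carry several kinds at once.
enum TaintKind : unsigned { TaintUser = 0, TaintNetwork = 1, TaintFile = 2 };
using TaintMask = std::uint32_t;

// Stand-in for SymExpr: a leaf symbol, or a symbol derived from two operands.
struct Sym {
    int id;            // identity, like the SymbolRef pointer value
    const Sym *lhs;    // operands when derived, nullptr for a leaf
    const Sym *rhs;
};

// Stand-in for the taint map a checker registers with ProgramState. clang's
// ProgramState is immutable and set<>() returns a new state, so every
// mutator here returns a copy rather than changing *this.
struct TaintState {
    std::map<int, TaintMask> taintMap;

    // OR the new bit in; a single-tag engine would overwrite here instead.
    TaintState addTaint(const Sym *S, TaintKind K) const {
        TaintState next = *this;
        next.taintMap[S->id] |= TaintMask(1) << K;
        return next;
    }

    // Clear one kind and drop the entry once no kind remains.
    TaintState removeTaint(const Sym *S, TaintKind K) const {
        TaintState next = *this;
        auto it = next.taintMap.find(S->id);
        if (it == next.taintMap.end())
            return next;
        it->second &= ~(TaintMask(1) << K);
        if (it->second == 0)
            next.taintMap.erase(it);
        return next;
    }

    // Kinds recorded directly on S, with no propagation.
    TaintMask directTaint(const Sym *S) const {
        auto it = taintMap.find(S->id);
        return it == taintMap.end() ? 0 : it->second;
    }

    // Union of kinds over S and every symbol it is derived from: the
    // recursive check-and-merge Pengfei describes for getTaintList().
    TaintMask collectTaint(const Sym *S) const {
        if (!S)
            return 0;
        return directTaint(S) | collectTaint(S->lhs) | collectTaint(S->rhs);
    }

    bool isTainted(const Sym *S, TaintKind K) const {
        return (collectTaint(S) & (TaintMask(1) << K)) != 0;
    }
};

// Scenario from the thread: two kinds on one symbol, a symbol derived from
// tainted operands, and removal of one kind without disturbing the other.
struct DemoResult {
    bool leafHasBothKinds;
    bool derivedSeesOperandTaint;
    bool removeKeepsOtherKind;
};

DemoResult runDemo() {
    const Sym a{1, nullptr, nullptr}, b{2, nullptr, nullptr};
    const Sym sum{3, &a, &b};   // models "a + b" as a derived symbol

    TaintState st;
    st = st.addTaint(&a, TaintUser).addTaint(&a, TaintNetwork);
    st = st.addTaint(&b, TaintFile);

    DemoResult r;
    r.leafHasBothKinds = st.isTainted(&a, TaintUser) && st.isTainted(&a, TaintNetwork);
    r.derivedSeesOperandTaint = st.isTainted(&sum, TaintNetwork) &&
                                st.isTainted(&sum, TaintFile) &&
                                st.directTaint(&sum) == 0;   // nothing stored on sum itself
    const TaintState st2 = st.removeTaint(&a, TaintUser);
    r.removeKeepsOtherKind = !st2.isTainted(&a, TaintUser) &&
                             st2.isTainted(&a, TaintNetwork) &&
                             st.isTainted(&a, TaintUser);   // earlier state untouched
    return r;
}

int main() {
    const DemoResult r = runDemo();
    std::cout << "leaf carries both kinds: " << r.leafHasBothKinds << '\n'
              << "derived symbol sees operand taint: " << r.derivedSeesOperandTaint << '\n'
              << "removing one kind keeps the other: " << r.removeKeepsOtherKind << '\n';
    return 0;
}
```

In a real checker the map would be declared with REGISTER_MAP_WITH_PROGRAMSTATE and keyed by SymbolRef, and collectTaint() would walk the SymExpr operands (SymSymExpr, SymIntExpr, and so on) instead of the two fixed pointers used here; the bitmask caps the number of distinct kinds at the word width, which is the trade-off against Pengfei's list-of-structs representation.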