Help with Taint analysis

Help with Taint analysis

Juan Carlos Martinez Santos
Hello clang,

I am interested in doing taint analysis. My idea is to get a complete list of all variables which are potentially influenced by outside input. Checking the mailing list, I found that a way to do this is walking into GRExprEngine and its friends (SVals and MemRegion).

However, I don't know how to start. 

Thanks in advance,

--
Juan Carlos

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

Re: Help with Taint analysis

Lei Zhang
Maybe a new engine, instead of using the path-sensitive one (GRExprEngine)? Some work like Phoenix has done it using SSA & lattices?

2010/1/13 Juan Carlos Martinez Santos <[hidden email]>
> Hello clang,
>
> I am interested in doing taint analysis. My idea is to get a complete list of all variables which are potentially influenced by outside input. Checking the mailing list, I found that a way to do this is walking into GRExprEngine and its friends (SVals and MemRegion).
>
> However, I don't know how to start.
>
> Thanks in advance,
>
> --
> Juan Carlos

Re: Help with Taint analysis

Zhongxing Xu
In reply to this post by Juan Carlos Martinez Santos
Hi,

Check out the Checker interface. Maybe you can create a new Checker and track all taint information in that Checker with a generic data mapping. Then update the taint information via the Checker::EvalCallExpr() callback. Note that GRExprEngine is a path-sensitive analysis. I don't know if that is what you want.

Re: Help with Taint analysis

Lei Zhang
In reply to this post by Juan Carlos Martinez Santos
I don't know if clang now has the right engine for taint analysis.

Of course you can create a new checker to track all taint information using GRExprEngine as Zhongxing said, but GRExprEngine is path-sensitive. Maybe flow-sensitive analysis is enough for taint analysis?

Otherwise, I think the result from taint analysis may be useful for other checkers. So can we implement it like LiveVariable analysis?

Phoenix is a framework from MS for building compilers or program analysis tools. You can find a taint analysis example in the Phoenix SDK docs. Maybe you can borrow some ideas from it.
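
The flow-sensitive alternative raised in the thread (a dataflow pass in the style of a live-variables analysis, keeping a taint mapping that is updated at each statement) can be sketched on a toy control-flow graph. This is an added example, not code from the thread or from clang: `Stmt`, `Block`, `transfer`, `taintAnalysis` and the sample CFG are hypothetical names and constructed data.

```cpp
// Forward, flow-sensitive taint dataflow on a toy CFG (hypothetical types, not clang APIs).
#include <cstdio>
#include <deque>
#include <set>
#include <string>
#include <vector>

// dst = f(uses...); empty uses means a constant; fromSource marks outside input.
struct Stmt { std::string dst; std::vector<std::string> uses; bool fromSource; };
struct Block { std::vector<Stmt> stmts; std::vector<int> succs; };
using TaintSet = std::set<std::string>;  // lattice element; join is set union

// Transfer function: run one block's statements over the incoming taint set.
TaintSet transfer(const Block &b, TaintSet in) {
  for (const Stmt &s : b.stmts) {
    bool tainted = s.fromSource;
    for (const std::string &u : s.uses) tainted = tainted || in.count(u) > 0;
    if (tainted) in.insert(s.dst); else in.erase(s.dst);  // overwrite kills taint
  }
  return in;
}

// Worklist fixpoint; returns the set of tainted variables at each block's exit.
std::vector<TaintSet> taintAnalysis(const std::vector<Block> &cfg) {
  std::vector<TaintSet> in(cfg.size()), out(cfg.size());
  std::deque<int> work;
  for (size_t i = 0; i < cfg.size(); ++i) work.push_back((int)i);
  while (!work.empty()) {
    int n = work.front(); work.pop_front();
    out[n] = transfer(cfg[n], in[n]);
    for (int s : cfg[n].succs) {
      size_t before = in[s].size();
      in[s].insert(out[n].begin(), out[n].end());     // join with predecessor
      if (in[s].size() != before) work.push_back(s);  // input grew: revisit
    }
  }
  return out;
}

// Constructed sample: B0 -> B1 -> {B2 -> B1 (loop), B3}.
std::vector<Block> sampleCfg() {
  return {{{{"buf", {}, true}, {"n", {}, false}}, {1}},  // buf = input(); n = 0
          {{{"len", {"buf", "n"}, false}}, {2, 3}},      // len = buf + n
          {{{"n", {"len"}, false}}, {1}},                // n = len
          {{{"buf", {}, false}}, {}}};                   // buf = 0
}

int main() {  // prints the tainted variables at the exit of B0..B3
  for (const TaintSet &t : taintAnalysis(sampleCfg())) {
    for (const std::string &v : t) std::printf("%s ", v.c_str());
    std::printf("\n");
  }
}
```

The loop edge B2 -> B1 is what makes `n` tainted at B1's exit, and the constant assignment in B3 removes `buf` there, a distinction a flow-insensitive "all tainted variables" list would not make.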