Question about tainting support

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Question about tainting support

Francisco
Is it possible to mark as tainted a Sval that represents a class or struct?

For example, take a look at this code:

void somemethod(string s) {
    m(&s);
}

I want to taint 's' as soon as it is passed on 'm' method. &s represents a loc, if I try to get the Sval from it, I get a nonloc:LazyCompundVar which doesn't have a symbol associated to make it tainted.

I'm a little bit confused, could anyone please clarify this?

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Question about tainting support

Ted Kremenek
LazyCompoundVal is just the value of ’s’, it is not ’s’ itself.  After the call to ‘m’, does ’s’ have a new value?  What, semantically, are you trying to track as being tainted?

Since ’s’ is a struct value, the LazyCompoundVal is just “the struct values of ’s’ when a specific symbolic Store was used”.  We use LazyCompoundVals as an important optimization hack over CompoundVals, but they themselves do not have identity.  They do, however, wrap things that do have identity.  For example, LazyCompoundVal wraps an underlying MemRegion, which is the abstract memory that would have contained the value.  In this case, the MemRegion is for the parameter ’s’ itself.  Is the idea for ’s’ itself to be tainted?  If so, you want to query for that MemRegion, and mark it tainted.

> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <[hidden email]> wrote:
>
> Is it possible to mark as tainted a Sval that represents a class or struct?
>
> For example, take a look at this code:
>
> void somemethod(string s) {
>     m(&s);
> }
>
> I want to taint 's' as soon as it is passed on 'm' method. &s represents a loc, if I try to get the Sval from it, I get a nonloc:LazyCompundVar which doesn't have a symbol associated to make it tainted.
>
> I'm a little bit confused, could anyone please clarify this?
> _______________________________________________
> cfe-dev mailing list
> [hidden email]
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev


_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Question about tainting support

Ted Kremenek
Thinking about this more about your example…

void somemethod(string s) {
   m(&s);
}

What specifically is tainted after the the call to ‘m’?  The values of ’s’?  If we know nothing about ’s’, technically the contents of ’s’ are all invalidated by the analyzer.  Thus is makes sense to taint the region ’s’ itself.  That said, when a value gets loaded from the tainted ’s’ that also needs to be treated as tainted, thus taint is a derived property.  The taint tracking will need to handle not just symbols/region that are explicitly tainted, but taint that is implied because of the relationship to other tainted data.

For example, in this case if I taint all of ’s’, I expect that any data that I load from it to also be tainted.

> On Jul 31, 2015, at 10:15 PM, Ted Kremenek <[hidden email]> wrote:
>
> LazyCompoundVal is just the value of ’s’, it is not ’s’ itself.  After the call to ‘m’, does ’s’ have a new value?  What, semantically, are you trying to track as being tainted?
>
> Since ’s’ is a struct value, the LazyCompoundVal is just “the struct values of ’s’ when a specific symbolic Store was used”.  We use LazyCompoundVals as an important optimization hack over CompoundVals, but they themselves do not have identity.  They do, however, wrap things that do have identity.  For example, LazyCompoundVal wraps an underlying MemRegion, which is the abstract memory that would have contained the value.  In this case, the MemRegion is for the parameter ’s’ itself.  Is the idea for ’s’ itself to be tainted?  If so, you want to query for that MemRegion, and mark it tainted.
>
>> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <[hidden email]> wrote:
>>
>> Is it possible to mark as tainted a Sval that represents a class or struct?
>>
>> For example, take a look at this code:
>>
>> void somemethod(string s) {
>>    m(&s);
>> }
>>
>> I want to taint 's' as soon as it is passed on 'm' method. &s represents a loc, if I try to get the Sval from it, I get a nonloc:LazyCompundVar which doesn't have a symbol associated to make it tainted.
>>
>> I'm a little bit confused, could anyone please clarify this?
>> _______________________________________________
>> cfe-dev mailing list
>> [hidden email]
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>


_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Question about tainting support

Francisco

Ted, thanks for your response and help.


Yes, actually the idea is to taint the value of ’s’ itself. The checker would provide propagation rules in order for the user to be able to define which are the functions that get tainted data propagated to other objects (this approach is based on GenericTaintChecker, which is included with the analyzer).


I am also interested in tracking the used member variables (or global vars) on method invocation over structs. For example, given a struct like struct X { … } myStruct; and executing myStruct.someMethod(). The checker should go and visit the body of the function, and mark as tainted any uses of member vars of myStruct and also global variables.


For now, I am getting the symbolic base of the LazyCompoundVal, and just mark that as tainted as the following piece of code shows.


https://github.com/franchiotta/clang/blob/customtaintchecker/lib/StaticAnalyzer/Checkers/CustomTaintChecker.cpp#L815


2015-08-03 20:24 GMT-03:00 Ted Kremenek <[hidden email]>:
Thinking about this more about your example…

void somemethod(string s) {
   m(&s);
}

What specifically is tainted after the the call to ‘m’?  The values of ’s’?  If we know nothing about ’s’, technically the contents of ’s’ are all invalidated by the analyzer.  Thus is makes sense to taint the region ’s’ itself.  That said, when a value gets loaded from the tainted ’s’ that also needs to be treated as tainted, thus taint is a derived property.  The taint tracking will need to handle not just symbols/region that are explicitly tainted, but taint that is implied because of the relationship to other tainted data.

For example, in this case if I taint all of ’s’, I expect that any data that I load from it to also be tainted.

> On Jul 31, 2015, at 10:15 PM, Ted Kremenek <[hidden email]> wrote:
>
> LazyCompoundVal is just the value of ’s’, it is not ’s’ itself.  After the call to ‘m’, does ’s’ have a new value?  What, semantically, are you trying to track as being tainted?
>
> Since ’s’ is a struct value, the LazyCompoundVal is just “the struct values of ’s’ when a specific symbolic Store was used”.  We use LazyCompoundVals as an important optimization hack over CompoundVals, but they themselves do not have identity.  They do, however, wrap things that do have identity.  For example, LazyCompoundVal wraps an underlying MemRegion, which is the abstract memory that would have contained the value.  In this case, the MemRegion is for the parameter ’s’ itself.  Is the idea for ’s’ itself to be tainted?  If so, you want to query for that MemRegion, and mark it tainted.
>
>> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <[hidden email]> wrote:
>>
>> Is it possible to mark as tainted a Sval that represents a class or struct?
>>
>> For example, take a look at this code:
>>
>> void somemethod(string s) {
>>    m(&s);
>> }
>>
>> I want to taint 's' as soon as it is passed on 'm' method. &s represents a loc, if I try to get the Sval from it, I get a nonloc:LazyCompundVar which doesn't have a symbol associated to make it tainted.
>>
>> I'm a little bit confused, could anyone please clarify this?
>> _______________________________________________
>> cfe-dev mailing list
>> [hidden email]
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>



_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev