
[analyzer] Add custom filter functions for GenericTaintChecker
Needs Review · Public

Authored by boga95 on Mar 18 2019, 3:25 PM.

Details

Summary

One can pass a configuration file to the checker with the following argument: -analyzer-config alpha.security.taint.TaintPropagation:Config=/path/to/the/file/taint-generic-config.yaml. The config file can contain:

  • Propagations: One can define functions which propagate or create the taintedness. It has five fields:
    • Name: The name of the function. Mandatory field.
    • SrcArgs: A list of arguments. If any of them is tainted, the destination arguments will be marked as tainted. If it's not defined, the destination arguments will always be marked as tainted.
    • DstArgs: A list of arguments. Set the tainted flag for the arguments, if they are marked. The return value's index is 4294967294 (it is temporary).
    • VarType: It's an enum with three possible values: None, Src, Dst. The default value is None and does nothing.
    • VarIndex: It's the first variadic argument for the function. If VarType == Src and any of them is tainted, the destination arguments will be marked as tainted. If VarType == Dst and they are marked, all arguments from the VarIndex will be marked as tainted.
  • Filters: One can define functions which remove the tainted flag if it is passed to the proper argument.
    • Name: The name of the function. Mandatory field.
    • Args: A list of arguments. If a tainted value is passed to it, the tainted flag will be removed. Mandatory field.
  • Sinks: A list of functions which will give a warning if they get a tainted value.
    • Name: The name of the function. Mandatory field.
    • Args: A list of arguments. If any of those arguments get a tainted value, it will give a warning. Mandatory field.

For the propagations, it uses the config to deduce the TaintPropagationRules from the function's name.
The filter functions are understandable as functions which mark their arguments as not tainted. I improved the information flow from pre-visit to post-visit; therefore, the TaintTagType could be passed to the setTaint function. Currently, it only works if the argument is a pointer.
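A possible taint-generic-config.yaml that exercises all three sections described above, added here as an illustration and not part of the patch or of the Clang sources. The YAML key names and list layout are assumed from the field names in the summary, and every function name (my_read_line, my_copy, my_format, my_sanitize, my_exec, my_sql_query) is made up; the file is passed with -analyzer-config alpha.security.taint.TaintPropagation:Config=/path/to/taint-generic-config.yaml.

```yaml
# Added example config; key names assumed from the summary, function names invented.

Propagations:
  # Assumed: a line reader that always taints the buffer in argument 1 and
  # its return value. No SrcArgs, so the destinations are always marked.
  - Name: my_read_line
    DstArgs: [1, 4294967294]   # 4294967294 is the (temporary) return-value index

  # Assumed: a copy helper. Argument 1 becomes tainted only when argument 0 is.
  - Name: my_copy
    SrcArgs: [0]
    DstArgs: [1]

  # Assumed: a printf-like formatter. Argument 1 (the format) and every
  # variadic argument from index 2 onwards are sources; argument 0 is the destination.
  - Name: my_format
    SrcArgs: [1]
    DstArgs: [0]
    VarType: Src
    VarIndex: 2

Filters:
  # Assumed: a validation routine. A tainted value passed as argument 0 loses
  # its taint afterwards (per the summary this currently requires a pointer argument).
  - Name: my_sanitize
    Args: [0]

Sinks:
  # Assumed: functions that warn when the listed argument carries tainted data.
  - Name: my_exec
    Args: [0]
  - Name: my_sql_query
    Args: [1]
```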

Diff Detail

Event Timeline

boga95 created this revision. Mar 18 2019, 3:25 PM
Szelethus requested changes to this revision. Mar 19 2019, 4:29 AM

I'm very much guilty of doing functional and refactoring changes within the same patch, but I think working on GenericTaintChecker AND in the same patch doing (seemingly unrelated) function name changes in ProgramState might be overkill. Could you please divide this patch into smaller parts?

This revision now requires changes to proceed. Mar 19 2019, 4:29 AM
boga95 updated this revision to Diff 191668. Mar 21 2019, 5:56 AM
boga95 retitled this revision from "[analyzer] Make GenericTaintChecker configurable" to "[analyzer] Add custom filter functions for GenericTaintChecker".
Szelethus requested changes to this revision. Mar 25 2019, 6:10 AM

Same thing.

This revision now requires changes to proceed. Mar 25 2019, 6:10 AM

I added a new taint type, which represents a lack of taintedness. That's why I changed the name of addTaint() to setTaint(). Of course, it's not an important change; I can move it to another patch.

NoQ added a comment. Mar 26 2019, 6:47 PM

Hi, I wanted to squeeze in D59861 somewhere in the middle of your work, would you mind?
I'll definitely have a look at your patches soon :)

boga95 updated this revision to Diff 193705. Apr 4 2019, 7:13 AM

Rebase after https://reviews.llvm.org/D59861.
Fix custom filter test case: functions without definition always remove taintedness.