This is an archive of the discontinued LLVM Phabricator instance.

Differential D59516

[analyzer] Add custom filter functions for GenericTaintChecker
ClosedPublic

Authored by boga95 on Mar 18 2019, 3:25 PM.

Details

Reviewers
NoQ
Szelethus
xazax.hun
dkrupp
Commits
rG89bc4c662c6c: [analyzer] Add custom filter functions for GenericTaintChecker
Summary

One can pass a configuration file to the checker with the following argument: -analyzer-config alpha.security.taint.TaintPropagation:Config=/path/to/the/file/taint-generic-config.yaml. The config file can contain:

  • Propagations: One can define functions which propagate or create the taintedness. It has five fields:
    • Name: The name of the function. Mandatory field.
    • SrcArgs: A list of arguments. If any of them tainted, the destination arguments will be marked tainted. It's not defined, the destination arguments always will be marked as tainted.
    • DstArgs: A list of arguments. Set the tainted flag for the arguments, if they are marked. The return value's index is 4294967294(it is temporary).
    • VarType: It's an enum with three possible values: None, Src, Dst. The default value is None and do nothing.
    • VarIndex: It's the first variadic argument for the function. If VarType == Src and any of them is tainted, the destination arguments will be marked ad tainted. If VarType == Dst and they are marked, all argument from the VarIndex will be marked as tainted.
  • Filters: One can define function remove the tainted flag if it is passed to the proper argument.
    • Name: The name of the function. Mandatory field.
    • Args: A list of arguments. If a tainted value is passed to it, the tainted flag will be removed. Mandatory field.
  • Sinks: A list of function which will give a warning if it gets a tainted value.
    • Name: The name of the function. Mandatory field.
    • Args: A list of arguments. If any of those arguments get a tainted value, it will give a warning. Mandatory field.

For the propagations, it uses the config to deduce the TaintPropagationRules from the function's name.
The filter functions are understandable as functions which mark their arguments not tainted. I improved the information flow from pre-visit to post-visit, therefore, the TaintTagType could be passed to the setTaint function. Currently, it only works if the argument is a pointer.

Diff Detail

Event Timeline

boga95 created this revision.Mar 18 2019, 3:25 PM
Herald added subscribers: cfe-commits, Charusso, donat.nagy and 6 others. · View Herald TranscriptMar 18 2019, 3:25 PM
Szelethus requested changes to this revision.Mar 19 2019, 4:29 AM

I'm very much guilty of doing functional and refactoring changes within the same patch, but I think working on GenericTaintChecker AND in the same patch doing (seemingly unrelated) function name changes in ProgramState might be overkill -- Could you please divide this patch into smaller parts please?

This revision now requires changes to proceed.Mar 19 2019, 4:29 AM
boga95 added a parent revision: D59555: [analyzer] Add yaml parser to GenericTaintChecker.Mar 19 2019, 12:30 PM
boga95 added a parent revision: D59637: [analyzer] Use the custom propagation rules and sinks in GenericTaintChecker.Mar 21 2019, 5:51 AM
boga95 removed a parent revision: D59555: [analyzer] Add yaml parser to GenericTaintChecker.
boga95 updated this revision to Diff 191668.Mar 21 2019, 5:56 AM
boga95 retitled this revision from [analyzer] Make GenericTaintChecker configurable to [analyzer] Add custom filter functions for GenericTaintChecker.
Szelethus requested changes to this revision.Mar 25 2019, 6:10 AM

Same thing.

This revision now requires changes to proceed.Mar 25 2019, 6:10 AM
boga95 added a comment.Mar 26 2019, 4:10 PM

I add a new taint type, which represents a lack of taintedness. That's why I changed the name of addTaint() to setTaint(). Of course, it's not an important change, I can move it to another patch.

NoQ added a comment.Mar 26 2019, 6:47 PM

Hi, i wanted to squeeze in D59861 somewhere in the middle of your work, would you mind?
I'll definitely have a look at your patches soon :)

boga95 updated this revision to Diff 193705.Apr 4 2019, 7:13 AM

Rebase after https://reviews.llvm.org/D59861.
Fix custom filter test case: functions without definition always remove taintedness.

Szelethus added a comment.Jul 31 2019, 1:28 AM

In general, the patch is looking alright, I'll take a second look later on. Don't mind my inlines too much, they are more directed towards the original code then your changes.

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
53–56 ↗(On Diff #193705)

Interesting, isn't this predefined for std::pair?

474–476 ↗(On Diff #193705)

When do these happen? For implicit functions in C?

478–480 ↗(On Diff #193705)

And this? Lambdas maybe?

560 ↗(On Diff #193705)

Please add the full type name, else it isn't obvious why we don't take it as a const reference.

561–562 ↗(On Diff #193705)

We don't use std::pair, so we have descriptive field names, do we need these?

lib/StaticAnalyzer/Checkers/Taint.h
25–28 ↗(On Diff #193705)

Is there a very good reason behind us not using an enum instead?

boga95 updated this revision to Diff 219981.Sep 12 2019, 12:55 PM
boga95 marked 4 inline comments as done.
NoQ added a comment.Sep 12 2019, 1:23 PM

I'd like the test cases to actually demonstrate the correct use of the filters and the correct behavior of the Analyzer when the filters are annotated correctly, but it looks to me that they either demonstrate behavior when the annotation is not used correctly, or we disagree about how the taint should work in the first place. Testing the behavior when the annotation is misplaced is fine (with enough comments and probably FIXMEs where applicable), but "positive" tests are more valuable because they are the actual common cases (hopefully).

clang/test/Analysis/taint-generic.c
378–382

myFilter1 will create a new conjured symbol within x when evaluated conservatively. In this case there clearly shouldn't be a warning on Buffer[x] = 1, because nobody marked the new symbol as tainted to begin with. Therefore i think that this test doesn't really test the new functionality.

384–388

Assuming myFilter2 is inlined, we have two execution paths here. On one of them x is reset to a concrete 0. Because concrete values cannot carry taint to begin with, this execution path doesn't test the new functionality. On the other path x indeed has the old tainted value but it's now constrained to [0, INT_MAX]. Because it's still not constrained to be less than BUFSIZE, i'd say this looks more like a false negative and the new functionality makes the analysis worse. So this test does test the new functionality, but it kinda makes the new functionality look bad rather than good.

390–394

In this example myFilter3 promises not to alter the value of x due to const-qualifier on the pointee type of the parameter. Additionally, the function has no chance of preventing the program from reaching the buffer overflow line, other than crashing the program (given that it's C and there are no exceptions). Therefore i'd say this is also a false negative.

A better motivational example that doesn't immediately look like a false negative may look like this:

void testConfigurationFilter3() {
  int x = mySource1();
  if (isOutOfRange(x)) // the filter function
    return;
  Buffer[x] = 1; // no-warning
}

In this case the function looks at the value of x (there's really no need to pass it by pointer) and notifies the caller through its return value that it is unsafe to access the buffer with such index. This is probably the only situation where a "filter" annotation is actually worth it.

NoQ added inline comments.Sep 12 2019, 3:31 PM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
517

Why not simply remove taint?

boga95 updated this revision to Diff 220385.Sep 16 2019, 1:50 PM
boga95 marked 4 inline comments as done.
boga95 marked 7 inline comments as done.Oct 3 2019, 1:48 PM

Ping

clang/test/Analysis/taint-generic.c
390–394

It could work with C++ despite it hasn't supported any specific feature (yet).

I pass it by const int* because it currently doesn't support the value semantics :(. It has been already in my TODO list.

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
53–56 ↗(On Diff #193705)

Unfortunately, it's not.

474–476 ↗(On Diff #193705)

For example, a lambda doesn't have an FunctionDecl.

478–480 ↗(On Diff #193705)

I haven't found any example of this. It's just a copy-paste refactoring so I don't know the intentions behind that.

I think the checker should work perfectly without it.

lib/StaticAnalyzer/Checkers/Taint.h
25–28 ↗(On Diff #193705)

Unfortunately, enums cannot put into FoldingSet. It has to be a primitive type or a struct with the necessary functions. I can use enums and cast them to unsigned and back, but it isn't convenient.

boga95 marked 2 inline comments as done.Oct 9 2019, 2:37 PM

Ping

steakhal added a subscriber: steakhal.Oct 15 2019, 1:28 AM

I think this patch is ok.

Although there are remarks:

  • I think the current implementation of the taint filtering functions does not follow the expected semantics. Now the modelling would remove taint before calling the function (pre statement). One might expect that the modelling would remove taint only on function return (post statement). This way we would not catch this:
int myFilter(int* p) { // this function is stated as a filter function in the config file
  int lookupTable[32] = {};
  int value = lookupTable[*p]; // using a tainted value for indexing
  escape(p);
  return value;
}
  • I agree with @NoQ about the testConfigurationFilter, which now does not test the implementation but the behavior of the static analyzer if it conservatively invalidates in case of an unknown function call.
  • I also think that we should have testcases for testing the filtering functionality of the config file. Eg. using the myFilter1 could do the job here in the tests.

All in all, I still say that it seems to be a good patch.

clang/test/Analysis/taint-generic.c
59

Have you considered using _Bool instead?

NoQ accepted this revision.Nov 7 2019, 4:53 PM

@NoQ: "Why not simply remove taint?"
@boga95: *removes taint*
@NoQ: "Hmm, now that i think about it, adding a 'no taint' marker might actually work correctly more often."

Like, if you have taint on $x and try to remove taint from derived<$x, x.a>, your current implementation will do nothing. But the approach with adding a 'no taint' marker will actually add a new marker and make subsequent lookups to derived<$x, x.a> will return the newly added marker, which is the correct behavior; additionally, derived<$x, x.b> would remain tainted (where b != a), which is also the correct behavior. It would have still failed when you describe the sub-region slightly differently, but that'd be a fairly minor glitch.

The right way to proceed further with the removeTaint() approach on SymbolDerived is to introduce removePartialTaint() that would complement addPartialTaint(). But that will require changing the data structure in the program state from a simple set of tainted sub-regions to a sophisticated tree of sub-regions that are marked up as tainted or not tainted. Which might have as well been a marker.

I still tend to believe that removeTaint() is the right approach, but it's a bit harder to get right and a bit worse if not enough effort is invested into it.

There definitely is, however, a good use for the removeTaint() function in both approaches: namely, our taint checker still lacks checkDeadSymbols :D

clang/lib/StaticAnalyzer/Checkers/Taint.cpp
111–112

That's not entirely true. Like, if you check (char)x, you still have 24 bytes of x controlled by the attacker. But that's a good false-positive-proof approach.

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
474–476 ↗(On Diff #193705)

Lambda most certainly has a FunctionDecl, which is the declaration of its operator()(), and that's exactly what's going to be in FDecl if a lambda is invoked. However, the getKind() of this FunctionDecl will not be Decl::Function but Decl::CXXMethod, like of any other member function.

So this second check is checking that the function is a simple global function.

I recommend replacing with !isa<CXXMethodDecl>(FDecl), purely for readability, or at least adding a comment.

Szelethus accepted this revision.Nov 8 2019, 5:30 AM

LGTM, provided that the inlines are addressed! Thanks!

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
102–103

I recall that the current thinking is preferring CallEvent, though leave this as-is for now, because @steakhal might already have it locally.

105

We might as well explain what the return value here means (and for the other functions too).

This revision is now accepted and ready to land.Nov 8 2019, 5:30 AM
boga95 marked 2 inline comments as done.Nov 16 2019, 6:30 AM

I did the required changes and tried to commit it, but I couldn't. I heard the codebase was migrated to GitHub. Maybe it affected my commit access.

NoQ added a comment.Nov 19 2019, 12:22 PM

You're now supposed to push directly to github.
You might also have missed http://lists.llvm.org/pipermail/cfe-dev/2019-August/063219.html.

NoQ added a comment.Nov 19 2019, 12:23 PM

See also https://llvm.org/docs/DeveloperPolicy.html#current-contributors-transfering-from-svn.

Closed by commit rG89bc4c662c6c: [analyzer] Add custom filter functions for GenericTaintChecker (authored by boga95). · Explain WhyNov 23 2019, 11:33 AM
This revision was automatically updated to reflect the committed changes.
boga95 marked 2 inline comments as done.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
86 lines
38 lines
37 lines
test/
Analysis/
Inputs/
4 lines
10 lines

Diff 220385

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 93 Lines▼ Show 20 Linesprivate:
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
void initBugType() const { void initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType(this, "Use of Untrusted Data", "Untrusted Data")); BT.reset(new BugType(this, "Use of Untrusted Data", "Untrusted Data"));
} }
/// Catch taint related bugs. Check if tainted data is passed to a /// Catch taint related bugs. Check if tainted data is passed to a
/// system call etc. /// system call etc.
bool checkPre(const CallExpr *CE, CheckerContext &C) const; bool checkPre(const CallExpr *CE, const FunctionDecl *FDecl, StringRef Name,
CheckerContext &C) const;
SzelethusUnsubmitted
Done
ReplyInline Actions

I recall that the current thinking is preferring CallEvent, though leave this as-is for now, because @steakhal might already have it locally.

Szelethus: I recall that the current thinking is preferring `CallEvent`, though leave this as-is for now…
/// Add taint sources on a pre-visit. /// Add taint sources on a pre-visit.
SzelethusUnsubmitted
Done
ReplyInline Actions

We might as well explain what the return value here means (and for the other functions too).

Szelethus: We might as well explain what the return value here means (and for the other functions too).
void addSourcesPre(const CallExpr *CE, CheckerContext &C) const; bool addSourcesPre(const CallExpr *CE, const FunctionDecl *FDecl,
StringRef Name, CheckerContext &C) const;
/// Mark filter's arguments not tainted on a pre-visit.
bool addFiltersPre(const CallExpr *CE, StringRef Name,
CheckerContext &C) const;
/// Propagate taint generated at pre-visit. /// Propagate taint generated at pre-visit.
bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const; bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const;
/// Check if the region the expression evaluates to is the standard input, /// Check if the region the expression evaluates to is the standard input,
/// and thus, is tainted. /// and thus, is tainted.
static bool isStdin(const Expr *E, CheckerContext &C); static bool isStdin(const Expr *E, CheckerContext &C);
▲ Show 20 LinesShow All 323 Lines▼ Show 20 LinesGenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
if (It != CustomPropagations.end()) if (It != CustomPropagations.end())
return It->getValue(); return It->getValue();
return TaintPropagationRule(); return TaintPropagationRule();
} }
void GenericTaintChecker::checkPreStmt(const CallExpr *CE, void GenericTaintChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl || FDecl->getKind() != Decl::Function)
return;
StringRef Name = C.getCalleeName(FDecl);
if (Name.empty())
return;
// Check for taintedness related errors first: system call, uncontrolled // Check for taintedness related errors first: system call, uncontrolled
// format string, tainted buffer size. // format string, tainted buffer size.
if (checkPre(CE, C)) if (checkPre(CE, FDecl, Name, C))
return; return;
// Marks the function's arguments and/or return value tainted if it present in // Marks the function's arguments and/or return value tainted if it present in
// the list. // the list.
addSourcesPre(CE, C); if (addSourcesPre(CE, FDecl, Name, C))
return;
addFiltersPre(CE, Name, C);
} }
void GenericTaintChecker::checkPostStmt(const CallExpr *CE, void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
// Set the marked values as tainted. The return value only accessible from // Set the marked values as tainted. The return value only accessible from
// checkPostStmt. // checkPostStmt.
propagateFromPre(CE, C); propagateFromPre(CE, C);
} }
void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {
printTaint(State, Out, NL, Sep); printTaint(State, Out, NL, Sep);
} }
void GenericTaintChecker::addSourcesPre(const CallExpr *CE, bool GenericTaintChecker::addSourcesPre(const CallExpr *CE,
const FunctionDecl *FDecl,
StringRef Name,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = nullptr;
const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl || FDecl->getKind() != Decl::Function)
return;
StringRef Name = C.getCalleeName(FDecl);
if (Name.empty())
return;
// First, try generating a propagation rule for this function. // First, try generating a propagation rule for this function.
TaintPropagationRule Rule = TaintPropagationRule::getTaintPropagationRule( TaintPropagationRule Rule = TaintPropagationRule::getTaintPropagationRule(
this->CustomPropagations, FDecl, Name, C); this->CustomPropagations, FDecl, Name, C);
if (!Rule.isNull()) { if (!Rule.isNull()) {
State = Rule.process(CE, C); ProgramStateRef State = Rule.process(CE, C);
if (!State) if (State) {
return;
C.addTransition(State); C.addTransition(State);
return; return true;
}
}
return false;
} }
if (!State) bool GenericTaintChecker::addFiltersPre(const CallExpr *CE, StringRef Name,
return; CheckerContext &C) const {
auto It = CustomFilters.find(Name);
if (It == CustomFilters.end())
return false;
ProgramStateRef State = C.getState();
const ArgVector &Args = It->getValue();
for (unsigned ArgNum : Args) {
if (ArgNum >= CE->getNumArgs())
continue;
const Expr *Arg = CE->getArg(ArgNum);
Optional<SVal> V = getPointedToSVal(C, Arg);
if (V)
State = removeTaint(State, *V);
NoQUnsubmitted
Done
ReplyInline Actions

Why not simply remove taint?

NoQ: Why not simply remove taint?
}
if (State != C.getState()) {
C.addTransition(State); C.addTransition(State);
return true;
}
return false;
} }
bool GenericTaintChecker::propagateFromPre(const CallExpr *CE, bool GenericTaintChecker::propagateFromPre(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Depending on what was tainted at pre-visit, we determined a set of // Depending on what was tainted at pre-visit, we determined a set of
// arguments which should be tainted after the function returns. These are // arguments which should be tainted after the function returns. These are
Show All 25 Linesbool GenericTaintChecker::propagateFromPre(const CallExpr *CE,
if (State != C.getState()) { if (State != C.getState()) {
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::checkPre(const CallExpr *CE, bool GenericTaintChecker::checkPre(const CallExpr *CE,
const FunctionDecl *FDecl, StringRef Name,
CheckerContext &C) const { CheckerContext &C) const {
if (checkUncontrolledFormatString(CE, C)) if (checkUncontrolledFormatString(CE, C))
return true; return true;
const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl || FDecl->getKind() != Decl::Function)
return false;
StringRef Name = C.getCalleeName(FDecl);
if (Name.empty())
return false;
if (checkSystemCall(CE, Name, C)) if (checkSystemCall(CE, Name, C))
return true; return true;
if (checkTaintedBufferSize(CE, FDecl, C)) if (checkTaintedBufferSize(CE, FDecl, C))
return true; return true;
if (checkCustomSinks(CE, Name, C)) if (checkCustomSinks(CE, Name, C))
return true; return true;
▲ Show 20 LinesShow All 302 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/Taint.h

Show All 21 Lines
/// The type of taint, which helps to differentiate between different types of /// The type of taint, which helps to differentiate between different types of
/// taint. /// taint.
using TaintTagType = unsigned; using TaintTagType = unsigned;
static constexpr TaintTagType TaintTagGeneric = 0; static constexpr TaintTagType TaintTagGeneric = 0;
/// Create a new state in which the value of the statement is marked as tainted. /// Create a new state in which the value of the statement is marked as tainted.
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
addTaint(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the value is marked as tainted. /// Create a new state in which the value is marked as tainted.
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V,
addTaint(ProgramStateRef State, SVal V,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the symbol is marked as tainted. /// Create a new state in which the symbol is marked as tainted.
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
addTaint(ProgramStateRef State, SymbolRef Sym,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the pointer represented by the region /// Create a new state in which the pointer represented by the region
/// is marked as tainted. /// is marked as tainted.
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State,
addTaint(ProgramStateRef State, const MemRegion *R, const MemRegion *R,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
const MemRegion *R);
LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
SymbolRef Sym);
/// Create a new state in a which a sub-region of a given symbol is tainted. /// Create a new state in a which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that can not have an /// This might be necessary when referring to regions that can not have an
/// individual symbol, e.g. if they are represented by the default binding of /// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal. /// a LazyCompoundVal.
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef addPartialTaint(
addPartialTaint(ProgramStateRef State, ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion,
SymbolRef ParentSym, const SubRegion *SubRegion,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
/// Check if the statement has a tainted value in the given state. /// Check if the statement has a tainted value in the given state.
bool isTainted(ProgramStateRef State, const Stmt *S, bool isTainted(ProgramStateRef State, const Stmt *S,
const LocationContext *LCtx, const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric); TaintTagType Kind = TaintTagGeneric);
/// Check if the value is tainted in the given state. /// Check if the value is tainted in the given state.
bool isTainted(ProgramStateRef State, SVal V, bool isTainted(ProgramStateRef State, SVal V,
Show All 28 Lines PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReport &BR) override; BugReport &BR) override;
}; };
} // namespace taint } // namespace taint
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif #endif

clang/lib/StaticAnalyzer/Checkers/Taint.cpp

Show All 31 Linesvoid taint::printTaint(ProgramStateRef State, raw_ostream &Out, const char *NL,
if (!TM.isEmpty()) if (!TM.isEmpty())
Out << "Tainted symbols:" << NL; Out << "Tainted symbols:" << NL;
for (const auto &I : TM) for (const auto &I : TM)
Out << I.first << " : " << I.second << NL; Out << I.first << " : " << I.second << NL;
} }
void dumpTaint(ProgramStateRef State) { void dumpTaint(ProgramStateRef State) { printTaint(State, llvm::errs()); }
printTaint(State, llvm::errs());
}
ProgramStateRef taint::addTaint(ProgramStateRef State, const Stmt *S, ProgramStateRef taint::addTaint(ProgramStateRef State, const Stmt *S,
const LocationContext *LCtx, const LocationContext *LCtx,
TaintTagType Kind) { TaintTagType Kind) {
return addTaint(State, State->getSVal(S, LCtx), Kind); return addTaint(State, State->getSVal(S, LCtx), Kind);
} }
ProgramStateRef taint::addTaint(ProgramStateRef State, SVal V, ProgramStateRef taint::addTaint(ProgramStateRef State, SVal V,
TaintTagType Kind) { TaintTagType Kind) {
SymbolRef Sym = V.getAsSymbol(); SymbolRef Sym = V.getAsSymbol();
if (Sym) if (Sym)
return addTaint(State, Sym, Kind); return addTaint(State, Sym, Kind);
// If the SVal represents a structure, try to mass-taint all values within the // If the SVal represents a structure, try to mass-taint all values within the
// structure. For now it only works efficiently on lazy compound values that // structure. For now it only works efficiently on lazy compound values that
// were conjured during a conservative evaluation of a function - either as // were conjured during a conservative evaluation of a function - either as
// return values of functions that return structures or arrays by value, or as // return values of functions that return structures or arrays by value, or as
// values of structures or arrays passed into the function by reference, // values of structures or arrays passed into the function by reference,
// directly or through pointer aliasing. Such lazy compound values are // directly or through pointer aliasing. Such lazy compound values are
// characterized by having exactly one binding in their captured store within // characterized by having exactly one binding in their captured store within
// their parent region, which is a conjured symbol default-bound to the base // their parent region, which is a conjured symbol default-bound to the base
// region of the parent region. // region of the parent region.
if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) { if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) {
if (Optional<SVal> binding = if (Optional<SVal> binding =
State->getStateManager().getStoreManager() State->getStateManager().getStoreManager().getDefaultBinding(
.getDefaultBinding(*LCV)) { *LCV)) {
if (SymbolRef Sym = binding->getAsSymbol()) if (SymbolRef Sym = binding->getAsSymbol())
return addPartialTaint(State, Sym, LCV->getRegion(), Kind); return addPartialTaint(State, Sym, LCV->getRegion(), Kind);
} }
} }
const MemRegion *R = V.getAsRegion(); const MemRegion *R = V.getAsRegion();
return addTaint(State, R, Kind); return addTaint(State, R, Kind);
} }
Show All 12 LinesProgramStateRef taint::addTaint(ProgramStateRef State, SymbolRef Sym,
while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym)) while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
Sym = SC->getOperand(); Sym = SC->getOperand();
ProgramStateRef NewState = State->set<TaintMap>(Sym, Kind); ProgramStateRef NewState = State->set<TaintMap>(Sym, Kind);
assert(NewState); assert(NewState);
return NewState; return NewState;
} }
ProgramStateRef taint::removeTaint(ProgramStateRef State, SVal V) {
SymbolRef Sym = V.getAsSymbol();
if (Sym)
return removeTaint(State, Sym);
const MemRegion *R = V.getAsRegion();
return removeTaint(State, R);
}
ProgramStateRef taint::removeTaint(ProgramStateRef State, const MemRegion *R) {
if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
return removeTaint(State, SR->getSymbol());
return State;
}
ProgramStateRef taint::removeTaint(ProgramStateRef State, SymbolRef Sym) {
// If this is a symbol cast, remove the cast before adding the taint. Taint
// is cast agnostic.
NoQUnsubmitted
Done
ReplyInline Actions

That's not entirely true. Like, if you check (char)x, you still have 24 bytes of x controlled by the attacker. But that's a good false-positive-proof approach.

NoQ: That's not entirely true. Like, if you check `(char)x`, you still have 24 bytes of `x`…
while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
Sym = SC->getOperand();
ProgramStateRef NewState = State->remove<TaintMap>(Sym);
assert(NewState);
return NewState;
}
ProgramStateRef taint::addPartialTaint(ProgramStateRef State, ProgramStateRef taint::addPartialTaint(ProgramStateRef State,
SymbolRef ParentSym, SymbolRef ParentSym,
const SubRegion *SubRegion, const SubRegion *SubRegion,
TaintTagType Kind) { TaintTagType Kind) {
// Ignore partial taint if the entire parent symbol is already tainted. // Ignore partial taint if the entire parent symbol is already tainted.
if (const TaintTagType *T = State->get<TaintMap>(ParentSym)) if (const TaintTagType *T = State->get<TaintMap>(ParentSym))
if (*T == Kind) if (*T == Kind)
return State; return State;
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines
} }
bool taint::isTainted(ProgramStateRef State, SymbolRef Sym, TaintTagType Kind) { bool taint::isTainted(ProgramStateRef State, SymbolRef Sym, TaintTagType Kind) {
if (!Sym) if (!Sym)
return false; return false;
// Traverse all the symbols this symbol depends on to see if any are tainted. // Traverse all the symbols this symbol depends on to see if any are tainted.
for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), for (SymExpr::symbol_iterator SI = Sym->symbol_begin(),
SE = Sym->symbol_end(); SI != SE; ++SI) { SE = Sym->symbol_end();
SI != SE; ++SI) {
if (!isa<SymbolData>(*SI)) if (!isa<SymbolData>(*SI))
continue; continue;
if (const TaintTagType *Tag = State->get<TaintMap>(*SI)) { if (const TaintTagType *Tag = State->get<TaintMap>(*SI)) {
if (*Tag == Kind) if (*Tag == Kind)
return true; return true;
} }
▲ Show 20 LinesShow All 59 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/taint-generic-config.yaml

Show All 30 Lines - Name: mySnprintf
SrcArgs: [1] SrcArgs: [1]
DstArgs: [0, -1] DstArgs: [0, -1]
VariadicType: Src VariadicType: Src
VariadicIndex: 3 VariadicIndex: 3
# A list of filter functions # A list of filter functions
Filters: Filters:
# int x; // x is tainted # int x; // x is tainted
# myFilter(&x); // x is not tainted anymore # isOutOfRange(&x); // x is not tainted anymore
- Name: myFilter - Name: isOutOfRange
Args: [0] Args: [0]
# A list of sink functions # A list of sink functions
Sinks: Sinks:
# int x, y; // x and y are tainted # int x, y; // x and y are tainted
# mySink(x, 0, 1); // It will warn # mySink(x, 0, 1); // It will warn
# mySink(0, 1, y); // It will warn # mySink(0, 1, y); // It will warn
# mySink(0, x, 1); // It won't warn # mySink(0, x, 1); // It won't warn
- Name: mySink - Name: mySink
Args: [0, 2] Args: [0, 2]

clang/test/Analysis/taint-generic.c

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
typedef struct _FILE FILE; typedef struct _FILE FILE;
#ifdef FILE_IS_STRUCT #ifdef FILE_IS_STRUCT
extern struct _FILE *stdin; extern struct _FILE *stdin;
#else #else
extern FILE *stdin; extern FILE *stdin;
#endif #endif
#define bool int
steakhalUnsubmitted
Done
ReplyInline Actions

Have you considered using _Bool instead?

steakhal: Have you considered using `_Bool` instead?
int fscanf(FILE *restrict stream, const char *restrict format, ...); int fscanf(FILE *restrict stream, const char *restrict format, ...);
int sprintf(char *str, const char *format, ...); int sprintf(char *str, const char *format, ...);
void setproctitle(const char *fmt, ...); void setproctitle(const char *fmt, ...);
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
// Define string functions. Use builtin for some of them. They all default to // Define string functions. Use builtin for some of them. They all default to
// the processing in the taint checker. // the processing in the taint checker.
#define strcpy(dest, src) \ #define strcpy(dest, src) \
▲ Show 20 LinesShow All 274 Lines▼ Show 20 Lines
// Test configuration // Test configuration
int mySource1(); int mySource1();
void mySource2(int*); void mySource2(int*);
void myScanf(const char*, ...); void myScanf(const char*, ...);
int myPropagator(int, int*); int myPropagator(int, int*);
int mySnprintf(char*, size_t, const char*, ...); int mySnprintf(char*, size_t, const char*, ...);
bool isOutOfRange(const int*);
void mySink(int, int, int); void mySink(int, int, int);
void testConfigurationSources1() { void testConfigurationSources1() {
int x = mySource1(); int x = mySource1();
Buffer[x] = 1; // expected-warning {{Out of bound memory access }} Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
} }
void testConfigurationSources2() { void testConfigurationSources2() {
Show All 10 Lines
void testConfigurationPropagation() { void testConfigurationPropagation() {
int x = mySource1(); int x = mySource1();
int y; int y;
myPropagator(x, &y); myPropagator(x, &y);
Buffer[y] = 1; // expected-warning {{Out of bound memory access }} Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
} }
void testConfigurationFilter() {
int x = mySource1();
if (isOutOfRange(&x)) // the filter function
return;
Buffer[x] = 1; // no-warning
NoQUnsubmitted
Done
ReplyInline Actions

myFilter1 will create a new conjured symbol within x when evaluated conservatively. In this case there clearly shouldn't be a warning on Buffer[x] = 1, because nobody marked the new symbol as tainted to begin with. Therefore i think that this test doesn't really test the new functionality.

NoQ: `myFilter1` will create a new conjured symbol within `x` when evaluated conservatively. In this…
}
void testConfigurationSinks() { void testConfigurationSinks() {
int x = mySource1(); int x = mySource1();
mySink(x, 1, 2); mySink(x, 1, 2);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
NoQUnsubmitted
Done
ReplyInline Actions

Assuming myFilter2 is inlined, we have two execution paths here. On one of them x is reset to a concrete 0. Because concrete values cannot carry taint to begin with, this execution path doesn't test the new functionality. On the other path x indeed has the old tainted value but it's now constrained to [0, INT_MAX]. Because it's still not constrained to be less than BUFSIZE, i'd say this looks more like a false negative and the new functionality makes the analysis worse. So this test does test the new functionality, but it kinda makes the new functionality look bad rather than good.

NoQ: Assuming `myFilter2` is inlined, we have two execution paths here. On one of them `x` is reset…
mySink(1, x, 2); // no-warning mySink(1, x, 2); // no-warning
mySink(1, 2, x); mySink(1, 2, x);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
} }