C++: IR-based taint tracking#966
Conversation
| @@ -0,0 +1,6 @@ | |||
| | taint.cpp:35:12:35:17 | taint.cpp:41:7:41:13 | AST only | | |||
| | taint.cpp:35:12:35:17 | taint.cpp:42:7:42:13 | AST only | | |||
| | taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only | | |||
There was a problem hiding this comment.
these three are local flow through global variables
| | taint.cpp:35:12:35:17 | taint.cpp:42:7:42:13 | AST only | | ||
| | taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only | | ||
| | taint.cpp:120:11:120:16 | taint.cpp:137:7:137:9 | AST only | | ||
| | taint.cpp:127:8:127:13 | taint.cpp:130:7:130:9 | IR only | |
There was a problem hiding this comment.
These two lines are improvements; the result on 120 is a false positive in the AST, the result on 127 is a false negative in the AST
| | taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only | | ||
| | taint.cpp:120:11:120:16 | taint.cpp:137:7:137:9 | AST only | | ||
| | taint.cpp:127:8:127:13 | taint.cpp:130:7:130:9 | IR only | | ||
| | taint.cpp:185:11:185:16 | taint.cpp:181:8:181:9 | AST only | |
There was a problem hiding this comment.
This is a regression, because the AST taint-tracking library treats addresses of tainted data as tainted; this should be fixed once interprocedural buffer flow is added.
jbj
left a comment
There was a problem hiding this comment.
LGTM. I don't have any comments that should block the merge.
| @@ -1,5 +1,5 @@ | |||
| int source(); | |||
| void sink(...); | |||
| void sink(...) {}; | |||
There was a problem hiding this comment.
Why? By the way, I changed the data-flow version of this test in 502b7cf, and this should probably be changed similarly.
There was a problem hiding this comment.
This will make the argument to sink be considered non-escaping, which should help with the last test in the file once we get interprocedural buffer flow.
| ( | ||
| nodeTo instanceof ArithmeticInstruction | ||
| or | ||
| nodeTo instanceof BitwiseInstruction |
There was a problem hiding this comment.
I wonder if we should block taint propagation at bitwise and by default. It really requires both operands to be tainted before the result of the and is tainted. Anyway, let's defer that until later.
No description provided.