Skip to content

C++: IR-based taint tracking#966

Merged
jbj merged 4 commits into
github:masterfrom
rdmarsh2:rdmarsh/cpp/ir-taint-tracking
Feb 22, 2019
Merged

C++: IR-based taint tracking#966
jbj merged 4 commits into
github:masterfrom
rdmarsh2:rdmarsh/cpp/ir-taint-tracking

Conversation

@rdmarsh2

Copy link
Copy Markdown
Contributor

No description provided.

@rdmarsh2 rdmarsh2 requested a review from a team as a code owner February 22, 2019 01:19
@@ -0,0 +1,6 @@
| taint.cpp:35:12:35:17 | taint.cpp:41:7:41:13 | AST only |
| taint.cpp:35:12:35:17 | taint.cpp:42:7:42:13 | AST only |
| taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only |

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these three are local flow through global variables

| taint.cpp:35:12:35:17 | taint.cpp:42:7:42:13 | AST only |
| taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only |
| taint.cpp:120:11:120:16 | taint.cpp:137:7:137:9 | AST only |
| taint.cpp:127:8:127:13 | taint.cpp:130:7:130:9 | IR only |

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two lines are improvements; the result on 120 is a false positive in the AST, the result on 127 is a false negative in the AST

| taint.cpp:37:22:37:27 | taint.cpp:43:7:43:13 | AST only |
| taint.cpp:120:11:120:16 | taint.cpp:137:7:137:9 | AST only |
| taint.cpp:127:8:127:13 | taint.cpp:130:7:130:9 | IR only |
| taint.cpp:185:11:185:16 | taint.cpp:181:8:181:9 | AST only |

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a regression, because the AST taint-tracking library treats addresses of tainted data as tainted; this should be fixed once interprocedural buffer flow is added.

@jbj jbj added the C++ label Feb 22, 2019

@jbj jbj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I don't have any comments that should block the merge.

@@ -1,5 +1,5 @@
int source();
void sink(...);
void sink(...) {};

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? By the way, I changed the data-flow version of this test in 502b7cf, and this should probably be changed similarly.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will make the argument to sink be considered non-escaping, which should help with the last test in the file once we get interprocedural buffer flow.

(
nodeTo instanceof ArithmeticInstruction
or
nodeTo instanceof BitwiseInstruction

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should block taint propagation at bitwise and by default. It really requires both operands to be tainted before the result of the and is tainted. Anyway, let's defer that until later.

@jbj jbj merged commit 21573d3 into github:master Feb 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants