Exemple #1
        /// <summary>
        /// Visits a native analyzer program point and sets the info attached to the function's return value.
        /// For a function listed in <c>nativeSanitizers</c> the info is built from <c>false</c>; for any other
        /// native function it is built from the merge of all argument values.
        /// </summary>
        /// <param name="p">program point to visit</param>
        public override void VisitNativeAnalyzer(NativeAnalyzerPoint p)
        {
            string functionName = p.OwningPPGraph.FunctionName;

            // A sanitizer is recognised by its name alone; the arguments are never inspected here.
            // NOTE(review): presumably CreateInfo(false) means "not tainted" - confirm. If so, every
            // name in nativeSanitizers clears taint unconditionally, so that list is worth auditing.
            if (nativeSanitizers.Contains(functionName))
            {
                FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(false)));
                return;
            }

            // Not a sanitizer: the return value's info is derived from the arguments.

            // 1. Collect the values of the function's arguments.
            // TODO: code duplication: the following code, code in SimpleFunctionResolver, and NativeFunctionAnalyzer. Move the code to some API (? FlowInputSet)
            // The argument count is read in MemoryLevel mode; the mode is switched to InfoLevel afterwards.
            Input.SetMode(SnapshotMode.MemoryLevel);
            VariableIdentifier countIdentifier = new VariableIdentifier(".argument_count");
            MemoryEntry countEntry = InputSet.ReadVariable(countIdentifier).ReadMemory(Input);
            Input.SetMode(SnapshotMode.InfoLevel);

            // Only the first possible value of the count is used, and it is assumed to be an IntegerValue;
            // an empty set or another value type throws here.
            IntegerValue firstCount = (IntegerValue)countEntry.PossibleValues.ElementAt(0);
            int argumentCount = firstCount.Value;

            List<Value> collectedValues = new List<Value>();
            int index = 0;
            while (index < argumentCount)
            {
                MemoryEntry argumentEntry = OutputSet.ReadVariable(Argument(index)).ReadMemory(OutputSet.Snapshot);
                collectedValues.AddRange(argumentEntry.PossibleValues);
                index++;
            }

            // 2. Propagate the merged argument info to the return value.
            FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(mergeTaint(collectedValues))));
        }
Exemple #2
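        /// <summary>
        /// Visits a native analyzer program point. If function is a sanitizer, the output is sanitized,
        /// if it is a reporting function, a warning is created.
        /// </summary>
        /// <remarks>
        /// The values of all arguments are collected and merged into one taint info. That info is passed to
        /// <c>sanitize</c> and <c>warningsReportingFunct</c>, and is written to the return value only when it
        /// is tainted or marks a possible null value.
        /// </remarks>
        /// <param name="p">program point to visit</param>
        public override void VisitNativeAnalyzer(NativeAnalyzerPoint p)
        {
            _currentPoint = p;

            // 1. Get values of arguments of the function
            // TODO: code duplication: the following code, code in SimpleFunctionResolver, and NativeFunctionAnalyzer. Move the code to some API (? FlowInputSet)
            Input.SetMode(SnapshotMode.MemoryLevel);
            MemoryEntry argc = InputSet.ReadVariable(new VariableIdentifier(".argument_count")).ReadMemory(Input);

            Input.SetMode(SnapshotMode.InfoLevel);
            // Only the first possible value of the count is used, and it is assumed to be an IntegerValue.
            int argumentCount = ((IntegerValue)argc.PossibleValues.ElementAt(0)).Value;

            List<ValueInfo> values = new List<ValueInfo>();
            bool nullValue = false;

            for (int i = 0; i < argumentCount; i++)
            {
                MemoryEntry argument = OutputSet.ReadVariable(Argument(i)).ReadMemory(OutputSet.Snapshot);
                List<Value> argumentValues = new List<Value>(argument.PossibleValues);
                if (hasPossibleNullValue(OutputSet.ReadVariable(Argument(i))))
                {
                    nullValue = true;
                }

                // An InfoValue<VariableIdentifier> among the values carries a variable identifier rather
                // than taint data: it is split off and handed to ValueInfo separately.
                // If several are present, the last one wins and only that one is removed.
                VariableIdentifier varID = null;
                Value toRemove = null;
                foreach (Value val in argumentValues)
                {
                    InfoValue<VariableIdentifier> identifierInfo = val as InfoValue<VariableIdentifier>;
                    if (identifierInfo != null)
                    {
                        varID = identifierInfo.Data;
                        toRemove = val;
                    }
                }
                if (toRemove != null)
                {
                    argumentValues.Remove(toRemove);
                }
                values.Add(new ValueInfo(argumentValues, varID));
            }

            TaintInfo outputTaint = mergeTaint(values, nullValue);

            // try to sanitize the taint info
            if (outputTaint != null)
            {
                sanitize(p, ref outputTaint);
                warningsReportingFunct(p, outputTaint);
            }

            // The check above treats a null taint info as possible, and sanitize receives it by ref,
            // so it may also be null afterwards. Dereferencing it below would then throw and abort
            // the visit; with nothing to propagate, leave the return value untouched instead.
            if (outputTaint == null)
            {
                return;
            }

            // 2. Propagate arguments to the return value.
            // TODO: quick fix
            // NOTE(review): when the merged info is neither tainted nor possibly null, no return info is
            // written at all - confirm the return slot cannot keep info from an earlier visit.
            if (outputTaint.tainted || outputTaint.nullValue)
            {
                FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(outputTaint)));
            }
        }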