public override void VisitNativeAnalyzer(NativeAnalyzerPoint p)
{
string functionName = p.OwningPPGraph.FunctionName;
if (nativeSanitizers.Contains(p.OwningPPGraph.FunctionName))
{
FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(false)));
return;
}
// If a native function is not sanitizer, propagates taint status from arguments to return value
// 1. Get values of arguments of the function
// TODO: code duplication: the following code, code in SimpleFunctionResolver, and NativeFunctionAnalyzer. Move the code to some API (? FlowInputSet)
Input.SetMode(SnapshotMode.MemoryLevel);
MemoryEntry argc = InputSet.ReadVariable(new VariableIdentifier(".argument_count")).ReadMemory(Input);
Input.SetMode(SnapshotMode.InfoLevel);
int argumentCount = ((IntegerValue)argc.PossibleValues.ElementAt(0)).Value;
List <MemoryEntry> arguments = new List <MemoryEntry>();
List <Value> argumentValues = new List <Value>();
for (int i = 0; i < argumentCount; i++)
{
arguments.Add(OutputSet.ReadVariable(Argument(i)).ReadMemory(OutputSet.Snapshot));
argumentValues.AddRange(arguments.Last().PossibleValues);
}
// 2. Propagate arguments to the return value.
FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(mergeTaint(argumentValues))));
}
/// <summary>
/// Visits a native analyzer program point. If function is a sanitizer, the output is sanitized,
/// if it is a reporting function, a warning is created.
/// </summary>
/// <param name="p">program point to visit</param>
public override void VisitNativeAnalyzer(NativeAnalyzerPoint p)
{
_currentPoint = p;
string functionName = p.OwningPPGraph.FunctionName;
// 1. Get values of arguments of the function
// TODO: code duplication: the following code, code in SimpleFunctionResolver, and NativeFunctionAnalyzer. Move the code to some API (? FlowInputSet)
Input.SetMode(SnapshotMode.MemoryLevel);
MemoryEntry argc = InputSet.ReadVariable(new VariableIdentifier(".argument_count")).ReadMemory(Input);
Input.SetMode(SnapshotMode.InfoLevel);
int argumentCount = ((IntegerValue)argc.PossibleValues.ElementAt(0)).Value;
List <MemoryEntry> arguments = new List <MemoryEntry>();
List <ValueInfo> values = new List <ValueInfo>();
bool nullValue = false;
for (int i = 0; i < argumentCount; i++)
{
arguments.Add(OutputSet.ReadVariable(Argument(i)).ReadMemory(OutputSet.Snapshot));
List <Value> argumentValues = new List <Value>(arguments.Last().PossibleValues);
if (hasPossibleNullValue(OutputSet.ReadVariable(Argument(i))))
{
nullValue = true;
}
VariableIdentifier varID = null;
Value toRemove = null;
foreach (Value val in argumentValues)
{
if (val is InfoValue <VariableIdentifier> )
{
varID = (val as InfoValue <VariableIdentifier>).Data;
toRemove = val;
}
}
if (toRemove != null)
{
argumentValues.Remove(toRemove);
}
values.Add(new ValueInfo(argumentValues, varID));
}
TaintInfo outputTaint = mergeTaint(values, nullValue);
// try to sanitize the taint info
if (outputTaint != null)
{
sanitize(p, ref outputTaint);
warningsReportingFunct(p, outputTaint);
}
// 2. Propagate arguments to the return value.
// TODO: quick fix
if (outputTaint.tainted || outputTaint.nullValue)
{
FunctionResolverBase.SetReturn(OutputSet, new MemoryEntry(Output.CreateInfo(outputTaint)));
}
}
/// <summary>
/// If function is a reporting function, a warning might be created.
/// </summary>
/// <param name="p">program point with a function</param>
/// <param name="taintInfo">TaintInfo that is being sanitized</param>
private void warningsReportingFunct(NativeAnalyzerPoint p, TaintInfo taintInfo)
{
NativeAnalyzerMethod method = p.Analyzer.Method;
QualifiedName functName = getMethodName(p);
functAnalyzer = NativeFunctionAnalyzer.CreateInstance();
List <FlagType> flags;
if (functAnalyzer.ReportingFunctions.TryGetValue(functName, out flags))
{
createWarnings(p, taintInfo, flags);
}
}
/// <summary>
/// If the function is a sanitizer, the sanitized taint flows are removed
/// </summary>
/// <param name="p">program point with a function</param>
/// <param name="taintInfo">TaintInfo that is being sanitized</param>
private void sanitize(NativeAnalyzerPoint p, ref TaintInfo taintInfo)
{
NativeAnalyzerMethod method = p.Analyzer.Method;
QualifiedName functName = getMethodName(p);
functAnalyzer = NativeFunctionAnalyzer.CreateInstance();
List <FlagType> flags;
if (functAnalyzer.SanitizingFunctions.TryGetValue(functName, out flags))
{
taintInfo.setSanitized(flags);
}
}
/// <summary>
/// Gets the method name from NativeAnalyzerPoint
/// </summary>
/// <param name="p">point to get the method from</param>
/// <returns>a method name as a QualifiedName</returns>
private QualifiedName getMethodName(NativeAnalyzerPoint p)
{
String functName = p.OwningPPGraph.FunctionName;
return(new QualifiedName(new Name(functName)));
}
