상속: ICFGPruner
예제 #1
0
        /// <summary>
        /// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
        /// </summary>
        /// <returns>A TainSets for the custom function that is being analyzed</returns>
        /// <param name="customFunction">Custom function object to perform the analysis on</param>
        /// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
        /// <param name="paramActualVals">Parameter actual values</param>
        /// <param name="resolver">File inclusion resolver</param>
        /// <param name="includeStack">Currently known includes</param>
        /// <param name="functionCalls">Currently known function calls</param>
        internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
            IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
        {
            var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;

            var traverser = new XmlTraverser();
            var cfgcreator = new CFGCreator();
            traverser.AddVisitor(cfgcreator);
            traverser.Traverse(stmts);

            var cfgPruner = new CFGPruner();
            cfgPruner.Prune(cfgcreator.Graph);

            var initialTaint = varStorage.ToMutable();
            initialTaint.SuperGlobals.Clear();
            initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
            initialTaint.LocalVariables.Clear();
            initialTaint.LocalAccessibleGlobals.Clear();

            for(int i = 1; i <= paramActualVals.Count; i++)
            {
                var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
                if (paramFormal.Value == null)
                {
                    continue;
                }
                var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
                initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
            }

            var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
            blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
            var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
            //var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
            var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
            taintAnalysis.Analyze(cfgcreator.Graph);

            var exprInfoAll = new ExpressionInfo();

            foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
            {
                exprInfoAll = exprInfoAll.Merge(exprInfo);
            }

            return exprInfoAll;
        }
예제 #2
0
파일: Program.cs 프로젝트: jtvn/Eir-CTLLTL
        private static File BuildFileCFGAndExtractFileInformation(KeyValuePair<string, XmlDocument> parsedFile)
        {
            var traverser = new XmlTraverser();
            var metricAnalyzer = new MetricVisitor();
            var extractor = new ClassAndFunctionExtractor();
            var printer = new ASTPrinter(Console.Out);
            var cfgcreator = new CFGCreator();
            traverser.AddVisitor(extractor);
            traverser.AddVisitor(metricAnalyzer);
            traverser.AddVisitor(cfgcreator);
            //traverser.AddVisitor(printer);
            traverser.AddVisitors(_components.AstVisitors.ToArray());

            traverser.Traverse(parsedFile.Value.FirstChild.NextSibling);

            foreach (var function in extractor.Functions)
            {
                function.File = parsedFile.Key;
            }
            foreach (var closure in extractor.Closures)
            {
                closure.File = parsedFile.Key;
            }

            FunctionsHandler.Instance.CustomFunctions.AddRange(extractor.Functions);

            foreach (var @class in extractor.Classes)
            {
                @class.File = parsedFile.Key;
                foreach (var method in @class.Methods)
                {
                    //HACK: This is not a good way to handle this! Should we add a new derived function class called method that includes the class name
                    //-||-: and make a special list for them in the function handler, or is this okay?
                    method.Name = @class.Name + "->" + method.Name;
                    method.File = parsedFile.Key;
                    FunctionsHandler.Instance.CustomFunctions.Add(method);
                }
            }

            //cfgcreator.Graph.VisualizeGraph("graph", Program.Configuration.GraphSettings);
            var cfgPruner = new CFGPruner();
            cfgPruner.Prune(cfgcreator.Graph);
            //cfgcreator.Graph.VisualizeGraph("graph-pruned", Configuration.GraphSettings);

            File file = new File(parsedFile.Value) {
                                                       CFG = cfgcreator.Graph,
                                                       FullPath = parsedFile.Key,
                                                       Interfaces = extractor.Interfaces.GroupBy(i => i.Name, i => i).ToDictionary(i => i.Key, i => i.ToList()),
                                                       Classes = extractor.Classes.GroupBy(c => c.Name, c => c).ToDictionary(c => c.Key, c => c.ToList()),
                                                       Closures = extractor.Closures.ToArray(),
                                                       Functions = extractor.Functions.GroupBy(i => i.Name, i => i).ToDictionary(i => i.Key, i => i.ToList())
                                                   };
            return file;
        }