Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set annotation for elements in c struct. #12

Open
EmmetZC opened this issue Nov 14, 2016 · 4 comments
Open

Set annotation for elements in c struct. #12

EmmetZC opened this issue Nov 14, 2016 · 4 comments

Comments

@EmmetZC
Copy link

EmmetZC commented Nov 14, 2016

Hi, me again.
The tainting for struct types is not working as I expected. I don't know if there's any misunderstanding here.
Check the code below:

typedef struct {
  int x;
  int y;
} Point;

void main(){
  TAINED Point *tp = malloc(sizeof(Point));
  Point a = *tp; // (1)
  int x = tp->x; // (2)
}

For my idea, both assignments (1) and (2) are illegal and cause an error assigning a tainted value to a normal variable, while in fact, only (1) causes an error and (2) is fine, because quala doesn't treat tp->x as a tainted value.

From this test above, I may infer that quala thinks the elements in a tainted struct are not tainted.
Is this how you think the tainting should be like, or, maybe you have implemented it in a wrong way?
@sampsyo
Copy link
Owner

sampsyo commented Nov 14, 2016

Hi again!

You're right; that's exactly how the checker works. I agree that it's probably not a great implementation of taint tracking—it would probably be a good idea to add a new rule that taints the fields of tainted structs. But just to be clear, that's a design decision: you could also decide that the tainting of struct values is distinct from the tainting of individual fields. We just haven't implemented the more sophisticated strategy yet.

@EmmetZC
Copy link
Author

EmmetZC commented Nov 14, 2016
edited
Loading

Hi, many thanks for your response.
I override the method VisitMemberExpr () in TaintTracking.cpp and now it gives an error for line (2) above, just as I expected.
But now I get a further question with the LLVM IR instructions generated. Check code below:

typedef struct {
  int x;
  int y;
} Point;

void main(){
  TAINTED Point *tp = malloc(sizeof(Point));
  TAINTED int *x = malloc(sizeof(int));
  tp->x = 10;
  *x = 6;
}

The generated LLVM IR is:

; Function Attrs: nounwind
define void @main() #0 {
entry:
  ...
  %x2 = getelementptr inbounds %struct.Point, %struct.Point* %2, i32 0, i32 0
  store i32 10, i32* %x2, align 4 // (a)stores 10 to p->x
  %3 = load i32*, i32** %x, align 4
  store i32 6, i32* %3, align 4, !tyann !1 // (b)stores 6 to *x
  ret void
}

Check out IR(a) and IR(b) generated.
(b) is easy to understand since we set x to be TAINTED int * type, thus the store instruction has a metadata "!tyann !1". What is curious is that instruction(a) has no such metadata. I mean, I've call AddAnnotation for the MemberExpr object in function VisitMemberExpr, why does the store instruction still have no annotation metadata?

Could you please tell me how I can make the store instruction of p->x annotated, just like the store instruction of *x, please?

Many thanks for your time.

@sampsyo
Copy link
Owner

sampsyo commented Nov 14, 2016

Aha; tricky! I don't have any immediate advice for you (this would take me a little too much time to sort out on my end). But I think that you might need to hack the codegen layer in clang-quala to make this work—I don't currently see a way around that.

@EmmetZC
Copy link
Author

EmmetZC commented Nov 14, 2016

Alright, I see.
Thanks a lot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sampsyo @EmmetZC