|Dealing with load/store instructions on static tainted flow analysis firstname.lastname@example.org (Gabriel Quadros) (2011-06-06)|
|Re: Dealing with load/store instructions on static tainted flow analys email@example.com (glen herrmannsfeldt) (2011-06-07)|
|Re: Dealing with load/store instructions on static tainted flow analys firstname.lastname@example.org (2011-06-08)|
|Re: Dealing with load/store instructions on static tainted flow analys email@example.com (George Neuner) (2011-06-09)|
|Re: Dealing with load/store instructions on static tainted flow analys firstname.lastname@example.org (Martin Ward) (2011-06-12)|
|From:||Gabriel Quadros <email@example.com>|
|Date:||Mon, 6 Jun 2011 21:00:41 -0700 (PDT)|
|Keywords:||storage, analysis, question|
|Posted-Date:||07 Jun 2011 03:26:12 EDT|
I am trying to implement a pass to detect information leak in
programs. The problem is a variation of static tainted-flow analysis:
I have some source functions, sink functions and sanitizers. I want to
know if it is possible for data to flow from source to sink without
going across a sanitizer.
I am using LLVM, and I am analyzing the LLVM bitcodes. My pass is
working well, but I am having some issues with memory. Once
information flows to the heap, it is hard to know how it propagates to
the rest of the program. Example:
a = SOURCE
b = malloc(100)
b[i] = a
SINK = c[j]
So, the problem is that it is hard to know that c != b and i != j.
Once information flows into memory, the safest thing to do is to flag
the whole memory as a SOURCE. Of course, that is very conservative. I
was wondering if you guys could recommend me some strategies and
techniques to be more precise. In particular, if you could point me
some paper that does it, that would be great.
My best regards,
Return to the
Search the comp.compilers archives again.