Dealing with load/store instructions on static tainted flow analysis

Dear guys,


        I am trying to implement a pass to detect information leak in
programs. The problem is a variation of static tainted-flow analysis:
I have some source functions, sink functions and sanitizers. I want to
know if it is possible for data to flow from source to sink without
going across a sanitizer.


        I am using LLVM, and I am analyzing the LLVM bitcodes. My pass is
working well, but I am having some issues with memory. Once
information flows to the heap, it is hard to know how it propagates to
the rest of the program. Example:


a = SOURCE
b = malloc(100)
...
b[i] = a
...
SINK = c[j]
...


So, the problem is that it is hard to know that c != b and i != j.
Once information flows into memory, the safest thing to do is to flag
the whole memory as a SOURCE. Of course, that is very conservative. I
was wondering if you guys could recommend me some strategies and
techniques to be more precise. In particular, if you could point me
some paper that does it, that would be great.


My best regards,
Gabriel.

Return to the comp.compilers page.
Search the comp.compilers archives again.