Open helloworldlong opened 6 years ago
Sorry, I can't really understand, what are you asking for?
Sorry, my English is poor. I have seen your paper "All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution". There are some sentences about my question in this paper: 1) Informally, a statement s2 is control-dependent on statement s1 if s1 controls whether or not s2 will execute. 2) If you do not compute control dependencies, you cannot determine control-flow based taint, and the overall analysis may undertaint. 3) Unfortunately, pure dynamic taint analysis cannot compute control dependencies, thus cannot accurately determine control-flow-based taint. The reason is simple: reasoning about control dependencies requires reasoning about multiple paths, and dynamic analysis executes on a single path at a time. So my question is whether bap can handle the control dependcies.
There is a control dependency in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" in the strcmp instruction, because it depends on "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction. If the ZF flag is tainted in the "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction, the eax register should be tainted in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" instruction.
in gentrace.cpp:
so bap-pintraces does not log the control flow taint propagation. then the code in strcmp function:
we can not log the taint instruction in the trace file, so we can not get the contrain.