Closed am009 closed 2 years ago
`Heap.getHeap` doesn't have this issue, because there is an `allocSite`:

public static Heap getHeap(Address allocSite, Context context, long size, boolean valid)
Heap allocChunk = Heap.getHeap(allocAddress, context, size, true);
I'd also like to ask: is there any widening logic in the code to speed up iteration? I looked around and didn't find any.
Thanks for reporting this issue; we've confirmed that the current `TaintMap` is not precise enough for your situation. I think one possible solution is adding the callsite to `TaintMap.Source`. It would be greatly appreciated if you sent us a PR.
For the widening question: we have a K limit for the K-set, which replaces the widening mechanism to some extent. That means you can lower the K parameter to accelerate the analysis.
K in the K-set is somewhat equivalent to a widening operator; however, it sacrifices precision across the board. You can still add delayed widening or limited widening operators at the widening points computed by the WTO and set K to a very large number to gain better precision.
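To make the trade-off in the reply above concrete, here is an added example (not BinAbsInspector code; the loop, the K-set and interval domains, and all names are assumptions) that runs one bounded counting loop to a fixpoint three ways: with a K-set that collapses to TOP once it holds more than K values, with an interval domain widened immediately at the loop head, and with the same widening delayed by a few plain joins. It shows why a small K terminates quickly but loses everything, and why delaying or limiting widening recovers precision at the cost of iterations.

```python
"""Added example, not BinAbsInspector code: K-set bound vs. (delayed) widening.
The analysed loop is assumed to be:  x = 0; while (x < BOUND) x = x + 1;
All names below are assumptions made for the illustration."""
from __future__ import annotations
from dataclasses import dataclass

TOP = "TOP"          # K-set that overflowed its bound: "any value"
BOUND = 10           # loop guard constant of the assumed loop
INF = float("inf")


# ---- K-set domain: a set of at most k concrete values, otherwise TOP ----
def kset_join(a, b, k):
    """Join two K-sets; the union overflows to TOP once it exceeds k values."""
    if a is TOP or b is TOP:
        return TOP
    u = a | b
    return TOP if len(u) > k else u


def kset_body(x):
    """Transfer of the loop body (guard x < BOUND, then x = x + 1)."""
    if x is TOP:
        return TOP
    return {v + 1 for v in x if v < BOUND}


def analyze_kset(k, max_iter=10_000):
    """Iterate the loop head to a fixpoint with K-sets of size k.
    Returns (fixpoint value, iterations needed)."""
    x = {0}
    for i in range(1, max_iter + 1):
        nxt = kset_join(x, kset_body(x), k)
        if nxt == x:
            return x, i
        x = nxt
    raise RuntimeError("no fixpoint")


# ---- Interval domain with the standard widening operator ----
@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float


def interval_body(x):
    """Transfer of the loop body on intervals; None if the guard can never hold."""
    hi = min(x.hi, BOUND - 1)
    if x.lo > hi:
        return None
    return Interval(x.lo + 1, hi + 1)


def interval_join(a, b):
    if b is None:
        return a
    return Interval(min(a.lo, b.lo), max(a.hi, b.hi))


def interval_widen(old, new):
    """A bound that still grows jumps straight to infinity."""
    lo = old.lo if new.lo >= old.lo else -INF
    hi = old.hi if new.hi <= old.hi else INF
    return Interval(lo, hi)


def analyze_interval(delay=0, max_iter=10_000):
    """Same loop on intervals; widening is applied at the loop head only
    after `delay` ordinary joins (delay=0 is eager widening)."""
    x = Interval(0, 0)
    for i in range(1, max_iter + 1):
        joined = interval_join(x, interval_body(x))
        nxt = joined if i <= delay else interval_widen(x, joined)
        if nxt == x:
            return x, i
        x = nxt
    raise RuntimeError("no fixpoint")


if __name__ == "__main__":
    print("K=3   :", analyze_kset(3))        # collapses to TOP after 4 iterations
    print("K=64  :", analyze_kset(64))       # exact {0..10}, 11 iterations
    print("widen :", analyze_interval(0))    # [0, inf] after 2 iterations
    print("delay3:", analyze_interval(3))    # [0, inf] after 5 iterations
    print("delay20:", analyze_interval(20))  # exact [0, 10], 11 iterations
```

A small K is the cheap knob: the loop head converges after K+1 iterations, but the resulting value is TOP, so everything computed from it downstream is lost. Eager widening converges in two steps and keeps the lower bound but overshoots the upper one; delaying it long enough (or limiting it with a threshold such as BOUND) finds the exact range, which is what the suggestion of combining a large K with delayed or limited widening at WTO heads is getting at.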
Take `com.bai.env.funcs.externalfuncs.GetenvFunction` as an example (the external function model for `char *getenv(const char *name)`). The source is:

`context` doesn't include the current callsite of the external function. So, for different callsites in the current function, `TaintMap.getTaints` will return the same taint. If I analyze this shared object:

and set a breakpoint at `GetenvFunction.invoke`, I can see the same context (`main[0, 0, 0]`) and the same taints (`taints = 2`) twice. I think it should return different taints?
(by the way, I am working on a research project that heavily uses BinAbsInspector)
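The issue described above, and the fix the maintainers propose (keying the source by callsite), rendered as an added example that is not BinAbsInspector code: a toy `TaintMap` hands out one taint bit per distinct `Source`. With `Source` keyed only by (context, function), two `getenv` calls in `main` get the same bit, so a sink that is fed by just one of them gets blamed on both. Class names, field names, addresses and the sink scenario are all constructed for the illustration.

```python
"""Added example, not BinAbsInspector code: a source keyed by (context, function)
merges every getenv() call in the same context; adding the callsite separates them.
Names, addresses and the scenario are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Source:
    context: str                    # calling context, e.g. "main[0, 0, 0]"
    function: str                   # modelled external function, e.g. "getenv"
    callsite: Optional[int] = None  # address of the call; None = not part of the key


class TaintMap:
    """One taint bit per distinct Source; a value's taint is a bitmask of sources."""

    def __init__(self) -> None:
        self._bits: dict[Source, int] = {}

    def get_taints(self, src: Source) -> int:
        # Allocate a fresh bit only for a Source not seen before.
        if src not in self._bits:
            self._bits[src] = 1 << len(self._bits)
        return self._bits[src]


# Constructed scenario: main() calls getenv twice in the same context and only
# the second result flows to a sink (say, a system() argument).  Addresses are made up.
CONTEXT = "main[0, 0, 0]"
CALLSITES = [0x1234, 0x1250]
SINK_FED_BY = 0x1250


def taints_per_call(with_callsite: bool) -> list[int]:
    """Taint bitmask returned to each getenv() call, in callsite order."""
    tm = TaintMap()
    return [
        tm.get_taints(Source(CONTEXT, "getenv", cs if with_callsite else None))
        for cs in CALLSITES
    ]


def blamed_callsites(with_callsite: bool) -> list[int]:
    """Callsites whose taint bit overlaps the taint observed at the sink."""
    taints = dict(zip(CALLSITES, taints_per_call(with_callsite)))
    sink_taint = taints[SINK_FED_BY]
    return [cs for cs in CALLSITES if taints[cs] & sink_taint]


if __name__ == "__main__":
    print(taints_per_call(False), [hex(c) for c in blamed_callsites(False)])
    print(taints_per_call(True), [hex(c) for c in blamed_callsites(True)])
```

Without the callsite both calls share one bit and the sink report cannot say which `getenv` result reached it, which is the duplicate `taints` value seen at the breakpoint; with the callsite in the key each call gets its own bit and only the real source is blamed. The cost is one taint bit per call site rather than per (context, function), which matters if taints are stored in a fixed-width mask.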