SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/

Tainting variables at certain offsets within a struct #171

Open madil27 opened 4 years ago

madil27 commented 4 years ago

We are currently trying to taint the flow of certain annotated variables within a program using both pointer analysis and LLVM use-def chains. We are facing the problem of tainting variables at certain offsets within a struct.

For tainting variables within a struct, our approach is as follows:

  1. We use Andersen Field-Sensitive Analysis to create the SVFG.
  2. We create a getElementPtrInst with the target struct type and offset, pointing to a specific field within a struct. For instance: getelementptr %struct.Server, %struct.Server* @server_name, i64 0, i32 115
  3. We then traverse the entire bitcode and find all instructions with the same properties (same GEP instructions pointing to the same field within a struct) and add them to our work-list from which our tainting will begin.

However, our approach mentioned above is hacky and inaccurate. We don't have any proper interface through which we can tell the pass which offset within a struct we need to taint, and secondly have it work for all instructions (containing bitcasts and not as simple as the one above).

Our question is, does SVF allow us to directly find the SVFG Node of a variable at a certain struct offset and through it find all the direct and indirect uses? We know that SVF allows finding uses, but there is no resource that tells us how we can find a certain offset SVFG node without creating or finding a GEP instruction.

Thanks,

yuleisui commented 4 years ago

Hi Madil27,

This is a good question. Now SVF does not have a straightforward interface for you to query the tainted flow of a field. However, it is not hard for you to write one.

After you have done the first step "use Andersen Field-Sensitive Analysis to create the SVFG", you do not need to create a gep instruction. Instead, you may wish to find the corresponding GepVFGNode (i.e., representing a PAGEdge "p=q+idx") satisfying the following conditions:

1) the points-to target "o" of "p" by Andersen's analysis denotes the i-th field of a base struct object "o_base". Here you need to query the offset of object "o" (via GepObjPN->getLocationSet().getOffset()) rather than using "idx" since SVF has flattened the field offsets and using "idx" is not proper for obtaining the nested field index.

2) the base object "o_base" is allocated by the instruction of your interest.

After you find the corresponding GepVFGNode, the next step is to traverse from this tainted point on SVFG.

Good luck!
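The flattening caveat in point 1) above, as an added self-contained model (this is not SVF's own code; SVF's real flattening lives in its symbol table and also handles arrays, which this toy ignores): a nested struct is flattened into a single list of scalar slots, so the GEP's own index of a field can differ from the flattened offset that GepObjPN->getLocationSet().getOffset() reports.

```cpp
// Toy model of flattened field offsets for nested structs (assumption: structs
// only, no arrays). Illustrates why a GEP's "idx" is not the flattened offset.
#include <cassert>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// A struct type is an ordered list of field type names; any name that is not
// a key of the TypeTable is treated as a scalar (int, pointer, ...).
struct StructDef { std::vector<std::string> fields; };
using TypeTable = std::map<std::string, StructDef>;

// Number of flattened scalar slots a type occupies.
int flattenedSize(const TypeTable& tt, const std::string& ty) {
    auto it = tt.find(ty);
    if (it == tt.end()) return 1;          // scalar or pointer: one slot
    int n = 0;
    for (const auto& f : it->second.fields) n += flattenedSize(tt, f);
    return n;
}

// Flattened offset of the field reached by a GEP-style path of struct
// indices (e.g. {1, 1} = second field of the struct stored in field 1).
int flattenedOffset(const TypeTable& tt, std::string ty, const std::vector<int>& path) {
    int off = 0;
    for (int idx : path) {
        const StructDef& sd = tt.at(ty);   // path must stay inside structs
        for (int i = 0; i < idx; ++i) off += flattenedSize(tt, sd.fields[i]);
        ty = sd.fields[idx];
    }
    return off;
}

// Constructed sample types: struct Inner { int a; char* b; };
//                           struct Outer { int x; Inner in; int y; };
TypeTable sampleTypes() {
    TypeTable tt;
    tt["Inner"].fields = {"int", "char*"};
    tt["Outer"].fields = {"int", "Inner", "int"};
    return tt;
}

int main() {
    TypeTable tt = sampleTypes();
    // GEP idx of Outer.y is 2, but its flattened offset is 3.
    std::cout << "Outer.y    idx=2 flattened=" << flattenedOffset(tt, "Outer", {2}) << "\n";
    std::cout << "Outer.in.b idx=1,1 flattened=" << flattenedOffset(tt, "Outer", {1, 1}) << "\n";
    return 0;
}
```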

madil27 commented 4 years ago

Hi yuleisui,

Thanks for the quick and detailed reply. As mentioned, I have been trying to extract the corresponding GepSVFGNode of a global struct variable offset satisfying the conditions mentioned above, but am facing some issues.

Consider the simple program:

```c
struct abc
{
    int x;
    char* y;
};
struct abc server;
int main()
{
    server.y = "abc";
    server.x = 4;
    return 0;
}
```

In this case, the corresponding PAG is as follows, with two GEP edges 6->20 and 6->18: [image: PAG]

And the corresponding SVFG contains the PAG edges 6->20 and 6->18 in Node 10 and Node 11 respectively: [image: PAG and SVFG]

I have been trying to find the corresponding SVFG Node, given I have the PAGEdge.

For this, I traversed the outgoingEdges of the global struct server variable to obtain all the outgoing GEP PAGEdges (in this case NormalGepPE). I have been trying to find a method to find the corresponding SVFG Nodes of these Edges but was not able to find a relevant method.

Can you guide me in this regard? What exactly should be the process to find the corresponding GepSVFGNode in the given example?

Thanks,

yuleisui commented 4 years ago

Have you taken a look at this function: https://github.com/SVF-tools/SVF/blob/2e5e41b5b62584f7dafc11905451d0d28d639cd7/include/Util/VFG.h#L164 ?