SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/

Handling external functions for transferring taint flow #678

Open bjchan9an opened 2 years ago

bjchan9an commented 2 years ago

Hi, we are trying to perform taint analysis with SVF. A common case is as below:

#include <stdio.h>
#include <stdlib.h>

/* Tainted argument p is formatted into cmd and handed to system(). */
void foo(char *p) {
    char cmd[32];
    sprintf(cmd, "ls %s", p);   /* value flow p -> cmd happens inside the external sprintf */
    system(cmd);                /* sink */
}

As shown in the above case, there exists an information flow from the call argument *p to the system() call. However, the default generated SVFG does not seem to handle such a case. Maybe we have to customize our SVFGBuilder to capture information flow through taint-transferring functions such as sprintf?

We would really appreciate some guidance. :)

yuleisui commented 2 years ago

The example looks ok to me. SVFG should be able to capture the def-use of p from the argument to the callsite parameter. You can generate the SVFG using wpa -ander -svfg *.bc to have a look. You could also attach the llvm bc file.

bjchan9an commented 2 years ago

Thanks for your quick reply! Consider the following case, where we expect to capture the information flow from buf (defined at line 7) to system() (line 11).

  1 #include <stdio.h>
  2 #include <stdlib.h>
  3 #include <string.h>
  4 #include <unistd.h>
  5 
  6 int main() {
  7         char buf[32];
  8         char cmd[1024];
  9         read(0, buf, 32);
 10         sprintf(cmd, "ls %s", buf);
 11         system(cmd);
 12         return 0;
 13 }

Then, we generate the SVFG:

clang -c -emit-llvm -g3 ./test.c -o test.bc
wpa -ander -svfg -dump-vfg test.bc

[attached image: generated svfg]

It seems that there is no path from buf (defined at line 7) to system() (line 11). The taint transfer function sprintf is not explicitly handled in the SVF code.

yuleisui commented 2 years ago

You will need to specify or model the behaviour of sprintf. For example, expand the function call to be instructions.
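One way to follow this suggestion is to replace the external sprintf call with a hand-written model whose byte copy is ordinary load/store instructions, so that the def-use chain from buf to cmd is visible in the LLVM IR and therefore in the SVFG. The code below is an added example, not SVF project code or the reporter's code; the names model_sprintf_ls, sink and build_cmd are assumptions, and sink() is a stand-in for system() that only records the command instead of executing it. Compile it with the clang and wpa commands from the thread to compare the resulting SVFG with the one for the original program.

```c
/* Added example (not SVF project code): hand-written model of
 * sprintf(dst, "ls %s", src) so the copy from src into dst is explicit
 * load/store instructions that the SVFG can track as a def-use chain.
 * Assumed names: model_sprintf_ls, sink, build_cmd. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of sprintf(dst, "ls %s", src): writes the prefix, then copies src
 * byte by byte, stopping before dst overflows. Returns the number of
 * characters written (as sprintf would). Every byte of src is stored
 * through dst, so the value flow src -> dst is explicit in the IR. */
size_t model_sprintf_ls(char *dst, size_t dst_size, const char *src) {
    static const char prefix[] = "ls ";
    size_t n = 0;
    for (size_t i = 0; prefix[i] != '\0' && n + 1 < dst_size; i++)
        dst[n++] = prefix[i];
    for (size_t i = 0; src[i] != '\0' && n + 1 < dst_size; i++)
        dst[n++] = src[i];          /* taint flows src -> dst here */
    dst[n] = '\0';
    return n;
}

/* Stand-in for system(): records the last command it was handed instead
 * of executing anything. For a taint analysis this is the sink. */
static char last_sink[1024];
const char *sink(const char *cmd) {
    strncpy(last_sink, cmd, sizeof last_sink - 1);
    last_sink[sizeof last_sink - 1] = '\0';
    return last_sink;
}

/* Same shape as the issue's main(): tainted input -> cmd -> sink, but
 * with the sprintf call expanded into the model above. */
const char *build_cmd(const char *tainted_input) {
    char cmd[1024];
    model_sprintf_ls(cmd, sizeof cmd, tainted_input);
    return sink(cmd);
}

int main(void) {
    /* Constructed sample input standing in for the read(0, buf, 32) data. */
    const char *buf = "sample";
    printf("sink received: \"%s\"\n", build_cmd(buf));
    return 0;
}
```

In the IR for this version the store `dst[n++] = src[i]` is a plain store through a pointer derived from cmd, so wpa -ander -svfg connects the definition of the input buffer to the argument of sink() without any special handling of sprintf. The same approach applies to other library calls the analysis treats as opaque: write a model that performs the copy with explicit instructions, or register the function's source-to-destination behaviour with the framework's external-function handling.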