Open bjchan9an opened 2 years ago
The example looks ok to me. SVFG should be able to capture the def-use of p from the argument to the callsite parameter. You can generate the SVFG using wpa -ander -svfg *.bc to have a look. You could also attach the llvm bc file.
Thanks for your quick reply!
Consider the case as follows, where we expect to capture the information flow from buf (defined at line 7) to system() (line 11).
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4 #include <unistd.h>
5
6 int main() {
7 char buf[32];
8 char cmd[1024];
9 read(0, buf, 32);
10 sprintf(cmd, "ls %s", buf);
11 system(cmd);
12 return 0;
13 }
Then, we generate the SVFG:
clang -c -emit-llvm -g3 ./test.c -o test.bc
wpa -ander -svfg -dump-vfg test.bc
It seems that there is no path from buf (defined at line 7) to system() (line 11). The taint transfer function sprintf is not explicitly handled in the SVF code.
You will need to specify or model the behaviour of sprintf. For example, expand the function call to be instructions.
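One way to follow that suggestion for the test case above is to hand-expand sprintf(cmd, "ls %s", buf) into plain loads and stores, so that every byte of cmd is visibly defined from a byte of buf and the SVFG has a def-use chain to follow without a model of sprintf. This is an added example, not code from the issue or from SVF; the function names expand_sprintf_ls and check_expansion, and the bounded-copy behaviour (a length for buf, since read(2) does not NUL-terminate, and a length for cmd), are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hand-expansion of sprintf(cmd, "ls %s", buf) into explicit
 * loads and stores. Every byte stored into cmd is defined by a load from
 * buf (or from the literal prefix), so an SVFG built without a model for
 * sprintf still sees the def-use chain from buf to cmd. Reads at most
 * buf_len bytes of buf and never writes past cmd_len. Returns the length
 * written (without the terminator), or -1 if cmd is too small. */
static int expand_sprintf_ls(char *cmd, size_t cmd_len,
                             const char *buf, size_t buf_len) {
    const char prefix[] = "ls ";
    size_t out = 0;
    for (size_t i = 0; i < sizeof(prefix) - 1; ++i) {
        if (out + 1 >= cmd_len) return -1;
        cmd[out++] = prefix[i];            /* store of a constant byte */
    }
    for (size_t i = 0; i < buf_len && buf[i] != '\0'; ++i) {
        if (out + 1 >= cmd_len) return -1;
        cmd[out++] = buf[i];               /* load from buf -> store to cmd */
    }
    cmd[out] = '\0';
    return (int)out;
}

/* Self-check on constructed input (no read()/system() involved): the
 * expansion reproduces what sprintf would have produced, and refuses an
 * undersized destination instead of overflowing it. Returns 1 on success. */
static int check_expansion(void) {
    char cmd[1024];
    char small[4];
    const char input[32] = "docs";          /* constructed stand-in for buf */
    if (expand_sprintf_ls(cmd, sizeof cmd, input, sizeof input) != 7) return 0;
    if (strcmp(cmd, "ls docs") != 0) return 0;
    if (expand_sprintf_ls(small, sizeof small, input, sizeof input) != -1) return 0;
    return 1;
}

int main(void) {
    printf("%s\n", check_expansion() ? "expansion ok" : "expansion FAILED");
    return 0;
}
```

With the call site rewritten this way, the taint from buf reaches cmd through ordinary load/store edges rather than through an opaque external call.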
Hi, we are trying to perform taint analysis with SVF. A common case is as below:
As shown in the above case, there exists an information flow from the CallArg *p to the system() call. However, the SVFG generated by default does not seem to handle such a case. Maybe we have to customize our SVFGBuilder to capture information flow through taint-transferring functions such as sprintf? We would really appreciate some guidance. :)