RootLUG
commented
11 months ago Hello, great question. Like you noted the system currently propagates tainted/not tainted via that attached object, this is now the initial implementation but it has it's drawbacks like you noted.
I already found several use cases where this is not sufficient like probably sql injection may not be applicable to shell and vice versa. I briefly played with an idea of having multiple flows that can be mixed together and tracked independently.
This was just an experiment so it's not in the code base but it showed promising results but it's not currently on top of the list or in active development. There isn't a concrete plan but it's one of the things I would like to re-design on how it works.
There is also another drawback tied to this that the system would need to be designed in a way to not only independently track different flows that can be then mixed (which is the "easy" part) but to be able to track multiple representations of the same variable at once; and I haven't figured this out completely, which is one of the blockers if we go with redesigning/improving the taint flow analysis. The problem is that a variable can end up with a different typing/code path if there is a recursion, for loops, or something like that (I can't think of a good example right now from top of my head) and in ends up in a situation where on semantic level the variable is the same (place in a code) but on taint level analysis it is something different and cannot be combined with a different flow going through the same place. I'm not sure if there is technical term for this but I call it internally "streams" where streams cannot be combined together (in the same variable) but different flow in the same stream can be combined if that makes sense. So this is in short one of the "features" that needs to be designed properly as it is very closely related to being able to combine and track multiple flows correctly and also in performance wise manner. Taint analysis currently already takes a significant portion of the analysis time and one thing I am worried is that with introduction of the streams it would multiply significantly at the points where the stream need to be split into multiple ones that are tracked separately.
Any ideas and help are more than welcome on this, I tried researching it for a while and experimenting but I haven't found much info online and in research papers.
I'm wondering if the current implementation of the project supports value-level taint analysis. It seems that the propagation of tainted values is only done through the TaintLog object. Based on my analysis, it appears that the current implementation only propagates a binary "tainted or not" flag, but I'm curious if it's possible to perform more fine-grained analysis, such as tracking the actual values of tainted data.
If the goal is to analyze more complex models, I'm concerned that the current logging mechanism may not be sufficient. Can you provide more information on how the project handles taint analysis, and whether value-level analysis is supported? If not, are there any plans to add this functionality in the future?