maxwell-bland
commented
2 years ago Update:
There was really no need to do taint tracking on TCG IR ops, as this could all be handled via the Z3 C API. Attached are some files outlining an implementation on modern qemu with Z3 libraries. Ideally in the future the code changes in this tarball are integrated and patched in with control over branching / constraint recording.
Ideally the taint tracking/symexec would be implemented in a more robust manner, without a dependency on angr/claripy, and with support for intermediate state tracking.
Below is a git diff for the current master branch of qemu with an outline of changes to the code-base:
commits_start.txt