search

awslabs / ar-go-tools

ar-go-tools (Argot) is a collection of analysis tools for Go
Apache License 2.0
9 stars 1 forks source link

Ensure summaries of un-analyzed functions are sufficient #9

Open amzn-jasonrk opened 1 year ago

amzn-jasonrk commented 1 year ago

Some functions could behave in ways that individual summaries of dataflow and escape are insufficient to capture taint flows, when the body of the function isn't analyzed:

func leak(p *string) {
    pkgGlobal = p
}
// in standard library, so taint doesn't see function bodies:
func ok(x string, p *string) {
    *p = x
    leak(p)
}
func bad(x string, p *string) {
    y := "abc"
    q := &y
    *q = x
    leak(q)
}

In this example, ok function doesn't have an issue, because the dataflow notices x flows to p, and the escape notices that p escapes. In the bad function, the dataflow doesn't have any edges (as p is unused), and the escape analysis doesn't report any escapes of arguments, so taint would be lost, even though it can flow to a shared object.

This problem only occurs when the dataflow cannot see the function body; if the taint analysis sees the function body it will see the leak of a tainted value q.

To solve this, some kind of summary that includes the effects of dataflow and escape together seems necessary, i.e. an edge from an argument to a virtual "escaped" node in this case.

victornicolet commented 1 year ago

This issue is still relevant as we continue integrating the escape analysis to the dataflow analysis.

github-actions[bot] commented 10 months ago

Stale issue message

github-actions[bot] commented 6 months ago

Stale issue message

github-actions[bot] commented 1 week ago

Stale issue message