illera88 / Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
https://docs.idaponce.com

Differentiate between tainting analysis and symbolic execution #4

Closed 0ca closed 8 years ago

0ca commented 8 years ago

The plugin could be used just to do tainting analysis and know which instructions of the program are tainted, and this is different from doing a symbolic execution analysis where all the formulas (from the tainted instructions) are generated.

Tainting analysis should be quite a bit lighter than symbolic execution, so in some scenarios it could be useful to allow the user to do only tainting without symbolic execution.

0ca commented 8 years ago

I added two flags in globals.cpp:

```cpp
#define ENABLE_TAINTING_ENGINE true
#define ENABLE_SYMBOLIC_ENGINE true
```

But when I disable the symbolic engine, the tainting engine does not work. I reported this "bug" to Triton: https://github.com/JonathanSalwan/Triton/issues/379

0ca commented 8 years ago

Jonathan fixed it: https://github.com/JonathanSalwan/Triton/issues/379

Now it is possible to disable the symbolic engine and do only taint analysis.
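To make the distinction in this thread concrete, here is a toy model (added for illustration; it is not Ponce or Triton code) of the two flags over a constructed three-instruction trace: the taint engine only tracks a per-register bit and records which instructions touched tainted data, while the symbolic engine builds a formula per destination register. Register names, the trace and the string formula format are assumptions of this example; the second run shows the behaviour the Triton fix restored, taint analysis working with the symbolic engine disabled.

```python
from dataclasses import dataclass, field

@dataclass
class Engine:
    enable_tainting: bool = True   # models ENABLE_TAINTING_ENGINE
    enable_symbolic: bool = True   # models ENABLE_SYMBOLIC_ENGINE
    tainted: set = field(default_factory=set)          # registers currently tainted
    exprs: dict = field(default_factory=dict)          # register -> symbolic formula
    tainted_insns: list = field(default_factory=list)  # indices of tainted instructions

    def taint_input(self, reg, name):
        """Mark an input register as attacker-controlled; the symbolic
        variable is only created when that engine is enabled."""
        if self.enable_tainting:
            self.tainted.add(reg)
        if self.enable_symbolic:
            self.exprs[reg] = name

    def process(self, idx, dst, op, a, b):
        """Handle one three-address instruction: dst = a op b (b may be an int)."""
        srcs = [x for x in (a, b) if isinstance(x, str)]
        # Taint propagation: one bit per register, no formula is built.
        if self.enable_tainting:
            if any(s in self.tainted for s in srcs):
                self.tainted.add(dst)
                self.tainted_insns.append(idx)
            else:
                self.tainted.discard(dst)
        # Symbolic engine: substitute known formulas and keep the new one.
        if self.enable_symbolic:
            def sym(x):
                return self.exprs.get(x, x) if isinstance(x, str) else str(x)
            self.exprs[dst] = f"({sym(a)} {op} {sym(b)})"

# Constructed sample trace (hypothetical): (idx, dst, op, src1, src2)
TRACE = [
    (0, "rbx", "+", "rax", 4),
    (1, "rcx", "*", "rdx", 2),      # never touches tainted data
    (2, "rdx", "^", "rbx", "rcx"),
]

def run(enable_tainting=True, enable_symbolic=True):
    """Run the trace with rax as the only tainted/symbolic input."""
    eng = Engine(enable_tainting, enable_symbolic)
    eng.taint_input("rax", "input0")
    for insn in TRACE:
        eng.process(*insn)
    return eng

if __name__ == "__main__":
    print(run().tainted_insns, run().exprs["rdx"])
    print(run(enable_symbolic=False).tainted_insns)
```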