toshipiazza / drtaint

Very WIP taint analysis for DynamoRIO (ARM)
BSD 3-Clause "New" or "Revised" License

Taint design options #4

Open toshipiazza opened 6 years ago

toshipiazza commented 6 years ago

Should have an options struct that controls taint propagation dials, as well as IR-level design issues. For example:

  1. Should PC be explicitly tainted, i.e. on blx r0? The taint prop would be simulated by mov pc, r0.
  2. Should eflags be explicitly tainted, i.e. on eor r0, r0, r1, where r0 is tainted?

toshipiazza commented 6 years ago

Expanding a bit on tainting PC; if we have something like mov pc, r0, PC should end up tainted with the current implementation. However, something like blx r0 will not set PC's taint value currently.

Is there some correctness implication here? blx r0 followed by mov r1, pc will end up with r1 having a meaningless taint value. I guess we should just always support tainting pc, as it's trivial to add handling to indirect jumps.
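A toy shadow-register model of the two dials raised in this thread (taint on PC for indirect branches, taint on the flags for eor), added here as an illustration; it is not drtaint code, and the option struct, opcode set and register numbering are all invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical option dials mirroring the two design questions in the issue. */
typedef struct {
    bool taint_pc;     /* taint PC on indirect branches (blx rm, mov pc, rm) */
    bool taint_flags;  /* taint the flags on flag-setting ALU ops such as eors */
} taint_opts_t;
enum { R0, R1, LR = 14, PC = 15, NREGS = 16 };
typedef struct { uint8_t reg[NREGS]; uint8_t flags; } shadow_t; /* 0 = untainted */
typedef enum { OP_MOV, OP_EOR, OP_BLX } opcode_t;
typedef struct { opcode_t op; int rd, rn, rm; } insn_t;

/* Propagate taint for one instruction under the given policy (toy model, not drtaint's). */
static void propagate(shadow_t *s, const insn_t *i, const taint_opts_t *o)
{
    switch (i->op) {
    case OP_MOV: /* mov rd, rm: rd inherits rm's shadow; writing pc is an indirect jump */
        s->reg[i->rd] = (i->rd == PC && !o->taint_pc) ? 0 : s->reg[i->rm];
        break;
    case OP_EOR: /* eor rd, rn, rm: union of the source shadows, optionally into flags */
        s->reg[i->rd] = s->reg[i->rn] | s->reg[i->rm];
        if (o->taint_flags) s->flags = s->reg[i->rd];
        break;
    case OP_BLX: /* blx rm: treated as mov pc, rm; lr holds a constant return address */
        s->reg[LR] = 0;
        s->reg[PC] = o->taint_pc ? s->reg[i->rm] : 0;
        break;
    }
}

/* Scenario from the issue: r0 tainted, blx r0, then mov r1, pc. Returns r1's shadow. */
uint8_t blx_then_read_pc(bool taint_pc)
{
    taint_opts_t o = { taint_pc, false };
    insn_t blx = { OP_BLX, -1, -1, R0 }, mov = { OP_MOV, R1, -1, PC };
    shadow_t s = {0}; s.reg[R0] = 1;      /* constructed input: r0 carries taint */
    propagate(&s, &blx, &o);
    propagate(&s, &mov, &o);
    return s.reg[R1];
}

/* Second dial: eor r0, r0, r1 with r0 tainted. Returns the flags shadow. */
uint8_t eor_then_flags(bool taint_flags)
{
    taint_opts_t o = { true, taint_flags };
    insn_t eor = { OP_EOR, R0, R0, R1 };
    shadow_t s = {0}; s.reg[R0] = 1;      /* constructed input: r0 carries taint */
    propagate(&s, &eor, &o);
    return s.flags;
}
```

With taint_pc off, r1 ends up untainted after blx r0 / mov r1, pc, which is the meaningless-shadow case described above; with it on, r1 inherits r0's taint.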

toshipiazza commented 6 years ago

Some canonical taint propagation policies from the literature:

It's not feasible to implement Control Propagation using only dynamic analysis, so we punt on this.