
Taint design options

Open toshipiazza opened this issue 7 years ago • 2 comments

Should have an options struct that controls taint propagation dials, as well as IR-level design issues. For example:

  1. Should PC be explicitly tainted, i.e. on blx r0? The taint prop would be simulated by mov pc, r0.
  2. Should eflags be explicitly tainted, i.e. on eor r0, r0, r1, where r0 is tainted?

toshipiazza avatar Jan 13 '18 14:01 toshipiazza

Expanding a bit on tainting PC; if we have something like mov pc, r0, PC should end up tainted with the current implementation. However, something like blx r0 will not set PC's taint value currently.

Is there some correctness implication here? blx r0 followed by mov r1, pc will end up with r1 having a meaningless taint value. I guess we should just always support tainting pc, as it's trivial to add handling to indirect jumps.

toshipiazza avatar Jan 15 '18 06:01 toshipiazza

Some canonical taint propagation policies from the literature:

  • [x] Copy Propagation
  • [x] Arithmetic Propagation
  • [ ] Address Propagation

It's not feasible to implement Control Propagation using only dynamic analysis, so we punt on this.

toshipiazza avatar Feb 22 '18 01:02 toshipiazza
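The thread above discusses three dials (PC tainting on indirect branches, flags tainting on flag-setting ALU ops, and the copy/arithmetic/address propagation policies) and one correctness hazard: if blx rX does not update the shadow of pc, a later mov r1, pc copies whatever stale taint pc happened to carry. The following is an added illustration written for this page, not drtaint's code or API: a tiny shadow-register interpreter over a five-instruction ARM-like subset whose `taint_opts_t` fields (`taint_pc`, `taint_flags`, `copy_prop`, `arith_prop`, `addr_prop`) are hypothetical names chosen to mirror the options struct proposed in the issue. Each demo function replays one scenario from the comments and returns the resulting shadow bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NUM_REGS 16
#define REG_PC   15
#define REG_LR   14
#define MEM_SIZE 64

/* Hypothetical dials mirroring the options struct proposed in the issue. */
typedef struct {
    bool taint_pc;    /* blx rX writes taint(rX) into the shadow of pc      */
    bool taint_flags; /* flag-setting ALU ops taint the NZCV shadow           */
    bool copy_prop;   /* mov rd, rn        : taint(rd) = taint(rn)            */
    bool arith_prop;  /* eor rd, rn, rm    : taint(rd) = taint(rn) | taint(rm) */
    bool addr_prop;   /* ldr rd, [rn]      : a tainted address taints rd      */
} taint_opts_t;

typedef struct {
    uint8_t  reg[NUM_REGS];    /* one shadow byte per register: 0 clean, 1 tainted */
    uint8_t  flags;            /* shadow for NZCV */
    uint8_t  mem[MEM_SIZE];    /* one shadow byte per memory cell */
    uint32_t regval[NUM_REGS]; /* concrete values, only needed to resolve [rn] */
} taint_state_t;

typedef enum { OP_MOV, OP_EOR, OP_LDR, OP_STR, OP_BLX } opcode_t;
typedef struct { opcode_t op; int rd, rn, rm; } insn_t; /* -1 = unused operand */

/* Propagate taint for one instruction under the given policy. */
static void propagate(taint_state_t *s, const taint_opts_t *o, const insn_t *i)
{
    uint32_t addr;
    switch (i->op) {
    case OP_MOV: /* mov rd, rn: an explicit write to pc is treated like any other register */
        s->reg[i->rd] = o->copy_prop ? s->reg[i->rn] : 0;
        s->regval[i->rd] = s->regval[i->rn];
        break;
    case OP_EOR: /* eor rd, rn, rm (flag-setting) */
        s->reg[i->rd] = o->arith_prop ? (s->reg[i->rn] | s->reg[i->rm]) : 0;
        s->flags = o->taint_flags ? (s->reg[i->rn] | s->reg[i->rm]) : 0;
        break;
    case OP_LDR: /* ldr rd, [rn] */
        addr = s->regval[i->rn] % MEM_SIZE;
        s->reg[i->rd] = s->mem[addr] | (o->addr_prop ? s->reg[i->rn] : 0);
        break;
    case OP_STR: /* str rd, [rn] */
        addr = s->regval[i->rn] % MEM_SIZE;
        s->mem[addr] = s->reg[i->rd] | (o->addr_prop ? s->reg[i->rn] : 0);
        break;
    case OP_BLX: /* blx rm: lr receives a constant return address, pc the target */
        s->reg[REG_LR] = 0;
        if (o->taint_pc)
            s->reg[REG_PC] = s->reg[i->rm];
        /* with taint_pc off, the shadow of pc is simply left untouched (stale) */
        break;
    }
}

static taint_opts_t defaults(void)
{
    taint_opts_t o = { true, true, true, true, false };
    return o;
}

/* Scenario from the second comment: mov pc, r0 (r0 tainted) taints pc, then
 * blx r2 jumps to a clean target, then mov r1, pc. Returns taint(r1). */
int demo_stale_pc(bool taint_pc)
{
    taint_opts_t o = defaults(); o.taint_pc = taint_pc;
    taint_state_t s; memset(&s, 0, sizeof s);
    s.reg[0] = 1;                                   /* r0 tainted, r2 clean */
    insn_t prog[] = { { OP_MOV, REG_PC, 0, -1 }, { OP_BLX, -1, -1, 2 },
                      { OP_MOV, 1, REG_PC, -1 } };
    for (size_t k = 0; k < sizeof prog / sizeof prog[0]; k++) propagate(&s, &o, &prog[k]);
    return s.reg[1];   /* 1 = stale taint leaked into r1, 0 = pc correctly refreshed */
}

/* Scenario from the opening comment: eor r0, r0, r1 with r0 tainted. Returns taint(flags). */
int demo_eor_flags(bool taint_flags)
{
    taint_opts_t o = defaults(); o.taint_flags = taint_flags;
    taint_state_t s; memset(&s, 0, sizeof s);
    s.reg[0] = 1;
    insn_t eor = { OP_EOR, 0, 0, 1 };
    propagate(&s, &o, &eor);
    return s.flags;
}

/* Address propagation: ldr r1, [r2] where r2 is tainted but the cell is clean. Returns taint(r1). */
int demo_ldr_addr(bool addr_prop)
{
    taint_opts_t o = defaults(); o.addr_prop = addr_prop;
    taint_state_t s; memset(&s, 0, sizeof s);
    s.reg[2] = 1; s.regval[2] = 8;
    insn_t ldr = { OP_LDR, 1, 2, -1 };
    propagate(&s, &o, &ldr);
    return s.reg[1];
}

int main(void)
{
    printf("stale pc leak, taint_pc off/on: %d/%d\n", demo_stale_pc(false), demo_stale_pc(true));
    printf("flags taint, taint_flags off/on: %d/%d\n", demo_eor_flags(false), demo_eor_flags(true));
    printf("ldr via tainted addr, addr_prop off/on: %d/%d\n", demo_ldr_addr(false), demo_ldr_addr(true));
    return 0;
}
```

The first demo is the point of the second comment: with `taint_pc` off, the shadow of pc is only ever written by explicit mov pc, rX, so after an indirect branch to a clean target it still reports the taint of the earlier write and mov r1, pc copies that meaningless value into r1; enabling the dial makes blx refresh it. Address propagation, the unchecked item in the last comment, is the one policy that lets a tainted pointer taint data read through it even when the memory cell itself is clean.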