SVF icon indicating copy to clipboard operation
SVF copied to clipboard

Published 20 hours ago verified publisher icon SVF-tools

Questions regarding to value-flow of function arguments.

Open jwnhy opened this issue 2 years ago • 1 comments

Thanks for providing such useful tools.

I have no experience in software analysis before and am currently using SVF in one of my research project (analyzing linux kernel and using security primitives to confine certain functions). What I want to achieve is to use SVF to identify the affected range of function arguments, (i.e. how many variables (global vars espacially) are written to using those argument's value). I have read your SVF Teaching which are excellent explainations on SVF. However, I am still a bit confused by the concept of Formal{IN, OUT} and Actual{IN, OUT}. Should I be focusing on the Formal part or the Actual part?

The following is a small .c attempt I used to learn SVF.

int global_in;
int global_arg;

int func_global(){
  global_in = global_arg; // @global_in is now affected by @global_arg
  return global_in;
}

int func(int a) {
  global_in = a; // @global_in is now affected by %a
  return a;
}

int main() {
  int b = 1;
  func(b);
  func_global();
}

This is the SVFG derived.

Thank you very much. I know it's not an issue that can help improve SVF, but your help is really appreciated.

jwnhy avatar Aug 23 '22 07:08 jwnhy

Thanks for providing such useful tools.

I have no experience in software analysis before and am currently using SVF in one of my research project (analyzing linux kernel and using security primitives to confine certain functions). What I want to achieve is to use SVF to identify the affected range of function arguments, (i.e. how many variables (global vars espacially) are written to using those argument's value). I have read your SVF Teaching which are excellent explainations on SVF. However, I am still a bit confused by the concept of Formal{IN, OUT} and Actual{IN, OUT}. Should I be focusing on the Formal part or the Actual part?

The following is a small .c attempt I used to learn SVF.

int global_in;
int global_arg;

int func_global(){
  global_in = global_arg; // @global_in is now affected by @global_arg
  return global_in;
}

int func(int a) {
  global_in = a; // @global_in is now affected by %a
  return a;
}

int main() {
  int b = 1;
  func(b);
  func_global();
}

This is the SVFG derived.

Thank you very much. I know it's not an issue that can help improve SVF, but your help is really appreciated.

Formal{IN, OUT} and Actual{IN, OUT} are used to mimic the value-flow passing between objects (dereferenced pointers). They are indirectly passed in and returned from callees. For example, p is an argument, and *p refers to an object pointed by p. This object can be used at callsite (as ActualIn) and passing into callee at its entry (as FormalIn). Similar, for returning an object at the exit of a callee (as FormalOut) to the callsite (ActualOut).

The example case looks to me can be solved with a taint analysis.

yuleisui avatar Aug 24 '22 03:08 yuleisui