Get data flow for leaks in taint analysis
Is your feature request related to a problem? Please describe.
I'm working with the taint analysis feature of phasar (e.g. ide-xtaint).
The resulting leaks seem to be identified by their sink function.
I could not find a way to refer to the source function nor to the whole data flow.
Is it possible to get the source function and ideally the whole data flow between source and sink which represents the leak?
Describe the solution you'd like
It would be nice to have for every leak something like this:
Found leak in main.c:100
- source: main.c:10 fgets()
- sink: main.c:100 execl()
Describe alternatives you've considered
N/A
Additional context
I need to admit that I'm not too much into ide/ifds algorithms. Is it possible to get all concrete data flows between source and sink? If yes, how can I get them with phasar?
@fabianbs96 what is the state of this? don't we already have sth. like this?
Your question seems to have multiple parts. Let's answer them one by one.
- Getting the source function for a taint leak: We are not propagating this information and as of now, there are no plans to implement this. On the other hand, it is quite easy to get the information about the sink as we are communicating the leak instruction.
- Getting all dataflows between a source and sink: As of now, you can only retrieve the holding dataflow facts (=tainted values) for each IR instruction via the resultsAt function of the IDESolver/SolverResults. However, we are also working on a path-sensitive analysis that would allow you to retrieve all paths leading to a leak position. We will integrate this into open-source phasar eventually. This may then also - at least partially - solve your first problem.
Thanks for your answer and the clarification! I would be glad to see the path sensitive analysis as open source :)
This issue is solved for me. Feel free to close it, or leave it open for reference.
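An added example, not part of the original thread and not phasar code: a toy straight-line taint propagation in which each tainted fact carries the call site that introduced it, so a leak can be reported with both source and sink as requested in the issue. The IR, the `Inst`/`Leak` types, `findLeaks` and the sample program are all hypothetical and constructed for illustration; none of them are phasar APIs.

```cpp
// Added illustration: toy straight-line taint propagation, NOT phasar code.
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum class Kind { Source, Assign, Sink };
struct Inst { std::string loc; Kind kind; std::string fn, dst, src; };
struct Leak { std::string source, sink; };
// Fact = tainted variable; the mapped value records where the taint originated.
using Facts = std::map<std::string, std::string>;

std::vector<Leak> findLeaks(const std::vector<Inst> &prog) {
  Facts facts;
  std::vector<Leak> leaks;
  for (const Inst &i : prog) {
    Facts::const_iterator it = facts.find(i.src);
    switch (i.kind) {
    case Kind::Source: // gen: dst becomes tainted by this call site
      facts[i.dst] = i.loc + " " + i.fn + "()";
      break;
    case Kind::Assign: // copy provenance, or kill dst when src is clean
      if (it != facts.end()) facts[i.dst] = it->second;
      else facts.erase(i.dst);
      break;
    case Kind::Sink: // tainted argument reaches a sink: report with origin
      if (it != facts.end())
        leaks.push_back({it->second, i.loc + " " + i.fn + "()"});
      break;
    }
  }
  return leaks;
}

// Constructed sample program; locations echo the format asked for in the issue.
std::vector<Inst> sampleProgram() {
  return {{"main.c:10", Kind::Source, "fgets", "buf", ""},
          {"main.c:20", Kind::Assign, "", "cmd", "buf"},
          {"main.c:30", Kind::Assign, "", "buf", "lit"}, // buf overwritten: killed
          {"main.c:90", Kind::Sink, "puts", "", "buf"},  // clean, no leak
          {"main.c:100", Kind::Sink, "execl", "", "cmd"}};
}

int main() {
  for (const Leak &l : findLeaks(sampleProgram()))
    std::cout << "Found leak\n- source: " << l.source
              << "\n- sink: " << l.sink << "\n";
}
```

The sketch has no branches or calls, so one origin per fact suffices; an analysis over a real control-flow graph would need to merge origins at join points.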