rizin icon indicating copy to clipboard operation
rizin copied to clipboard
verified publisher icon rizinorg

[Static analysis] Adding taint flag for registers

Open Rot127 opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe.

Tracking which registers depend on unknown or varying input values (e.g. passed arguments, mutable system registers or writable memory) can be useful for many things.

For example:

  • Clicking on a register in a function can highlight which previous registers or instructions were used to calculate its value. Or we can draw a graph for this.
  • Abstract interpretation can use the information for graph analysis as well to determine which value is varying and which one is already known during static analysis.
  • It eases resolving of constant values. If we have an indirect call we can just check the taint bit of the register. If unset we can resolve the calls target already during static analysis.

Describe the solution you'd like

For every new function added we can build a graph for the registers used in it.

  • Starting with marking every argument register, which is used before set, with a taint flag.
  • Now, every instructions which consumes a register with a taint flag, sets the taint flag for its destination register as well.

Same for values which are deduced by other register out of scope (system registers).

Registers with an unset taint flag, are assumed to contain statically deducible values.

Obviously this must be extended for memory operations as well. If the memory reference loads from static memory, the destination register doesn't need to have the taint flag set.

Describe alternatives you've considered

None

Additional context

None yet

Rot127 avatar Nov 24 '23 00:11 Rot127

We could use RzIL for that

XVilka avatar May 26 '24 12:05 XVilka

Actually it fits very well in the abstract interpretation I currently implement.

The abstract interpreter is an independent module and can be used for it. Or it is a by-product of the static analysis runs.

Abstract interpretation is also better because we can walk every path of a given function. Which would be a problem with emulation.

Also, this information should be stored then in the knowledge base.

In any case, no need to implement something new I think. If anyone is interested, please ping me here.

Rot127 avatar May 26 '24 13:05 Rot127