taintgrind
taintgrind copied to clipboard
wmkhoo
Tainting string data type
Hi,
Is Taintgrind follows operations on std::string? In my code, the data is tainted until it is converted to the string data type. After that, taintgrind loses the flow of the data!
Thanks for bringing up this issue. Could you provide a test case that demonstrates the issue?
Here I have two modules. The first one produces a random data (ebBalance). The second module sends reading request in TLM to the first one to read ebBalance. Immediately after data conversion to string, the taint flow will be lost.
in energyBalance module:
` { ... ebBalance= rand()%2000-1000;
TNT_TAINT(&ebBalance, sizeof(ebBalance));
std::cout<< " data for tainting is: " << ebBalance << std::endl;
} // balanceGenerator()
void energyBalance::b_transport(int id, tlm::tlm_generic_payload& tlmPayload, sc_core::sc_time& delay) { if(tlmPayload.get_command() == tlm::TLM_READ_COMMAND) { if (tlmPayload.get_address() == 0x10 ) {
tlmPayload.set_data_ptr((unsigned char*)ebBalance);
tlmPayload.set_response_status(tlm::TLM_OK_RESPONSE); }
} }
`
in second mudole:
` { ... if(tlmPayload.get_response_status() == tlm::TLM_OK_RESPONSE) {
int reveivedEB= (int)(tlmPayload.get_data_ptr());
sEBalance= std::to_string(reveivedEB); // data after here is not tainted
std::string temp = sEBalance; // I made this one for testing. temp is not tainted
`
Another issue is that when I get string data to the TNT_TAINT(&a, sizeof(a)) or to TNT_IS_TAINTED(t, &a, sizeof(a)) it raises an error. So I have to first convert the data to int, then pass it to TNT_IS_TAINTED(t, &a, sizeof(a))!
I think the problem is not about tainting string data type, it is about the size of tainted data which will be changed after converting to string. In piece of code which I mentioned above, in second module sEBalance is tainted, but the propagation of sEBalance is not followed in the rest of program. To check if Taintgrind can follow the propagation of string data type, instead of tainting ebBalance in module 1, I passed sEBalance to the TNT_TAINT function. It followed the propagation of sEBalance through the rest of program. The size of ebBalance which is a integer is 4 and the size of sEBalance is 32.
At least for me, std::to_string is implemented by _itoa.c.
const char _itoa_upper_digits[36]
= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
...
const char *digits = (upper_case? _itoa_upper_digits : _itoa_lower_digits);
...
*--buflim = digits[value % Base];
In the above, value, which is tainted, is used as an index to copy the corresponding characters into buflim. The taint will not be propagated, because pointer tainting is not implemented (see Pointer tainting).
So, yes. sEBalance will not be tainted after std::to_string. The only way is to taint it manually after std::to_string. Thanks for raising this issue.