Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Taint design options #4

Open
toshipiazza opened this issue Jan 13, 2018 · 2 comments
Open

Taint design options #4

toshipiazza opened this issue Jan 13, 2018 · 2 comments

Comments

@toshipiazza
Copy link
Owner

Should have an options struct that controls taint propagation dials, as well as IR-level design issues. For example:

  1. Should PC be explicitly tainted, i.e. on blx r0. The taint prop would be simulated by mov pc, r0
  2. Should eflags be explicitly tainted, i.e. on eor r0, r0, r1, where r0 is tainted.
@toshipiazza
Copy link
Owner Author

Expanding a bit on tainting PC; if we have something like mov pc, r0, PC should end up tainted with the current implementation. However, something like blx r0 will not set PC's taint value currently.

Is there some correctness implication here? blx r0 followed by mov r1, pc will end up with r1 having a meaningless taint value. I guess we should just always support tainting pc, as it's trivial to add handling to indirect jumps.

toshipiazza added a commit that referenced this issue Jan 15, 2018
@toshipiazza
Fully support tainting PC
752b624 
- on indirect jumps, we set up the taint for pc appropriately
- for bl* instructions, we set the taint for lr appropriately

Issue #4
@toshipiazza
Copy link
Owner Author

toshipiazza commented Feb 22, 2018
edited
Loading

Some canonical taint propagation policies from the literature:

  • Copy Propagation
  • Arithmetic Propagation
  • Address Propagation

It's not feasible to implement Control Propagation using only dynamic analysis, so we punt on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@toshipiazza