A question about the implementation of Taint Analysis

Question

A question about the implementation of Taint Analysis

anabioticsoul opened this issue 2 years ago · 5 comments

Hello everyone. I am new to taint analysis. Documentation illustrates that the taint analysis in Tai-e is on the top of the pointer analysis framework.
Q1: Does it mean that taint analysis cannot trace the data flow of primitive data type?
Q2: Could I run it without specifying the sinks to propagate the taint as far as possible?
Thank you so much!

Answer 1 · 2023-02-05T13:11:28.000Z

Q1: Currently, yes. We may support tracing of primitive data in the future.
Q2: Yes. You could run the taint analysis without specifying sinks and just propagate the taints. BTW, the propagation of tainted values won't stop even if they reach sinks.

Answer 2 · 2023-02-05T17:33:20.000Z

I get it. Thanks, that's helpful!

Answer 3 · 2023-02-16T07:16:52.000Z

It seems that the taint analysis of Tai-e cannot handle the implicit flow which brings false negatives. As the basis of taint analysis, the pointer analysis is flow-insensitive and path-insensitive.

if(taintedVar == const0){
    a = 1;   //implicit assignment
}

Is flow-sensitive taint analysis required if I want to track the primitive type of data and implicit flows? Could you please recommend a relative algorithm or implementation? Thanks!

Answer 4 · 2023-02-17T04:10:14.000Z

Tracking primitive data is irrelevant to flow sensitivity. But handling implicit flow does require control-flow information. You could correlate conditional expression to the branches by using CFG and dominator algorithm provided by Tai-e.

ASAIK, JSFlow (repo and website (梯子required)) should be able to track implicit flow dynamically. It is for JavaScript, but may be useful for you as a reference.

Answer 5 · 2023-02-17T08:24:36.000Z

Thank you so much! (๑•̀ㅂ•́)و