CBMC
Loading...
Searching...
No Matches
taint_analysis.cpp
Go to the documentation of this file.
1/*******************************************************************\
2
3Module: Taint Analysis
4
5Author: Daniel Kroening, kroening@kroening.com
6
7\*******************************************************************/
8
11
12#include "taint_analysis.h"
13
14#include <util/invariant.h>
15#include <util/json.h>
16#include <util/message.h>
17#include <util/pointer_expr.h>
18#include <util/prefix.h>
19#include <util/simplify_expr.h>
20#include <util/std_code.h>
21#include <util/string_constant.h>
22
23#include <goto-programs/class_hierarchy.h>
24
25#include <analyses/custom_bitvector_analysis.h>
26
27#include "taint_parser.h"
28
29#include <fstream> // IWYU pragma: keep
30#include <iostream>
31
32class taint_analysist
33{
34public:
35 explicit taint_analysist(message_handlert &message_handler)
36 : log(message_handler)
37 {
38 }
39
40 bool operator()(
41 const std::string &taint_file_name,
42 const symbol_tablet &,
43 goto_functionst &,
44 bool show_full,
45 const std::optional<std::string> &json_file_name);
46
47protected:
48 messaget log;
49 taint_parse_treet taint;
50 class_hierarchyt class_hierarchy;
51
52 void instrument(const namespacet &, goto_functionst &);
53 void instrument(const namespacet &, goto_functionst::goto_functiont &);
54};
55
56void taint_analysist::instrument(
57 const namespacet &ns,
58 goto_functionst &goto_functions)
59{
60 for(auto &function : goto_functions.function_map)
61 instrument(ns, function.second);
62}
63
64void taint_analysist::instrument(
65 const namespacet &ns,
66 goto_functionst::goto_functiont &goto_function)
67{
68 for(goto_programt::instructionst::iterator
69 it=goto_function.body.instructions.begin();
70 it!=goto_function.body.instructions.end();
71 it++)
72 {
73 const goto_programt::instructiont &instruction=*it;
74
75 goto_programt insert_before, insert_after;
76
77 if(instruction.is_function_call())
78 {
79 const exprt &function = instruction.call_function();
80
81 if(function.id() == ID_symbol)
82 {
83 const irep_idt &identifier = to_symbol_expr(function).get_identifier();
84
85 std::set<irep_idt> identifiers;
86
87 identifiers.insert(identifier);
88
89 irep_idt class_id = function.get(ID_C_class);
90 if(class_id.empty())
91 {
92 }
93 else
94 {
95 std::string suffix = std::string(
96 id2string(identifier), class_id.size(), std::string::npos);
97
98 class_hierarchyt::idst parents =
99 class_hierarchy.get_parents_trans(class_id);
100 for(const auto &p : parents)
101 identifiers.insert(id2string(p) + suffix);
102 }
103
104 for(const auto &rule : taint.rules)
105 {
106 bool match = false;
107 for(const auto &i : identifiers)
108 {
109 if(
110 i == rule.function_identifier ||
111 has_prefix(
112 id2string(i),
113 "java::" + id2string(rule.function_identifier) + ":"))
114 {
115 match = true;
116 break;
117 }
118 }
119
120 if(match)
121 {
122 log.debug() << "MATCH " << rule.id << " on " << identifier
123 << messaget::eom;
124
125 exprt where = nil_exprt();
126
127 const code_typet &code_type = to_code_type(function.type());
128
129 bool have_this = !code_type.parameters().empty() &&
130 code_type.parameters().front().get_bool(ID_C_this);
131
132 switch(rule.where)
133 {
134 case taint_parse_treet::rulet::RETURN_VALUE:
135 {
136 const symbolt &return_value_symbol =
137 ns.lookup(id2string(identifier) + "#return_value");
138 where = return_value_symbol.symbol_expr();
139 break;
140 }
141
142 case taint_parse_treet::rulet::PARAMETER:
143 {
144 unsigned nr =
145 have_this ? rule.parameter_number : rule.parameter_number - 1;
146 if(instruction.call_arguments().size() > nr)
147 where = instruction.call_arguments()[nr];
148 break;
149 }
150
151 case taint_parse_treet::rulet::THIS:
152 if(have_this)
153 {
154 DATA_INVARIANT(
155 !instruction.call_arguments().empty(),
156 "`this` implies at least one argument in function call");
157 where = instruction.call_arguments()[0];
158 }
159 break;
160 }
161
162 switch(rule.kind)
163 {
164 case taint_parse_treet::rulet::SOURCE:
165 {
166 codet code_set_may{ID_set_may};
167 code_set_may.operands().resize(2);
168 code_set_may.op0() = where;
169 code_set_may.op1() =
170 address_of_exprt(string_constantt(rule.taint));
171 insert_after.add(goto_programt::make_other(
172 code_set_may, instruction.source_location()));
173 break;
174 }
175
176 case taint_parse_treet::rulet::SINK:
177 {
178 binary_predicate_exprt get_may{
179 where,
180 ID_get_may,
181 address_of_exprt(string_constantt(rule.taint))};
182 source_locationt annotated_location =
183 instruction.source_location();
184 annotated_location.set_property_class(
185 "taint rule " + id2string(rule.id));
186 annotated_location.set_comment(rule.message);
187 insert_before.add(goto_programt::make_assertion(
188 not_exprt(get_may), annotated_location));
189 break;
190 }
191
192 case taint_parse_treet::rulet::SANITIZER:
193 {
194 codet code_clear_may{ID_clear_may};
195 code_clear_may.operands().resize(2);
196 code_clear_may.op0() = where;
197 code_clear_may.op1() =
198 address_of_exprt(string_constantt(rule.taint));
199 insert_after.add(goto_programt::make_other(
200 code_clear_may, instruction.source_location()));
201 break;
202 }
203 }
204 }
205 }
206 }
207 }
208
209 if(!insert_before.empty())
210 {
211 goto_function.body.insert_before_swap(it, insert_before);
212 // advance until we get back to the call
213 while(!it->is_function_call()) ++it;
214 }
215
216 if(!insert_after.empty())
217 {
218 goto_function.body.destructive_insert(
219 std::next(it), insert_after);
220 }
221 }
222}
223
224bool taint_analysist::operator()(
225 const std::string &taint_file_name,
226 const symbol_tablet &symbol_table,
227 goto_functionst &goto_functions,
228 bool show_full,
229 const std::optional<std::string> &json_file_name)
230{
231 try
232 {
233 json_arrayt json_result;
234 bool use_json = json_file_name.has_value();
235
236 log.status() << "Reading taint file '" << taint_file_name << "'"
237 << messaget::eom;
238
239 if(taint_parser(taint_file_name, taint, log.get_message_handler()))
240 {
241 log.error() << "Failed to read taint definition file" << messaget::eom;
242 return true;
243 }
244
245 log.status() << "Got " << taint.rules.size() << " taint definitions"
246 << messaget::eom;
247
248 log.conditional_output(log.debug(), [this](messaget::mstreamt &mstream) {
249 taint.output(mstream);
250 mstream << messaget::eom;
251 });
252
253 log.status() << "Instrumenting taint" << messaget::eom;
254
255 class_hierarchy(symbol_table);
256
257 const namespacet ns(symbol_table);
258 instrument(ns, goto_functions);
259 goto_functions.update();
260
261 bool have_entry_point=
262 goto_functions.function_map.find(goto_functionst::entry_point())!=
263 goto_functions.function_map.end();
264
265 // do we have an entry point?
266 if(have_entry_point)
267 {
268 log.status() << "Working from entry point" << messaget::eom;
269 }
270 else
271 {
272 log.status() << "No entry point found; "
273 << "we will consider the heads of all functions as reachable"
274 << messaget::eom;
275
276 goto_programt end, gotos, calls;
277
278 end.add(goto_programt::make_end_function());
279
280 for(const auto &gf_entry : goto_functions.function_map)
281 {
282 if(
283 gf_entry.second.body_available() &&
284 gf_entry.first != goto_functionst::entry_point())
285 {
286 const symbolt &symbol = ns.lookup(gf_entry.first);
287 const code_function_callt call(symbol.symbol_expr());
288 goto_programt::targett t =
289 calls.add(goto_programt::make_function_call(call));
290 calls.add(
291 goto_programt::make_goto(end.instructions.begin(), true_exprt()));
292 gotos.add(goto_programt::make_goto(
293 t, side_effect_expr_nondett(bool_typet(), symbol.location)));
294 }
295 }
296
297 goto_functionst::goto_functiont &entry=
298 goto_functions.function_map[goto_functionst::entry_point()];
299
300 goto_programt &body=entry.body;
301
302 body.destructive_append(gotos);
303 body.destructive_append(calls);
304 body.destructive_append(end);
305
306 goto_functions.update();
307 }
308
309 log.status() << "Data-flow analysis" << messaget::eom;
310
311 custom_bitvector_analysist custom_bitvector_analysis;
312 custom_bitvector_analysis(goto_functions, ns);
313
314 if(show_full)
315 {
316 custom_bitvector_analysis.output(ns, goto_functions, std::cout);
317 return false;
318 }
319
320 for(const auto &gf_entry : goto_functions.function_map)
321 {
322 if(!gf_entry.second.body.has_assertion())
323 continue;
324
325 const symbolt &symbol = ns.lookup(gf_entry.first);
326
327 if(gf_entry.first == "__actual_thread_spawn")
328 continue;
329
330 bool first=true;
331
332 forall_goto_program_instructions(i_it, gf_entry.second.body)
333 {
334 if(!i_it->is_assert())
335 continue;
336
337 if(!custom_bitvector_domaint::has_get_must_or_may(i_it->condition()))
338 {
339 continue;
340 }
341
342 if(custom_bitvector_analysis[i_it].has_values.is_false())
343 continue;
344
345 exprt result = custom_bitvector_analysis.eval(i_it->condition(), i_it);
346 if(simplify_expr(std::move(result), ns).is_true())
347 continue;
348
349 if(first)
350 {
351 first=false;
352 if(!use_json)
353 std::cout << "\n"
354 << "******** Function " << symbol.display_name() << '\n';
355 }
356
357 if(use_json)
358 {
359 json_objectt json{
360 {"bugClass",
361 json_stringt(i_it->source_location().get_property_class())},
362 {"file", json_stringt(i_it->source_location().get_file())},
363 {"line",
364 json_numbert(id2string(i_it->source_location().get_line()))}};
365 json_result.push_back(std::move(json));
366 }
367 else
368 {
369 std::cout << i_it->source_location();
370 if(!i_it->source_location().get_comment().empty())
371 std::cout << ": " << i_it->source_location().get_comment();
372
373 if(!i_it->source_location().get_property_class().empty())
374 std::cout << " (" << i_it->source_location().get_property_class()
375 << ")";
376
377 std::cout << '\n';
378 }
379 }
380 }
381
382 if(use_json)
383 {
384 std::ofstream json_out(json_file_name.value());
385
386 if(!json_out)
387 {
388 log.error() << "Failed to open json output '" << json_file_name.value()
389 << "'" << messaget::eom;
390 return true;
391 }
392
393 log.status() << "Analysis result is written to '"
394 << json_file_name.value() << "'" << messaget::eom;
395
396 json_out << json_result << '\n';
397 }
398
399 return false;
400 }
401 catch(const char *error_msg)
402 {
403 log.error() << error_msg << messaget::eom;
404 return true;
405 }
406 catch(const std::string &error_msg)
407 {
408 log.error() << error_msg << messaget::eom;
409 return true;
410 }
411 catch(...)
412 {
413 log.error() << "Caught unexpected error in taint_analysist::operator()"
414 << messaget::eom;
415 return true;
416 }
417}
418
419bool taint_analysis(
420 goto_modelt &goto_model,
421 const std::string &taint_file_name,
422 message_handlert &message_handler,
423 bool show_full,
424 const std::optional<std::string> &json_file_name)
425{
426 taint_analysist taint_analysis(message_handler);
427 return taint_analysis(
428 taint_file_name,
429 goto_model.symbol_table,
430 goto_model.goto_functions,
431 show_full,
432 json_file_name);
433}
class_hierarchy.h
Class Hierarchy.
address_of_exprt
Operator to return the address of an object.
Definition pointer_expr.h:540
ai_baset::output
virtual void output(const namespacet &ns, const irep_idt &function_id, const goto_programt &goto_program, std::ostream &out) const
Output the abstract states for a single function.
Definition ai.cpp:39
ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562
binary_predicate_exprt
A base class for expressions that are predicates, i.e., Boolean-typed, and that take exactly two argu...
Definition std_expr.h:731
bool_typet
The Boolean type.
Definition std_types.h:36
class_hierarchyt
Non-graph-based representation of the class hierarchy.
Definition class_hierarchy.h:41
class_hierarchyt::get_parents_trans
idst get_parents_trans(const irep_idt &id) const
Definition class_hierarchy.h:74
class_hierarchyt::idst
std::vector< irep_idt > idst
Definition class_hierarchy.h:43
code_function_callt
goto_instruction_codet representation of a function call statement.
Definition goto_instruction_code.h:271
code_typet
Base type of functions.
Definition std_types.h:583
codet
Data structure for representing an arbitrary statement in a program.
Definition std_code_base.h:29
custom_bitvector_analysist
Definition custom_bitvector_analysis.h:144
custom_bitvector_domaint::has_get_must_or_may
static bool has_get_must_or_may(const exprt &)
Definition custom_bitvector_analysis.cpp:687
dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition dstring.h:38
dstringt::empty
bool empty() const
Definition dstring.h:89
dstringt::size
size_t size() const
Definition dstring.h:121
exprt
Base class for all expressions.
Definition expr.h:56
exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:84
goto_functionst
A collection of goto functions.
Definition goto_functions.h:25
goto_functionst::function_map
function_mapt function_map
Definition goto_functions.h:29
goto_functionst::goto_functiont
::goto_functiont goto_functiont
Definition goto_functions.h:27
goto_functionst::update
void update()
Definition goto_functions.h:88
goto_functionst::entry_point
static irep_idt entry_point()
Get the identifier of the entry point to a goto model.
Definition goto_functions.h:97
goto_modelt
Definition goto_model.h:27
goto_modelt::symbol_table
symbol_tablet symbol_table
Symbol table.
Definition goto_model.h:31
goto_modelt::goto_functions
goto_functionst goto_functions
GOTO functions.
Definition goto_model.h:34
goto_programt::instructiont
This class represents an instruction in the GOTO intermediate representation.
Definition goto_program.h:181
goto_programt::instructiont::call_arguments
const exprt::operandst & call_arguments() const
Get the arguments of a FUNCTION_CALL.
Definition goto_program.h:300
goto_programt::instructiont::call_function
const exprt & call_function() const
Get the function that is called for FUNCTION_CALL.
Definition goto_program.h:272
goto_programt::instructiont::is_function_call
bool is_function_call() const
Definition goto_program.h:494
goto_programt::instructiont::source_location
const source_locationt & source_location() const
Definition goto_program.h:333
goto_programt
A generic container class for the GOTO intermediate representation of one function.
Definition goto_program.h:73
goto_programt::instructions
instructionst instructions
The list of instructions in the goto program.
Definition goto_program.h:622
goto_programt::make_end_function
static instructiont make_end_function(const source_locationt &l=source_locationt::nil())
Definition goto_program.h:1001
goto_programt::targett
instructionst::iterator targett
Definition goto_program.h:614
goto_programt::destructive_append
void destructive_append(goto_programt &p)
Appends the given program p to *this. p is destroyed.
Definition goto_program.h:722
goto_programt::make_function_call
static instructiont make_function_call(const code_function_callt &_code, const source_locationt &l=source_locationt::nil())
Create a function call instruction.
Definition goto_program.h:1090
goto_programt::make_other
static instructiont make_other(const goto_instruction_codet &_code, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:957
goto_programt::add
targett add(instructiont &&instruction)
Adds a given instruction at the end.
Definition goto_program.h:739
goto_programt::make_goto
static instructiont make_goto(targett _target, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:1039
goto_programt::empty
bool empty() const
Is the program empty?
Definition goto_program.h:799
goto_programt::make_assertion
static instructiont make_assertion(const exprt &g, const source_locationt &l=source_locationt::nil())
Definition goto_program.h:933
irept::get
const irep_idt & get(const irep_idt &name) const
Definition irep.cpp:44
irept::id
const irep_idt & id() const
Definition irep.h:388
json_arrayt
Definition json.h:165
json_numbert
Definition json.h:289
json_objectt
Definition json.h:298
json_stringt
Definition json.h:270
message_handlert
Definition message.h:27
messaget
Class that provides messages with a built-in verbosity 'level'.
Definition message.h:154
messaget::error
mstreamt & error() const
Definition message.h:391
messaget::debug
mstreamt & debug() const
Definition message.h:421
messaget::get_message_handler
message_handlert & get_message_handler()
Definition message.h:183
messaget::conditional_output
void conditional_output(mstreamt &mstream, const std::function< void(mstreamt &)> &output_generator) const
Generate output to message_stream using output_generator if the configured verbosity is at least as h...
Definition message.cpp:139
messaget::eom
static eomt eom
Definition message.h:289
messaget::status
mstreamt & status() const
Definition message.h:406
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91
namespacet::lookup
bool lookup(const irep_idt &name, const symbolt *&symbol) const override
See documentation for namespace_baset::lookup().
Definition namespace.cpp:134
nil_exprt
The NIL expression.
Definition std_expr.h:3208
not_exprt
Boolean negation.
Definition std_expr.h:2454
side_effect_expr_nondett
A side_effect_exprt that returns a non-deterministically chosen value.
Definition std_code.h:1520
source_locationt
Definition source_location.h:20
string_constantt
Definition string_constant.h:15
symbol_tablet
The symbol table.
Definition symbol_table.h:14
symbolt
Symbol table entry.
Definition symbol.h:28
symbolt::location
source_locationt location
Source code location of definition of symbol.
Definition symbol.h:37
symbolt::symbol_expr
class symbol_exprt symbol_expr() const
Produces a symbol_exprt for a symbol.
Definition symbol.cpp:121
symbolt::display_name
const irep_idt & display_name() const
Return language specific display name if present.
Definition symbol.h:55
taint_analysist
Definition taint_analysis.cpp:33
taint_analysist::operator()
bool operator()(const std::string &taint_file_name, const symbol_tablet &, goto_functionst &, bool show_full, const std::optional< std::string > &json_file_name)
Definition taint_analysis.cpp:224
taint_analysist::instrument
void instrument(const namespacet &, goto_functionst &)
Definition taint_analysis.cpp:56
taint_analysist::taint
taint_parse_treet taint
Definition taint_analysis.cpp:49
taint_analysist::taint_analysist
taint_analysist(message_handlert &message_handler)
Definition taint_analysis.cpp:35
taint_analysist::log
messaget log
Definition taint_analysis.cpp:48
taint_analysist::class_hierarchy
class_hierarchyt class_hierarchy
Definition taint_analysis.cpp:50
taint_parse_treet::rulet::PARAMETER
@ PARAMETER
Definition taint_parser.h:30
taint_parse_treet::rulet::THIS
@ THIS
Definition taint_parser.h:30
taint_parse_treet::rulet::RETURN_VALUE
@ RETURN_VALUE
Definition taint_parser.h:30
taint_parse_treet::rulet::SANITIZER
@ SANITIZER
Definition taint_parser.h:29
taint_parse_treet::rulet::SINK
@ SINK
Definition taint_parser.h:29
taint_parse_treet::rulet::SOURCE
@ SOURCE
Definition taint_parser.h:29
taint_parse_treet
Definition taint_parser.h:24
taint_parse_treet::rules
rulest rules
Definition taint_parser.h:63
true_exprt
The Boolean constant true.
Definition std_expr.h:3190
has_prefix
bool has_prefix(const std::string &s, const std::string &prefix)
Definition converter.cpp:13
custom_bitvector_analysis.h
Field-insensitive, location-sensitive bitvector analysis.
forall_goto_program_instructions
#define forall_goto_program_instructions(it, program)
Definition goto_program.h:1229
id2string
const std::string & id2string(const irep_idt &d)
Definition irep.h:44
is_true
bool is_true(const literalt &l)
Definition literal.h:198
pointer_expr.h
API to expression classes for Pointers.
json
static void json(json_objectT &result, const irep_idt &property_id, const property_infot &property_info)
Definition properties.cpp:120
return_value_symbol
symbol_exprt return_value_symbol(const irep_idt &identifier, const namespacet &ns)
produces the symbol that is used to store the return value of the function with the given identifier
Definition remove_returns.cpp:413
simplify_expr
exprt simplify_expr(exprt src, const namespacet &ns)
Definition simplify_expr.cpp:3246
simplify_expr.h
DATA_INVARIANT
#define DATA_INVARIANT(CONDITION, REASON)
This condition should be used to document that assumptions that are made on goto_functions,...
Definition invariant.h:534
std_code.h
to_symbol_expr
const symbol_exprt & to_symbol_expr(const exprt &expr)
Cast an exprt to a symbol_exprt.
Definition std_expr.h:272
to_code_type
const code_typet & to_code_type(const typet &type)
Cast a typet to a code_typet.
Definition std_types.h:788
string_constant.h
taint_analysis
bool taint_analysis(goto_modelt &goto_model, const std::string &taint_file_name, message_handlert &message_handler, bool show_full, const std::optional< std::string > &json_file_name)
Definition taint_analysis.cpp:419
taint_analysis.h
Taint Analysis.
taint_parser
bool taint_parser(const std::string &file_name, taint_parse_treet &dest, message_handlert &message_handler)
Definition taint_parser.cpp:20
taint_parser.h
Taint Parser.